The role of bank directors in managing risk
The FDIC is offering a fresh take on how a bank’s board of directors should understand and manage risk. This insight could be helpful to share with a financial institution’s directors.
The regulator’s April edition of Supervisory Insights provides what the FDIC called a “refresher” on its Pocket Guide for Directors, the 1988 booklet outlining the basic duties and responsibilities of a bank’s board of directors. The core principles for directors have not changed materially since 1988, the FDIC said. Nevertheless, the Supervisory Insights publication “incorporates more recent guidance and technical resources, including significant bank-governance insights and experiences that have been gained since 1988.”
Directors overseeing a bank’s operations are important partners in supervisory efforts, the FDIC noted in the article (“A Community Bank Director’s Guide to Corporate Governance: 21st Century Reflections on the FDIC Pocket Guide for Directors”).
“Prudent oversight is rooted in the directors sending a clear message to staff that they value a strong risk management culture that includes a strong ethical culture,” the FDIC said.
Risk management culture
What exactly is a risk management culture? It is the system of goals, objectives, policies, controls, values and behaviors present in an organization that influence risk decisions.
As part of working with management to establish the bank’s short- and long-term business objectives, community bank directors should have a solid understanding of the institution’s risk profile, the FDIC said. Having a solid understanding involves more than simply reviewing the bank’s financial condition as of today. It also includes:
1. Assessing how risky the business model is. This means understanding the types of products and services the bank offers and how they are delivered.
2. Evaluating risk management. How does the bank manage the risks associated with its business model and growth plans?
3. Considering external threats. This means looking outside the financial institution to consider what about the operating environment could pose a hazard.
The FDIC noted that some community banks may seem similar to each other on some levels, but they can have vastly different risk profiles. “The FDIC would expect community banks with a higher risk profile to have stronger risk management practices and a higher degree of board oversight,” the article said.
Setting the risk appetite
Once the board of directors understands the bank’s risk profile, directors should set an appropriate risk appetite for the institution, according to the FDIC. “Risk appetite means a set of objectives and risk parameters within which senior management should operate,” the regulator said. Directors should establish “prudent limits” around risk areas that could affect the condition of the bank.
The areas for which banks should set risk objectives and parameters may vary from institution to institution, but at a minimum, the FDIC expects objectives and parameters for:
• Overall credit risk
• Asset concentrations, by business line and by borrower or issuer, as appropriate
• The bank’s funding mix
• Interest rate risk.
When to ramp up oversight
The FDIC noted that how much oversight a board provides will vary among institutions, and the level of oversight also should be adjusted as the nature and complexity of the bank’s operations change and as external factors warrant. It provided a list of 13 situations that would warrant a higher level of board oversight:
1. A CAMELS composite or component rating of 3, 4 or 5, the existence of an enforcement action, or both
2. Elevated asset or funding concentrations
3. Complex or highly specialized products or activities
4. High levels of historical or planned growth
5. Rapidly shifting balance sheet structure
6. Low or shrinking levels of liquid assets
7. Plans to change the business model or enter into significant new lines of business
8. Deviations from bank policy or prudent banking practice, violations of laws and regulations, or heightened examiner or auditor criticism
9. Poor operating results
10. Low capital levels or poor access to new capital
11. Operational problems in BSA/AML, information technology and cybersecurity
12. Deterioration in local economies or in business line fundamentals
13. Low Community Reinvestment Act or consumer compliance ratings, or high levels of consumer complaints
The FDIC said it strongly encourages directors of community banks to be involved in the examination and supervision process. “In addition to reviewing reports of examination, this includes attending board meetings where results are being discussed, and following up with the examiner-in-charge, field supervisor, or case manager with any questions or concerns about FDIC expectations on any aspect of the supervisory process,” it said.
An institution’s risk rating system often forms the basis for broader risk management practices, including setting the ALLL reserve, stress testing and strategic planning. For more on creating a strong risk rating system, access this archived webinar: Risky Business – Revamp Risk Ratings for Your ALLL.