3 Key Takeaways from Bank Director’s Audit & Risk Conference

A quick check-in from the Swissotel in Chicago, where we just wrapped up the main day of Bank Director’s 10th annual Bank Audit & Risk Committees Conference.  This is a fascinating event, one focused on key accounting, risk and regulatory issues aligned with the information needs of a bank’s Chairman, CEO, Bank Audit Committee, Bank Risk Committee, CFO, CRO and internal auditor.  Risk + strategy go hand in hand; today, we spent considerable time debating risk in the context of growing the bank.

By Al Dominick, President & CEO of Bank Director

Earlier today, while moderating a panel discussion, I referenced a KPMG report that suggests “good risk management and governance can be compared to the brakes of a car. The better the brakes, the faster the car can drive.”  With anecdotes like this ringing in my head, allow me to share three key takeaways:

  1. A company’s culture & code of conduct are critical factors in creating an environment that encourages compliance with laws and regulations.
  2. Risk appetite is a widely accepted concept that remains difficult, in practice, to apply.
  3. As a member of the board, do not lose sight of the need to maintain your skepticism.

This year’s program brings together 150+ financial institutions and more then 300 attendees. The demographics reflect the audience we serve, so I thought to share three additional trends.  Clearly, boards of directors are under pressure to evolve.  Financial institutions need the right expertise and experience and benefit greatly when their directors have diverse backgrounds.

Further, as more regulatory rules are written, board members need to understand what they mean and how they can affect their bank’s business.  Finally, technology strategies and risks are inextricably linked to corporate strategy; as such, the level of board engagement needs to increase.

Given the many issues — both known and unknown — a bank faces as our industry evolves, today made clear how challenging it can be for an audit or risk committee member to get comfortable addressing risk and issues.  Staying compliant requires a solid defense and appreciation for what’s now.  Staying competitive?  This requires a sharper focus given near constant pressures to reduce costs while dealing with increasing competition and regulation.

##

To see what we’re sharing on our social networks, I encourage you to follow @bankdirector @fin_x_tech and @aldominick.  Questions or comment?  Feel free to leave me a note below.

Main Areas of Focus for a Bank’s Audit and Risk Committees

What’s top-of-mind for a bank’s Audit and Risk committee members?  Let’s start with cyber security…

By Al Dominick // @aldominick

There are many challenges that bank boards & executives must address, and these two videos (one by our editor, Jack Milligan; the other, by me) briefly review current issues that demand attention + emerging ones that we took note of at this week’s Bank Audit & Risk Committees Conference at the JW Marriott in Chicago.

*For more on the risks facing banks today, take a look at this report from our conference (#BDAudit15).

How to Understand a Bank’s Audit and Risk Committees Issues in Three Steps

I’m in Chicago at Bank Director’s annual Bank Audit & Risk Committees Conference along with more than 260 bankers and some 315 total attendees.  At a time when audit and risk committees have an increasing amount of responsibilities, I’m impressed with the commitments made by attendees and speakers alike to tackle real issues as opposed to sugar coating the challenges before banks today.

As we move into a series of afternoon breakout sessions, I am taking a pause to share my observations on the day so far.  Having moderated a session that touched on how banks can enhance risk oversight capabilities and effectively challenge management on risk, let me try to make sense of the issues being faced by senior bankers and board members if you are not with us.

Step 1: Know Where We Are Coming From

Now that the worst of the financial crisis is behind them, you might think bank boards might finally breathe a sigh of relief.  You would be mistaken.  For example, we have been in an exceptionally low-interest rate environment — one that has caused net interest margins to decline significantly since 2000.  Moreover, growing the bank organically remains challenging with slow loan growth and changing consumer expectations.  Finally,  compliance costs and uncertainties continue to escalate.  So yes, for banks here with us in Chicago, the storm was weathered.  Still, significant risks and challenges remain in place.

Step 2: Accept Where We Are Today

Per our first speaker, Steve Hovde, it has become exceedingly more difficult to maintain net interest margins without growing loan balances.  As he made clear, banks with lower loan-to-deposit ratios operate with less overhead, but they have been unable to translate their lower operating costs into higher profitability over the long run.  In his words, loan growth is now paramount to profitability — and banks will need to find ways to generate loans either organically or (more likely) through M&A activity.

I know that many banks are struggling to find new revenue sources.  I also hear how bank boards are considering diversifying into new loan products and service offerings to attract and retain new and existing customers.  So, for banks considering new lending strategies or launching a new product or service, I made note that the audit committee, risk committee and internal auditor must collaborate to safeguard the organization by understanding an organization’s initiatives, limits and controls, all while understanding the risk monitoring that exists at the institution.

Step 3: Understand Where Things Are Heading

As we look ahead, it is quite clear that the largest banks in the U.S. (e.g. those above $50Bn in assets) have greatly benefited from their ability to spread fixed costs over a larger pool of earning assets.  They have lower efficiency ratios, more non-interest income and stronger earnings.  Since there are at most 30 banks that are above that $50Bn threshold out of some 6,500 banks, the risks facing most of the industry may take various forms but share similar origins.  That is, banks — and their boards — will continue to wrestle with technology issues, find fewer opportunities to replace declining fee revenue, deal with non-regulated “shadow” banks, struggle with regulatory cost burdens and expectations, face new cyber threats and have to address third-party vendor risks.

##

Tomorrow, I will have more to share on this afternoon’s breakout sessions and our final point/counterpoint session.  In between, I invite you to follow the conversation via Twitter using #BDAudit15, @bankdirector and/or @aldominck.

A Complete Guide to Bank Director’s Audit & Risk Committees Conference

Whether it is a complex product, new service or emerging line of business, this year’s Bank Audit & Risk Committees Conference examines the many issues and opportunities being faced in boardrooms at financial institutions of all sizes across the country.

By Al Dominick // @aldominick

While much has been written about how and where banks might grow, with new opportunities come new challenges.  With our industry undergoing significant change, boards must be highly informed in order to proactively oversee the management of security risks, compliance challenges and reputational issues.  At this year’s Bank Audit & Risk Committees Conference, we focus in on key accounting, risk and regulatory issues that challenge bankers and board members alike.  Today’s column tees up this year’s program, one that opens on Wednesday at the JW Marriott in Chicago, IL.

Screen Shot 2015-06-08 at 2.03.43 PM

Wednesday, June 10

Before the curtains officially come up, we offer a series of pre-conference programs; most notably, a series of peer exchanges exclusive to a bank’s audit and risk committee chairs.  Modeled upon our annual Bank Chairman/CEO Peer Exchange, small groups of directors meet in closed door, off-the-record peer exchanges for candid discussions about various hot topics.  In addition, we have added a cyber security workshop that allows attendees to play out various scenarios that involve a hack, breach or attack.  Finally, we offer a primer for newer audit and risk committee members and chairs that provides a framework for both roles and responsibilities.

Thursday, June 11

According to several bankers I have recently talked to, this has become a must-attend event for audit committee members, audit committee chairs, CEOs, CFOs, presidents, corporate secretaries, internal auditors, chief risk managers and other senior executives who works closely with the audit and/or risk committee.  This year, we cover pertinent issues such as enterprise risk management, fraud, relations with internal and external auditors, audit committee oversight and regulatory changes for banks.  It is this ability to focus in on critical concerns and complex scenarios to a very specific group of officers and directors that sets us apart from others.  At a time when audit and risk committee members are being asked to take on more responsibilities and perform at higher levels than ever before, the presentations made on day one are laser-focused on key financial, risk management and regulatory issues.

Friday, June 12

A significant imperative for members of a bank’s board today?  Fully integrate risk management, compliance and ethics “that fit” into a particular bank’s culture.  On day two, we look at how this might be done while addressing many other challenges.  Indeed, some of the key risks facing banks today (that regulators expect boards and senior managers to address) include:

  • Strategic risk as banks adapt business models to respond to the current economic and competitive landscapes;
  • Management succession and retention of key staff;
  • Loosening loan underwriting standards;
  • Expansion into new products and services;
  • Exposure to interest rate risk;
  • Oversight of third party service providers;
  • Increased volume and sophistication of cyber threats;
  • BSA/AML risk from higher-risk services and customer relationships; and
  • Maintaining effective compliance management systems.

The presenters at this event are some of the leading experts in accounting, legal, consulting and regulatory areas, as well as experienced bank officers and directors.  From Sullivan & Cromwell to KPMG, Arnold & Porter to Crowe, Latham & Watkins to FIS, we are pleased to bring some of the industry’s foremost advisors together in Chicago.

##

To follow the conversation via Twitter, check out #BDAUDIT15, @bankdirector and @aldominick.

Risk Management: Most Certainly An Ongoing Process

Next week, Bank Director releases its annual Risk Practices Survey.  In advance of that report, let me share an excerpt from a risk management-focused piece by KPMG’s Lynn McKenzie and Edmund Green — How a Board Can Credibly Challenge Management on Risk — that foreshadows some of the results. 

As our industry evolves, banks increasingly rely on complex models to support economic, financial and compliance decision-making processes. Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — let me share the eight considerations that KPMG wrote about for board members as they evaluate their risk oversight.

(1) Do our board members (particularly directors on audit or risk committees) know our bank’s top enterprise risks — those that threaten our bank’s strategy, business model, or existence?

(2) Does our bank have a formal risk management process? Do directors know how management identifies and manages risks, both existing and emerging, and if there is a process of accountability? Does the board have comfort that management has the proper talent to manage today’s risks?

(3) Does the bank have a formal risk appetite statement? If not, how does the board oversee that management is not taking risks outside of the bank’s stated risk tolerance? Is there a protocol to escalate a risk issue directly to the board? Is there evidence that management recognizes the critical need to timely communicate risk issues to board members? Is there a process for the board to evaluate the impact of compensation on management’s risk-taking?

(4) As the bank takes on new initiatives or offers new products and services, does the board understand the process to evaluate the risks prior to decisions being made? Is there a clear threshold for when items need to be brought to the board before finalizing a decision?

(5) In examining management’s reporting process, are directors concerned whether they are getting relevant data? Are they getting so much detail that it cannot be absorbed? Are they getting data at such a high level that it’s impossible to evaluate risk?

(6) Does the board recognize that risk management done well adds competitive advantage and value by addressing gaps in operations? Viewing risk management solely as a compliance function increases the chances of wasting time and money.

(7) Is the board ensuring that, in dealing with the regulators, the bank is “getting credit’’ for the risk management activities it is doing well by being able to describe the programs that have been instituted—or actions taken—that will enable the bank to “harvest value” from its enterprise risk management process?

(8) Finally, given the importance of “tone at the top,’’ are directors satisfied that the proper culture of “doing the right thing’’ exists across the organization?

##

As many know by now, the 2,300+ page Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers.  Not surprisingly, many institutions under these thresholds have similarly established committees and recruited executives into their bank.

By taking a more comprehensive approach to risk management, I continue to see institutions reap the benefits with improved financial performance… and yes, this too foreshadows next week’s research report.  To view the entire KPMG article, here is the link (don’t worry, no registration required).  I’ll post more about the Risk Practices Survey along with a link to both the full results and summary report here next week.

Three Observations From Bank Director’s 2015 Acquire or Be Acquired Conference (Monday)

News and notes from the second day of Bank Director’s annual Acquire or Be Acquired conference.

Key Takeaway

My biggest takeaway from the second full day of Acquire or Be Acquired (#AOBA15 via @bankdirector): instead of asking why take the risk of doing a deal or why take the risk of creating a high performing bank, a better question might be can you be relevant if you don’t?

Trending Topics

To start the day, I polled the audience — using an automated response system — on a number of non-M&A topics.  Of note, the majority of attendees believe the greatest organic loan growth opportunity is in commercial real estate.  Likewise, the majority of people voted for cash management services to businesses when asked what provides them with the greatest fee-growth opportunities.  Anecdotally, the issues I took note of where, in no particular order:

  • The expansive views of the regulators continue to frustrate bankers;
  • Where stock will be issued in a merger, an auction may not only be not required, but can be counterproductive from maximizing value to shareholders — hence the reasons why negotiated sales processes are gaining in popularity;
  • Key regulatory obstacles remain centered on compliance -‒ for buyers and sellers alike (e.g. BSA, consumer and increasingly, CRA);
  • There have been 28 transformational mergers — one bank acquiring another that is over 25% of its size — since 2013. These are merger of like-sized companies (yes, we are getting away from the term MOE). The market likes these deals — stocks in these deals have out-performed the market.

Picked Up Pieces

A really full day here in Scottsdale, AZ with quite a few spirited discussions/debates.  Here are some of the more salient points I made note of throughout the program:

  • The only thing worse than a flat yield curve is an inverted one.
  • If stocks do well after a deal, means you have the runway to do more deals in the future.
  • When it comes to buying another institution, keep in mind just because somebody has the money doesn’t mean they are going to spend the money.
  • Per Bill Hickey at Sandler O’Neill, capital markets are “open for business” given the lower rate environment and attractive yields/costs for both issuers and investors alike.
  • Without big bank M&A, community groups now review and protest transactions by much smaller banks.
  • A fundamental truth: as you grow, compliance & regulatory expectations grow with you.

More to come from The Phoenician and Acquire or Be Acquired tomorrow morning.

Three Thoughts on Banks and Risk

I’m heading out to Chicago and Bank Director’s annual Bank Audit & Risk Committees Conference.  The agenda — focused on accounting, risk and regulatory issues — aligns with the information needs of a Chairman of the Board, Audit and/or Risk Committee Chair and Members, Internal Auditors, Chief Financial Officers and Chief Risk Officers.  Before I welcome some 300 attendees (representing over 150 financial institutions from 39 states) to the Palmer House, I thought to share three things that would keep me up at night if I traded roles with our attendees.

The Bean

(1) The Risk of New Competition

For bank executives and board members, competition takes many forms.  Not only are banks burdened with regulation, capital requirements and stress testing, they now have the added pressure of competition from non-financial institutions.  Companies such as Paypal, as well as traditional consumer brands such as Walmart, are aggressively chipping away at the bank’s customer base and threatening many financial institutions’ core business — a fact made clear by Jamie Dimon, the CEO of JPMorgan Chase, at a shareholder meeting this February.

“You’d be an idiot not to think that the Googles and Apples  .  .  .  they all want to eat our lunch.  I mean, every single one of them.  And they’re going to try.”

To this end, I find myself agreeing with Accenture’s Steve Culp, Accenture’s senior managing director of Finance & Risk Services, when he writes “banks need to keep developing their risk capabilities, skills and talents, and align these skills with their agenda around future growth. If they don’t align their growth agenda with their risk capabilities—building a safe path toward growth opportunities—they will miss out on those growth opportunities.”  While I plan on diving much deeper into this topic following the conference, I definitely welcome feedback on the issue below.

(2) The Risk to A Reputation

While the Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers, I’m seeing smaller banks proactively following suit.  Such additions, however, does not absolve directors and senior managers of financial institutions from preparing for the worst… which is easier said then done.   In some ways, a bank’s reputation is a hard-to-quantify risk.  Anyone can post negative comments online about an institution’s products, services or staff, but one only needs to look at Target’s financial performance post-cyber hack to realize that revenue and reputation goes hand-in-hand.

(3) The Risk of Cyber Criminals

Speaking of Target, earlier this year, Bank Director and FIS collaborated on a risk survey to pinpoint struggles and concerns within the boardrooms of financial institutions.  As we found, tying risk management to a strategic plan and measuring its impact on the organization proves difficult for many institutions, although those that have tried to measure their risk management program’s impact report a positive effect on financial performance.  What jumps out at me in the results of this research are the concerns over cyber and operational security.  Clearly, the number of “bad actors” who want to penetrate the bank’s defenses has increased exponentially, their tools have become remarkably sophisticated, and they learn quickly.  I read an interesting piece by an attorney at Dechert (sorry, registration required) that shows the analytical framework for cyber security is very similar to what most directors have focused on in their successful business careers: people, process and technology.  But theory is one thing, putting into practice a plan to protect your assets, entirely different.

##

To comment on today’s column, please click on the green circle with the white plus sign on the bottom right. If you are on twitter, I’m @aldominick. Aloha Friday!

What you learn at a puppet show

Hank Williams "walking" the red carpet in Nashville

I wrapped up a fairly intense period of travel with a day trip to NYC on Monday and a subsequent overnight in Nashville on Tuesday & Wednesday. While in the Music City, our Chairman invited me to join him at a puppet festival (yes, you read that right). The show, a musical chronicle of the history of country music, benefitted the Nashville Public Library Foundation and the Country Music Hall of Fame. Laugh if you will, but I will tell you, it was amazingly creative. As I mingled with various benefactors of both institutions, I found myself engaged in conversation with the former managing partner at Bass, Berry & Sims. Having led one of the preeminent law firms in the Southeast, his perspective on how dramatically the legal profession has changed in the last fifteen years struck a nerve. The parallels between his profession and the banking space were immediately apparent. So with Patsy Cline playing in the background, we talked about the future of banking, professional services firms and relationship building in general. As we did, I made a mental note to share three thoughts from this week that underscore how things continue to change in our classically conservative industry.

(1) First Republic’s founder and CEO, Jim Herbert, shared some of his Monday morning with me while I was in NYC. Jim founded the San Francisco-based bank in 1985, sold it to Merrill Lynch in 2007, took it private through a management-led buyout in July 2010 after Merrill was acquired by Bank of America, then took it public again this past December through an IPO. For those in the know, First Republic is one of this country’s great banking stories. Not only is it solely focused on organic growth, it’s also solely focused on private banking. While my conversation with Jim was off-the-record, I left his office convinced its the smarts within, not the size of, a bank that will separate the have’s from the have not’s in the years ahead. Clearly, as new regulations and slim profit margins challenge the banking industry, the skills and backgrounds of the employees who work in banking must change.

(2) Speaking of successful banks that have successfully navigated recent challenges… KeyCorp’s Chief Risk Officer, Bill Hartman, joined us last week for Bank Director’s annual Bank Audit Committee Conference in Chicago. Bill is responsible for the bank’s risk management functions, including credit, market, compliance and operational risk, as well as portfolio management, quantitative analytics and asset recovery activities. While I shared some thoughts about that program last week, I thought to elaborate on how KeyCorp divides the roles and responsibilities of its Audit and Risk Committees. Some still think you “retire” to the board; as he showed, that is definitely not the case – especially not at an institution that counts 2 million customers, 15,000 employees and assets of $89 Bn. In terms of Key’s Audit Committee, members oversee Internal Audit, appoint independent auditors and meet with the Chief Risk Officer, Chief Risk Review Officer, and of course, for financial reporting, the CFO. I thought it was interesting to note their Audit Committee met 14 times in 2012 — twice as often as the institution’s Risk Committee convened. With many smaller banks considering the creation of such a committee, let me share the focus of their Risk Committee. Strategically, it is responsible for:

  • Stress testing policy;
  • Dividend and share repurchases;
  • Modeling risk policy;
  • Asset and liability management; and
  • Setting tolerances, key risk indicators and early warning indicators

For those thinking about introducing a Risk Committee into their bank, take a look at what some of our speakers shared leading up to last week’s Audit Committee conference for inspiration.  For a recap of the event, our editor shares his thoughts in today’s Postcard from the Bank Audit Committee Conference.

(3) Yesterday, I was pleased to learn that ConnectOne’s CEO, Frank Sorrentino, agreed to participate in our annual Bank Executive & Board Compensation Conference in November. In addition to being one of the more active bankers I follow on Twitter, I’ve written about his bank going public in a previous post. Today, it’s a WSJ piece that shows U.S. regulators grilling banks over lending standards and “warning them about mounting risks in business loans” that has me citing the NJ-based bank. This particular article quotes the CEO of the Englewood Cliffs, N.J. bank in terms of lending standards (yes, a subscription is required). He reveals that regulators recently asked what he is doing to ensure he isn’t endangering the bank by making risky loans. His response: “the bank is trying to offset the lower revenue from low-interest-rate commercial loans by cutting expenses.” While I get the need for oversight, I do wonder how far the regulatory pendulum will continue to swing left before sanity/reality sets in at the CFPB, FDIC, OCC, etc. I’ll stop before I say something I regret, but do want to at least encourage a Twitter follow of Frank and his “Banking on Main Street” blog.

Aloha Friday!