Credible Challenge, Risk Management and Compliance
For several years now, regulators have talked about enterprise-wide risk management (“ERM”). Often, however, when you ask someone to describe it, the answer becomes a “shaggy dog” story with many different component parts but no main theme. The truth is that there has not been much clear guidance in this area.
In recent months, there have been some developments that have come together to shed some light on what ERM might mean for community banks. First, there has been the OCC pronouncement about the expectations for ERM in very large banks. Next, the concept of clear credible challenge by the Board to the senior management of banks has been espoused by all of the regulatory agencies. Finally, regulators have made it clear that in the future, compliance management will be considered a part of the “M” rating in a bank’s CAMEL rating for safety and soundness.
The OCC released guidance for very large banks on what is expected for a credible risk management structure. For very large banks, this means that:
- Department heads and line business holders must track and manage the individual risk in their business units
- There must be an independent risk manager whose role it is to monitor and control risk throughout the organization
- Independent audits must be performed to test the risk monitoring system
The main thrust of this guidance is that there has to be an entity (ultimately the Board) that serves to set the level of risk that is acceptable at a financial institution. Further, the risk managers should be independent of the risk takers. At the end of the day, the expectation is that the Board will control the level of risk at the Bank and must push back against the business lines that naturally want to increase risk for profits.
Along those same lines, the idea that the Board must present credible challenge to the senior management at the bank is a concept that is increasingly emphasized by the regulators. The concept here is not simply that the Board members question each and every decision of management. Instead, the idea is that the Board must undertake a process that allows them to get comprehensive information about the bank’s performance in real time. It also means that the Board must then take this information and use it to challenge the strategic plans and projections of management. Much like the biblical saying that “iron sharpens iron,” the idea here is that the Board must increasingly ensure that management has thought through the idea and has answers for credible challenges to those plans. Again, most of the pronouncements in this area are directed at large banks, but that by no means says that community banks should take a different route. Board members should be cognizant of the fact that the regulators are expecting a strong commitment to directing the bank.
The third factor that comes into play is the ascendance of compliance as an issue for bank management. In past years, the truth is that compliance often took a back seat to safety and soundness. After all, the thought went, no bank fails because of compliance problems. However, recently regulators have come to realize that compliance management is indeed a reflection of overall management. The ability of banks to direct the compliance management program has to be a part of the “M” component of the CAMEL ratings. In point of fact, the Comptroller of the Currency in remarks made in late 2013 said as much. In his December 2013 comments to the Consumer Federation of America, Mr. Tim Curry, the Comptroller of the Currency, pointed out that consumer compliance is a management issue:
In reality, there is no neat dividing line between consumer compliance and safety and soundness issues. If an institution has a compliance issue, they are certain to have underlying risk management issues. Consumer protection is inextricably linked to safety and soundness. 
The fact of the matter is that at the very base of the financial crisis that this country recently experienced is consumer lending gone horribly wrong. Compliance is going to be a major focus for the regulators in the near future. The areas of compliance are also expanding. The area isn’t simply the alphabet soup regulations that we know so well; vendor management, debt collection practices, and the effects of practices at a bank are all topics that come under the rubric of compliance.
Putting together the ideas of enterprise-wide risk management, credible challenge theory and compliance management as a safety and soundness issue, we come to a “brave new world” for compliance. When the strategic plan is being put together, for example, it will soon be the expectation that the question “how are we meeting the credit needs of our community” is asked regularly. When a Chief Credit Officer tells the Board that it is not economically feasible to offer home mortgages, it will be expected that a member of the Board will challenge the officer to “prove it”!
There are currently many mantras that have been held to be true for some time without challenge. For example, community banks often say that they have limited access to community development opportunities because they get eaten up by the big banks. Now is a good time to find out if that is really true. When was the last time you actually reviewed the community development opportunities in your assessment area? This is not to say that there are vast opportunities out there that remain untapped. It IS to say that now is the time to prove it with statistics and research!
What’s a Community Bank to Do?
It is clear that the regulators don’t expect community banks to hire a full-time risk officer. Frankly, it might be easy to say these directives only apply to large banks, stick one’s head in the proverbial sand and hope that nothing will happen. On the other hand, it is also clear that the regulators are expecting a senior management position, preferably one that is not in the risk-taking function, to monitor and administer the risk portfolio of the bank. Now is the time to face the inevitable reality of risk management.
So how does a community bank start the risk management process under this new regime? Well, you start with putting your Board reports on turbo charge! Reports to the Board have to step outside the box. In addition to the operating results of the last reporting period, the reports should include changes to regulations and how these regulations might impact the bank. For example, many community banks felt that the rules on qualified mortgages represented a whole new world of regulatory concerns and immediately decided to make only qualifying mortgages. However, if the specifics of these regulations had been presented to Boards with the opportunity to discuss them, many would have noticed that the regulations basically state best practices for making loans. There was very little to fear and, in some cases, an opportunity to increase market share. Going forward, regulators will expect that these sorts of regulations receive robust discussion at the Board level.
We also suggest that Board reports include information on technological changes and how they impact the bank. Mobile banking and RDC present opportunities to grow the client base. Of course, both of these products come with the possibility of increased risk. The expectation is that the decision to use (or not to use) these products will come after careful consideration by the Board.
One of the areas that often goes overlooked by banks is the changing demographics of the assessment area that they serve. In the recent past, the failure to note the changing face of the neighborhood led a client to make a product decision that led to a fair lending investigation. The bank simply decided that the minimum disposable income for HELOCs would be $50,000. However, because the bank had not done research on its assessment area in some time, it was unaware that this decision cut out whole neighborhoods that surrounded the headquarters of the bank. In our opinion, change presents opportunity, so a changing environment has to be one of the considerations of a strategic plan.
In the end, now is the time to enhance your risk management program and the level of Board participation in the process, and to include compliance as one of the pillar considerations that your bank makes as it plans for the future.
 Comments by Comptroller Tim Curry before the CFA Financial Services Conference December 2013
James DeFrantz is a Partner in Atlanta-based financial services industry consulting firm Bank Solutions Group.