
Saturday, 16 May 2015

Bank Board Reports: War and Peace or Cliff Notes?

Today, Board reports closely resemble War and Peace. Why? For the same reason regulators focus on the little things: to CYA. We don't want to be criticized that our Board was uninformed, so that little embarrassment about the audit exception that turned into employee fraud is on page 262 of your Board report.

You mean you didn't see it? That's on you, fella.

Are we trying to fool ourselves into believing that all of our Board members are reading the 300+ pages we send to them two days prior to the Board meeting every month? Sure, there will be some that do. But my suspicion is there are more that do not. How could they? It's 300 pages! In two days! And most Board members have full time jobs!

According to the FDIC pocket guide for directors, a financial institution's Board should:

- Select and retain competent management
- Establish, with management, the institution's long and short-term business objectives in a legal and sound manner
- Monitor operations to ensure that they are controlled adequately and are in compliance with law and policies
- Oversee the institution's business performance
- Ensure that the institution helps to meet its community's credit needs

How many pages per month do we need to fulfill those Board responsibilities? Not on that list are the following things I often see Boards debating:

- Selecting contractors for the buildout of the new branch
- Determining raises for employees who are not Senior Management
- Credit underwriting
- Small ticket charitable donations
- Loan administration's $100 budget variance

All of these distractions take valuable time away from Boards doing what they should be doing, as described above. Here is what I suggest for Board reporting:

1. Financial reports for the current period, and trends. 
2. Budget variance reports
3. Financial progress towards strategic plan
4. Financial condition and performance versus peer
5. High-level risk management reports (more granular risk reports are reviewed in Committee) and trends.
6. Compliance and audit reports not already covered in item 5.
7. Other business, such as approving policy changes and large or exception credits that require Board approval per policy.

Aside from including a whole policy (with changes blacklined so a Board member doesn't have to search for them) or a credit package, I can't see why a Board package has to be more than 100 pages.

Executive recruiter Alan Kaplan recently wrote an article for Bank Director magazine titled What Makes Great Boards Great. His number one characteristic was quality dialog, debate, and discussion. With Board packages that are 300+ pages and agendas crammed with unfocused topics not directly related to Board responsibilities, how can there be quality dialog, debate, and discussion?

Especially since most directors don't have the time to read 300 pages for their upcoming Board meeting. So they sit in silence when they should be focusing on debate emanating from what is on page 262.

Do you think Board packages focus on the right things?

~ Jeff



Saturday, 16 April 2011

Enterprise-wide Risk Management (ERM): Yawn

I attended an industry presentation on ERM this past week put on by RSM McGladrey. The topic highly interested me, not because it is interesting, but because everybody is talking about it and there are differing opinions about what to do about it. What an opportunity for a non-audit, non-compliance, non-IT, and non-credit blogger to write about it!

First I would like to say that the McGladrey speaker really knew his stuff and was balanced. So often I hear commentary on ERM by advocates who think it is the next best thing to, say, online banking. Well, no it isn't. It is not likely to make your FI a lick of money. That said, here is my criterion for an ERM program:

"A successful ERM will result in reduced losses that exceed the investment made in the ERM program."
~ jeff for banks

Why else would an FI embark on ERM? If the investment in ERM exceeds the losses foregone, then don't invest in an ERM program. It's not worth the money. As community FIs, regulators force us to throw enough money down a black hole without us volunteering to do so.

But managing risk across organizational silos is highly fragmented in FIs. It makes sense to coordinate the effort in one area. Perhaps, as suggested by one attendee at the presentation, ERM could streamline risk management efforts to make reporting more relevant, less voluminous, and less labor intensive. If that were a by-product of ERM, then I'm in! I think your Board of Directors (Trustees for CUs) would appreciate reducing the size of the monthly Board reports used to monitor risk.

An organization's risk profile looks like the bubble chart below from McGladrey's presentation. But not all risks are equal. If we were to quantify risk across the industry, Credit Risk would rank at 10 for greatest risk (on a hypothetical scale of 1 to 10), but other significant risks such as Liquidity and Interest Rate Risk would be much lower (perhaps 4's). How would a non-audit, non-compliance, non-credit person develop a ranking system for risks?

Look at past experience to determine levels of risk. For example, perform a lookback over a meaningful sample period (perhaps 10 years, or at least one economic cycle) to identify where your FI actually lost money. A second criterion could be to query the personnel with the greatest knowledge of each risk to quantify the possible loss and the likely loss from it. Having developed such a discipline, the FI can then determine what resources, if any, should be dedicated to mitigating each risk, and rank the risks by expected loss rather than by how loudly someone worries about them.

The bubble chart above contains too many risk categories, since most categories have sub-risks. The McGladrey presenter mentioned having 20-25 risks worth monitoring and mitigating, although he was not married to that number. As ERM evolves, we have to guard against monitoring so many risks that the resulting processes are inefficient in their application and ineffective at preventing the risks that represent the greatest potential loss.

For example, I was evaluating processes in a client's deposit operations function where one of the ladies in the department sorted through a large stack of checks for two hours each day. I asked why she did it. She said the Bank had a check fraud about seven years ago, and therefore she had to manually review all checks over $5,000. I asked what a fraud might look like. She didn't seem clear. I asked how many she has prevented since the undertaking. She said none.

Here was an FI that allocates two employee hours per day to prevent a fraud that she probably would not recognize, let alone prevent. The investment in resources significantly outsized the risk. I put to you that this example will be all too familiar if we implement ERM without evaluating the size and likelihood of each risk. And processes, like government programs, last forever.
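The lookback-plus-estimate ranking described above and the check-review arithmetic in this story are really the same calculation: annualized expected loss per risk, compared against what each control costs every year. The following Python is an added example, not part of the original post or of McGladrey's material. Every figure in it (the ten-year loss history, the $30 loaded hourly rate, the 250 business days, the expert estimates) is constructed for illustration, and the names `Risk`, `Control`, `rank_risks` and `evaluate_control` are chosen here. It scores risks 1-10 relative to the largest one and flags a control whose annual cost exceeds the losses it could plausibly forego, which is exactly the test the manual check review in the story fails.

```python
"""Annualized-loss ranking and control cost/benefit check (added example).

All data below is constructed for illustration; nothing is taken from a
real institution.
"""
import math
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    annual_losses: list        # realized loss per year over the lookback window
    est_events_per_year: float # expert estimate: how often the loss event occurs
    est_loss_per_event: float  # expert estimate: likely loss when it does

    def historical_ale(self) -> float:
        """Annualized loss expectancy from the lookback (what actually happened)."""
        if not self.annual_losses:
            return 0.0
        return sum(self.annual_losses) / len(self.annual_losses)

    def estimated_ale(self) -> float:
        """Annualized loss expectancy from the people who know the risk best."""
        return self.est_events_per_year * self.est_loss_per_event

    def ale(self, history_weight: float = 0.5) -> float:
        """Blend of the two views; history_weight=1.0 trusts the lookback only."""
        return (history_weight * self.historical_ale()
                + (1.0 - history_weight) * self.estimated_ale())


@dataclass
class Control:
    name: str
    risk_name: str
    annual_cost: float
    loss_reduction: float  # fraction of the risk's ALE the control actually avoids (0..1)


def rank_risks(risks, history_weight: float = 0.5):
    """Return [(name, ale, score)] sorted by ALE descending.

    score is 1..10 scaled against the largest ALE, so the biggest risk is
    always a 10 and everything else is placed relative to it.
    """
    ales = {r.name: r.ale(history_weight) for r in risks}
    top = max(ales.values()) or 1.0
    ranked = sorted(ales.items(), key=lambda kv: kv[1], reverse=True)
    return [(name, ale, max(1, math.ceil(10 * ale / top))) for name, ale in ranked]


def evaluate_control(control: Control, risks, history_weight: float = 0.5) -> dict:
    """Compare a control's annual cost with the losses it forgoes."""
    risk = next(r for r in risks if r.name == control.risk_name)
    foregone = risk.ale(history_weight) * control.loss_reduction
    return {
        "control": control.name,
        "annual_cost": control.annual_cost,
        "loss_foregone": foregone,
        "net_benefit": foregone - control.annual_cost,
        "worth_keeping": foregone > control.annual_cost,
    }


# Constructed ten-year lookback for a hypothetical community FI (dollars).
RISKS = [
    Risk("Credit", [1.2e6, 0.8e6, 2.5e6, 4.0e6, 3.1e6, 1.5e6, 0.9e6, 0.6e6, 0.5e6, 0.7e6],
         est_events_per_year=1.0, est_loss_per_event=1.5e6),
    Risk("Interest rate", [0, 0, 0, 300e3, 0, 0, 0, 200e3, 0, 0],
         est_events_per_year=0.3, est_loss_per_event=500e3),
    Risk("Liquidity", [0] * 10, est_events_per_year=0.2, est_loss_per_event=400e3),
    # One $8,000 check fraud seven years ago and nothing since.
    Risk("Check fraud", [0, 0, 0, 8000, 0, 0, 0, 0, 0, 0],
         est_events_per_year=0.25, est_loss_per_event=6000),
]

# The manual review from the story: 2 hours/day, 250 business days, $30/hour loaded.
# loss_reduction=1.0 is deliberately generous; it assumes the review would catch
# every fraud, which the employee herself could not say it would.
CHECK_REVIEW = Control("Manual review of checks over $5,000", "Check fraud",
                       annual_cost=2 * 250 * 30.0, loss_reduction=1.0)
# A control aimed at the largest risk, for contrast (constructed cost and effect).
LOAN_REVIEW = Control("Independent loan review", "Credit",
                      annual_cost=120e3, loss_reduction=0.15)


if __name__ == "__main__":
    for name, ale, score in rank_risks(RISKS):
        print(f"{name:14s} ALE ${ale:>12,.0f}  score {score:2d}/10")
    for ctl in (CHECK_REVIEW, LOAN_REVIEW):
        r = evaluate_control(ctl, RISKS)
        verdict = "keep" if r["worth_keeping"] else "stop"
        print(f"{r['control']}: cost ${r['annual_cost']:,.0f}, "
              f"forgoes ${r['loss_foregone']:,.0f} -> {verdict}")
```

Run as a script it prints the ranking (Credit at 10, the rest at 1 on this constructed data) and shows the check review costing $15,000 a year to forgo roughly $1,150 of expected loss, while the loan review pays for itself. The `history_weight` knob is the practitioner's caveat: a risk with no realized losses in the window (liquidity here) is not a zero risk, so the expert estimate has to carry some weight, and the weight itself should be a documented decision rather than a default.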

This past economic cycle made clear that the single greatest risk FIs face is credit risk. I don't see this changing. Even FIs that failed due to liquidity had their woes start with credit risk, including the credit risk in the FI's investment portfolio. So let's not fool ourselves into thinking that somehow "employee fraud", or some other risk, ranks nearly as high.

But there are other risks that can have materially negative impacts on our business. So that a CEO and Board can efficiently and effectively monitor the greatest risks to the safety and soundness of the FI, consider implementing a well-thought-out ERM that is focused, efficient, and effective.

Any thoughts on what such an ERM program would look like?

~ Jeff