By Monica C. Meinert
Ask any five bankers to define what risk management means to them, and you’ll likely hear five distinctly different answers. But the one thing that bankers can agree on is that regulatory focus is increasing around enterprise risk management, and regulators are expecting banks of all asset sizes to have a framework in place for assessing and monitoring risk across the entire organization.
“The whole concept of enterprise risk management continues to be pushed down to smaller and smaller institutions, and it certainly applies to anyone that’s crossed that $1 billion threshold,” observes Charles Umberger, who is EVP and chief lending officer with Waynesville, N.C.-based Entegra Bank.
Umberger’s perspective on enterprise risk management is unique; in the past decade, he’s gone through both the de novo process and an acquisition that took the bank past the $1 billion mark. As then-president and CEO of Old Town Bank, a North Carolina de novo founded in 2007, Umberger recalls that enterprise risk management was a key priority for regulators as part of the de novo process.
“In order to graduate from de novo, the FDIC required us to have a very comprehensive risk management plan. It focused a lot on IT, and to some degree, BSA/AML—those two areas seemed to get a significant amount of focus,” he says.
Old Town was acquired by Entegra in 2016, a transaction that took the acquiring bank over the $1 billion threshold. Now, he says, “there’s much more formality” when it comes to risk management.
For smaller institutions, regulatory focus on ERM is still in the early stages. “It depends a lot on size and structure,” notes Luanne Cundiff, president and CEO of First State Bank of St. Charles, a $350 million institution based in St. Charles, Mo. She recalls how, when discussions first began in earnest about enterprise risk management several years ago, many vendors began quickly pushing banks to invest in various risk monitoring systems.
“When that happens, we as bankers sometimes think, ‘Oh my gosh, what am I missing?’ and an alarm goes off,” she says. “But then the examiners come in and tell us to just be practical. You don’t have to buy some elaborate system; you just need a program with procedures designed around the risk structure of your bank.”
But regardless of size, regulators do expect to see something in the way of a formal, documented risk management program, says Annette Russell, CEO of Security Federal Savings Bank, a $210 million mutual headquartered in Logansport, Ind.
Given its size, Security Federal chose to develop its own internal risk management program, rather than using a vendor. (Russell herself chairs the bank’s risk management committee.) “We’ve developed a dashboard that really reflects our policy limits and some of the strategies taken out of our long-term strategic plan,” she says. “If there’s an area like an asset-quality ratio, for example, that may be outside of what we say is our acceptable tolerance range, then we are required to have an action plan to give to the board.”
Russell adds that the bank also holds a meeting at least once a year with the bank’s internal risk management committee and the audit committee. It’s an opportunity to “reeducate the audit committee on the process of new product development, our existing products, all the way through vendor management, and to re-evaluate our tolerance limits that we’ve set.”
Like Russell, Cundiff says her bank also meets annually with the entire board and senior management to discuss the bank’s risk management practices. Each department head is responsible for coming up with a risk management plan for the next year and presents it to the board as part of the meeting. “It provides the review needed to assess our risk tolerance and validate our ability to operate within those parameters,” she says. “It provides board education, [and] it helps the employees understand that this is an important element of the bank.”
The CEOs all agree that having buy-in from bank employees and the bank board is an important part of a successful enterprise risk management program.
“We try to do [ERM] from a top-down perspective, but we also look at what happens from the bottom up and try to meet in the middle,” says Bryan Luke, president and COO of Hawaii National Bank in Honolulu. “We want to be able to understand what our employees’ wants and needs are, but set the tone from the beginning.”
“It always takes a little longer to get everyone to do something different, but when they see where you’re going with it, it becomes a lot easier,” he adds. “You have a couple strong core values and core common goals, and then everything you do should move in that direction.”
One particular challenge for Hawaii National recently has been how to effectively balance increasing compliance and risk management requirements with the customer experience, Luke notes. With so much emphasis now placed on customer due diligence and data security, “it seems like we’re making it more and more difficult for our customers to even open an account, but they’re expecting an easier and easier experience,” he says. “That challenges us every day, with every person that comes into the office and every account we open—how do we open it in a manner that will enhance the customer experience, while being more secure?”
Russell agrees that increasing compliance expectations have affected her staff’s ability to help find solutions for bank customers. “We have a very strong compliance culture, but it also impacts our employees’ ability to provide flexibility to our customers, because they are so afraid to deviate from our bank policies,” she says. “It’s difficult for our managers to give them some leeway to make judgement calls in order to better serve their customers.”
And Bryan Bruns, president and CEO of Lake Central Bank, a $133 million institution in Annandale, Minn., says that he’s concerned that heavier compliance requirements and new rules governing bank products and services are ultimately leading to fewer choices for consumers. “We can’t handle the liability risk if it comes down on us,” he explains, citing rules like the Department of Labor’s final fiduciary rule, which have caused banks to reevaluate their product and services offerings and, in some cases, exit business lines altogether.
But Bruns says he’s also optimistic that community bankers will continue to find ways to work through regulations and meet their customers’ needs. “I tell people all the time, bankers are first entrepreneurs. We’re business people. Tell me the rules, and I can tell you how I can run the bank—just quit changing the rules all the time.”