By Walt Williams
Chief compliance and chief risk officers often struggle with presenting the right information when drafting reports for their bank committees and boards. One solution that many settle on is to share a little of everything. But that approach often means that critical insights are lost amid the deluge of data, and it leaves boards in a poor place when making decisions that drive the fate of the bank.
Instead, the adage “less is more” is the best advice when drafting reports. Rather than focusing on metrics, compliance and risk officers need to be thinking about what messages they seek to communicate with the data they have.
“We’ve got a ton of information and information overload is what we talk about now,” says Bill Tucker, CRCM, CAFP, CERP, chief compliance officer at First Carolina Bank. “We have to transcend that and somehow get this to the point of insight so the right kinds of decisions can be made and action can be driven. You need to tell a story, so you need to take a lot of things and boil them down to a place where you’re really sending a message, not just doing a data dump.”
Risk management is probably the most difficult thing to address in board reporting because, unlike other aspects of the bank, it is not dependent on financial or employee performance, which you can capture numerically, says Craig Brown, managing director of business advisory at Huron.
“Risk management is based on assessments — top and emerging risks and deficiencies,” Brown says. “There are elements that are quantifiable, whether there are credit risk trends, operational losses, liquidity or capital, but most of the areas are not. That really leads up to where the challenges occur.”
In his former life as a banker, Brown says he saw reports 500 to 600 pages long delivered to the bank’s risk management committee, and he has since seen reports weighing in at over 1,000 pages. That much information is simply not digestible in the few days that most committee and board members have to review the materials presented to them.
“Board members have a fiduciary responsibility,” he says. “When they’re inundated with information that you don’t believe to be critical, you’re exposing them to legal risk, simply because it was given to them and they reviewed it. And there might be something that’s very small in that period of time that you don’t think as a risk manager is important, but now that you put it in there, you have put the board member on the hook for knowing that information. Down the road that may become a big issue.”
The adage “less is more” is the best advice when drafting reports. Rather than focusing on metrics, compliance and risk officers need to be thinking about what messages they seek to communicate with the data they have.
Use clear language
A key challenge in board reporting is communication, not just with the board but with the other divisions in the bank.
“It doesn’t matter the size of the bank or how sophisticated it is, I ran into this everywhere: Terminology is just muddled,” Tucker says. “We play a critical part in helping clarify what is risk appetite, what is risk profile, what is risk metrics [and] what is risk tolerance. And if you’re not speaking a clear language, we can’t expect somebody to hear and understand it.”
Take a word like “account,” Tucker adds. “If you say ‘account’ to someone on the front line, they think ‘customer.’ If you say that to someone in operations, they’re thinking ‘product.’ If you say that to someone in finance, they are thinking of ‘general ledger.’ We have to be really clear about what we’re saying or otherwise our reporting up to the board is not going to be what it needs to be.”
Krysti Cunningham, CRCM, CERP, SVP and chief risk officer at Security National Bank of Omaha, also emphasizes the need to avoid confusing terminology when speaking to the various bank departments. During a panel discussion on board reporting with Tucker at the ABA Risk and Compliance Conference in June, she instead advocated for a more conversational approach.
“Talk to your business units … and say, ‘Okay, what’s keeping you up at night? How far are we willing to go?’” she says. “And then you can put that into a simple phrase: ‘This is what our risk appetite is, and these are the metrics we’re going to use.’”
Keep metrics relevant
That communication should lead to clear, concise metrics that define a report’s key performance indicators and key risk indicators. The former is looking backward, the latter forward. And risk indicators need to evolve.
“I think about things like last year with liquidity,” Cunningham says. “We had to make some changes there on how we were looking at some of those metrics. Whoever thought social media would become a key risk? We’re adjusting to the environment around us. And sometimes you have to talk to your management and your business units and ask: So this has changed. What are we doing and how are we going to tell the board?”
Also, compliance and risk officers need to remember that board members are not their only audience, according to Brown.
“I don’t think people are always aware of the fact that all of the board materials are provided to your regulators,” he says. “When they start seeing stale information, even though they may have the minutes and you may have discussed it, the regulator reads the minutes but then reads the report, and two weeks later they’re going to say, ‘Well, this has been unchanged for months now. They’re not matching the risk.’”
When reporting risks, they should be ordered from most impactful to least impactful to the organization, Brown says. The commentary should be plainly written, explaining why something is a risk, the potential outcomes of that risk, what changes have occurred with it and what is being done to mitigate it. And the report needs to be tailored to be tailored to the risks of your bank.
“Simply because it worked elsewhere doesn’t mean it is going to work for your bank. Remember who your audience is,” he says. “They’re responsible for strategy and risk appetite. So all of your reporting should be geared towards explaining why we’re operating within the risk appetite and why we’re operating consistently with our strategy.”
Mistakes to avoid
Failing to provide those explanations can result in a lack of reverence for the target audience, which Cunningham sees as a common mistake in many reports. Risk and compliance officers can provide great information, but if a report does not make clear how those data points could affect the bank, then it may not prove useful for board members.
“Let’s tone it down and figure out how that impacts the strategic objective — where the bank wants to be going,” she says. “What are the key things they want to accomplish in the next three to five years?”
Another common mistake is complacency. It may be tempting to just take last quarter’s report, change the dates and submit that, given already busy workloads for risk and compliance officers, Tucker says.
“I never want to have a report coming from me going to the executive manager on the board that simply has the date changed,” he says. “Even if the message is the same, think of the difference in how I say it, and then what’s changed behind it that could cause the message to change.
“I think that is the forward-looking view,” Tucker adds. “What are the drivers behind [the bank’s] good performance, and where are the soft spots in that? Where are the things that could be wrong? How significant are those? They may not yet warrant escalation up to an executive management or board report, but it’ll give you an indicator of the things I need to watch.”
Walt Williams is a senior editor at the ABA Banking Journal.
Keep your bank directors informed on industry trends — in just six pages, six times a year! Subscribe to ABA Banking Journal Directors Briefing at aba.com/directorsbriefing.
