April 7, 2017 | Fund Forum

Enterprise Risk Management in Community Banks: A Self-Help Guide

7 min

Community banks have learned over the past decade to take steps to help themselves. Amid the economic crisis and resulting regulatory firestorm of Dodd-Frank, banks that survived did so through a combination of consolidation, creative business plans, and basic ingenuity. It is probably not an airtight strategy to rely on relief from Washington, which has not established a long history of reducing or even streamlining regulations. The message sent to community banks has been more and more regulation, and only recently has the new administration made regulatory relief a higher priority.

Still, while smaller banks have taken the recent election as a sign that relief might be on the way, it is perhaps better for community banks to rely on the people they can really trust: themselves. Because community banks will never have the resources that their larger cousins have, enterprise risk management (ERM) must be thought of in a different way. ERM is not only a "best practice"; it is an absolute necessity and should be at the core of any sensible compliance program. A compliance program without an ERM focus will only lead to unnecessary expenditure, duplicative effort, and more than likely a much higher incidence of deficiencies.

A common pitfall of compliance managers is to design programs that address perceived incoming regulations, rather than tailoring programs to the actual business practices and risks of the financial institution. Implementing a risk management program is about truly understanding your institution and addressing matters on a proactive rather than a reactive basis. A reactive approach is ineffective at best and, more often than not, chaotic and wildly expensive. Compliance systems that are not underpinned by an ERM program are often unable to provide strategic advice to an organization's leaders, such as whether the organization is equipped to take on a new line of business. They are always playing catch-up.

Lack of ERM leads to poor examination results

Without a thoughtful analysis of business operations and corresponding risks, designing a compliance management system can be an exercise in futility. Banks often hire third parties to produce compliance manuals that are factory pre-sets, and are not tailored to the actual risks of a given institution. A more valuable exercise requires basing a compliance management system on the known risks of the institution so that appropriate controls can be put in place.

Moreover, given the limited resources that most community banks have in the Legal and Compliance area, controls, processes, policies, and procedures should be narrowly tailored to the risks of a given bank.1 A common result of not having sensible procedures is the expenditure of vital resources on areas that are not germane to the compliance management program, leaving little bandwidth to address more vital concerns. Banks should place more emphasis on monitoring and mitigating their greatest risks. But this is difficult to accomplish if a financial institution has not carefully studied its risks in the first place. Rather than wasting time and money on poorly designed or boilerplate ERM programs, banks should roll up their sleeves and identify their true critical risks.

Beyond wasting a bank's resources, ineffective ERM can result in potentially poor examination results and prolonged regulatory examinations. If the examiners sense that a bank is not acutely aware of its own risks, they may choose to extend their visit and stay a bit longer than usual. This becomes a real danger when a bank does not fully understand its own risks and cannot direct regulators to relevant areas. Examiners, through no fault of their own, wind up poring over additional documents and setting up additional interviews, much of which might be superfluous. What may result is the worst of all possible worlds: prolonged examinations combined with significant deficiencies.

In short, failing to spend the necessary time and effort on developing an underlying ERM program is perilous to the health of a bank and creates additional risks and costs that are not easily controllable. Establishing a sound ERM program is the easiest way for a community bank to help itself in this hazardous and dynamic regulatory climate.

ERM Positively Alters Strategic Direction

Searching for new and creative ways to enhance profitability is a must for community banks. Before launching a new lending program, for example, a bank should understand the regulatory and operational risks and should design a compliance management system that addresses those risks. Unfortunately, as fundamental as this appears, this is not always done by many community banks. Rather, the business is launched and issues and problems are discovered along the way. These problems lead to greater expense and regulatory issues, which further complicate current and desired business practices and potentially harm the reputation of the institution with shareholders and investors.

The time to understand the risks and the necessary controls of a new line of business is before it is launched. Launching a new business line can be fairly straightforward if the preliminary work on ERM has already been undertaken and key data factors have been updated along the way. A good CCO or CRO with an effective program should be able to provide simple answers to the questions of whether a bank is currently equipped to launch a new business or product line, or whether additional controls or resources are needed. If these answers are not readily discernible, something is wrong. Put positively, ERM is an excellent way to turn what is often seen as a bothersome expenditure of time and money into a strategic advantage when it comes time to expand the business.

Sorting Out Responsibility: Third-Party Responsibility

In order to get at the issue of establishing appropriate monitoring mechanisms and controls, first it is important to fully understand where the risks are—and whether any of them are being controlled in the first place. That is the first way a community bank can help itself. However, foolish heroism is overrated. When it comes to third-party controls, the bank should not take on the burden of monitoring every risk, nor volunteer to establish every control, given resource limitations. This is especially true in the area of vendor management, and can be controlled through a thoughtful approach to reviewing and approving vendor agreements.

Many banks simply sign off on standard contracts provided by the vendor—this is a mistake. Vendor contracts can be one-sided, require the bank to undertake extra steps to monitor the vendor's efforts, or otherwise impose additional cost or burden on the bank. The bank's in-house or outside counsel can greatly reduce risk to the bank and free up resources by requiring vendors to provide certifications regarding their own internal compliance, risk management, and overall controls. There should be a burden on the vendor to provide routine information or certifications, which in turn the bank can rely on and provide to the examiners. While every circumstance is different and this is not always possible, banks should make every effort to ensure that vendor contracts are fair and do not make life unduly complicated for their already overworked teams.

Self-Help is the Best Help

We should keep in mind that drastic regulatory reform is not the sort of thing that usually emanates from Washington. Those of us who were waiting for regulatory simplification shortly after the turn of the century are still waiting. Given the current political climate in Washington, one can rest assured that such efforts will face their share of obstacles. In the meantime, community banks should use the same instincts that have kept them going through the last difficult decades—they should bring into play effective strategies to address risk and preserve resources, and apply the ingenuity that has kept them going these many years. America needs its community banks more than ever, and they no doubt are committed to serving their communities throughout the country. However, self-help is critical going forward. Twenty-first century approaches to risk identification and management, and to vendor contracts and oversight, and a thoughtful approach to establishing a compliance management system will serve these vital institutions well in years to come.

[1] See, e.g., Hester Peirce et al., How Are Small Banks Faring Under Dodd-Frank? 30-36, Mercatus Center, George Mason University, Working Paper No. 14-05, Feb. 2014, available at https://www.mercatus.org/system/files/Peirce_SmallBankSurvey_v1.pdf. In one survey of more than 200 banks across 41 states, 90 percent of responding banks stated that compliance costs increased since the passage of Dodd-Frank, with more than 80 percent reporting increases of more than 5 percent. The median number of compliance staff for the small banks participating in the survey increased from one to two employees.