The twitch you need to heed

Have you got a twitch?

Not literally. But if you are a CEO, board member, a risk manager, or a compliance officer, you might be getting twitchy, either directly, or because of someone to whom you report. Amy Downey, U.S. banking and regulatory expert at Wolters Kluwer, quotes a client who described the condition:

“It’s like my board members and my senior management almost have a Twitter anxiety. I’m constantly getting short messages based on what they’re reading in the news. ‘Do we offer this product?’ and other questions like that. It’s a complete change. They want assurance from the Compliance Department that our bank won’t be the next headline.”

The old saw says that just because you’re paranoid, it doesn’t mean that everyone isn’t out to get you. David Baris, executive director of the American Association of Bank Directors, puts it simply: “Boards are expected to be more proactive in risk management.”

William Isaac, veteran consultant, former FDIC chairman, and now nonexecutive chairman at Fifth Third Bancorp, diagnoses the condition behind the symptoms: “Today the stakes are much higher. If you don’t get compliance right, you wind up in the penalty box with the regulators and you can’t keep your franchise fresh.”

Regulatory risk ranks higher than ever, Isaac continues, with the Consumer Financial Protection Bureau behind much, but not all, of that rise. “Nobody even knows all the questions that they should ask,” says Jeremiah Buckley, founding partner at Buckley Sandler LLP. “That’s because CFPB is making it up as they go along.”

“You need to look at the whole spectrum of risk today,” says Andrew Hove, currently a board member at Great Western Bank and a veteran regional and community bank board member and former FDIC vice-chairman. “Nor can you look at risk in silos, without looking across them all.”

If boards and managements—and the people who work for them—are twitchy, they have a right to be. The evolution of banking has taken all players far beyond old job descriptions. Isaac recalls that when he was at FDIC, many of the risks routinely contemplated today didn’t exist, or were embryonic.

“If you paid any attention at all to managing risk,” says Isaac, “it was difficult to get into serious trouble.” Not that there weren’t failures, and some big ones, years ago, but trouble came in two main flavors, asset risk and liquidity risk, chiefly a matter of endangered core funding.

And sometimes even the savviest risk manager couldn’t see it coming. Isaac recalls the carnage left by Paul Volcker’s Federal Reserve campaign against inflation, in the 1980s.

“Who would have forecast a 21% prime interest rate in their business plan?” says Isaac.

In more recent times, risk management was far from foolproof. Hove notes that the financial crisis saw institutions hurt by investment in iffy securitizations, but adds that even community banks invested in more straightforward choices suffered when those instruments got caught in big market ripples.

As a result, board members, consultants, and other experts interviewed see the nation’s bank directors moving towards a more proactive attitude towards compliance, regulatory risk, indeed, all forms of risk management. “It is all-consuming,” says Isaac.

“In days past you could get away with a reactive, uninvolved approach,” says Mark Olson, co-chairman at Treliant Risk Advisors, and a former Federal Reserve Board Governor, “but now that’s pretty dangerous. You can’t wait for the examiners to tell you that you’ve made a mistake, because by then it’s too late.”

The result, says Treliant’s other co-chairman, Jo Ann Barefoot, is that bank directors could face “spending more than they can afford or risking more than the bank can afford.”

Handling governance tension

So, it’s no surprise folks are “twittery.” Compounding this situation is that the relationship between board and management—not intended to be cozy—has been chilled. “Many boards have been through regulatory difficulty that has required them to distance themselves from management,” Barefoot explains. “They’ve been required to assess management, and have had regulatory orders to carry out. That can put some strain on the board-management relationship.”

While proactive governance naturally focuses on hot items, experts say it touches on much that may not seem “hot.” Overall, a picture emerges where compliance, risk management, corporate culture, strategic planning, mergers and acquisitions, fairness, and reputation issues converge.

“Governance is coming to be about compliance, fairness, and stewardship,” says Lawrence Cunningham, professor and governance expert at George Washington University Law School. “We are in the midst of a shift in the culture of the boardroom,” says Cunningham, co-author, with “Hank” Greenberg, of The AIG Story. Often, debates aren’t even about the direct interests of shareholders—though without attention to the big picture, their interests won’t be served, either.

Regulatory challenge needn’t bite

Proactive governance need not be accompanied by jitters, to Richard Riese’s thinking. Riese, former federal regulator and director of ABA’s Center for Regulatory Compliance, says “governance has always had to have a forward-looking element to it.” Riese compares the challenge to flying an airplane. The pilot (the board and management) has a dashboard full of instruments to consult, but there is also the view out the windshield to consider. Regulators tend to consult the “instruments” of a bank—all the reports and records—but governance demands consultation of radar and use of the eyes, and judgment.

In a sense, to build on Riese’s analogy, the pilot has to be able to fly through buffeting winds and worse. “The challenge,” he says, “is that with industry change happening so quickly, and in such quantity, how can boards do something that would be efficient in anticipation of more of it?”

Answering his own question, Riese says boards must look past the incremental changes—continual new rules and regulations arising from Dodd-Frank, for instance—and get a sense of where things are leading. Any time board members can take a leap over the incremental to understanding of the end of that stage, says Riese, represents an advantage.

One natural conclusion to draw from current increments, for instance, is that concern for the customer rules. While that certainly is not an alien concept to bankers or their boards, it deserves renewed emphasis. “Without customers, there is no bank, no franchise value,” says Riese. “So we all have a reason to serve people well. Indeed, banks compete for the privilege.”

In the past, compliance often received short shrift at the board level, but now more directors “get” compliance. The other side of the relationship, Riese adds, is that compliance officers need to learn to educate and warn. “Boards have a strength in that they understand risk,” he explains. “They only have so much time. Compliance staff must find ways to communicate that resonate with board members. Give the board insights”—not minutiae—“because directors have to grapple with things quickly.”

In a February speech, Fed Governor Sarah Bloom Raskin suggested that boards might do well to anticipate reputational risk issues. “Managing reputational risk is largely reactive rather than proactive,” said Raskin. “Banks and examiners tend to focus their energies on handling the threats to their reputations that have already surfaced. This is not risk management; it is crisis management—a reactive approach aimed at limiting the damage.”

Much as talk like that may keep chief risk officers up at night—remember what we said earlier about paranoia—many interviewed felt that reputational risk is a derivative risk, one that arises when you’ve blown some other risk category. Many reputational issues’ roots are in operational risk, points out director Andrew Hove.

Adds Downey of Wolters Kluwer, recalling her days in banking: “We never sat down in a room and said, ‘Let’s create something bad for consumers’.”

Caught in the squeeze

Nevertheless, regulatory risk presents itself, and not just from regulators. Lawyer Jeremiah Buckley says banks face a “pincer” threat in consumer lending, with the Department of Justice and regulators that make referrals to it watching banks for fair-lending violations. Meanwhile, the threat looms of violating UDAAP—Unfair, Deceptive, or Abusive Acts or Practices. Banks don’t want to deny people credit, yet fear being accused of taking advantage of them, on the other hand, in granting it, says Buckley.

To take the long view, David Baris, also a Buckley partner, believes boards must task someone in management to keep up with not only regulations and proposals, but with the published speeches of regulatory officials. They are stuffed with agency viewpoints and Baris says close attention “will identify trends and thoughts early.”

“You can’t fully control regulatory risk,” says Baris. “But you can understand it, and fully anticipate some of it.”

Treliant’s Jo Ann Barefoot says boards must also understand something they won’t find in a government bulletin: “The regulatory process has become increasingly subjective and aggressive at the same time. There is a heightened trend of examiner and supervisory judgment. And it’s seen strongly in the compliance area.”

At a minimum, advises Treliant’s Mark Olson, boards must give management sufficient resources to demonstrate commitment to compliance and risk management. Lack thereof stands out from day one of exams, he warns: “Those who give that signal,” says Olson, “invite greater scrutiny.”

Governance beyond regs

“You can’t spend all of your time on the squeaky wheel,” says Fifth Third’s Isaac. “You have to be sure all the bank’s wheels are turning.”

Isaac’s point is that some risks dominate to the potential detriment of other important issues. “There’s a lot of focus on Basel III and stress testing and such,” Isaac says, “and while not to say that these issues aren’t important, they have grown out of proportion to their importance.”

Items from the regulators’ official risk lists aren’t the only things that Isaac sees escaping boards’ attention if they focus too much on regulatory worries. “Not understanding and not meeting customer expectations is a big risk,” says Isaac. While the risk of cybersecurity breaches ranks high, he adds, “the risk that technology is going to pass you by is also a big risk.” Isaac says boards risk spending so much time on regulatory and compliance issues that insufficient time and energy remain to handle business and strategy—“running the bank properly.”

Yet separating the categories isn’t always simple. Regulatory risk issues don’t just matter inside a bank’s own walls. Increasingly, says Paul Osborne, partner at Crowe Horwath LLP, potential acquirers delve into a target or partner’s compliance record. Having a record of significant violations “is a deal breaker,” says Osborne.  And a poor record in fair lending or in Community Reinvestment Act performance leads to regulatory brakes on shifts in strategy, says lawyer Jerry Buckley.

Beyond the actual compliance record, culture looms as a key factor. Some call it “tone from the top.” Culture takes in many things, among them, risk appetites and risk tolerances, two sides of the same coin.

Promontory Financial Group Managing Director Michael Patriarca believes culture has been an overlooked issue for many boards, especially in the wake of past waves of consolidation. Patriarca, a veteran national bank regulator who also worked at Wells Fargo before becoming a consultant, fears that some institutions have lost a unifying culture as a result of mergers. Pointing to one megabank’s long chain of formative combinations, including forebears with very different cultures, he observes, “Consolidation has had a muddling effect.”

Patriarca believes that boards should pay more attention to this than they have, because much of how a bank can address current and future challenges hinges on culture. Management and staff may have state-of-the-art toolsets to handle compliance, risk, and more, he points out, but the collective attitude set behind those tools plays a big part.

Good fit can’t be overemphasized, according to Patriarca. “People want to be proud of the place where they work,” he says, “because they are identified with it. To the extent that they are proud of it, they’ll do better there.”

Proactive = micromanage?

The classic board adage is “nose in, fingers out.” But can a board be proactive today without micromanaging? Opinions differ.

Nebraskan Andrew Hove points to the “Wizard of Omaha” as proof it can be done. “Warren Buffet controls a tremendous amount of businesses,” says Hove, “but he has good managers in place, and he lets them operate things.” Bill Isaac says “we have a very active board at Fifth Third, and my job is to focus on broad governance and the CEO’s job is to run the bank.” Isaac says “active” is the key word there. “Failed banks almost always have a dominant CEO and a weak and compliant board,” he says. “The board’s proper role is to oversee and to challenge assumptions.”

Crowe’s Osborne sees proactive board service as verging on micromanagement at times, “but it’s also risk management. You want to manage risk to the overall organization.”

Board expert David Baris says that “strategic planning, a key role of boards, and proactive governance are interwoven.” A good way to keep the board involved without micromanaging, he adds, is to ensure frequent communication from the chief risk officer.

“The CRO should discuss what issues are keeping him up at night,” says Baris. (A bank CRO shares views on p. 14.)

An odd middle ground arises when the posts of chairman and CEO exist in the same individual—witness the heavy debate over J.P. Morgan Chase. Treliant’s Mark Olson points to the value of a having a lead director as a means of offsetting potential troubles with combining the roles, though he’s seen examples of strong organizations both where the chairman and CEO posts are separated as where they are combined. Governance expert Lawrence Cunningham sees the empowerment of outside directors, through Sarbanes-Oxley and subsequent evolution, as critical.

Wolters Kluwer’s Amy Downey suggests that there’s enough work  here to go around to all parties—board, top management, risk management, compliance, and more: “You need everybody’s eyes open to what’s going on.”