Relying on Washington for relief is probably not an airtight strategy. The federal government has not established a long history of reducing or even streamlining regulations. Only recently, with the arrival of the new administration, has regulatory relief for them been made a priority.
While smaller banks have taken the recent election as a sign that relief might be on the way, perhaps community bankers should rely on the people they can really trust to help them handle compliance: themselves.
Tailored ERM can save money and trouble
Not only a “best practice,” enterprise risk management is an absolute necessity and should be at the core of any sensible compliance and regulatory management program. A compliance program without an ERM focus will only lead to unnecessary expenditure, duplicative effort, and, more than likely, a much higher incidence of deficiencies.
Community banks will never have the resources that larger banks have, so they must think differently about ERM. A common pitfall of compliance managers is to design programs that address perceived incoming regulations, rather than tailoring programs to the bank’s actual business practices and risks.
Implementing a risk management program requires truly understanding your institution and addressing matters on a proactive, rather than a reactive, basis.
A reactive approach is ineffective at best and, more often than not, chaotic and wildly expensive.
Compliance systems that are not underpinned by an ERM program are often unable to provide strategic advice to an organization’s leaders, such as whether the organization is equipped to take on a new line of business. As a result, staff is always playing catch-up.
Lack of ERM leads to poor exam results
Without a thoughtful analysis of business operations and corresponding risks, designing a compliance management system can be an exercise in futility.
Banks often hire third parties to produce compliance manuals that are essentially factory pre-sets, and are not tailored to the actual risks of that specific institution. A more valuable exercise requires basing a compliance management system on the known risks of the institution so that appropriate, specific controls can be put in place.
Banks should place more emphasis on monitoring and mitigating their greatest risks. But this is difficult to accomplish if a financial institution has not carefully studied those risks in the first place.
Beyond wasting resources, ineffective ERM can result in potentially prolonged regulatory examinations and poor exam results. When a bank does not fully understand its own risks and cannot direct regulators to relevant areas, the examiners may choose to stay longer than usual. Examiners wind up poring over additional documents and conducting additional interviews. While much of this may prove superfluous, the worst result would be prolonged examinations combined with compilation of significant deficiencies.
So, establishing a sound ERM program is the easiest way for a community bank to help itself in this hazardous and dynamic regulatory climate.
ERM positively alters strategic direction
Searching for new and creative ways to enhance profitability is a must for community banks. Before launching a new lending program, for example, a bank should understand the regulatory and operational risks and should design a compliance management system that addresses those risks.
Unfortunately, as fundamental as this appears, many community banks don’t do this.
Rather, the business is launched. Then issues and problems arise along the way. These problems lead to greater expense and regulatory issues, which further complicate current and desired business practices and potentially harm the reputation of the institution with shareholders and investors.
The time to understand the risks and the necessary controls of a new line of business is before it is launched. Launching a new business line can be fairly straightforward if the preliminary work on ERM has already been undertaken and key data factors have been updated along the way.
A good Chief Compliance Officer or Chief Risk Officer with an effective program should be able to provide simple answers to the questions of whether a bank is currently equipped to launch a new business or product line, or whether additional controls or resources are needed.
If these answers are not readily available, something is wrong.
Put positively, ERM is an excellent way to turn what is often seen as a bothersome expenditure of time and money into a strategic advantage when it comes time to expand the business.
Sorting out responsibility: working with third parties
In order to get at the issue of establishing appropriate monitoring mechanisms and controls, first it is important to fully understand where the risks are—and whether any of them are being controlled in the first place. That is the first way a community bank can help itself.
However, foolish heroism is overrated. When it comes to third-party controls, the bank should not take on the burden of monitoring every risk, nor volunteer to establish every control, given resource limitations. This is especially true in the area of vendor management. Here, risk can be controlled through a thoughtful approach to reviewing and approving vendor agreements.
Many banks simply sign off on standard contracts provided by the vendor—this is a mistake. Vendor contracts can be one-sided, require the bank to undertake extra steps to monitor the vendor’s efforts, or otherwise impose additional cost or burden on the bank. The bank’s in-house or outside counsel can greatly reduce risk to the bank and free up resources by requiring vendors to provide certifications regarding their own internal compliance, risk management, and overall controls.
The burden should be on the vendor to provide routine information or certifications, which in turn the bank can rely on and provide to the examiners. While every circumstance is different and this is not always possible, banks should make every effort to ensure that vendor contracts are fair—and do not make life unduly complicated for their already overworked teams.
Self-help is the best help
Given the current political climate in Washington, one can rest assured that efforts to reduce regulatory burdens will face obstacles. In the meantime, community banks should use the same instincts that have kept them going through the last difficult decade—they should bring into play effective strategies to address risk and preserve resources, and apply the ingenuity that has kept them going these many years.
America needs its community banks more than ever. However, self-help is critical going forward. Twenty-first century approaches to risk identification and management, and to vendor contracts and oversight, and a thoughtful approach to establishing a compliance management system will serve these vital institutions well in years to come.
About the authors
Don Andrews is a partner in Venable's Corporate Group in the New York office, and co-leads the effort in Compliance and Risk Management. Jonathan King is an associate in the Commercial Litigation practice group in New York. For more information, visit www.venable.com.