By Grace Brasington and Lynn Woosley
(Originally published in ABA Risk and Compliance, July/August 2024)
In today’s regulatory environment, bank directors have extensive accountability and responsibility for ensuring safe and sound operations by overseeing the bank’s activities, providing credible challenge to management, holding management accountable, and ensuring the institution meets community credit needs.[i], [ii] This is especially true of outside directors, whose independence gives them an increasingly important role in oversight and performance assessment.[iii] To do their jobs well, bank directors need information regarding bank operations, strategies, opportunities, and threats. Risk and compliance professionals can support the board by providing robust risk reporting for inclusion in board meeting materials.
When developing board reporting, financial services professionals need to remember three things:
- What is the Board’s role?
- What does the Board need to know?
- What does the Board need to do?
The Role of The Board
The role of the Board is significant today. Responsibilities include providing guidance, overseeing strategy, serving on various committees, recruiting new members, attending periodic meetings, and ensuring the organization has adequate resources to fulfill its objectives. The Board has a fiduciary responsibility to the shareholders and must provide effective challenge to management.
Board members are also responsible for appointing the Chief Executive Officer (CEO), evaluating the CEO’s performance, setting executive compensation, and planning for succession. In some institutions, the Board may select or approve other top executives. The Board must hold senior management accountable for implementation of the bank’s strategy, maintaining an effective risk management framework consistent with the risk appetite, and operating in a manner that is consistent with safety and soundness and in compliance with laws and regulations.[iv]
While developing board reporting materials, staff must remember that the Board of Directors is responsible for oversight and governance, not the day-to-day operations of the bank. Directors rely on board packages to provide critical updates on key issues. Focused, concise, fact-based presentations will provide the information the Board needs without overwhelming the directors with minutiae. Materials should contain enough information for the Directors to form questions about the topics being discussed. If the materials are too detailed and difficult to understand, the Directors’ ability to perform their obligations and provide effective challenge in their oversight role suffers. The days of 1000-page Board packages should be over, as it is impossible to review that much material in preparation for these discussions. Remember, time is scarce, so it is important to put the most important points at the beginning.
Directors are typically required to meet monthly (sometimes virtually) and quarterly for in-person meetings. Directors are also responsible for participating in one or more committees. Participation in these meetings is critical to ensuring the appropriate oversight activities.
What Does The Board Need to Know?
Second, what does the Board need to know? The Board’s information needs can be divided into three components: what is going right, what is going wrong, and other important information. Board reports should be tailored to address the specific concerns facing the institution, its risks and opportunities, and performance indicators related to strategic priorities and the Board’s priorities. Board packages should offer strategic insights, including industry trends, competitive dynamics, and emerging opportunities.
To determine what is going right and wrong, consider information from first-, second-, and third-line monitoring, testing, and audit reports. Performance metrics should cover all risk areas. Typical information includes newly identified issues from quality control testing, second-line monitoring, audit findings, and other independent reviews, as well as remediation updates on previously identified issues. Examination findings and associated action plans should also be reported to the Board. Breaches of limits and variances from projections and goals help the Board understand risk levels and trends.
Financial Update Materials
The first item in many board packages is the financial update. Directors need to be aware of financial performance and trends. Board members may wish to review essential financial metrics such as return on assets (“ROA”), return on equity (“ROE”), net interest margin (“NIM”), overhead measures, the efficiency ratio, cost of funds, yields on loans and securities, pricing and profitability reports, and growth rates of assets, loans, deposits, and equity. Information from Uniform Bank Performance Reports (“UBPR”) may provide meaningful context for assessing performance against peers.[v] National banks may find that the CANARY reports prepared by the Office of the Comptroller of the Currency (“OCC”) also contain useful information.[vi] In addition, directors should be briefed on future performance projections and the impact of changing economic conditions.
Financial statements and UBPR data also give insight into asset quality. Key metrics include credit and counterparty concentrations, loan growth rates, and changes in portfolio mix. Adequacy of reserves can be measured by metrics such as the ratios of criticized and classified assets to Tier 1 capital plus reserves or reserves to total loans and leases. Discussions of credit and investment risk should also include metrics related to policy exceptions, limits and limit breaches, stress testing results, loan and investment risk ratings, risk layering, and renegotiated or restructured debt.
Board reporting should also include capital and funding information. To provide governance over capital, Board members should be aware of capital ratios, dividends to net income, stress test results, and plans. Considering recent liquidity-related bank failures, the Board may be particularly interested in measures of liquidity risk, such as net non-core funding dependency, loan-to-deposit ratio, liquid asset coverage ratio, liquidity coverage ratio, and the ratio of short-term assets to short-term liabilities. Contingency funding plans and results of scenario analyses and contingency funding tests will also be of interest. Interest rate risk metrics might include investment portfolio duration and depreciation, and ratios of long-term assets to total assets, residential real estate loans to total assets, and non-maturity deposits to long-term assets.
Financial Crimes
A perennial risk area is financial crimes compliance. The Board is responsible for ensuring the bank complies with the Bank Secrecy Act (“BSA”), other anti-money laundering (“AML”) requirements, Office of Foreign Assets Control (“OFAC”) requirements, and terrorist financing requirements, including designation of a qualified BSA officer. The BSA officer should report regularly to the Board on ongoing compliance efforts, risk exposures, issue remediation, and the overall status of the BSA/AML compliance program, including the effectiveness of the customer identification program. Such reporting should include metrics related to suspicious activity alerts, suspicious activity report (“SAR”) filings and their timeliness, currency transaction reports (“CTRs”) and CTR exemptions, risk assessment results, staffing adequacy, and audit findings. Directors should receive information regarding higher-risk customers, geographies, products, and services. In addition, board reporting should include measures of fraud risk, losses, and investigations; ACH and wire activity; chargeback reports; and security incident reports.
According to the World Economic Forum, global data breaches increased by 72 percent in 2023 over the previous record set in 2022, and further increases are expected in 2024.[vii] The International Monetary Fund identifies rising cyber risks as a serious threat to financial stability.[viii] Many predict that the exponential growth of artificial intelligence will further increase both cyber and privacy risks. In addition, 15 states have passed privacy legislation and 18 have bills under active consideration. As a result, board materials must contain sufficient information for the directors to provide oversight and governance of cybersecurity, information systems, and privacy risks. Such information might include policies governing information technology, information security, and cybersecurity; business continuity and disaster recovery plans; penetration testing results; and system vulnerability assessments. In addition, directors should be briefed on system obsolescence and the status of vulnerability and maintenance patching programs.
Compliance Risk
Results of compliance risk assessments, monitoring, and testing should also be reported to the Board. This includes changes in risk levels or trends, quality control findings, second-line monitoring and testing results, audit issues, and examination findings, as well as the status of any corrective actions or remediations to resolve issues identified by testing, oversight, or assurance functions. Given the intense regulatory focus on fair lending, banks should ensure board materials adequately cover the results of fair lending risk assessments and monitoring activities for each group of fair lending risk factors identified by the FFIEC and each stage of the credit life cycle. Similarly, board reporting should include CRA performance in lending, services, and investment, measured against goals and peers.
Complaints represent the voice of the customer and are an important component of a strong Compliance Management System. Complaints also carry significant reputation risk. Internal complaints from branches and customer contact centers, as well as social media complaints, should be reported on and discussed with the Board. Complaints reporting should include analysis of customer pain points, root causes, resolutions, trends, and any regulatory risks identified through complaints. The governance process for complaints should also be evaluated to ensure that complaints are reviewed at the business unit level, through a corporate risk lens, and ultimately by the Board.
For all risk and compliance areas, board reporting should also include training completion information.
Other Risks
The Board should review the code of ethics, as well as policies governing compensation and insider activities. To facilitate governance of insider activities, board packages should include ethics hotline data, whistleblower complaints, and internal investigations. Crucial information includes the seriousness of the allegations, whether a recurring issue is involved, the level of staff accused of wrongdoing, litigation risk, and whether the issue potentially requires regulatory reporting or restatement of financials.
Board materials should include measures of operational risk, such as employee turnover, operational losses, and model risk. Assessments of third-party relationships, such as breaches of service-level agreements, timeliness of ongoing monitoring reviews, and budget variances, are important, particularly for vendors involved in critical activities.
Other information directors need to know includes the status of key projects, especially regulatory implementations and strategic projects. Briefing materials should also address pending litigation and regulatory examination schedules, results and identified issues that require remediation. Remediation plans for audit or regulatory findings should also be discussed and reviewed with the Board.
What Does The Board Need to Do?
To support the directors’ oversight of strategic direction and goals, Board agendas and materials should include information to aid in decisions related to bank strategy, mergers, and acquisitions. At some institutions, changes in branch networks, product offerings, and lines of business may be subject to Board approval.
The Board also sets the institution’s risk appetite and must approve any changes to risk appetite. Risk appetite should be consistent with the bank’s strategy. If management recommends changes to risk appetite, risk framework, or institutional risk profile, such requests should be well-supported and tied to institutional strategy. Ensuring the adequacy of the control environment, as well as the independence and prominence of risk and audit functions is the Board’s responsibility, as is maintaining a robust corporate governance structure.
In addition, the Board must ensure “that all significant activities are covered by clearly communicated written policies that can be readily understood by all employees. All policies should be monitored to ensure that they conform with changes in laws and regulations, economic conditions, and the institution’s circumstances.”[ix] As a result, the Board may be required to periodically approve certain risk management policies. The FDIC recommends that board-approved policies cover, at a minimum, credit risk and loan review, investments, asset-liability management, profitability and budget planning, capital planning, internal controls, compliance, audit, conflicts of interest, and ethics.[x]
Critical asset or capital deployment decisions may require Board approval. The Board should be apprised of all significant technology initiatives. An approval threshold should be defined; any project exceeding that threshold would be taken to the Board for approval. Project status updates on these initiatives should also be provided to the Board, covering budget, schedule, and other key dependencies. Other board-approved components of asset, capital, and revenue deployment are reserve and allowance levels and dividend distributions.
Best Practices for Board Reporting
Board meeting materials for banks will have key differences compared to those of non-bank firms due to the nature of the financial services industry and the specific regulations governing banks. The volume of expected material makes it vital for board materials to be succinct, concise, and focused. The directors need sufficient information to understand the report and associated root causes, but their oversight role does not require the same level of detail that business unit leaders or executive management need. Risk and compliance professionals should prioritize ruthlessly in preparing board materials to avoid overwhelming the directors with excessive detail. The Board Chair and other directors may provide helpful insights into what information is most useful to the directors. It is important for management to give the Directors the opportunity to provide 360-degree feedback on the Board materials at least annually so that improvements can be made.
A consistent look and feel across meetings may enhance readability and understanding. To this end, bullet points and numbered lists that summarize and highlight key points will provide greater readability and understanding than lengthy narratives. Visual aids such as charts, graphs, and heat maps can help deliver important information in an easily readable format. Using key risk indicators (“KRIs”), key performance indicators (“KPIs”), and key control indicators (“KCIs”) can aid in concisely reporting consistent information. Use of KRIs, KPIs, and KCIs also provides the ability to trend risk, performance, and control factors across time periods.
When preparing board materials, institutions should implement a robust internal review process. First, ensure all data presented is accurate and current. Statistics, KRIs, KPIs, KCIs, and financials should be verified with relevant departments. In addition, charts and graphs should be validated against source materials. All materials should be thoroughly vetted by business units and risk management before addition to the board package to avoid unpleasant surprises during the meeting.
In addition, board materials should be provided to the directors with sufficient time for a thorough review in advance of the board meeting. Board packages are often lengthy and take time to digest. Absent extenuating circumstances, it is a best practice to provide materials a minimum of a week prior to the meeting.
Finally, institutions should ensure that board materials and minutes have sufficient detail to validate Board knowledge and oversight of key risks and strategies. This should include evidence of discussion and effective challenge of management without sacrificing objectivity, accuracy, clarity, and conciseness. Essential details include the meeting date, time, location, attendees, agenda, and the person taking minutes. All topics discussed, motions, and voting results should also be recorded, along with any action items and next steps. Key points for each discussion topic should be included, but excessive detail is unnecessary. Individual votes typically are not recorded except in sensitive situations, such as conflicts of interest, director recusals, executive compensation, and whether to initiate a board investigation. For presentations to the Board, the minutes should include the topic and key takeaways. The Secretary may wish to include summaries of the main points of important discussions and significant dissenting opinions on important issues. However, minutes should not include confidential information that could compromise privacy or security. The Federal Reserve’s Commercial Bank Examination Manual (“CBEM”) notes that minutes of Board “committees that play a significant role in managing the bank should be kept and meet the same minimum standards used for minutes of meetings of the full board.”[xi] Draft minutes should be circulated to directors for review and approval.
[i] https://www.occ.gov/publications-and-resources/publications/banker-education/files/pub-directors-reference-guide.pdf
[ii] https://www.fdic.gov/resources/bankers/bank-directors/pocket-guide/index.html
[iii] https://www.kansascityfed.org/Banking/documents/9393/BFBD20.pdf
[iv] https://www.federalreserve.gov/supervisionreg/srletters/SR2103a1.pdf
[v] UBPRs are published by the Federal Financial Institutions Examination Council based on Call Report data. Additional information is available at https://cdr.ffiec.gov/public/DownloadUBPRUserGuide.aspx.
[vi] The OCC CANARY report provides peer comparisons on key ratios related to Credit, Interest Rate, and Liquidity risks. It is available to national banks through BankNet. https://www.banknet.gov/entrance/about-banknet/about-banknet.html
[vii] https://www.weforum.org/agenda/2024/02/what-does-2024-have-in-store-for-the-world-of-cybersecurity/
[viii] https://www.imf.org/en/Publications/GFSR/Issues/2024/04/16/global-financial-stability-report-april-2024?cid=bl-com-SM2024-GFSREA2024001
[ix] https://www.fdic.gov/resources/bankers/bank-directors/pocket-guide/index.html
[x] https://www.fdic.gov/resources/bankers/bank-directors/pocket-guide/index.html
[xi] https://www.federalreserve.gov/publications/files/cbem-4000-202310.pdf