Tag: governance

20 Apr 2016
Hot Topics Tom Hinkel 0 comment

FDIC Targets Board Responsibilities

“A topic is at times of such significant interest to bankers and examiners that it warrants a special issue…”  Whenever something from a regulatory body begins this way all bankers should take notice, and the latest Special Corporate Governance Edition from the FDIC is no exception.  In fact the Guru did a little research and the last time the FDIC released a Special Edition of its Supervisory Insights was the Foreclosure Edition in 2011, which was a post-mortem on the banking crisis.

So all bankers would be well advised to review this latest publication, but particularly community bankers.  In fact the full title is:  A Community Bank Director’s Guide to Corporate Governance: 21st Century Reflections on the FDIC Pocket Guide for Directors.  The emphasis on community banks and bankers is intentional, and the release states right up front that:

“Community banks play a vital role in the nation’s economy and local communities, and a bank’s management – including its directors and senior management – is perhaps the single most important element in the successful operation of a bank.”

[pullquote]…a director’s responsibility…necessitates using independent judgment and providing a credible challenge (to management).[/pullquote]

Although the FDIC states that this does not constitute new guidance (the original Pocket Guide was issued almost 30 years ago, but the basics haven’t really changed), the fact that they chose this topic and this time to release a special issue indicates that this is almost certainly going to be an area of increased focus for examiners going forward.

If there is one common theme that resonates from this issue it is that directors are expected to play a more active role in the day-to-day affairs of their institutions, and NOT be simply a “rubber stamp” for management.  This sums it up pretty well:

“…a director’s responsibility to oversee the conduct of the bank’s business necessitates using independent judgment and providing a credible challenge.  This entails engaging in robust discussions with senior management and perhaps challenging recommendations at times, rather than simply deferring to their decisions.”

I’ve talked about this concept of “credible challenge” before, which also appears several times in the recent FFIEC Management Handbook, and is defined as “being actively engaged, asking thoughtful questions, and exercising independent judgment.”  In order to do that, directors need access to accurate, timely and relevant information.  Board reports, once very high-level, should now include sufficient detail to allow members to comprehend (and if necessary, challenge) management decisions.



Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why some of the most commonly believed “facts” about IT outsourcing for banks are actually myths.



7 Reasons Why Small Community Banks Should Outsource IT Network Management



Make sure your IT management systems and processes are capable of producing these Board-level summary reports, then get them in front of the Board and in the Board minutes.  And be prepared for 2 things going forward; first, examiners WILL ask for these Board minutes and expect to see evidence of more engagement.  And secondly, expect Board meetings to become a lot more spirited!

19 Dec 2011
Hot Topics Tom Hinkel 0 comment

2012 Compliance Trends, Part 3 – Management

I’ve written about the importance of this before, and from many different angles, but I want to recap and explain why I think management (both IT and enterprise) will be an area of increased regulatory focus in the year ahead.  To recap my criteria for inclusion in the “2012 Trends” list, it must have a basis in:

  1. Recent audit and examination experience,
  2. Regulatory changes, and/or
  3. Recent events.

Management, or as it is sometimes referred, governance, is defined by the FFIEC in the IT Examination Management Handbook as;

“…an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”

And…

“Due to the reliance on technology, effective IT management practices play an integral role in achieving many goals related to corporate governance.”

So regulators have always considered IT management critical, and most institutions address that obligation by assigning responsibility for day-to-day management of IT to a committee, such as a technology or IT Committee.  In recent examinations we have seen regulators ask specifically to see committee minutes, looking for things such as discussion of vendors before they are approved, and discussion of new technology before it is implemented.  They want to know that the institution considered the strategic value of the vendor and the new technology prior to approval.  Was the decision to approve consistent with (in alignment with) the overall goals and objectives of the strategic plan?  Can you document that?

Effective management of IT has significance way beyond just IT and strategic alignment though, after all…

“…IT management is an essential component of effective corporate governance and operational risk management.”

An institution that fails to demonstrate that they can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide.  I further explained this here, and examiners agree.  Consider this…the two most often repeated statements in FDIC enforcement orders this year is for the institution to “have and retain qualified management”, and for the Board of Directors to “increase its participation in the affairs of the Bank”.

For all these reasons I believe the CAMELS “M” will be in the minds of examiners.  So how can you prepare?  In a word, reporting.  Take a look at the following illustration:

 

Once the overall strategy has been communicated top-down (left side), reporting (right side) will document that the strategy has been successfully incorporated into the policies and procedures of the organization, and (most importantly) that day-to-day practices abide by those policies and procedures.  Implementing an internal self-assessment program can be a very effective way of both communicating strategy and documenting compliance.  Use automated controls and monitoring (like this for example), and employ outside expertise whenever possible.

22 Feb 2011
From the Field Tom Hinkel 1 Comment

Management of IT reflects overall management

(This is an extract from an article written for Bank Technology News.  The full article is here.)

One of the reasons compelling the shift towards increased focus on IT is found in the only non-financial element in the CAMELS ratings: management. Post-mortem reports on the failures of both Washington Mutual and Indy Mac placed the blame equally on management for pursuing overly aggressive growth strategies, as well as on the regulator (OTS) and their inability to effectively identify and assess the risks. The OTS was a regulatory casualty of Dodd-Frank, and I think we can expect (and rightly so) increased focus on all governance issues going forward.  But how does that translate into increased IT focus?

There are twelve factors that go into the CAMELS management rating component, and one of them is a measure of how well the institution manages its information systems. In addition to that, the FFIEC makes it clear in their IT Examination Handbook on Management that

“…effective IT management practices play an integral role in achieving many goals related to corporate governance. The ability to manage technology effectively in isolation no longer exists. Institutions should integrate IT management into the strategic planning function of each line of business within the institution.”

And regarding the relationship between IT and strategic planning;

“…an institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success.”

Clearly IT is so pervasive throughout financial institutions that no enterprise-wide assessment of management and governance is complete without a thorough review of IT.  It also stands to reason that an institution that can not demonstrate that they can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide.

Bottom line…more scrutiny of management equals more scrutiny of IT, and deficiencies in IT can lead to lower CAMELS scores.  Solution?  Implement a formal IT management process consisting of a dedicated committee.  Use a standardized agenda, assigning follow-up items to responsible parties with specific time-frames for resolution.  Involve ALL functional units in the committee, and regularly report status updates to the Board.

Then take this same model and apply it to the rest of the organization!

© 2025 UFS Tech. All rights reserved. Compliance Guru is a registered trademark of UFS Tech. Privacy Policy