Risk management is meant to be proactive, but it’s not always easy. From the pandemic to cybersecurity, risks are constantly emerging—creating both threats and opportunities.

No one knows this better than community bank chief risk officers (CRO). Independent Banker convened a discussion between four CROs to learn what it takes to stay on the right side of risk.

Meet the CROs

Josh Hofer

Josh Hofer
Chief risk and information security officer
Stearns Bank
St. Cloud, Minn.
Assets: $2.2 billion
Years at bank: 5
Background: IT, IT security and bank operations

Greg Schaller

Greg Schaller
Senior vice president and chief risk officer
Midwest BankCentre
St. Louis, Mo.
Assets: $2 billion
Years at bank: 5
Background: Accounting, audit and compliance

Jennifer Johnson

Jennifer Johnson
Vice president and chief risk and operations officer
Forte Bank
Hartford, Wis.
Assets: $290 million
Years at bank: 6
Background: Compliance, audit and operations

Andy Stines

Andrew Stines
Executive vice president and chief risk officer
Coastal Community Bank
Everett, Wash.
Assets: $1.7 billion
Years at bank: 1
Background: Legal, compliance and risk management

What are your top challenges as a chief risk officer of a community bank?

Greg Schaller: One of the biggest challenges is dealing with the aftermath of the pandemic. We moved 80% of our workforce to remote, and the fallout of that is all those operational risks. We changed processes and procedures overnight, and we have to ensure we have our arms completely around all those changes and the risk. At this point, we feel we have a good handle on it. It was a challenge, but it also led to some great efficiencies. It made us reassess our processes.

Josh Hofer: We try to be proactive with our risk framework and build in processes so that if there is an opportunity on the business side, they are not waiting on the back office or risk to catch up. One of those examples is the FFIEC CAT [Cybersecurity Assessment Tool]. We try to stay one level ahead of the current maturity, so from a tech standpoint—and everything touches tech—if there is an opportunity, or if we grow or want to offer a product or service that’s a bit more risky, we already have controls in place and [can go ahead with the opportunity].

Andrew Stines: Reporting risk continues to be a big challenge. Reporting risk in a single area isn’t difficult. Reporting across all departments and lines of business in a manner that is useful and meaningful is much more difficult. It requires good methodology and technology and personnel who know how to perform data analytics and cooperate with business units that own data. Another challenge is [that we are] experiencing rapid growth due to our relationship with Google and our banking-as-a-service (BaaS) division. It’s challenging to have to move this fast and build processes, procedures and resources and do it in a scalable and safe and sound manner.

Jennifer Johnson: [Forte Bank has] $200 million in assets to [Coastal Community Bank’s nearly] $2 billion, yet the risks we’re facing are really similar. From an operational standpoint, we, too, are struggling with making our processes faster and better. No matter your size, customers make the same demands, saying “I need this now and right.” For example, we’re in the middle of three or four different projects in our mortgage division to streamline how we’re getting those products to customers more quickly and accurately. As a smaller institution, we’re constantly conscious of the cost balance and getting drilled on the efficiency ratio. We struggle with how many people we need to get this done, [as well as] “Is this the right technology?” and “Am I using it to the fullest extent to get the job done?”

Stines: Hiring the right individuals is a challenge anywhere I’ve worked. Having a successful risk program is having the right people with good skill sets to set high goals.

How has your role changed in the past few years?

Schaller: Our evaluation of operational risk and risk appetite has become critical. Are we starting to see trends or bump up against our appetite limits? What are we doing to ensure the potential risk is moved back to yellow or green status? We’re constantly looking at our risk appetite and how it aligns with strategy. That’s not to say we didn’t have that before, but our concentration on it is much more important.

Johnson: My role changed by growing into that CRO position where I’m not just aware of compliance and regulatory risk and internal controls. It’s an enterprise-wide concept.

Stines: When I started in January of 2020, there were seven of us in the risk group. Since then, I’ve hired more than 30 professionals. I’ve done a big shift from being in the weeds day to day—in prospect calls and solving problems—and now having to manage 30 very skilled professionals. We’re partnering with fintech firms that are going to market with cool technology and apps, but they don’t have a charter. They partner with us and we provide oversight. With approximately 35,000 commercial customers at the core bank we could see growth into the millions of customers over the course of the next few years. Those are our customers for compliance and risk purposes, so we still have BSA [Bank Secrecy Act] and consumer compliance risk.

What risks or types of risks are growing threats for community banks?

Stines: Cybersecurity, fraud and BSA continue to be top of mind. As we move further into the digital age, fraudsters are watching and waiting to commit a crime. A lot of fraud comes from actual people with no bad history or controls—they are utilized as mules. How do you stop that person from getting in without stopping everyone? It’s a big problem.

Johnson: I 100% agree BSA is a huge risk, because fraudsters are finding faster and better ways of getting around how banks identify fraud. With the size of my institution, it’s almost as scary as the threat of examiner scrutiny. We have no history of issues, but there is a lot of ambiguity of what are sufficient controls for managing and monitoring BSA risk.

Schaller: One of our biggest risks right now is fintechs and new entrants into the industry. A lot of people look at those as solely risk, because they can take market share and customers. But the risk isn’t that they’ll take market share. The risk is in not acknowledging that they are there, and not adapting to the innovations they are bringing to market. How can we take what they are doing and build it into our strategy?

Johnson: Credit risk is a growing threat, and not just in the potential for defaults. Competition continues to increase, and [larger banks] are developing fintech and doing things to grab customers like ours with cool new features we can’t access yet. When you’re a smaller organization, how do you keep up and stay competitive?

Schaller: Another risk since we’ve moved the majority of the workforce to remote: How do you continue to monitor employee engagement? How do you monitor productivity and security protocol? We’ve introduced a performance management system to help us with this.

“When you want to make a change—I’m a huge proponent of change—it’s so important to stop, breathe and really dig into the impacts of the change.”
—Jennifer Johnson, Forte Bank

What should others within your community bank know about your position?

Johnson: I wish all my coworkers would look at their positions globally. When you want to make a change—I’m a huge proponent of change—it’s so important to stop, breathe and really dig into the impacts of the change. Often, someone gets a good idea, runs with it and doesn’t contact the people who may be impacted and may miss some places where it [has an impact]. It turns into frustration and mismatched ideas. They get the impression we don’t want to change.

Stines: I couldn’t agree with you more. It’s a big message to get out there. What we are doing today will have a significant contribution to bank strategy.