A Risk Management Clinic for Community Bankers

Markets shift, regulations evolve, new products and services become available, and threats to your bank’s security develop.

Taken together, the risks can seem like a lot to manage, but by taking a more granular look, community banks can attack each one more effectively, mitigating the chances that regulators will come knocking.

Here are practical solutions to seven risks community banks routinely face, according to consultants who advise in these areas.

Risk

Staying current with changing regulations can be challenging.

Changing regulations consistently ranks as a top challenge across banks of all asset sizes. When asked about the overall compliance and risk areas demanding their focus, 59% of respondents to the 2022 Wolters Kluwer Regulatory & Risk Indicator survey identified the ability to manage risk across all lines of business as their top concern. This was closely followed by 58% who cited the ability to maintain compliance with changing regulations; 55% who named the ability to keep track of regulations; and 54% who cited the ability to demonstrate compliance to regulators.

Solution

Given the vast resources necessary to keep current on regulatory developments, community banks could consider outsourcing this function. Monitoring every one of the regulatory bodies, and what changes are needed and when, requires significant time and resources, says Jim Wrbanek, director of sales at Wolters Kluwer in Minneapolis. Indeed, 54% of banks cited the existence of manual compliance processes as an obstacle to maintaining an efficient compliance program.

In this ever-changing regulatory and compliance environment, finding a trusted strategic partner could be a wise investment.

Risk

Regulatory change management is complex.

Keeping track of regulatory changes is one thing, but implementing them across departments is another challenge entirely. Change management was cited as a top compliance challenge by 28% of community banks under $500 million in assets, 47% of community banks with $500 million to $999 million in assets and by 39% of banks with more than $1 billion in assets, according to the Wolters Kluwer study.

Solution

Regulations change constantly, and the best way for banks to approach this is to establish centralized oversight of these changes, says Vincent Hui, managing director at the strategic consultancy Cornerstone Advisors in Scottsdale, Ariz. 

So, rather than each department being responsible for implementing the relevant changes, centralizing the responsibility means that if a regulation applies to several departments, it can be rolled out in a coordinated, standardized, interdepartmental manner. 

For example, when a new regulation is expected, the compliance team can reach out to the appropriate department or departments within the bank to help get conversations started. In this way, there’s a coordinated effort such that individual departments aren’t siloed and have a clearer understanding of how the regulation could affect the bank more broadly. 

Risk

Digitalization is a necessary reality.

Most community banks have made efforts to digitalize, but only 27% say they have either made significant progress or are fully digitalized, according to Wolters Kluwer. 

“Community banks [should think about] what the full journey looks like,” Wrbanek says. For instance, a bank may allow customers to bank online, but does it also provide the ability to take out a loan online? What about e-closing functionality and digital vaulting capability? It’s important to keep the full spectrum of services in mind, he adds.

Solution

Community banks should consider creating a position such as head of digital banking to coordinate efforts broadly. “You want that change agent to be empowered to identify partners to work with the bank on its journey to complete its digital transformation,” Wrbanek says.

Another thing to keep in mind is that digitalization doesn’t relate only to systems. Processes also need to be digitalized and updated as part of the transformation, says Marcia Malzahn, president and founder of management consultancy Malzahn Strategic in Maple Grove, Minn. 

She advises that a good starting point is to make a list of all the processes under each department of the bank. Then, prioritize the list of processes by how critical the process is to the operations of the bank and the extent to which the process involves sensitive employee or customer data. Finally, community banks can determine if they can outsource the digitalization or if they have the resources to do it internally, she says.

To illustrate, Malzahn offers a simplified example of how this digitalization assessment could be accomplished within a community bank’s human resources department. First, the community bank needs to understand where employee records are held, which could be in a centralized location within its network, in the cloud or on paper in a file cabinet. Then the bank needs to determine who has access to those records and whether they could be easily recoverable after a disaster.

Based on the answers to these questions and other strategic considerations, the community bank could decide to outsource its human resources department so its HR director can focus on talent acquisition, development and retention strategies. Alternatively, the community bank could simply create an internal network folder with the appropriate authority levels and scan all the documents in a structured filing system. The community bank would also need to establish an electronic process to use going forward to ensure all employee documents are kept electronically, from application to onboarding to termination, Malzahn says.

Risk

Third-party risk management is time-consuming.

It’s not unusual today for community banks to outsource services. But staying on top of vendor partners requires significant work with respect to planning, initial due diligence, negotiating and ongoing monitoring.

Solution

When thinking about third-party risk, it’s important for community banks to evaluate various levels of risk. Vetting the provider itself is only the first step. Understanding the risks a bank faces from that vendor’s partners is also critical. 

“You’re not going to prevent every breach, but you want to make sure that you can get your systems up and running pretty quickly.”

—Dennis Hild, Crowe LLP

Be assured that regulators are looking carefully at this type of risk, especially with technology and fintech providers, says Dennis Hild, principal at Crowe LLP, a public accounting, consulting and technology firm in Chicago. That’s why it’s so important to understand more granularly what could happen to a bank’s systems if a vendor has a breach. 

“You’re not going to prevent every breach, but you want to make sure that you can get your systems up and running pretty quickly,” Hild says.

Because of the complexities involved, Hild generally recommends community banks consider robust and comprehensive third-party risk management evaluation software. These platforms can help community banks manage their myriad vendor relationships and could be especially important if a bank is dinged by a regulator for deficiency in this area of third-party risk management, he says.

Risk

Managing credit risk is complicated.

Especially as rates rise, credit risk is becoming a more pressing issue for community banks. According to the most recent Wolters Kluwer study, 51% of banks cited it as a top concern.

Solution

For new loans, community banks should be vigilant about both credit risk and pricing.

Hui recommends that banks look at whether they are pricing the risk in the right way. If they aren’t getting compensated for the risk they are taking on, a higher price is probably the right answer for the institution, even though the loan officers might not like it. 

“When times are tougher and the uncertainty is greater, we need to ask questions with qualitative responses that won’t show up in the ratios.”

—Matt Pieniazek, Darling Consulting

Community banks should also look beyond their historical loss experience and consider that the world will be different and the risks may not be the same in the future, says Matt Pieniazek, president and CEO of Darling Consulting in Newburyport, Mass. 

“There can be a tendency for an overreliance on ratios,” he says. “When times are tougher and the uncertainty is greater, we need to ask questions with qualitative responses that won’t show up in the ratios.”

For instance, as uncertainties are elevated, the questions need to change, Pieniazek says. Banks look at a variety of metrics: loan-to-value ratios, debt-service-coverage ratios, cash flow returns and return on investment. Continuing to dig deeper will yield even better results. 

Even though the ratios may look good now, they should be asking the loan officers presenting a loan: How could this loan go bad? Could anything within the loan recipient’s industry change? What factors could cause this assessment to change? This process affords community banks greater clarity and allows them the opportunity to price the loans accordingly or take a pass, Pieniazek says.

Of course, existing loan portfolios should also be reviewed for possible trouble signs. Hui recommends that community banks enact protections for cases where the borrowers may not be on as solid ground as when the loan was extended. “The biggest exposure is not going to be new loans,” he says.

On annual commercial loan reviews, risk ratings should be a focus. If necessary, they can put the loan on a watch list to manage the risk going forward. 

“It’s not re-underwriting,” Pieniazek explains. “It’s just taking a look at a credit file of the borrower and loan to see what has changed.”

On the consumer side, banks might keep a close watch at the collateral and other protections they have in place so they can properly prepare if a loan or loans go sour, Hui says. For credit card customers, community banks might consider a reduced line of credit, for example.

Risk

Cybersecurity risk remains a top concern.

Cybersecurity risk was cited by 72% of banks polled in Wolters Kluwer’s most recent study. It’s certainly a pervasive problem as breaches of all kinds continue to compromise consumer data, increase the risk of damaging lawsuits and test the limits of all businesses’ security practices.

Solution

Outsourcing strategically is one solution to the challenge of evolving threats and keeping up with the technology necessary to run the institution, Malzahn says. 

Community banks have the option to outsource the core system to the core provider. They can also outsource the internal network management to an IT-managed solutions provider that will handle both level 1 PC support as well as the high-end technology. 

Then, the IT director or CIO can focus on managing the IT security program, the IT strategic plan (which should support the bank’s business plan) and collaborate with other departments to implement the customer technology products and services needed to support customers’ needs, she says.

“Information security is not just within the bank’s four walls; it’s part of our ecosystem.”

—Vincent Hui, Cornerstone Advisors

Ongoing education for employees and customers is also important. New threats and techniques evolve all the time, so staff and customers need reminders, Hui says. A once-a-year refresher training isn’t enough, especially as these threats continue to evolve.

From a vendor management perspective, it’s also important to assess vendors for cyber risks on an ongoing basis. Notably, an annual review may not be enough; frequent checkpoints could mean the difference between a small headache and a major one. “Information security is not just within the bank’s four walls; it’s part of our ecosystem,” Hui says.

Risk

Uncertainty makes it difficult to assess liquidity risk.

As the economy ebbs and flows, uncertainty can be acute and must be taken into account when managing liquidity. 

Solution

In managing liquidity, one strategy is to find ways to improve the management of the deposit base.

“Never lose sight that core deposits are what builds real value, so anything [community banks] can do to cement those relationships is a huge positive,” says Randy Dennis, founding partner of DD&F Consulting in Little Rock, Ark. 

He notes that given the recent large bank failures, community banks may have received calls from concerned businesses and consumers asking, “Is my money safe?” 

Pay close attention to those customers’ concerns. For instance, community banks can help their customers seek extra protection for their funds by retitling accounts, or they can use third-party providers to distribute funds among multiple institutions, while still maintaining the customer relationship. 

As Dennis says, “The customer doesn’t know who has it; they just know it’s all insured.”

---