Managing risk has always been central to the purpose of a community bank’s board, arguably now more than ever. What’s changed with time is the breadth and degree of the risks out there, as well as the nuance with which current board members must view and monitor risk.

“I think a director’s role in managing risk is more important than it ever was in the past,” says Daryl Karsky, CEO and board member at $625 million-asset HomeTown Bank in Carver, Minnesota.

“As a CEO, it’s my job to make sure that everyone knows the ramifications of the risks we’re taking, so we’re making good, balanced decisions,” he says. “Yes, we have to take some risks to make money, but what is a tolerable level? We talk about risk at each and every board meeting so we all have a comfort level with where the appropriate risk level is.”  

Lynn Roche, board member at $600 million-asset 1st National Bank of Scotia in Scotia, New York, detects a shift in how savvy directors view risk. “Years ago, ‘audit’ was [often] the definition of risk, but ‘audit’ is a view that looks backwards,” she says. “It asks, ‘Were we effective in our operations and our controls and our financials?’ Now, I think about risk as a look forward. What is our strategy? How do we anticipate future stress? And what controls do we have in place?” 

She continues: “Risk is never going to sit still. So, if you’re looking at controls, you have to keep thinking: ‘What controls am I going to need tomorrow?’”  

Jenna Burke, ICBA’s EVP and general counsel for government relations and public policy, agrees. She maintains that “for boards evaluating a bank’s risk profile, it’s important to remember that that involves far more than looking at the financial conditions of today.”

What’s more, a permissive board that’s soft on risk can result in disaster. “Unfortunately, bank failures often have a common factor: complacent boards that fail to challenge senior management on risk,” Burke adds.

“Providing director training lets directors know [that risk management] is just as much their responsibility as the bank’s responsibility, and their oversight is extremely important.”
—Daryl Karsky, HomeTown Bank

A broadening spectrum

Boards play an essential role in managing risk by “setting an overall risk tolerance for the organization,” says Greyson Tuck, attorney and consultant at Gerrish Smith Tuck in Memphis, Tennessee. He explains that risk tolerance is set through the various policies and procedures a board adopts. Over time, this tolerance can be adjusted, typically during an annual policy review.

Matthew T. Doyle
Matthew T. Doyle, chairman of the board at Texas First Bank, says the board is responsible for managing risk across all bank operations.

Matthew T. Doyle, chairman of the board at $2.3 billion-asset Texas First Bank in Texas City, Texas, offers a similar view: “A board is in place to manage risk at the bank—in all aspects of operations.”

Over time, Doyle notes that his bank’s board has created additional committees for discussing risk. At Texas First, there’s an audit committee, but there are also committees tasked with overseeing loan and discount (L&D) risk, asset-liability risk and regulatory risk. 

Given more vantage points for viewing risk, directors are now in direct dialogue about risk with greater frequency than ever before. Doyle points out that at Texas First Bank, six directors sit on the L&D committee, which meets weekly.

Roche notes that a director’s job has expanded because there are so many new areas of risk to oversee. Not only are emerging technologies from cybersecurity (see sidebar on page 56) to AI occupying mind space for busy board members; risks posed by major vendors must be monitored, too.

“As community bankers, we rely heavily on our major vendors,” says Roche, “and so we have to look at the risk level of these vendors.” Here, questions include whether vendors have been audited, how and where they store data, and whether vendors have a disaster recovery plan in place. 

While newer risks are competing for time and attention, the bread-and-butter banking risks should never be forgotten, emphasizes Ross Hill, director at $380 million-asset Citizens Bank of Edmond in Edmond, Oklahoma.

To illustrate, Hill points out that far too many banks failed to see the liquidity crisis brewing. “Liquidity can sneak up on you, and you can be in a precarious position, because you don’t have backup lines of credit, you don’t have ample deposits and you may have been heavily reliant on jumbo CDs and hot money,” he says. “You have to have your tolerance levels set within your policy guidelines, and you have to monitor all of this regularly.”

Get educated through ICBA’s Bank Director Program

Diversity of experience is the holy grail for any community bank board. “It’s really important that your outside directors have varied backgrounds,” says Daryl Karsky, CEO and board member at HomeTown Bank in Carver, Minnesota. “What you want is a well-rounded board.”

While individuals with unique professional backgrounds can ferret out risks that lifelong bankers might overlook, these executives often need to be educated in the nuances of banking.

That’s one of many places where ICBA’s Bank Director Program can be an enormous help.

ICBA’s program includes everything from a bank director video series to webinars and online courses with topics ranging from “Ethics for Bank Directors” to “Cyber and Information Security for Directors” and “Understanding UDAAP.” Not sure what UDAAP is? ICBA’s Compliance Acronym Quick Reference Guide can come to the rescue.

ICBA has created other ways to provide far-reaching help in real time. For instance, ICBA’s governance helpline, with expert guidance from attorneys and consultants from Gerrish Smith Tuck, is at the disposal of directors enrolled in the program.

After Karsky recently enrolled a new director to the Bank Director Program as part of HomeTown’s onboarding process, he decided that the training was so valuable that the entire board should be enrolled.

“I only have so much time at each board meeting to share things happening out in the world,” he says. “The more background I can give [my directors], the better.”

Lynn Roche
“For community bankers, it’s not enough to come to the meeting, review a deck, have a cookie and leave. It’s never ‘set it and forget it’ anymore. Your directors have to be very engaged.”
—Lynn Roche, 1st National Bank of Scotia

The importance of ongoing training

“Providing training to your board is crucial,” says HomeTown’s Karsky. He enrolled his newest director in ICBA’s Bank Director Program (see sidebar, right) and plans to announce at future board meetings exactly what types of education each director has recently engaged in. 

“We want directors to know that this isn’t a once-a-year check-in. Education is ongoing,” he says.

Karsky is convinced that by investing in board education, he is underscoring the value of risk management. “Providing director training lets directors know [that risk management] is just as much their responsibility as the bank’s responsibility, and their oversight is extremely important.” 

Amanda Rodriguez
“[Board director] training equipped me with the tools to understand my fiduciary duties, and it taught me about the banking industry as a whole and about regulatory risk and risk oversight.”
—Amanda Rodriguez, Citizens Bank of Edmond

Education resources

Board education looks different at every bank. Some favor signing directors up for a formal education program. Others expect directors to glean information from the board book or from industry articles. Regulators’ comments can also be highly instructive, as can published risk frameworks and checklists provided via electronic portals and other online tools.

One excellent resource is the FDIC’s Pocket Guide for Directors, which ICBA’s Burke describes as “a helpful resource for directors to review the core principles of corporate governance.

”While ongoing education is key, nothing sets the tone quite so resoundingly as the initial onboarding process. When Amanda Rodriguez, cofounder and CEO of consulting firm LYT Group in Oklahoma City, Oklahoma, joined the board at Citizens Bank of Edmond nearly three years ago, one of her first assignments was to undergo board director training.  

“This training equipped me with the tools to understand my fiduciary duties, and it taught me about the banking industry as a whole and about regulatory risk and risk oversight,” says Rodriguez. She later became a certified community bank director (CCBD) through a two-day program at the SW Graduate School of Banking at SMU Cox School of Business.

Alongside the classroom and online webinars, some community banks have found ways to actively promote informal educational exchanges among their directors. For instance, when Roche joined 1st National Bank of Scotia’s board five years ago, she was paired with David Montana, the bank’s lead director, through a type of high-level “buddy system.”

“I’m very comfortable asking any question, but the buddy system helps when [I wanted to talk through a topic],” says Roche. “It’s great to have someone specific to go to when you want to bounce something off another director.”

Asking the right questions

Chuck Hays
According to Chuck Hays, chairman of the board at Kennebec Savings Bank, encouraging rigorous questions from directors helps foster a collegial tone among the board.

“Risk management is the topic we spend the most time on overall as a board,” says Chuck Hays, chairman of the board at $1.65 billion‑asset Kennebec Savings Bank in Augusta, Maine.

He recalls that for many years, conventional wisdom dictated that testing systems for 400-basis-point swings in interest rates was “ridiculous,” because rates were never expected to fluctuate that wildly. “And then all of a sudden, we were there—and beyond. So, one of my favorite questions is: ‘What’s the worst-case scenario?’” he says. “Looking at the worst case keeps you balanced.”

One reason why some banks shy away from spirited inquiry is that it might ruffle feathers, but Kennebec Savings Bank leaders don’t mind direct communication. Hays says fostering a collegial tone is a must, and encouraging rigorous questions from directors plays a significant role in establishing this dynamic. “We ask hard questions, and nobody takes offense,” he says.

Hill is also a fan of probing questions. As former CEO of Bank2, which he founded in 2002, he views fiscal conservatism as a strength.

“I probably have an advantage over most directors, because I [personally] hate high risk,” he says. “In my 44 years of banking, I had hardly any [past-due loans] and not much at all in the way of charge-offs. Any time you see yourself moving towards the upper range [of your risk tolerance], ask yourself: Why is this happening? And how can we get back to the midrange of risk we want to achieve?”

To detect nascent problems, Hill believes in thoroughly questioning anyone who appears before the board to champion a new product or strategy. “I like to ask department heads, ‘Is this something you really want to bet your career on?’ If they’re not behind the product, if they think there’s too much risk, we don’t want to go forward.”

Hill is convinced that a community bank should be ready to reverse course if boardroom debate unearths serious issues. “When I was a CEO,” he says, “I tabled some things because of good questions directors asked, if I wasn’t sure we had the right answers.”  

Taking cyber seriously

“Cybersecurity is everybody’s nightmare risk. All at once, your entire system can be compromised. It’s what keeps me up at night,” says Daryl Karsky, CEO and board member at HomeTown Bank in Carver, Minnesota.

The data shows that such fears are warranted. In 2024, for instance, the average financial-sector data breach cost $6.08 million, according to an IBM survey. Key to managing cyber risk is having a board that’s trained to identify red flags and to act quickly should disaster strike.

At 1st National Bank of Scotia in Scotia, New York, cyber incidents are reported to the board each month. Lynn Roche, board member, says that directors actively reflect on what they’ve learned from unsuccessful cyber attempts in the hopes of devising stronger defenses.

“Fraudsters are very sophisticated,” she says. “When something doesn’t work the first time, they’ll improve upon it and find a better way.” With the risk of a cyberattack always looming, Roche sees a need for “continuous education,” because “there’s no real end to this conversation.”

Fostering a culture of engagement

The openness with which a board treats challenging questions speaks volumes about its culture. Hill says bank management should set the tone by welcoming differing opinions. “I didn’t want ‘yes’ men and women on the board. I wanted people who could think and measure risk and see the vulnerabilities to make the bank rock solid.

“At a well-run bank,” he adds, “it’s never a gotcha game. Instead, we said, ‘Hey, look at this and make sure we’ve got all the ‘i’s dotted and the ‘t’s crossed.’ And we acted together.”

1st National Bank of Scotia’s Roche anticipates that board risk discussions will remain a consistent topic at board meetings and will be incorporated into several activities given the speed at which current events are unfolding.

At a recent board meeting, for instance, directors mulled potential risks to supply chains if new policy out of Washington, D.C., brought dramatically higher costs for components sourced from abroad.

“Current events is an area you have to be aware of when you think about your credit risk,” Roche says. “There used to be a standard list of questions you’d ask when making lending decisions; all this is evolving.”

As the task of monitoring and anticipating risks grows more complex, the need for knowledgeable, proactive directors is growing, too.  

“For community bankers, it’s not enough to come to the meeting, review a deck, have a cookie and leave,” says Roche. “It’s never ‘set it and forget it’ anymore. Your directors have to be very engaged.”