The Federal Reserve Board eagle logo links to home page

Remarks by Governor Susan Schmidt Bies
Before the Annual Convention of the Arkansas Bankers Association, Hot Springs, Arkansas
May 17, 2004

Corporate Governance and Community Banks

Thank you for the invitation to participate in the 2004 Annual Convention of the Arkansas Bankers Association. Over the past two years, a considerable amount of time and energy has been expended in our country addressing corporate governance issues. If you read the headlines in the financial press, you might think that every financial institution in the United States discovered corporate governance two years ago when the Sarbanes-Oxley act was enacted. Well, as we all know, corporate governance is not new to U.S. financial institutions. Senior management and boards of directors of banks, both publicly traded and privately held, have a tradition of taking their responsibilities for ensuring effective governance seriously.

In my comments today, I would like to address the state of corporate governance at community banks. I'll discuss the assessments some of the consultants and public accountants are giving the banking industry and I'll contrast that to what we are observing through the examination process. I'll also touch on some of the developing "best practices" in corporate governance, internal controls and operational risk management. Many of these best practices seem to be resulting from community bankers like you modifying the Sarbanes-Oxley corporate governance requirements to make them relevant for your individual business and corporate structure. At the Federal Reserve, we tend to favor best-practice approaches for corporate governance at community banks rather than a one-size-fits-all approach.

Corporate Governance Perspective of Consultants

I'll start with a report card on the state of corporate governance at community banks issued by the major consulting and accounting firms. Recently, several have reported on the governance practices at financial services firms, including community banks. These studies begin by recognizing the progress financial services firms have made in the areas of director independence, audit committee oversight, and overall board awareness of governance issues within their organizations. These studies cite a growing sensitivity to governance issues among employees and a heightened awareness among senior management and the board. They cite improvements in "governance type" disclosures to shareholders/stakeholders and increased vigilance on the part of the regulatory agencies. However, a number of these studies conclude by saying that banks and other financial services firms have a long road ahead of them if they are to achieve the goal of effective corporate governance. Based on these studies, it sounds like the firms believe that bank corporate governance practices should receive the equivalent of a C grade with a needs improvement notation.

Why is this? According to a global survey of financial institutions conducted by PricewaterhouseCoopers, part of the reason why financial institutions are not making the grade is that they equate effective governance with meeting the demands of regulators and legislators.1 That is, they tend to look at this as another compliance exercise. The study goes on to state that the compliance mentality is limiting the ability of these institutions to achieve strategic advantages through governance.

I would agree that any institution who views corporate governance as merely a compliance exercise is missing the mark. We all are aware of companies in various industries who have successfully presented their strategic vision to investors, but who later stumble because the execution of that strategy did not meet expectations. While the reasons for shortfalls can occur for many reasons, one of the more common shortcomings is that the strategy itself was focused too much on market and financial results without adequate attention to the infrastructure necessary to support and sustain the strategy.

Corporate strategies often focus on the most likely future scenario and the benefits of a strategic initiative. A sound governance, risk management, and internal control environment starts by being part of the strategic planning exercise. That is, while the strategy is being considered, managers and board members should be asking: What are the major risks of this plan? How much risk exposure are we willing to accept? What mitigating controls need to be in place to effectively limit these risks? How will we know if these controls are working effectively? In other words, by considering risks as part of the planning process, controls can be built into the design, the costs of errors and reworking in the initial rollout can be reduced, and the ongoing initiative can be more successful because monitoring can reveal when activities and results are missing their intended goals, so that corrective actions can be initiated more promptly.

Many of these studies note that it is very difficult for outsiders to determine the effectiveness of governance. Unfortunately, it takes significant breaks in internal controls for the public to be aware of weaknesses in the process. The disclosure of deficient business and governance practices can then lead to lower share prices, the likelihood of potential shareholder lawsuits and enforcement actions, the loss of credibility and damage to a bank's reputation, and the payment of higher spreads to access capital markets. The size of potential detrimental impacts due to a serious breach in governance can place the costs of improved governance in perspective.

Several studies highlight that institutions are spending more on corporate governance today than in the past. According to Grant Thornton's 2003 Eleventh Annual Survey of Community Bank Executives,2 it isn't just large organizations that are feeling the cost impact of corporate governance. Community banks not subject to the Sarbanes-Oxley and Federal Deposit Insurance Corporation Improvement (FDICIA) acts experienced or are expected to incur increases in costs for a number of services and functions related to corporate governance. Seventy-three percent of these banks expected to incur increases in general audit fees; sixty-two percent expected to incur increases in director and officer liability insurance premiums; thirty-two percent expected to incur increases in financial education costs for directors; and twelve percent expected to incur increases in costs associated with attracting and retaining board members.

In response to this study, a logical question is whether the benefits outweigh the costs. Many of you are reflecting on the first quarter 2004 discussion of your annual operating results, budget estimates, and income projections that were presented at recent board and staff meetings. True, these costs reduced some of your current profitability goals. But corporate managers have demonstrated over the years that focusing on better process management can enhance financial returns and customer satisfaction. They have learned that correcting errors, downtime in critical systems, lack of training for staff to promptly handle their changing tasks, all create higher costs and lost revenue opportunities. I would challenge you to consider the appropriate corporate governance structure suitable to your bank's unique business strategy and scale as an important investment, and consider returns on that investment in terms of the avoidance of the costs of poor internal controls.

Corporate Governance Perspective of Regulators

Now I would like to discuss the grade the regulatory community has given the community banks on their corporate governance practices. Regulators typically measure effectiveness by some sort of examination assessment. Using the current CAMELS type of assessment, a review of recent Federal Reserve examination results would indicate that most community banks have effective corporate governance. Eighty-four percent of all community banks reviewed were rated highly with respect to risk management practices, including corporate governance. This is not to say that we don't see the need for improvement in certain areas. Examination findings routinely cite ways in which risk management, including corporate governance, could be improved. However, it is apparent that the senior management, boards, and audit committees in these highly rated organizations are setting annual agendas that focus attention on the high-risk and emerging risk areas within their banks while continuing to provide appropriate oversight to the low-risk areas. Internal auditors, or equivalent functions at these banks, are testing to determine whether the risk management program is effective and are communicating the results to the board and audit committee.

So, the examination results appear to indicate that the majority of banks are getting the message on the basics of sound governance. I would almost like to stop my speech here and conclude by saying, "All is well in the banking industry." However, we also performed a review of the corporate governance at the subset of banks with weak or unsatisfactory ratings.

Not surprisingly, the review identified the major challenges facing these banks to be poor asset quality and corporate governance issues, such as policies, planning, management, audits, controls, and systems. Eighty-nine percent of the community banks in this group experienced serious asset quality problems, which was the most significant factor resulting in their low rating. Sixty percent of the community banks in this group experienced significant deficiencies in corporate governance. The corporate governance deficiencies could broadly be described as internal control weaknesses, weak or inadequate internal audit coverage, significant violations of law, accounting system weaknesses, and information technology issues.

Obviously, poor asset quality and ineffective corporate governance are not mutually exclusive. When we find significant asset quality problems, we usually find corporate governance problems--particularly inadequate internal controls. Similarly, when we find significant control deficiencies, significant asset quality or financial reporting problems are generally present. So, what is the message we should take away from these statistics?

On the one hand, we could pat ourselves on the back and say that things are generally going very well for most of the industry and we can finally tone down all of the corporate governance rhetoric. Or, we could say those negative statistics only apply to the boards and senior managers at a small group of poorly rated institutions who now have to pay the price. Or, yet again, we could say that effective corporate governance is a continuous process that requires ongoing vigilance on the part of the board, audit committee, senior management, and others within your bank. I hope you are thinking along the lines of this last sentiment.

As you know, once an organization gets lax in its approach to corporate governance, problems tend to follow. Many of you can recall the time and attention management devoted to Section 112 of FDICIA, which first required management reports and auditor attestations in the early 1990s. Then the process became routine, delegated to lower levels of management, and stale to the changes in the way the business was being run. That is when the breaks in internal controls occur. Unfortunately, trying to change the culture again is taking an exceptional amount of senior management and directors' time--time taken away from building the business. The challenge, therefore, is to ensure that the corporate governance at community banks keeps pace with the changing risks that you will face in the coming years.

Another consequence of so much public attention on the breakdowns in controls at a few organizations is difficulty in finding good directors. One common theme we have heard during our examinations is the challenge facing banks of all sizes to retain, or attract, board members with the appropriate depth of understanding and commitment to sound corporate governance practices. Many potential directors who have the experience needed are cautious about the potential liability they face. They also would rather join a board on which they are able to balance their time among all of the areas of oversight--strategy, marketing, financial performance, human resource development, community involvement, and so on--and not just governance, compliance, audits, and internal controls. This is another result of inconsistent attention over time to good governance practices.

Operational Risk

The Federal Reserve System is also conducting selected reviews for operational risk at community banks. By operational risk, I mean "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events," which is the definition used by the Basel Committee on Banking Supervision. At the Federal Reserve, we are placing an increasing focus on operational risk. In part, this is due to the significant improvements we have seen in the last two decades in interest rate and credit risk management. Thus, weaknesses in governance and internal controls and operational risks become more apparent.

For example, at one of our Reserve Banks we are conducting a pilot program specifically geared toward the operational risk activities of smaller community banks, those with less than $500 million in assets. One of the objectives of the program is to identify and test the key internal controls used by banks to mitigate operational risk exposures. The reviews focus on specific business processes with high operational risk -- for example, the wire transfer and loan administration areas. Based on the results of these reviews, the bankers involved have responded very favorably to the program and indicated they have received measurable benefits. Moreover, the program has identified some common operational control weaknesses to which we believe community banks should pay particular attention. Let's use wire transfers and loan administration as examples.

With wires and similar transactions, the bank could suffer a significant financial loss from unauthorized transfers, as well as incur considerable damage to its reputation if operational risk factors are not properly mitigated. A few recurring recommendations from our reviews, are to: (1) establish reasonable approval and authorization requirements for these transactions to ensure that an appropriate level of management is aware of the transaction and establish better accountability; (2) establish call-back procedures, passwords, funds transfer agreements, and other authentication controls related to customer wire transfer requests; and (3) pay increased attention to authentication controls, since this area may also be particularly susceptible to external fraud.

Loan administration is an area where a bank could suffer a significant financial loss from the lack of appropriate segregation of duties or dual controls, as well as incur considerable damage to its reputation if operational risk factors are not properly mitigated. A few recurring recommendations from our reviews, are to: (1) ensure that loan officers do not have the ability to book and maintain their own loans, (2) limit employee access to loan system computer applications that are inconsistent with their responsibilities, and (3) provide consistent guidance--policies and procedures--to line staff on how to identify and handle unusual transactions.

We have several other recommendations that resulted from these reviews and have a number of operational risk initiatives underway currently. We expect to summarize these findings and provide further updates and guidance to the industry as we move forward. But given the examples of best practice I just mentioned, these are not revolutionary insights. Well-run organizations have these or similar controls in place. We hope these studies serve as reminders that can be used to help bank managers keep the focus on continuous improvements in internal controls as part of the normal business process.

Observations on Best Practices

Finally, I would like to focus on some best practices for corporate governance at community banks. Rather than talk broadly about best practices, I'll focus on certain aspects of internal controls and operational risk management.

Best Practice 1: Adopt a recognized internal control framework that works for the bank.

All banks have some framework for internal control. What I'm suggesting as a best practice is to adopt a version of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's Internal Control--Integrated Framework.3 Don't be put off by the titles of these frameworks. These frameworks are flexible enough to work effectively at a $25 million bank or a multi-billion dollar financial institution. The COSO framework describes how each internal control element can be tailored to smaller and less complex organizations. For example, if COSO is used as a best practice, you should modify the five following elements of internal control to meet your organization's needs.

    Control Environment --Board members and senior managers should identify the bank's key business strategies, objectives, and goals and tailor COSO to influence the bank's management philosophy, culture, and ethics to establish and maintain an appropriate control environment.
    Risk Assessment--Managers should look at the risks inherent in the businesses and processes they manage, and determine the bank's risk appetite and establish risk measurement practices that are appropriate for their organization.

    Control Activities--Managers should establish and maintain controls and monitoring processes that ensure they will be effective in achieving the organization's profit and other objectives based on a designated level of risk. Managers should monitor the organization's business plan to assess how risk exposures are changing and determine whether new controls, or changes in existing controls, are needed to manage that level of risk.
    Information and Communication--Information required to successfully achieve the organization's control objectives should typically be accumulated in a management information system and should be communicated through reliable channels to all responsible parties--from tellers to board members. Normal bank communication channels should normally be adequate for this purpose. However, new channels may be necessary if the type of information is too sensitive to communicate over existing channels, or if that information may be risky to the individual making the communication (in other words, the knowledge of an incident of identified fraud for a whistle blower).
    Monitoring--Monitoring should typically be the role of internal audit. A number of community banks do not have a permanent internal audit department. Recognizing this, each community bank must develop a review (audit) function that is appropriate to its size and the nature and scope of its activities.

As you may know, COSO is just about to release a revised framework that will incorporate enterprise risk management (ERM). When this is issued, the best practices in these five elements will need to be re-evaluated to address ERM.

Best Practice 2: Adopt a program for independently assessing the effectiveness of internal controls on at least an annual basis.

Boards of directors and audit committees are responsible for ensuring that their organizations have effective internal controls that are adequate for the nature and scope of their businesses and are subject to an effective audit process. Effective internal control is the responsibility of line management. Line managers must determine the acceptable level of risk in their line of business and must assure themselves that they are getting an appropriate return for this risk and adequate capital is being maintained. Supporting functions such as accounting, internal audit, risk management, credit review, compliance, and legal should independently monitor and test the control processes to ensure that they are effective.

Implementing management reports on internal controls comparable to those required under Sarbanes-Oxley and FDICIA 112 can also assist community bank boards of directors and audit committees in obtaining a better understanding of the controllable risks within the bank and the quality of the controls in place over those risks. Sarbanes-Oxley and FDCIA 112 require an annual management assessment of internal control effectiveness and an attestation of management's assessment and the effectiveness of controls by the bank's external auditor. Community bank management could perform periodic assessments of internal control effectiveness. Another group of employees within the bank could perform an independent evaluation of management's report.

By independent, I do not necessarily mean an external auditor should be engaged to issue a report. In this sense, independent may mean that internal audit is brought in to perform something similar to an external auditor's attestation. The details of such an approach need to be worked out. The important point is that the audit committee should have some reasonably independent assessment of management's report. Audit committee members could use these reports to set the audit plan for the next year, to track how risks have changed and are changing within the organization, and to facilitate discussion of which controls should be added.

Best Practice 3: Adopt a framework for assessing operational risk

Over the past few years, the discussion of operational risk management has increased significantly in banking circles. In 2003, the Basel Committee released a paper, "Sound Practices for the Management and Supervision of Operational Risk."4 This paper sets forth a set of broad principles that should govern the management of operational risk at banks of all sizes. Although operational risk is nothing new to community banks, the prospect of addressing this risk in a structured framework with measurable results is something new.

The broad variety of products and services that banks provide, the evolution of business processes, and changes in the ethical environment in which we live have all contributed to more observable exposures to this type of risk. Managers and boards are beginning to gather the information necessary to monitor and understand the growing risks inherent in their operations. Supervisors are developing approaches for measuring and evaluating operating risk. At the Federal Reserve, we are studying different approaches and have a project underway to develop guidance on how to address this risk. In the near future, we plan to compare our observations on best practices on internal controls and operational risk management practices with yours to develop some useful resource materials for good corporate governance at community banks.

Conclusion

In conclusion, community banks are further improving their traditional focus on strong corporate governance. Those banks leading the way recognize that the culture of governance, ethics, and controls cannot readily be switched on and off. They build a culture of accountability and ethics to make governance a part of every strategic plan and daily operation. Banks are also beginning to focus more attention on operational risk issues which are an essential part of the overall risk management plan of the organization. The Federal Reserve has a number of initiatives underway, and we plan to work with community bankers to continue to identify emerging best practices.


Footnote

1.  Pricewaterhouse Coopers and the Economist Intelligence Unit, "Governance: From Compliance to Strategic Advantage,"(April 2004). Return to text

2.  Grant Thornton, LLP, Eleventh Annual Survey of Community Bank Executives, (January 2004). Return to text

3.  Committee of Sponsoring Organizations of the Treadway Commission, Internal Control - - Intergrated FrameworkReturn to text

4.  Basel Committee on Banking Supervision,"Sound Practices for the Management and Supervision of Operational Risk," (February 2003). Return to text

Return to topReturn to top

2004 Speeches