
5 Risk Management Points Examiners Want to See in 2024

Community banks, often at the heart of local economies, are at a crucial juncture. Their approach to risk management, particularly in cybersecurity and operational resilience, could determine their future success or vulnerability.

Whether your regulator is the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Department of Financial Institutions (DFI), or the Federal Reserve Board (FRB), you will likely face a heightened focus during your next exam on how you manage and mitigate risks, making this cycle a pivotal moment for your bank. This article draws on our firsthand experiences with community bank clients across recent examinations to shed light on emerging regulatory trends.

By sharing insights into the five specific focus areas we have noted during this exam cycle, from business continuity to cyber expertise, your bank can effectively prepare for your next exam. The goal is not just to prepare for the scrutiny of the next examination but to foster a culture of proactive risk management that safeguards your bank’s future in an increasingly uncertain world. Book a consultation with us today to make your next exam the best one your bank has ever had.

1. Elevate Business Continuity Management to Board-Level Priority

In this past exam cycle, examiners have asked detailed questions about business continuity management (BCM), specifically how your bank tested your plans and the results of those tests. But more than that, examiners asked for documentation detailing when management presented BCM testing results to the board.

They wanted to see that management had done more than summarize BCM into a paragraph in the annual information security report. They wanted clear evidence that BCM planning and subsequent testing were presented to the board as a detailed report – and discussed thoroughly by management.

Simply discussing cybersecurity and your risk management strategies may not be enough for an examiner. The conversation needs to be about not only what cybersecurity measures are but also what the plan is when you experience a cyber attack. Your board needs to know how your bank will respond to the incident and recover with minimal harm to profits and reputation.

What does that mean for you? First, you should prepare a testing calendar at the beginning of the year that details your planned BCM tests. Then, regularly update the document throughout the year, detailing test results, observed issues, and relevant remediation activities. Lastly, share that information with the board or an appropriate board committee.

2. Enhance Board Reporting and Oversight


Examiners have also asked what and how often management reported to the board—specifically about cybersecurity and IT operations—and how well directors grasped essential issues, particularly around business strategy and risk management.

Examiners’ questions focused on whether bank directors read their banks’ annual information security reports and asked relevant questions of management. There were questions about the IT strategic plan, how recently it was updated, and what visibility the board had into the process. It is part of a board’s governance responsibility to approve the IT strategic plan, which means the directors should be familiar with its contents.

Given the current cybersecurity landscape, it is vital to have regular conversations with your directors about their IT and cybersecurity governance responsibilities. This risk management conversation should happen not just once a year but be an ongoing dialogue. Having these conversations allows your bank to be better prepared for risk events, like cyber attacks and other associated risks, and can improve your bottom line.

To illustrate the importance of having a technology-knowledgeable board, MIT Sloan Management Review states that companies with digitally savvy boards outperform those without digital expertise in terms of financial results. A machine-learning analysis of U.S.-listed businesses showed that companies with boards that are knowledgeable about emerging technologies experience better revenue growth, return on assets, and market cap growth. That’s why giving your board a solid understanding of the IT strategic plan is essential.

3. Understand Operational Resilience Through the Lens of Third-Party Systems

Another point examiners are making regarding your risk management is how affected your business will be if a third-party system faces unexpected downtime from a natural disaster, cyber attack, or other harmful events. You will want to ensure you have identified any systems for which it is difficult or impossible to build a redundant operational strategy (e.g., hosted core processor, SaaS-based LOB software).

Ensure your board clearly understands that if the provider is hard down for these identified systems, you are hard down, too. No one expects your bank to have a “backup” core processor, but examiners expect the board to know which systems or vendors present that risk so you can come up with the right risk mitigation processes.

Of course, your board understands this for vendors like your core processor – but do your directors understand how your bank could be impacted if other vendors were to have an extended outage? Take your ATM or ITM vendor, for example. Last year, a regional service provider’s issue affected thousands of supported devices across hundreds of banks. What would you do if your ATM/ITM service provider had an outage that took all of your ATMs or ITMs offline?

What is your process for responding to customers needing to transact with your bank if one of these services or vendors is unavailable? Has management discussed this risk management plan with your board? Do your directors know which of your other vendors could significantly impact bank operations? And do they know how your bank would adapt to that situation?

Knowing the answers to these questions about your risk management strategies can be difficult. But our team can help you prepare for these questions from examiners and keep your board updated on this information. Contact our team today to learn more about our managed security services provider (MSSP) program.

4. Elevate Your Vendor Due Diligence

You already know you must be able to demonstrate how you assess your vendors and their controls. But are you looking at the complementary user entity controls in your critical vendors’ SOC 1 and SOC 2 reports? Are you reviewing each of those and ensuring your bank has the specific controls? This expectation has always existed, but recently, examiners are diving deeper and asking for more and better evidence that you regularly evaluate these risks.

Adding more items to your or your IT team’s to-do list is never fun, but it’s a necessary part of regulatory compliance. Without knowing the potential risks your vendors present, you won’t be able to create proper risk management standards to protect your bank in case of events that threaten your operations, bottom line, and reputation.

5. Cultivate IT Leadership

Identifying risks and keeping up to date with the latest cybersecurity threats is essential to any IT manager’s job. And if you aren’t investing in continuing education for your IT staff, you might get a ding on your next exam. In one specific bank, an examiner questioned the competence of the bank’s IT manager for the role. The examiner was concerned that the person had been doing that job for several years but had not kept pace with appropriate professional development.

You should ensure your IT management staff have adequate expertise in the technologies your bank employs. That may sound simple, but if the board and senior management have little or no technology expertise, it may be difficult for the bank to supervise the IT staff effectively. You must ensure they continually update their knowledge and expertise as the cybersecurity landscape evolves.

The concern is valid, even if you didn’t have to follow compliance standards. Bad actors continually refine their attacks and improve their methods, and you need to expand your security approach commensurately. Systems and expertise that were adequate five years ago may no longer be enough to thwart a sophisticated attack. Continued education on the latest risk events can help your bank prevent cyber attacks.

Your management team – and your board – need to understand that and be willing to address aging approaches that may be creating vulnerabilities.

Are Your Risk Management Strategies Ready for Your Bank’s Examiner in 2024?

As regulatory bodies intensify their focus in these areas, banks must prepare for heightened scrutiny and view these examinations as a catalyst for strengthening their operational foundations. By prioritizing comprehensive business continuity planning, enhancing board oversight, and rigorously managing third-party risks, your bank can not only navigate the complexities of the current regulatory environment but also lay a solid groundwork for sustainable growth and resilience.

And if you need help with any of these risk management practices, get in touch with us today. We can help you develop or improve your business continuity plan, present results and information to your board, and help you find resources that mitigate risk and improve your board’s knowledge. Make your bank’s 2024 exam the best it can be today.