Robert Phelps
The Board’s IT Check-Up
At the conclusion of Bank Director’s recent board compensation survey co-sponsored with Meyer-Chatfield Compensation Advisors, we followed up with some of our respondents who reported being overwhelmed by information technology concerns. Directors have the responsibility of ensuring their banks are keeping up with IT threats and safeguards, but for some, keeping on top of IT to the satisfaction of regulators is becoming increasingly frustrating and time-consuming.
Paul Schaus, president of CCG Catalyst, a consulting firm that works with banks in regulatory compliance and technology planning, spoke with Bank Director about what directors should be considering when handling IT at their bank.
BD: What is changing about the board’s IT responsibility?
Boards are in some aspects in a transition phase. Now the regulators want them to have more oversight and know more what’s going on because they are legally responsible. Just having a community member on the board isn’t the only requirement. Having somebody with expertise to bring to the table is becoming more of a factor in banking.
So what you are seeing is more diversification of knowledge because directors are responsible for that oversight. You’ve seen the change in the larger banks. It’s slowly working its way down.
The board has to do what is reasonable based on its size, where it’s located, and its infrastructure. The problem is that the regulations are written in more of a vacuum. Regulators get under pressure like anybody else.
BD: What are some steps boards can take to address this change?
It’s healthy for a board to evaluate itself, to say, ‘Do we have the right people and do we need to bring some more people on the board?’ If a director can’t add anything to the board, and you can’t train him because he’s not a finance guy or a tech guy, a regulator could look at that as the board having poor judgment.
So do your due diligence, listen to the experts, and when you don’t know, go get outside advice. There is nothing wrong with saying, ‘we don’t know and we need outside help.’ Make sure what you are doing is not putting too much stress or risk on the bank itself, including the directors personally.
If I was sitting on the board of a bank, from my perspective, I would look at my personal risk. That’s how you have to look at things. If a board member doesn’t feel comfortable about something, his view should be voiced. The last thing you want is to have a regulator come in and talk to your board and the regulator makes a comment, ‘you do understand?’ and someone says, ‘no, I don’t.’ The regulator knows you didn’t know what you were doing when you approved something in the first place.
BD: What should boards be cautious of when taking a more proactive role in IT?
Some boards really go beyond what the rules require, and they create subcommittees that are technology oriented. The [chief information officer] will work with that subcommittee heavily. There’s nothing wrong with banks that are getting more involved; it’s just that it can lead to some micromanagement issues. There is a line. If the directors are going to start micromanaging the bankers, then do they have the right people in the right positions?
The board has to rely upon the expertise of the people that are working at the bank, and if that expertise is not there, then they have to question if they have the right people. That’s the board’s responsibility.
BD: Could you leave us with some questions directors need to be asking about IT?
Yes. Here they are:
- Are we confident we have a clear and viable IT strategy that supports our business strategy?
- Are we making capital investment decisions about technology proactively or reactively?
- Is our technology strategy customer-centric?
- Are we making measurable and sustainable progress toward integrating our IT at the enterprise level, or are we still predominantly a silo-focused organization?
- Is our technology usage moving us measurably and sustainably toward greater operating efficiency?