Risk
08/09/2024

Cybersecurity, CRE and Regulatory Risk: What Boards Face When Reviewing the Risk Appetite

Most bank boards review the risk appetite annually. Here’s a snapshot of issues to consider the next time it comes up.

Laura Alix
Director of Research

Bank boards revisiting the risk appetite in the near future have interest rate risk, new mortgage regulations and warning signs in commercial real estate to contend with. In this kind of environment, is once a year sufficient for revisiting that risk tolerance statement?

Setting the risk appetite — that is, the amount of risk the bank will accept — is a key feature of the board’s risk oversight function, along with monitoring risk across the bank and setting risk governance policies.

Forty percent of directors who took part in Bank Director’s 2024 Governance Best Practices Survey said their board reviews the bank’s risk appetite yearly. One-third engage in this exercise on a quarterly basis, and 12% said their board doesn’t review the risk appetite at all.

There’s a high level of confidence among board members in their role to set the bank’s risk appetite. Ninety-two percent of survey participants felt their board was either very effective or somewhat effective at setting the bank’s risk appetite.

“The risk appetite framework is going to be dependent upon the background of the bank,” which includes the makeup of its loan portfolio and whether it’s recently gotten into any new products or services, says Robert Maddox, a partner with the law firm Bradley Arant Boult Cummings, which sponsored the survey. “In defining the risk appetite, it’s got to be clear, it has to be specific, it needs to be actionable, and it needs to have reporting.”

One area of increased risk may be the regulatory environment. For example, proposed mortgage servicing rules, referred to as Regulation X, may be of particular relevance for banks with a significant mortgage lending business, Maddox says. Aimed at streamlining the loss mitigation process, that proposed rule may add a new dimension of risk that boards could consider when revisiting their risk tolerances around mortgage lending.

Because the proposed update could allow relief for troubled borrowers, bank leaders may want to take into account how often those borrowers fall behind. He says, “My actionable issue would be, ‘What’s the recidivism rate? How many times do they come back in? That’ll tell me, you know, am I being too lenient? Am I being too tough?’”

To ensure the board and its directors provide appropriate governance oversight on enterprise risk management, it’s important to differentiate between setting the risk appetite and evaluating the risk scorecard, says Ursuline Foley, an independent director on the board of $24 billion Provident Financial Services in Jersey City, New Jersey, the parent company of Provident Bank. As a best practice, the management team sets the risk appetite and typically presents it annually to the board for review, while the board generally evaluates the risk scorecard on a more frequent basis, usually quarterly, she says. Risk scorecards should show current key performance indicators in each area and activity compared with the risk appetite statement.

For example, if upon reviewing the risk scorecard, a board sees that its bank is beginning to approach its concentration limits in commercial real estate, it will usually have a conversation with management about next steps. Those might include tightening underwriting or pulling back in certain segments of that business line.

Other areas within the banking industry may also merit additional ongoing monitoring, particularly given increased regulatory scrutiny following the bank failures of the spring of 2023.

Cybersecurity threats also loom large over all financial institutions today and should be considered when setting the risk appetite. Unlike issues in credit risk or talent management, which may build slowly over time, a cyberattack presents an immediate crisis and the threat of financial, legal and reputational risk.

Boards need to understand that the acceptable level of cybersecurity risk will never truly be zero, Maddox says. But a tabletop exercise can help the board better understand how well-prepared the bank is for this type of risk by walking through the initial steps following a data breach.

“You’re not going to be there when senior management takes those first five steps,” he says. “But if you go ahead and do the tabletop exercise, then you as a board have become a source of strength because you have directed the bank through those first five steps.”

Risk is usually discussed in the context of being a threat to the bank’s business, but there’s also a flipside: taking appropriate risks means capitalizing on potential opportunities. Foley, who also sits on the board of Greenlight Reinsurance, gives the example of partnering with insure-tech firms. “As you know, startup companies are high risk, so you’re trying to find those companies that provide business opportunity, that align with your strategy, that have good governance within them, good founders, good ideas, and good business plans …” she says.

It’s easy to get caught up in the potential threats and downsides to the business when discussing risk, so it’s important to remember that taking calculated risks can have a positive impact for the business.

She adds, “Good business people, savvy management teams and experienced board members will always talk about the opportunity side of risk and raise discussions like, ‘This business area is changing. What does it mean to us? Is there an opportunity there?’”


Laura Alix is the Director of Research at Bank Director, where she collaborates on strategic research for bank directors and senior executives, including Bank Director’s annual surveys. She also writes for BankDirector.com and edits online video content. Laura is particularly interested in workforce management and retention strategies, environmental, social and governance issues, and fraud. She has previously covered national and regional banks for American Banker and community banks and credit unions for Banker & Tradesman. Based in Boston, she has a bachelor’s degree from the University of Connecticut and a master’s degree from CUNY Brooklyn College.