When 2020 ends, expect to hear a collective sigh that this most unprecedented and challenging year is finally in the rearview mirror. However, the end of the pandemic isn’t tied to a date on the calendar.
Epidemiologists and economists predict that the most difficult effects of the coronavirus pandemic will continue well into 2021, and its shadow will linger even longer. As financial institutions anticipate the new calendar year, they must keep these predictions in mind while also getting ready for the next disruptive event.
That is why bank corporate governance is more important than ever. 2020 reminded us of the vital role that corporate governance plays in effectively navigating the unexpected, identifying the opportunities it brings and adapting for long-term survival.
Seven areas of bank corporate governance were make-or-break factors during the pandemic and deserve particular attention in 2021.
Looking back, it’s hard to believe how quickly our industry had to pivot to meet the challenges of the coronavirus pandemic. The time between the first news of the virus and state and local lockdowns was a relative blink of the eye. Financial institutions had to migrate employees and functions to almost 100 percent remote capability at warp speed while still serving their customers.
With employee and customer lives upended so quickly and thoroughly, agile communication became a crucial factor in navigating the pandemic. The last nine months provide valuable insight into the essential elements of a post-2020 corporate communication strategy that is ready to address everyday operations as well as the next crisis situation:
- Two-way, transparent lines of communication between the board of directors and senior management
- Active listening from and situational awareness by the board of directors
- A bottom-up mechanism for employees to raise red flags about emerging or ongoing issues
- A strategy for quickly and transparently disseminating vitally important yet continuously shifting information to both internal and external audiences
- The ability and capacity to immediately migrate to all-remote communications, including board meetings, departmental or enterprise-wide messaging and customer contact
Cyber Threats in Banking
Despite the pain of the initial transition, the pandemic proved that the majority of a financial institution’s workforce can operate remotely and still adequately perform all its necessary functions. But there’s a catch to this capability.
As highlighted by KPMG, the pandemic exposed banks to more cybersecurity risk: “It’s an unfortunate fact that fraudsters tend to prey on unexpected events or challenges.” The industry’s response to COVID provided cybercriminals with a slew of opportunities to exploit.
For example, employees working from home are potentially on what KPMG calls “hostile home networks.” In essence, everyone in the household is using the same network and “clicking on links and content of many different kinds, potentially exposing devices to malware that could enter the bank’s IT infrastructure if the right endpoint controls are not in place.”
Furthermore, employees are dealing with more outside stress than ever. They are worried about their health and that of their families. Working parents are dealing with distance learning for their kids. And the pandemic may be putting employees under increased financial pressure. These distractions make them more susceptible to social engineering schemes, diminishing your bank’s cyber hygiene.
Financial institutions must identify and mitigate the risk variables arising from any given crisis situation or unexpected event. Therefore, a robust corporate governance framework has to include a process for frequently and routinely monitoring, reviewing and updating the enterprise mechanisms that facilitate such mitigation. This includes the following:
- Corporate Policies: With specific focus on IT policies, including Bring Your Own Device (BYOD), remote access, wireless, email, encryption, firewall and incident response policies
- Internal Controls: Including the Center for Internet Security (CIS) Controls, such as secure configuration, administrative privileges, access management, malware defense and vulnerability management
- Awareness Campaigns: With consistent messaging that describes and stresses the importance of good cyber hygiene to all internal and external audiences
Strategic Planning for Physical Space and Digital Channels
For many financial institutions, their branches continue to operate with limited internal customer access due to state or local pandemic restrictions. Some still have a significant number of corporate and back-office functions being conducted remotely for that same reason or out of an abundance of caution. This leaves a lot of unused physical space that costs money to lease and maintain.
In October 2019, The Financial Brand noted that, “almost every financial service traditionally handled at a bank branch can now be handled digitally, and a growing number of customers prefer it that way.” However, there was arguably still a role for branches—one more focused on consultation and customer support, especially for customers slower to accept and migrate to everyday digital banking.
COVID may have been the last push needed to convert digitally-reluctant customers because they had no other choice for their everyday banking. But will they abandon digital banking when the branch doors are fully open again? As part of their strategic planning, financial institutions need to accept that the digital transformation timetable has substantially accelerated.
And the next logical exercise is critically assessing the following:
- The future role of branches based on customer preferences
- The size and expense of the brick and mortar footprint
It’s obvious but worth stating that the longer the coronavirus pandemic lasts, the more economic havoc it will cause. The good news, according to industry observers such as Deloitte, is that bank “capital ratios were the strongest going into this crisis than at any time in the last decade.” However, McKinsey notes that could change depending on the severity of losses due to loan defaults and increases in risk-weighted assets.
In 2021, boards and senior management will need to critically assess and delicately balance an array of factors in order to ensure their ability to preserve and raise capital, including:
- Stock buybacks
- Compensation plans
- Cost structures
- Asset/liability mix
- Credit portfolio strength
- Loan loss reserves (in general and as it impacts CECL)
Overlaying all of that, financial institutions need to keep a close eye on their reputations. Ultimately, their ability to preserve and raise capital is inextricably tied to their standing as both a trusted community resource and a safe and sound enterprise.
Corporate Banking Dynamics
The drastic upheaval of the pandemic and other geopolitical and societal events of 2020 should also provoke internal introspection by bank boards and senior management. In particular, good bank corporate governance now calls for assessing and reevaluating institutional positions on the following:
- Overall risk appetite given the economic impact of the pandemic
- Board and senior management succession planning in the event individual members are incapacitated by COVID or other circumstances
- Overall staffing levels and contingency planning, especially for roles involved in core functions
- Health and safety protocols for employees and customers in response to COVID
- Work-from-office versus work-from-home environments from a cost/benefit perspective
- Respect for free speech and civic discourse balanced against workplace policies
- Inclusivity and diversity in light of 2020 activism
Business Continuity Planning for Banks
In 2020, financial institution business continuity and disaster recovery plans were put to the test like never before. After all, it wasn’t one localized area affected by a tornado or a hurricane. Coronavirus was everywhere and has no concrete end.
This real-time test of business continuity plans likely exposed their strengths and shortcomings in key areas:
- Priorities: Did your Business Impact Analysis correctly assess and prioritize business functions, classify and protect sensitive and critical level data, and identify all relevant interdependencies?
- Assumptions: How accurate and true-to-life were your plan’s assumptions, in particular its threat analysis of the potential scale of a public health disaster?
- Responses: How quickly and successfully was the plan activated? Were the right human and technical resources in place both internally and at critical third-party providers? Did it provide a remedy for a long-term disruption?
Questions such as these need to be addressed so that business continuity plans can be updated and theoretically re-tested to better prepare banks for the next disrupting event.
Agility: The Must-Have Ingredient for Future Success
This year has proven that agility is the essential element that must be intentionally built into corporate governance frameworks—especially in the six areas discussed here—in order for institutions to navigate foreseeable change like digital transformation, and unforeseen events such as the coronavirus pandemic.
Without this ability to adapt and adjust to changing dynamics, financial institutions will miss out on the opportunities that inevitably arise out of challenging situations. Rigidity in thought or practice is no better than willful blindness. Each only serves to impede growth and cede the playing field to traditional and non-traditional competitors who are more than willing and able to seize the advantage.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprise-wide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With over 30 years of experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.