2024 Vol. 108 No. 3

DIRECTORS & SENIOR MANAGEMENT

How Examiners Are Assessing Your Risk Strategies in 2024

By Milton Bartley, ImageQuest LLC

Community banks, often at the heart of local economies, find themselves at a crucial juncture where their approach to risk management, particularly in cybersecurity and operational resilience, could determine their future success or vulnerability. Whether your regulator is the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., Department of Financial Institutions or Federal Reserve Board, you will likely face a heightened focus during your next exam on how you manage and mitigate risks, making this cycle a pivotal moment for your bank.

The following serves as a roadmap for your bank to effectively prepare for your next exam based on firsthand experiences with community bank clients across recent examinations, from business continuity to cyber expertise. The goal is not just to prepare for the scrutiny of the next examination but to foster a culture of proactive risk management that safeguards your bank’s future in an increasingly uncertain world.

Elevating Business Continuity Management to Board-Level Priority

Examiners have asked detailed questions about business continuity management (BCM), specifically how your bank tested your plans and the results of those tests. But more than that, examiners wanted to know that management regularly presented the results to the bank’s board and asked for documentation detailing when those presentations happened to prove management had done more than summarize it into a paragraph in the annual information security report. They wanted clear evidence that BCM planning and subsequent testing were presented to the board as a detailed report – and discussed thoroughly by management.

What does that mean for you? First, you should prepare a testing calendar at the beginning of the year that details your planned BCM tests. Then, regularly update the document throughout the year, detailing test results, observed issues and relevant remediation activities. Lastly, share that information with the board or an appropriate board committee.

Board Reporting and Oversight

Examiners have also asked what and how often management reported to the board – specifically about cybersecurity and IT operations – and how well directors grasped essential issues. Examiners’ questions focused on whether bank directors read their banks’ annual information security reports and asked relevant questions of management. There were questions about the IT strategic plan, how recently it was updated and what visibility the board had in the process. It is part of a board’s governance responsibility to approve the IT strategic plan, which should include the directors being familiar with its contents.
