How Examiners Are Assessing Your Risk Strategies in 2024 By Milton Bartley, President & CEO, ImageQuest Community banks, often at the heart of local economies, find themselves at a crucial juncture where their approach to risk management, particularly in cybersecurity and operational resilience, could determine their future success or vulnerability. Whether your regulator is the OCC, the FDIC and DFI, or the FRB, you will likely face a heightened focus during your next exam on how you manage and mitigate risks, making this cycle a pivotal moment for your bank. This article draws on our firsthand experiences with community bank clients across recent examinations to shed light on emerging regulatory trends. By sharing insights into the specific focus areas we have noted during this exam cycle, from business continuity to cyber expertise, we offer a roadmap for your bank to effectively prepare for your next exam. The goal is not just to prepare for the scrutiny of the next examination but to foster a culture of proactive risk management that safeguards your bank’s future in an increasingly uncertain world. Elevating Business Continuity Management to Board‑Level Priority Examiners have asked detailed questions about business continuity management (BCM), specifically how your bank tested your plans and the results of those tests. But more than that, examiners wanted to know that management regularly presented the results to the bank’s board. Examiners asked for documentation detailing when management presented BCM testing results to the board. Examiners wanted to see that management had done more than summarize BCM into a paragraph in the annual Information Security report. They wanted clear evidence that BCM planning and subsequent testing were presented to the board as a detailed report — and discussed thoroughly by management. What does that mean for you? First, you should prepare a testing calendar at the beginning of the year that details your planned BCM tests. Then, regularly update the document throughout the year, detailing test results, observed issues and relevant remediation activities. Lastly, share that information with the board or an appropriate board committee. Board Reporting and Oversight Examiners have also asked what and how often management reported to the board — specifically about cybersecurity and IT operations — and how well directors grasped essential issues. Examiners’ questions focused on whether bank directors read their banks’ annual Information Security reports and asked relevant questions of management. There were questions about the IT Strategic Plan, how recently it was updated and what visibility the board had in the process. It is part of a board’s governance responsibility to approve the IT Strategic Plan, which should include the directors being familiar with its contents. 24 West Virginia Banker
RkJQdWJsaXNoZXIy ODQxMjUw