Community bankers who regularly survey the regulatory scene recognized the FDIC Improvement Act as an clarion call for renewed emphasis of internal control and risk management.
The law, enacted 1991, mandated that banks or thrifts with assets of $500 million or more obtain an independent accountant's attestation to the adequacy of the internal controls for financial reporting.
Although smaller banks are exempt, perceptive bankers noted that some form of the requirement would probably filter down to banks and thrifts with less than $500 million in assets.
Last Nov. 14 the Federal Reserve System issued supervisory release 95- 51, "Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies."
Though the release recognized that adequate risk management programs vary considerably in sophistication, it still imposed responsibilities upon small banks to implement internal control systems.
Banks must implement "regular reviews of essential internal controls," the release said, and "the results of these audits or reviews should be adequately documented, as should management's responses to them."
The release specifies that reviews or audits can be conducted by "other" bank personnel independent of the function they are assigned to review.
Small banks are likely to be in a quandary over this, because the "others" in the bank are typically occupied full-time with the functions they were initially employed to conduct. It is unlikely that a bank too small and traditional to warrant a full-scale internal audit function would have the "other" personnel available to conduct regular reviews.
Supervisory release 95-51 also has a provision addressing the adequacy of board involvement and oversight. The board must understand the "nature of the risks significant to their organizations." Additionally, board members should be versed in "the steps management is taking to identify, measure, monitor, and control these risks."
Although supervisory release 95-51 applies to all state member banks and bank holding companies, most large banks have already addressed its requirements as necessary for controlled growth. For many small banks, though, implementing these requirements will constitute the first full embrace of a structured risk-management process and internal control system.
Small banks should assess their own internal risk management processes and internal controls. Various strategies can be employed to ensure that their risk-management processes and internal controls are adequate.
Many community banks want the benefits of an internal audit function but realize that their size and activities don't warrant internal audit departments. Outsourcing is a feasible solution.
To keep abreast of the regulatory pattern developing, banks should:
*Discuss their risk management programs with their examiners. Such discussions go beyond making examiners aware of these efforts; they also provide an opportunity for examiners to offer additional advice and guidance before examinations.
*Continue to educate executives and directors about the emphasis on risk management. Review SR 95-51's provisions on the components of a risk management program; relate that information to the bank's efforts.
*Talk to similar banks about risk-management programs.
*Use outside accountants to help determine if the existing systems are adequate.
Ms. McFall is a senior banking specialist for Elliott, Davis & Co., an accounting firm based in Greenville, S.C.
