In-House Training: The Key to Mitigating Operational Threats

Many community banks scrapped their in-house training programs years ago to reduce costs. But today a more rigorous regulatory environment, combined with increased pressure on banks to improve risk management, is causing many banks to rethink this strategy.

A strong training program can help you attract and retain quality management talent. It also can help you reduce operational risk. 

Use training as a retention tool

High turnover, especially among rank-and-file employees, often discourages banks from investing in training. They worry that, if newly trained employees leave, the bank won’t enjoy a return on its investment. But, in fact, offering training — together with a clearly articulated career development path — can inspire loyalty and help you retain your high-performing employees. Training programs can cover a broad range of subjects, from technical skills and compliance to leadership training and other executive development offerings.

Training is particularly important given the high level of consolidation in the banking industry in recent years. It’s not unusual, after a merger or acquisition, for some employees to move into new — and often unfamiliar — positions. Training is critical to ensure that these employees stick around, and succeed.

Employ training as a risk management tool

In today’s highly regulated, technology-dependent banking industry, regulators are placing a great deal of emphasis on risk management, particularly management of operational risk. (See “‘Operational risk’ for the record.”)

One of the keys to managing operational risk is well-trained personnel at all levels. After all, no matter how carefully a bank designs its policies, procedures and controls, they’re only as reliable as the employees entrusted to implement them. Thus, training is re-emerging as the Big Kahuna for preventing operational risk.

Here are a few examples of operational risks that can be reduced with good training:

Cybersecurity. As banks’ reliance on technology and automation continues to increase, so does their risk — and potential damage — from cyberattacks. And even though the techniques cybercriminals use are becoming more sophisticated, many banks also remain vulnerable to simple tactics, such as email phishing.

Phishing involves sending emails to bank employees or customers that appear to be from a legitimate source. By tricking recipients into clicking on links that install malware, cybercriminals gain access to bank assets or to customers’ sensitive personal information.

Often, these attacks can be avoided by training employees to recognize the red flags of fraud and teaching them how to deal with suspicious emails and other communications. 

Lending. Today, the lending process is heavily regulated by the Consumer Financial Protection Bureau (CFPB) and other banking agencies. Failure to comply can expose a bank to a high level of risk — with penalties ranging from monetary fines, to rescission of loans or other contracts, to criminal liability.

A particularly important regulation today is the CFPB’s ability-to-repay (ATR) rule. The rule generally requires lenders to make a reasonable, good-faith determination of a borrower’s ability to repay a mortgage. A qualified mortgage contains certain terms and conditions designed to reduce the borrower’s risk. Thus, it’s presumed to satisfy the ATR rule.

For many community banks, however, the qualified mortgage requirements restrict their ability to serve their customers. To comply with the ATR rule, these institutions must train their loan officers on how to evaluate and document a borrower’s ability to repay, based on factors such as current income and assets, employment status, credit history, monthly expenses, and debt-to-income ratio for loans that don’t meet the standards for one of the various types of qualified mortgages.

A way to stay current

As community banks continue to launch new products and services, take advantage of technological innovations and outsource critical activities, they’ll be exposed to increasing operational risks. A strong in-house training program can help banks manage these threats.

Operational risk” for the record

The Basel Committee on Banking Supervision articulated a definition of “operational risk” that’s generally accepted today: “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.”

It’s a broad definition that encompasses a variety of risks, including cybersecurity, internal and external fraud, regulatory compliance, lending, and vendor management. It’s also high on the list of banking regulators’ concerns. 

For example, the Office of the Comptroller of the Currency, in the June 2015 installment of its Semiannual Risk Perspective, reports that operational risk is elevated among banks — both large and small — for several reasons, including the amount and pace of internally and externally initiated change, and greater interconnectedness and interdependencies. Also cited were increased sophistication of cyberthreats and pervasive technology vulnerabilities.

The report also describes several “key risk themes” related to operational risk, such as:

• Increasing pressure on business models as bankers launch new products, leverage technology, reduce staffing, outsource critical activities and re-engineer business processes,
• Failure to incorporate “resiliency considerations,” including cyberevent recovery, into governance, risk management or strategic planning, and
• Vulnerability of banks and their employees, customers and service to cyberattacks.

© 2015