Top Issues for Bank Boards and Audit Committees in 2022? ESG, Cyber and Tech

In 2022, bank boards will pay greater attention to incorporating environmental, social, and governance (ESG) factors into their decision-making and focus on cyber and tech issues, according to the KPMG Bank Board Agendas: 2022. And the same goes for their audit committees.

Boards and audit committees often have divergent priorities. But in the current environment, there is even more of a balancing act necessary in pushing management for action on issues impacting the industry's risk environment, such as cybersecurity risks; economic challenges; a fast-changing and uncertain regulatory landscape; and attention to financial reporting and internal control risks—the number one priority of the audit committee.

Boards and Audit Committees Must Perform a Delicate Balancing Act

Board and audit committee priorities converge on three key areas:

  • embedding ESG, including climate risk and diversity, equity, and inclusion (DEI) matters, into discussions;
  • championing digital transformation while attracting and retaining top technology talent; and
  • monitoring the increasingly complex IT landscape and managing cybersecurity risk.

The board's fiduciary role remains oversight, and the audit committees' core oversight responsibility lies in financial reporting and related internal controls. Effective engagement in strategy discussions, which investors expect, increasingly calls for a collaborative mindset, since the current environment makes oversight and deployment especially challenging.

ESG Rulemaking and Disclosure Requirements Will Be Top of Mind

We anticipate that banks will need to provide detailed and measurable public information about how they are addressing and responding to climate change, DEI, cyber, and other ESG risks. Transparency on how these risks are managed is critical to investors, research and ratings firms, activists, employees, customers, and regulators.

Areas of particular importance include:

  • Climate Change & Credit Exposure: Climate change increasingly impacts banks' processes and decision-making. For example, it may affect a bank's decision to underwrite mortgages in at-risk areas. Banks are now increasingly expected to identify and manage credit exposure to ESG factors such as carbon-related assets and water-stressed regions.
  • Financial Inclusion: Commercial banks that can successfully provide credit and financial services to underserved populations while also maintaining security and compliance standards are well-positioned to create long-term value. As noted in the SASB standards,

"By disclosing their approach to financial inclusion and capacity building, commercial banks can provide investors with decision-useful information for assessing banks' ability to ensure long-term, sustainable value creation."

Board Responsibilities: The board should challenge management to identify material ESG matters, define meaningful metrics, develop a control framework to gather data for reporting, and obtain assurance over the completeness and accuracy of disclosures.

After determining the ESG issues that are material to the bank, the board should assess which of these issues are of strategic significance. It should then ask questions like:

  • How is the company embedding ESG issues into core business activities to drive long-term performance?
  • Is there a clear commitment and strong leadership from the top, and enterprise-wide buy-in?
  • Are the right people leading this effort, and is there coordination within the organization?

Audit Committee Responsibilities: The audit committee should encourage management to reassess the scope and quality of the company's sustainability/ESG disclosures, particularly those used by a company's investors.

As investors and regulators increasingly pressure commercial banks to incorporate ESG risks, banks that fail to do so could face decreasing returns and value for shareholders.  

Comprehensive Tackling of Cybersecurity and Data Privacy Is Key

The effects of the pandemic, rising cyberattacks and ransomware demands, and the increasing reliance of banks on technology make cybersecurity crucial. Companies that are unable to address these risks could face diminishing revenue and consumer confidence.

Board Responsibilities: Boards should insist on a data governance framework that makes clear how and what data is being collected, stored, managed, and used, and who makes decisions regarding these issues. They should also clarify which business leaders are responsible for data governance and reassess how the board assigns and coordinates oversight responsibility for cybersecurity and data governance frameworks. 

Audit Committee Responsibilities: Audit committees' key focus should be on internal control over financial reporting and probing control deficiencies, especially as they relate to whether those controls have kept pace with the changing risk profile. Importantly, the SEC is likely to address cybersecurity governance. As former SEC Commissioner Elad Roisman recently said,

“Given the increasing and inevitable reliance of advisers on technology in their businesses, it is time that the Commission bring more clarity to this issue in cases where there may be confusion about whether to notify the Commission and investors in the event of a cybersecurity breach.”

This aligns with earlier guidance from the SEC, which states:

"Crucial to a public company's ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business."

Tech and Talent Will Drive Business

Accelerating digital transformations present important opportunities for banks. As audit committees monitor and help guide finance's progress in this area, banks would do well to think about these questions:

  • Does the board understand the impacts that any new technologies could have on financial controls over financial reporting?
  • Do boards know the organization’s plans to automate as many manual activities as possible, reduce costs, and improve efficiencies?
  • Does expertise exist in-house, or would it make sense to outsource some elements of new technology, with the proper risk controls?

Bank Boards Should Not Ignore Digital Assets

There will likely be a need for boards and audit committees to establish governance and perform oversight on how to engage in digital assets. Before making the jump into this growing market, boards of banks, like all companies considering direct investments in digital assets, should evaluate how their corporate governance, accounting procedures, and internal controls will need to be updated to support successful investment strategies. A solid foundation in these areas will translate into a smoother process and help companies manage the risks and rewards that come with digital assets.


The rapidly changing financial and regulatory landscape presents complex challenges for commercial banks. But by aligning their efforts, CFOs and audit and compliance committee chairs can drive growth and value for investors and the capital markets as well as instill trust through transparency. Their work will receive close attention in 2022. 



Media contact

Elizabeth Lynch

Manager, Corporate Communications, KPMG US

+1 201-505-6316



Peter Torrente

National Sector Leader, Banking & Capital Markets, KPMG US

+1 212-872-5815
