Risk Management Maven

Regulators have made it clear that ‘risk management’ is the new buzz word.”  —Rhonda Morris, Liberty Bay Bank
“Regulators have made it clear that ‘risk management’ is the new buzz word.”
—Rhonda Morris, Liberty Bay Bank

With curiosity and good cheer, Rhonda Morris promotes safety and efficiency through risk management

By Kelly Pike

Liberty Bay Bank
Poulsbo, Wash.
Assets: $71 million
Retail locations: One
Full-time employees: 21
Chartered: 2009
Website: www.libertybaybank.com

Always Seeking Answers
Rhonda Morris, a risk management officer, isn’t intimidated by auditors and examiners—because they’re her teachers.
Always seeking answers to her own questions, Morris founded an operations information-sharing peer group and participates in other IT and audit-compliance peer groups. Her first project after joining Liberty Bay Bank two years ago was to review policies and procedures to increase efficiencies, without adding risk.

“I know enough from auditing to know when something doesn’t seem right,” she says, “and I keep asking questions until it’s clear and I understand the impact or process.”

If Rhonda Morris had a catchphrase, it might be: “Have we risk assessed that?”

As senior vice president and risk management officer for Liberty Bay Bank in Poulsbo, Wash., Morris lives and breathes risk. She oversees risk assessment for IT, network systems, vendor management, privacy, interest rates, credit, compliance, physical security and disaster recovery—in addition to responsibilities in human resources, operations and IT.

Overall, it’s her job to help the $71 million-asset community bank assess its various risks and work within its risk appetite.

“Risk slips out into the conversation no matter what we are talking about,” Morris says of the role enterprise risk management plays in Liberty Bay Bank’s daily operations and culture. “Risk is a key component in everything we do. Kowing what our risk appetite is from the board level and working with that framework.”

Though the 21-employee commercial bank outsources IT and other functions, the risk management oversight required for those functions is still enormous—especially when it comes to IT exams. The bank stays on top of patches and vulnerabilities, yet breaches are inevitable. Morris focuses on having a response plan to quickly identify and recover from cyberattacks. Especially crucial, she says, is staff training—including monthly emails about the latest threats.

“That’s our biggest defense,” she says of the bank’s tight-knit group of colleagues. “Employees come in if they get something strange [in their email inbox]. They are asking instead of clicking.”

In 2013, Liberty Bay Bank was struck by CryptoLocker, malware sent via email that randomly encrypts files and holds them for ransom. The bank quickly detected the breach and its backup system recovered the infected files.

“We had protocol and backup procedures and restore procedures, and we were running fine the next day,” says Morris. “We really try to build our bank around responding quickly to threats.”

Internal auditing

While each department has its own certification program as a self-check, Liberty Bay Bank outsources its internal audit program to ensure and document that everyone is properly following policies and procedures. It’s part of the bank’s annual enterprise risk assessment, which Morris says is a regulatory expectation even though it’s not a requirement.

The bank uses four audit companies: one for financial; one for IT, quarterly penetration testing, vulnerability testing and a full audit; one for credit review; and one for everything else.

Auditors report directly to the bank’s audit committee of outside directors and can speak to the committee without bank management present. Typically the bank’s CEO and chief financial officer attend the meetings. Morris is the committee’s secretary, tracking findings or recommendations and working with management to make sure corrective action is taken.

Without hesitation or defensiveness, Morris welcomes the feedback. “That’s our report card that shows our processes and programs are working,” she says of audits and exams. “It’s the biggest indicator that everyone is working together.”

With critical functions outsourced, vendor oversight is also complicated but crucial. Morris, who spent 10 years as a bank auditor and much of the rest of her 33-year career in operations, doesn’t formally have a technical background. Yet her job often involves evaluating software and applications used by other departments that she doesn’t use, making savvy questioning essential.

“I know enough from auditing to know when something doesn’t seem right, and I keep asking questions until it’s clear and I understand the impact or process,” she says of her tenacious pursuit of answers. “I’ll find out I might have had a compromise had I not pushed or asked more questions.”

In fact, Morris’ curiosity has defined her career path. While many are intimidated by auditors and examiners, she sees them as allies. Her interest got her hired as an auditor and later in her career promoted to operations managers in charge of six branches in downtown Seattle. The first thing she did after joining Liberty Bay Bank in 2012 was to examine existing policies and procedures for ways to increase efficiency without adding risk.

Consider the community bank’s wire procedures, which used to require a lot of senior management’s involvement and time. Morris and the branch manager hammered out a way to retain dual control and meet customer expectations and cut-off times while reducing senior management involvement—with no additional risk.

The two years Morris has been with Liberty Bay Bank have been a crash course in IT and vendor management, plus the compliance requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. A member of the Washington Bankers Association education committee for the past 10 years, she says education and training is a high priority for her and the bank’s board and employees. But she tries to keep it fun when she can, even hiring someone to teach employees how to use a fire extinguisher by putting out an actual fire. “There’s nothing like hands-on experience,” she quips.

Since Morris often can’t ask a colleague when she has a high-level question, she relies on tight networks of peers at other community banks for help. She founded and still leads an operations group with 23 Washington community banks. She’s also a member of an IT peer group and an audit and compliance peer group.

“They are invaluable,” she says of the confidential feedback she gets on vendors, compliance and other issues.

And while her inner auditor is glad to see Liberty Bay Bank adhering to its policies and procedures, Morris appreciates that she also has the authority to adapt them to maximize efficiency and minimize risk.

“I don’t manage the bank’s risk alone,” she says. “Our board and senior management team help set the culture, and we work together to successfully execute and manage risk throughout the bank.”

Kelly Pike is a freelance writer in Virginia.