Working with a range of multinational companies over the years, I've had the privilege of collaborating with knowledgeable senior executives and directors who "get" risk management. On occasion, however, I've encountered extraordinarily self-confident business leaders who spout what they consider truisms about risk management that are simply false.  

In one such instance, a board member of a multinational technology company emphatically insisted that because his company was complying with the Sarbanes-Oxley Act's Section 404 provision on internal control, it was guaranteed to have an effective, broad-based risk-management process. Despite feeling my blood begin to boil, I like to think I maintained a professional posture as I explained how he had been misinformed.

There's no shortage of cases where misguided views of how risk management works hindered organizations in designing and implementing their programs. Consider the example of the risk of security lapses for the Labor Department's monthly issuance of the consumer price index. Any advance knowledge—even by a few seconds—of the soon-to-be-published index could, with high-speed trading techniques, turn the advantage into millions of dollars in profits, giving the Labor Department and the media company involved a serious black eye.

Although the Labor Department had long-standing protocols in place to prevent advance access, it still worried that security lapses—including the concern that representatives inside the Department's “lockup room,” where press members are sequestered as they prepare their coverage of the release, could give traders advance notice of the numbers. Indeed, an investigation had found that BlackBerrys and mobile phones with cameras had been brought into the room undetected in the past.

While there appear to have been no major breaches, the Department of Labor decided to take further precautions, including requiring media outlets to replace their computers with equipment that had tighter controls. Executives at media firms pushed back, insinuating that since a major breach hadn't occurred, there wasn't a security risk.

The suggestion that a risk exists only after a damaging event has occurred is mind-boggling! We can only scratch our heads and ask why supposedly knowledgeable people have to be reminded—or taught—that a risk is an event that potentially could take place. Yes, risks include the potential of recurrence of past events—but central to risk management is identifying events that could take place, even if they haven't already, and based on likelihood, impact, and velocity, deciding what to do about them—before they occur.

That point may seem obvious, but we see companies across industries that seem to continually focus their risk-management energy on the types of risks that have already caused damage to their organizations. Yes, such risks should be on radar screens, but it's of critical importance that other significant risks are also identified and addressed.  

Banking Blunders

Let's take a look at this from the perspective of the banking industry. We know that major banks have long had some of the most sophisticated risk-management processes, focusing on interest-rate risk, market risk, liquidity risk, credit risk, and legal and regulatory compliance risk, among others. These institutions' senior managements, including the chief risk and compliance officers, have long dealt with risks on an ongoing basis.

We can only wonder whether there's been sufficient focus on what did not previously occur, or did with only limited effect, but that could happen with much greater adverse effect in the current political and regulatory environment. Recent lapses in risk management seem to indicate a pattern of ignoring risks of incidents that hadn't occurred in the past:

The large banks that provide information to the British Bankers' Association for setting the Libor rate are under attack for manipulating rates to benefit their trading positions and make their financial condition look better. Was this on banks' radar screens as a significant risk? Did senior executives consider the consequences of a manipulation scandal? Based on what's come out recently about the warning signs at Barclays, one can only wonder. One analyst estimates fines, penalties, and class-action lawsuits may cost the industry more than $20 billion, when all is said and done.

UBS has had more than its fair share of non-compliance. There was the fraudulent activity creating secret Swiss accounts to support U.S. taxpayers' non-payment of income taxes; it was fined for acting as an unregistered broker-dealer and investment adviser in the United States; it lost over $2 billion in a “rogue” trader's activities; and it settled charges that it engaged in fraud by selling auction rate securities with a reported $22.7 billion reimbursement to clients. To top it off, the bank admitted to having engaged in bid-rigging in the municipal bond markets. Did UBS recognize these as risks before they caused damage?

HSBC stands accused of letting Mexican drug cartels, Saudi Arabian banks linked to terrorist organizations, and Iranians circumventing U.S. sanctions use the bank as a money laundering machine. It's reported that for years HSBC gave its lowest risk rating to Mexico “despite overwhelming information indicating that Mexico was a high-risk jurisdiction for drug trafficking and money laundering.” This is a recurrence of past misconduct, as the bank has had money laundering violations and vowed to fix the problems, but still they persist. A U.S. Senate report called the bank's culture “pervasively polluted,” and investigations now are being conducted by the Justice Department, Federal Reserve, Office of the Comptroller of the Currency, and Manhattan's District Attorney.

These risk failures are, of course, in addition to the breakdowns that occurred in issuing and selling mortgages, leading to the fiscal crisis that brought the financial markets to the brink. And trading fiascos such as the one JPMorgan Chase recently endured add to the image of less than insightful risk-management processes. We've come to expect after-the-fact apologies, with one of the most recent from HSBC Chief Executive Officer Stuart Gulliver saying the bank is taking steps “to manage [money laundering] risks and ensure compliance more effectively.”

Whether banking executives considered in advance the potential direct adverse financial effect on their organizations of these potential problems can't be known, but it doesn't appear that they did. A skeptic, however, might say the profits were so great that conscious decisions were made to simply accept related fines and penalties as a cost of doing business.

In any event, we can question whether executives considered the shifting dynamics of the regulatory environment, with related fallout including reduction of the considerable power the banking industry held in shaping laws and regulations, including the Dodd-Frank Act's Volcker Rule. Another consideration is whether the misconduct has provided additional reasons for former CEOs of large banks to join others in calling for the dismantling of business models by reinstating the basic provisions of the Glass-Steagall Act.

Undoubtedly senior executives now are well aware that regulators increasingly are bringing charges not only against their institutions, but also against individuals with the potential of huge fines and lengthy prison sentences. With all that bankers now have to contend with, one would think that risk-management radar screens will become sharper with greater peripheral vision and attention to the blips that do appear.

A Need to Educate

As a chief risk officer, ethics and compliance officer, general counsel, chief audit executive, or other influencer of your company's compliance and risk-management processes, you may interact with high-powered individuals who profess to understand what risk management is all about. You know whether they do, or if they are misinformed and unwilling to open their minds. As difficult as it may be, it's critical they be appropriately advised as to what risk and risk management are really about.

It may take all the tact you can muster and perhaps a series of discussions. But education is a must, as your company's success may depend on it.