Phil Angelides, former California state treasurer and now head of the Financial Crisis Inquiry Commission, says he just doesn’t understand how Wall Street executives can claim they never saw the meltdown coming. In his view, the evidence was sitting in plain view, especially in places like Florida and California where bad home loans were piling up. The big banks must have known full well what was going on because they were buying these loans. Yet, as Angelides stated, “We’ve heard for a year how folks on Wall Street and people in Washington didn’t see it coming.”

This doesn’t sound like a feared “black swan”: the threat nobody had considered and didn’t see coming, as proposed by Nassim Nicholas Taleb in his celebrated 2008 book The Black Swan: The Impact of the Highly Improbable. How did this happen? Why did risk management, and common sense, fail to safeguard against the financial crisis? And where were the control departments—including internal audit—when these issues started bubbling up? Today, it would seem ridiculous to even consider buying a pile of diced-up mortgage securities with scant documentation and extreme loan-to-equity values.

If black swan events are indeed random and unexpected (the “unknown unknowns”), I would propose that recent momentous episodes—such as the global financial meltdown—were not black swans at all. They were predictable; at most, these events were gray swans.

And if they were predictable, certainly they should be avoidable. As noted by Compliance Week Editor, Matt Kelly, a black swan is not what boards of directors should be concerned about. Black swan risks are, by definition, events that are beyond the realm of normal expectations. The more pervasive and dangerous risks are those staring us in the face—building up over time until it is too late. Companies should be able to anticipate the vast majority of ordinary business risks by understanding the environment in which the organization operates and putting robust governance processes in place that use the requisite expertise in the organization.

Where Were the Experts?

Departments explicitly focused on risk management—such as legal, internal audit, and compliance—should provide objective assurance and reporting on the effectiveness of the risk program to governing bodies and executive management. Auditors increasingly grasp that you can’t properly audit a business you don’t understand.

The assurance functions must have the expertise to recognize and understand the risks specific to the enterprise. For instance, were the board members at Lehman Brothers and similar failed financial institutions getting sound analysis on the dangers of the derivatives they were stockpiling? Or did the stature and perceived expertise of high-ranking operational managers dupe internal auditors and risk managers?

In a similar vein, the Securities and Exchange Commission apparently missed opportunities to nab Ponzi schemers Bernie Madoff and Allen Stanford much earlier, because the Commission’s lawyers and investigators failed to grasp the significance of the tips and information placed right under their noses.

It has become clear that technical auditing skills (with a deep understanding of the COSO framework) are no longer sufficient. To audit a process effectively, auditors must also have expertise in that process. This means having staff who are experts, or working with other units who have experts. Some companies strive to make that happen by hiring people from non-traditional backgrounds, implementing rotational programs, and providing staff with specific training in the business and subject areas they are auditing.

For example, it’s become more common for internal audit departments to hire fraud examiners or to collaborate with them in fraud risk assessments and internal investigations. Auditors should also develop expertise or work closely with experts in risk management, compliance, and ethics programs, and related governance areas when examining board oversight processes. The disconnect among internal auditors, compliance professionals, and risk managers when evaluating governance continues despite calls for more linkage of governance, risk, and compliance processes (euphemistically referred to as GRC).

Instead of rushing to hedge against black swan events, boards of directors can take measured steps to manage and disclose major risks and to help bring them to an acceptable level. A few steps internal audit departments can take to reduce the chance that they’ll overlook a gray swan include:

Ensuring your chief audit executive, chief risk officer, or chief compliance officer has sufficient clout and independence to raise concerns—even if it means going against the group consensus. A leading practice is to require board approval before a chief audit executive or similar individual can be removed;

Determining if risk-management activities (identifying risks, reporting information, etc.) are integrated into relevant business processes;

Evaluating whether risk management is well understood outside the formal risk-management functions (risk management is of less value if activities are delegated to the quants);

Ensuring critical risk information flows across the organization so it is heard and can be acted upon. Is there a process where employees can bypass superiors if risk concerns are being ignored?

Assessing whether compensation and reward structures are properly aligned.

These are topics that implicate governance (the board-management interface), risk (analysis), compliance and ethics (the risk culture and reporting concerns), and of course assurance by internal audit (trust but verify).

With appropriate expertise, internal auditors can add value by having the insight to recognize an emerging risk when others are looking the other way, along with the wherewithal to ensure the board is properly informed. It is one thing to warn of a potential risk or to advance a possible groundbreaking opportunity, but another thing altogether to convince the board and management to take appropriate notice and action.

Some commentators have lamented that the auditing function has often failed to provide objective oversight, viewing its assignment as a box-ticking exercise with limited critical analysis. A strong, rigorous approach with expert knowledge of disciplines other than finance and accounting is needed for the modern auditor. To accomplish this goal, internal audit departments must collectively possess extensive knowledge of the business and its risks, combined with a clear comprehension of the GRC disciplines.

In this manner, internal auditors who are more forward-looking can help advise on rapidly changing environments and help a company grow in a safe manner. As recent events illustrate, companies that take a comprehensive approach to viewing their risk exposure, while ensuring critical information is shared across the organization, avoid major problems.