Tuesday, December 15, 2009

I have recently added a new section to my website, where I will publish a series of "Working Papers" on topical risk management subjects. The first of these is on Target Risk, others will follow.

Target Risk was written following a recent enquiry about the subject. In particular I was asked whether I knew of any other organisations that were using the concept of target risk, and if so how they were defining it. In essence I was asked whether my client was being consistent with best practice and with general usage. Given that this exercise was done by talking to other clients, contacts and consultants, I am now sharing the results of that exercise. To see a copy of the paper, click here.

Governance article: while I am writing, you might be interested to see a very short article that was published in "Governance" recently on my views as to whether the Walker Report will make the slightest difference to the state of Corporate Governance in the UK. To see a copy click here.

I thrive on feedback - let me know what you think.


Tuesday, October 13, 2009

Three Lines of Defence - Dead or Alive?

I went to a hearing at the European Commission yesterday. They wanted to know what professionals, experts, regulators, bankers and others thought about Corporate Governance, the role of shareholders, and risk management. There were three panels, but the one that I participated on, and which is prompting this post, was the one on risk management. One of the panelists put forward the view that internal control and risk management really needs the Three Lines of Defence (1: Line Managers manage risks, 2: Risk Managers set policy, 3: Internal Audit confirms compliance with policy etc).

I argued that Three Lines of Defence (TLD from now on) had not worked... witness RBS and HBOS and others in the States etc. To which this participant replied, but had it been done better it would have provided clear guidance on what should have been done.

My contention is that TLD divides assurance (actually that should be Assurance with a capital A), and Assurance should not be divided. What we need is: a balanced view of risk, ethical programmes, mature risk management, a risk management and assurance framework, and an organisational structure that works. Now TLD might do that, but it is not the only way at all.

So I am arguing that TLD is fine if you really want it, but don't depend on TLD to protect you next time round. It wasn't that we were slightly wrong in our approach to risk management, we were fundamentally inadequate and TLD did not spot that...

I would welcome your comments, either here, on LinkedIn, or via my website.



Friday, October 2, 2009

Risk oversight committees in Banks and Other Financial Institutions

You will all be aware that Sir David Walker issued his consultation paper on Corporate Governance in UK Banks and Other Financial Services Entities (BOFIs for short) on 16 July. There may well be some overlap here with the SEC recommendations. In my view there is a lot to be welcomed in Sir David's report, however there are a few areas where further fresh thinking would be merited.

My main recommendations are fourfold:
  1. I continue to believe that we need to see a paradigm shift in Corporate Governance. In order to make incumbent boards and individual directors take this seriously we need to see new fiduciary duties relating to Corporate Governance responsibilities, which should be discharged with due and diligent care.
  2. I applaud the recommendation to create effective board risk oversight committees. I happen to believe that the remit as described in Sir David's paper is insufficient for the purpose. The remit and mechanics should:
  • Encompass the development of a balanced view of risk;
  • Include the oversight of the development and implementation of a robust ethics programme;
  • Encompass the periodic assessment of the maturity of risk management;
  • Include the development of a risk management and assurance framework that is fit for purpose; and
  • Address the development of an appropriate risk management organisation.
  3. Although it may well be difficult, in the context of the worst dereliction of Corporate Governance responsibilities of recent economic history, I continue to believe that we should find ways to make a form of permanent, full-time non-executive director role work in BOFIs (and other organisations) that have a major societal impact.
  4. I continue to believe that the most important attribute of a non-executive director is an ability to act in a challenging, and yet supportive, manner. Akin to risk management, the role of such directors is to periodically pierce the “perfect place arrogance” that develops in large corporate organisations. I am therefore less interested in the sectoral background, while of course acknowledging the need for a number of the directors to have BOFI backgrounds.

I set out more detail supporting my recommendations in my letter to Sir David, a copy of which can be found at http://randerson-assocs.co.uk/WalkerConsultationPaper.aspx. I would be pleased to hear what you think of (a) Sir David's consultation paper and (b) my responses, and whether you believe Corporate Governance will improve as a consequence of his work.

Kind regards


Thursday, August 6, 2009

Is ERM becoming more important or not???

I have created a small poll on LinkedIn about ERM and its mounting importance following the financial crisis. Click HERE to go to the poll.

Let me know what you think.


Tuesday, May 12, 2009

The frailty of VaR

A great article from way back when in January by Joe Nocera of the New York Times. It looks at the frailty of VaR and should be required reading! Click here.

Friday, April 17, 2009

OECD Report

As I have either said, or hinted at elsewhere, I was commissioned by the OECD to review Corporate Governance, risk management and remuneration in the banking sector in the UK, the US and France. My report has now been published, and can be found in full here. The same link will also take you to a shorter summary report. Be warned that the full report is over 50 pages long...

What people have said about the report:
  • "Insightful"
  • a "pithy summary"
  • "This is a strong, impressive report. Your grasp of the issues in a still-unfolding international financial disaster is not only impressive, but lends credibility to your recommendations which, taken together, are peerless. I hope that they are widely read, debated and, ultimately, implemented. I will not comment on each of your recommendations, nor your analyses and arguments in support of them, because there would be nothing substantive that I could add."
  • "I have to read about risk day in and day out on the day job so for balance I prefer to read about other topics. But ... I made myself read it and I am glad I did. You paint a valuably comprehensive picture, and propose many innovative solutions."

I would welcome your feedback and thoughts as to how we can take the debate further.

Also, go to the OECD's website to see what else they are doing on the governance front.

Wednesday, April 15, 2009

Myners and boards

I think Lord Myners' comments on boards are well worth reading. See here.

I am not sure about having a "Devil's Advocate", in that it sounds a bit like having someone on the board just to be contrary. But I do agree that we need to do something about creating a counter-balance to what I have described elsewhere as the "red-blooded, testosterone-charged" CEOs of this world.

I would be interested in feedback.

Thursday, March 26, 2009

The SFO calls... Recessionary tales of the unexpected

Who will your disgruntled employee talk to first? You or the SFO? The SFO is putting paid-for advertising into the media asking for whistleblowers to come forward (see here), or, for a legal perspective, see DLA Piper’s note on the subject (see here).

What are the business implications? What can you be doing right now?

Here we are in the worst recession in ages, if not since records began, and employees are under incredible pressure to produce results. Investors want results, boards are demanding results, managers are shouting for results, and who produces them? But staff cannot pull rabbits out of hats, so they are feeling coerced into manufacturing results that simply do not exist.

People who have led blame free lives, who would not say boo to a goose, are being encouraged to come up with results for their managers, or risk losing their jobs. Accountants and others are losing sleep over the “temporary” adjustments they have made – all in the expectation of making good next month. Except next month is even worse. Ask Bernie Madoff – and look where he ended up.

These staff, who are under excruciating pressure need to be able to let off steam. So who will they call: someone in your organisation, or the SFO? Indications are that more and more people are calling the SFO. And while we can all applaud the efforts to catch the crooks – is this really where you want to be spending your hard-earned management time: dealing with an SFO investigation?

So what can you do?

1. Review your ethics and compliance approaches: do you have an ethics programme? Do you know that you are in compliance with legal and regulatory requirements? Is it time to dust your programme down and remind people that it exists? Or do you need to create a framework right now?
2. Ensure that you have space for staff to let off steam. Vague whistleblowing policies about letting someone know somewhere in the organisation don’t usually work: there needs to be an independent (but that does not necessarily mean outsourced) mechanism that is both credible and seen to work. Make sure that communication programmes are in place, and that people feel that ethics is as much there to support them as it is for the organisation. This needs two-way risk-free communication.
3. Conduct an independent, anonymous survey of attitudes amongst senior managers and front line accountants – those who are most likely to know what is going on. Surveys in the States have shown that whereas a typical whistleblowing facility may have 1% of the staff using it for its primary purpose, a further 4% might explore ideas which could prevent abuses. And yet as many as 50% of staff, according to surveys, claim to have witnessed illegal or potentially seriously embarrassing unethical behaviour. Where did that 45% go?
4. Talk to partners, suppliers and customers – proper engagement with them, so that you have a dialogue which helps to reveal where pressure points are in the value chain.
5. Review those reconciliations and funny accounts – all the ones that are full of judgemental values. This is often where dodgy results start – implement a zero-tolerance policy with regard to unauthorised adjustments to these accounts.
6. Get your internal auditors on to the case: a few deep dives into trial balances and transactions send out a message.
7. Bring your risk management down from the Olympian heights of governance compliance and turn to operational risks.

And if all of that sounds like yet more expense – well, it's better than having your collar felt by the SFO because you never got round to it...

Oh, and while this has a UK flavour (note the "u" in that word) it is relevant right round the world.

Monday, March 23, 2009

Turner Report

Lord Turner, Chairman of the FSA, set out his proposals for reforming the regulation of banking in the UK on 18 March 2009. The report emphasises, amongst other aspects, the importance of changing from a "light touch" approach to managing on a systemic basis. However, he does acknowledge the importance of Corporate Governance and internal risk management procedures, although final proposals await the Walker Report which will be published in October 2009.

The brief section on governance and risk management is nonetheless interesting in that it illustrates the thrust of likely changes. I have reproduced this section in full below.

2.8 Risk management and governance: firm skills, processes and structures

Analysis of the causes of the crisis suggests that there is a limit to the extent to which risks can be identified and offset at the level of the individual firm. Chapter 1.1 described how the origins of the crisis lay in macroeconomic imbalances and systemic developments: Chapter 1.4 argued that there are limits to the effectiveness of market discipline; and Section 1 of this chapter stressed that the crucial shift required in regulatory philosophy is towards one which focuses on macro-analysis, systemic risks and judgements about business model sustainability, and away from the assumption that all risks can be identified and managed at a firm specific level. As a result most of the changes proposed in this review relate to the redesign of regulation combined with a major shift in supervisory approach.

But improvements in the effectiveness of internal risk management and firm governance are also essential. While some of the problems could not be identified at firm specific level, and while some well run banks were affected by systemic developments over which they had no influence, there were also many cases where internal risk management was ineffective and where boards failed adequately to identify and constrain excessive risk taking.

Achieving high standards of risk management and governance in all banks is therefore essential. Detailed FSA proposals will await the outcome of the Walker Review (described below) but the key dimensions of required improvement are likely to be

  • Improved professionalism and independence of risk management functions. As already outlined in Section 2.7 above, the FSA will therefore in future play a more active role in assessing the technical competence of senior risk managers. And it will consider whether governance structures for risk oversight need to be changed, with a more direct relationship between senior risk management and Board risk committees
  • Risk management considerations embedded in remuneration policy, in the fashion described in Section 2.5 (ii). This has implications for the remit of remuneration committees and for the non-executive time commitments required
  • Improvements in the skill level and time commitment of non-executive directors. The crisis has revealed the extreme complexity of large banking groups and the difficulties which nonexecutive directors (NEDs) face in understanding all dimensions of the risks being taken, within the time commitments typically required of NEDs. It has also raised questions about the degree of technical skill and experience required to perform risk committee functions, and whether existing bank boards have sufficient people with these technical skills. In addition it has demonstrated the vital importance of non-executive challenge to dominant chief executives pursuing aggressive growth strategies
  • Shareholder discipline over corporate strategies. As Section 1.4(iv) described, shareholder influence seems to have been relatively ineffective in the past in constraining risky strategies. There may be ways of improving the effectiveness with which shareholder views are communicated to non-executives

These issues and the implications for overall governance principles and structures need to be looked at in an integrated fashion. One question they prompt is whether the governance arrangements appropriate for banks are different from those which apply to the generality of companies, and whether therefore codes and rules which go beyond the general Combined Code are required.

These issues will be in part addressed by the review of bank governance being conducted by Sir David Walker which the government announced on Monday 9 February and which will report in October 2009. The FSA, which is providing the secretariat for this review, will work closely with Sir David Walker in consideration of these issues. Once the review has reported, the FSA will consider what changes to its rules and process are required to ensure that problems are addressed, making specific proposals by the fourth quarter of 2009.

It will be interesting to see how this turns out under both the FRC review of the Combined Code and also the Walker review. For what it is worth, my view is that there is nothing intrinsically different about the governance of financial institutions just because they are financial institutions. While clearly there are differences in the technical aspects of risk, what seems to me to be more important is the potential societal impact of poorly handled risk in an organisation. Poorly handled risk in, say, chemical companies can be as (or even more) devastating than in banks: look at Bhopal or the BP refinery problems in the US. I am more interested in big v small impact organisations. One key difference may be whether there are Critical National (or International) Infrastructure implications, or whether there is scope for major disasters. I add the latter because I am not sure whether Pharma companies are part of the CNI, but they can have devastating impacts (eg Thalidomide).

For the full detail of the Turner Report, click here...

Sunday, March 15, 2009

Gordon Brown on Changes Needed

Gordon Brown on the changes needed: This article highlights the changes that GB is looking for in the global financial system. Well worth looking at. More...

Saturday, March 14, 2009

G20 Finance Ministers

G20 Communiqué from the G20 Finance Ministers. It will be interesting to see whether Corporate Governance forms part of the stronger regulatory and oversight regime: hard to imagine that it won't. More...

Thursday, March 12, 2009

It gets better and better

See the report on Hector Sants in the FT... More...

Be frightened, very frightened

Just to prove my point on the change in mood music, see this article reporting on Hector Sants and Alastair Darling's views on regulation. Be frightened, very frightened...

(Or be prepared...)

Tuesday, March 10, 2009

Rethinking Compliance: get it right!

Compliance is about SOX, right? Wrong - it is about a wide range of issues from cartels, through corruption and data protection, to health & safety. And each and every one of them can cost money, time and reputations. In these dark economic times, it is worth revisiting your compliance programmes. Three headlines struck me as being somewhat out of the ordinary recently:

  • Aon fined for suspicious payments[1]: according to the BBC “The UK arm of the insurance broking group Aon has been fined £5.25m for making ‘suspicious payments’ worth $7m (£4.6m) to people and firms overseas. The fine was levied by the Financial Service Authority (FSA) and is its largest fine yet for ‘financial crime’.”
  • Lloyds pays $350m to end US case[2]: again, according to the BBC they have paid a $350m penalty to settle a case with the DoJ. I don’t propose to go into the rights and wrongs, because I simply do not know them.
  • Primark 'is probing law breaches'[3]: and yet another story from the BBC: “Fashion chain Primark has launched an investigation into allegations one of its suppliers has breached employment and immigration laws. The Observer newspaper reports an investigation found Manchester-based firm TNS Knitwear was paying illegal workers less than the minimum wage.” And the consequence of this: “On Saturday, Primark agreed to remove references to the Ethical Trade Initiative, the trade body which monitors Britain's top retailers, from its 140 shop fronts.”

And that is without even breaking into a sweat. I have not referenced the Satyam scandal or the Madoff Ponzi scheme. And I have not even headed in the direction of the banking failures. Apparent risk management failures are everywhere. And what is worrying is that these penalties are under what I might describe as the old regime.

The new regulatory mood music
What is for certain is that the mood music around regulation has changed from “light touch at all costs” to “meaningful” regulation. The argument for “light touch” regulation went something like this:

“Across the board we are seeing regulators adopt a more aggressive attitude. Over-enforcement of regulation can seriously damage the overall fitness of the economy. The critical point at which this starts to take effect is hard to identify, but there is a risk that we are getting close to it.”

Source: Paul Ormerod, Author of Butterfly Economics and Death of Economics in Rethinking Regulatory Risk by Baldwin and Anderson, published by DLA Piper, 2002

The counter argument was put as follows:

“Regulation is necessary to control corporate excess. Workers, shareholders and customers need protection from directors breaking the law and punitive liabilities send a clear message. Directors should act honestly or be jailed.”

Source: John Monks, General Secretary, Trades Union Congress in Rethinking Regulatory Risk by Baldwin and Anderson, published by DLA Piper, 2002

For a long time the former view held sway, as shown by Lord Turner’s evidence to the Treasury Committee recently in which he effectively said that even if the FSA had wanted a more interventionist approach in looking at the business models of banks, politicians of all political hues would have called them off. As far back as October Lord Turner was indicating a new approach:

“Financial regulators should be prepared to ‘wipe the slate clean’ as they search for a more effective global regime in the wake of the credit crisis, the chairman of Britain’s financial watchdog has said.

“Lord Turner also warned banks and insurance companies regulated by the FSA they would have to pay higher fees so the regulator could strengthen its supervision of institutions that pose a potential risk to the stability of the financial system.”

Source: Financial Times interview with Lord Turner, Chairman of the FSA, published 17 October 2008

And this is not just a UK phenomenon: summarising Charlie McCreevy’s speech to the ICSA Corporate Governance Summit, he effectively said that risk management:

  • Has been poor/disastrous
  • Needs to be embraced
  • Is the role of senior management
  • Requires transparency
  • Needs oversight by shareholders

Source: Charlie McCreevy, European Commissioner for Internal Market and Services at the Institute of Chartered Secretaries and Administrators (ICSA) EU Corporate Governance Summit Brussels, 8 October 2008

Compliance revisited
One of the consequences of this is that there is a renewed interest in compliance programmes. Some, like Siemens, who suffered spectacular compliance failings, have developed a top-down, heavy bureaucracy compliance programme based on Prevent, Detect, Respond, with the response to problems being Dismiss, Warning, Reduce Remuneration[4]. Their quarterly report shows 621 compliance staff worldwide in 2008, compared to just 86 in 2006. The compliance helpdesk had 3,836 calls during 2008 alone.

Others, who are not subject to the same level of intense regulatory scrutiny, have the luxury of doing this at their own time and pace. They are more likely to be able to justify the development of risk based compliance programmes. Best practice is pointing towards a programme that has three facets:

  • A process to manage “compliance” risks: in other words one that identifies, assesses, monitors and responds to risks in a pro-active way;
  • An ethical and supportive culture such that attitudes, skills and knowledge all support an ethical stance with regard to compliance; and
  • A view to supporting the organisational objectives: in other words this is not just compliance for the sake of compliance, it will help the organisation to achieve its ultimate goals.

But to make this style of compliance programme work the organisation has to balance two sets of pressures. In the first instance, CEOs are always under intense pressures from institutional investors who, needless to say, are always looking for ever increasing share values (or in the current environment – at least a containment of the fall). In the second instance, CEOs are placing ever greater pressures on the staff with a demanding performance culture shaped through rewards, incentives and disciplinary actions. If the staff fail, the CEO will fail. So there is something of an incentive to cut corners, chat to competitors who are in a similar situation or to incentivise customers to award you the contract. In other words, the slippery and dangerous route to unethical, or even worse, illegal actions.

The consequences can be horrendous. Ask the people at Siemens, or look at the volumes of time taken up at BAe, where accusations remain unproven. From the fines, through the time spent dealing with regulators, to the sheer loss of personal and corporate reputations, the costs can be crippling. Above all, regulatory penalties destroy shareholder value and consume enormous amounts of management time, and even worse you run the risk of having a solution imposed on you which will be expensive – because you will be on the back foot, and it will not necessarily fit your preferred business model, especially if there is any risk that the extra-territorial ambitions of the US agencies can finger you.

So, the argument goes, in this time of recession, when the pressures are really on everyone in the organisation to perform, it is time to make sure that your compliance house is in order. Make sure that there is total commitment from the Board right down through the organisation. All managers have to be able to walk the talk, as well as just talk it! This needs to be right up near the top of both the board’s and the CEO’s agenda or it will not work. You have to have the right resources available in the group to make this work, to make sure that the programme is aligned with your other risk management activities. Think through the involvement of Internal Audit and whether there are any other “assurance” programmes that this can link to. Be clear about the likely scope in terms of areas and geography, and appropriate timescales. Think about the need for, or use of existing risk management software. And in case you were in any doubt: compliance is not just about Sarbanes-Oxley – it covers a much broader spectrum of issues, from corruption, through competition, data privacy, health & safety, environmental and many other potential pitfalls.

The first steps
The first step is to understand what will influence the shape of your compliance programme. No doubt a history of past regulatory problems can encourage greater focus on the nature of the programme: escalating cartel fines for repeat offenders under EU rules can be horribly costly. Equally, current economic conditions and the associated investor pressures are forcing people to put the ethical dimension back into their businesses so that they are not forced down inappropriate avenues. And all of this is backed up by the changing tide of regulation, let alone the extra-territorial ambitions of US law-makers. Boards have to consider all of these influences on themselves and their organisations as they weigh their (and shareholders’) risk appetite against their propensity to exercise control. Where there is a mismatch, something needs to be done.

But above all, remember that effective compliance programmes require full time leadership to work.

[1] For further details see: http://news.bbc.co.uk/1/hi/business/7817651.stm
[2] For more details see: http://news.bbc.co.uk/1/hi/world/americas/7821600.stm
[3] For more details see, amongst others: http://news.bbc.co.uk/1/hi/uk/7822902.stm
[4] In fact the third category in the quarterly reports is “Other”, one element of which is reduced remuneration. For more details see http://w1.siemens.com/responsibility/en/compliance/index.htm, and their quarterly compliance report at http://w1.siemens.com/press/pool/de/events/2009-q1/2009-q1-compliance-progress-report-e.pdf.