The SFO calls... Recessionary tales of the unexpected

Who will your disgruntled employee talk to first? You or the SFO? The SFO is putting paid for advertising into the media asking for whistleblowers to come forward see here, or for a legal perspective, see DLA Piper’s note on the subject: see here.

What are the business implications? What can you be doing right now?

Here we are in the worst recession in ages, if not since records began, and employees are under incredible pressure to produce results. Investors want results, boards are demanding results, managers are shouting for results, and who produces them? But staff cannot pull rabbits out of hats, so they are feeling coerced into manufacturing results that simply do not exist.

People who have led blame free lives, who would not say boo to a goose, are being encouraged to come up with results for their managers, or risk losing their jobs. Accountants and others are losing sleep over the “temporary” adjustments they have made – all in the expectation of making good next month. Except next month is even worse. Ask Bernie Madoff – and look where he ended up.

These staff, who are under excruciating pressure need to be able to let off steam. So who will they call: someone in your organisation, or the SFO? Indications are that more and more people are calling the SFO. And while we can all applaud the efforts to catch the crooks – is this really where you want to be spending your hard-earned management time: dealing with an SFO investigation?

So what can you do?

1. Review your ethics and compliance approaches: do you have an ethics programme? Do you know that you are in compliance with legal and regulatory requirements? Is it time to dust your programme down and remind people that is exists? Or do you need to create a framework right now?
2. Ensure that you have space for staff to let off steam. Vague whistleblowing policies about letting someone know somewhere in the organisation don’t usually work: there needs to be an independent (but that does not necessarily mean outsourced) mechanism that is both credible and seen to work. Make sure that communication programmes are in place, and that people feel that ethics is as much there to support them as it is for the organisation. This needs two-way risk-free communication.
3. Conduct an independent, anonymous survey of attitudes amongst senior managers and front line accountants – those who are most likely to know what is going on. Surveys in the States have shown that whereas a typical whistleblowing facility may have 1% of the staff using it for its primary purpose, a further 4% might explore ideas which could prevent abuses. And yet as many as 50% of staff, according to surveys, claim to have witnessed illegal or potentially seriously embarrassing unethical behaviour. Where did that 45% go?
4. Talk to partners, suppliers and customers – proper engagement with them, so that you have a dialogue which helps to reveal where pressure points are in the value chain.
5. Review those reconciliations and funny accounts – all the ones that are full of judgemental values. This is often where dodgy results start – implement a zero-tolerance policy with regard to unauthorised adjustments to these accounts.
6. Get your internal auditors on to the case: a few deep dives into trial balances and transactions sends out a message.
7. Bring your risk management down from the Olympian heights of governance compliance and turn to operational risks.

And if all of that sounds like yet more expense – well its better than having your collar felt by the SFO because you never got round to it...

Oh, and while this has a UK flavour (note the "u" in that word) it is relevant right round the world.

Turner Report

Lord Turner, Chairman of the FSA, set out his proposals for reforming the regulation of banking in the UK on 18 March 2009. The report emphasises, amongst other aspects, the importance of changing from a "light touch" approach to managing on a systemic basis. However, he does acknowledge the importance of Corporate Governance and internal risk management procedures, although final proposals await the Walker Report which will be published in October 2009.

The brief section on governance and risk management is nontheless interesting in that it illustrates the thrust of likely changes. I have reproduced this section in full below

2.8 Risk management and governance: firm skills, processes and structures

Analysis of the causes of the crisis suggests that there is a limit to the extent to which risks can be identified and offset at the level of the individual firm. Chapter 1.1 described how the origins of the crisis lay in macroeconomic imbalances and systemic developments: Chapter 1.4 argued that there are limits to the effectiveness of market discipline; and Section 1 of this chapter stressed that the crucial shift required in regulatory philosophy is towards one which focuses on macro-analysis, systemic risks and judgements about business model sustainability, and away from the assumption that all risks can be identified and managed at a firm specific level. As a result most of the changes proposed in this review relate to the redesign of regulation combined with a major shift in supervisory approach.

But improvements in the effectiveness of internal risk management and firm governance are also essential. While some of the problems could not be identified at firm specific level, and while some well run banks were affected by systemic developments over which they had no influence, there were also many cases where internal risk management was ineffective and where boards failed adequately to identify and constrain excessive risk taking.

Achieving high standards of risk management and governance in all banks is therefore essential. Detailed FSA proposals will await the outcome of the Walker Review (described below) but the key dimensions of required improvement are likely to be

• Improved professionalism and independence of risk management functions. As already outlined in Section 2.7 above, the FSA will therefore in future play a more active role in assessing the technical competence of senior risk managers. And it will consider whether governance structures for risk oversight need to be changed, with a more direct relationship between senior risk management and Board risk committees
• Risk management considerations embedded in remuneration policy, in the fashion described in Section 2.5 (ii). This has implications for the remit of remuneration committees and for the non-executive time commitments required
• Improvements in the skill level and time commitment of non-executive directors. The crisis has revealed the extreme complexity of large banking groups and the difficulties which nonexecutive directors (NEDs) face in understanding all dimensions of the risks being taken, within the time commitments typically required of NEDs. It has also raised questions about the degree of technical skill and experience required to perform risk committee functions, and whether existing bank boards have sufficient people with these technical skills. In addition it has demonstrated the vital importance of non-executive challenge to dominant chief executives pursuing aggressive growth strategies
• Shareholder discipline over corporate strategies. As Section 1.4(iv) described, shareholder influence seems to have been relatively ineffective in the past in constraining risky strategies. There may be ways of improving the effectiveness with which shareholder views are communicated to non-executives

These issues and the implications for overall governance principles and structures need to be looked at in an integrated fashion. One question they prompt is whether the governance arrangements appropriate for banks are different from those which apply to the generality of companies, and whether therefore codes and rules which go beyond the general Combined Code are required

These issues will be in part addressed by the review of bank governance being conducted by Sir David Walker which the government announced on Monday 9 February and which will report in October 2009. The FSA, which is providing the secretariat for this review, will work closely with Sir David Walker in consideration of these issues. Once the review has reported, the FSA will consider what changes to its rules and process are required to ensure that problems are addressed, making specific proposals by the fourth quarter of 2009

It will be interesting to see how this turns out under both the FRC review of the Combined Code and also the Walker review. For what it is worth, my view is that there is nothing intrinsically different about the governance of financial institutions just because they are financial institutions. While clearly there are differences in the technical aspects of risk, what seems to me to be more important is the potential societal impact of poorly handled risk in an organisation. Poorly handled risk in say chemical companies can be as (or even more) devastating than in banks: look at Bhopal or the BP refinery problems in the US. I am more interested in big v small impact organisations. One key difference may be whether there are Critical National (or International) Infrastructure implications, or whether there is scope for major disasters. I add the latter, because I am not sure whether Pharma companies are part of the CNI, but they can have devastating impacts (eg Thalidomide)

For the full detail of the Turner Report, click here...

Gordon Brown on Changes Needed

Gordon Brown on the changes needed: This article highlights the changes that GB is looking for in the global financial system. Well worth looking at. More...

GSO Finance Ministers

G20 Communiqué from the G20 Finance Ministers. It will be interesting to see whether Corporate Governance forms part of the stronger regulatory and oversight regime: hard to imagine that it won't. More...

It gets better and better

See the report on Hector Sants in the FT... More...

Be frightened, very frightened

Just to prove my point on the change in mood music, see this article reporting on Hector Sants and Alastair Darling's views on regulation. Be frightened, very frightened...

(Or be prepared...)

Rethinking Compliance: get it right!

Compliance is about SOX right? Wrong - it is about a wide range of issues from cartels, through corruption, data protection, heath & safety. And they can each and every one cost money, time and reputations. In these dark economic times, it is worth revisiting your compliance programmes. Three headlines struck me as being somewhat out of the ordinary recently:

• Aon fined for suspicious payments[1]: according to the BBC “The UK arm of the insurance broking group Aon has been fined £5.25m for making ‘suspicious payments’ worth $7m (£4.6m) to people and firms overseas. The fine was levied by the Financial Service Authority (FSA) and is its largest fine yet for ‘financial crime’.”
• Lloyds pays $350m to end US case[2]: again, according to the BBC they have paid a $350m penalty to settle a case with the DoJ. I don’t propose to go into the rights and wrongs, because I simply do not know them.
• Primark 'is probing law breaches'[3]: and yet another story from the BBC: “Fashion chain Primark has launched an investigation into allegations one of its suppliers has breached employment and immigration laws. The Observer newspaper reports an investigation found Manchester-based firm TNS Knitwear was paying illegal workers less than the minimum wage.” And the consequence of this: “On Saturday, Primark agreed to remove references to the Ethical Trade Initiative, the trade body which monitors Britain's top retailers, from its 140 shop fronts.”

And that is without even breaking into a sweat. I have not referenced the Satyam scandal or the Madoff Ponzi scheme. And I have not even headed in the direction of the banking failures. Apparent risk management failures are everywhere. And what is worrying is that these penalties are under what I might describe as the old regime.

The new regulatory mood music
What is for certain is that the mood music around regulation has changed from “light touch at all costs” to “meaningful” regulation. The argument for “light touch” regulation went something like this:

“Across the board we are seeing regulators adopt a more aggressive attitude. Over-enforcement of regulation can seriously damage the overall fitness of the economy. The critical point at which this starts to take effect is hard to identify, but there is a risk that we are getting close to it.”

Source: Paul Ormerod, Author of Butterfly Economics and Death of Economics in Rethinking Regulatory Risk by Baldwin and Anderson, published by DLA Piper, 2002

The counter argument was put as follows:

“Regulation is necessary to control corporate excess. Workers, shareholders and customers need protection from directors breaking the law and punitive liabilities send a clear message. Directors should act honestly or be jailed.”

Source: John Monks, General Secretary, Trades Union Congress in Rethinking Regulatory Risk by Baldwin and Anderson, published by DLA Piper, 2002

For a long time the former view held sway, as shown by Lord Turner’s evidence to the Treasury Committee recently in which he effectively said that even if the FSA had wanted a more interventionist approach in looking at the business models of banks, politicians of all political hues would have called them off. As far back as October Lord Turner was indicating a new approach:

“Financial regulators should be prepared to ‘wipe the slate clean’ as they search for a more effective global regime in the wake of the credit crisis, the chairman of Britain’s financial watchdog has said.

“Lord Turner also warned banks and insurance companies regulated by the FSA they would have to pay higher fees so the regulator could strengthen its supervision of institutions that pose a potential risk to the stability of the financial system.”

Source: Source: Financial Times interview with Lord Turner, Chairman of the FSA, published 17 October 2008

And this is not just a UK phenomenon: summarising Charlie McCreevy’s speech to the ICSA Corporate Conference, he effectively said:

Risk management

• Has been poor/disastrous
• Needs to be embraced
• Role of senior management
• Requires transparency
• Needs oversight by shareholders

Source: Charlie McCreevy, European Commissioner for Internal Market and Services at the Institute of Chartered Secretaries and Administrators (ICSA) EU Corporate Governance Summit Brussels, 8 October 2008

Compliance revisited
One of the consequences of this is that there is a renewed interest in compliance programmes. Some, like Siemens, who suffered spectacular compliance failings, have developed a top-down, heavy bureaucracy compliance programme based on Prevent, Detect, Respond, with the response to problems being Dismiss, Warning, Reduce Remuneration[4]. Their quarterly report shows 621 compliance staff worldwide in 2008, compared to just 86 in 2006. The compliance helpdesk had 3,836 calls during 2008 alone.

Others, who are not subject to the same level of intense regulatory scrutiny, have the luxury of doing this at their own time and pace. They are more likely to be able to justify the development of risk based compliance programmes. Best practice is pointing towards a programme that has three facets:

• A process to manage “compliance” risks: in other words one that identifies, assesses, monitors and responds to risks in a pro-active way;
• An ethical and supportive culture such that attitudes, skills and knowledge all support an ethical stance with regard to compliance; and
• A view to supporting the organisational objectives: in other words this is not just compliance for the sake of compliance, it will help the organisation to achieve its ultimate goals.

But to make this style of compliance programme work the organisation has to balance two sets of pressures. In the first instance, CEOs are always under intense pressures from institutional investors who, needless to say, are always looking for ever increasing share values (or in the current environment – at least a containment of the fall). In the second instance, CEOs are placing ever greater pressures on the staff with a demanding performance culture shaped through rewards, incentives and disciplinary actions. If the staff fail, the CEO will fail. So there is something of an incentive to cut corners, chat to competitors who are in a similar situation or to incentivise customers to award you the contract. In other words, the slippery and dangerous route to unethical, or even worse, illegal actions.

The consequences can be horrendous. Ask the people at Siemens, or look at the volumes of time taken up at BAe, where accusations remain unproven. From the fines, through the time spent dealing with regulators to the sheer loss of personal and corporate reputations, the costs can be crippling. Above all regulatory penalties destroy shareholder value and consume enormous amounts of management time, and even worse you run the risk of having a solution imposed on you which will be expensive – because you will be on the back foot, and it will not necessarily fir your preferred business model, especially if there is any risk that the extra-territorial ambitions of the US agencies can finger you.

So, the argument goes, in this time of recession, when the pressures are really on everyone in the organisation to perform, it is time to make sure that your compliance house is in order. Make sure that there is total commitment from the Board right down through the organisation. All managers have to be able to walk the talk, as well as just talk it! This needs to be right up near the top of both the board’s and the CEO’s agenda or it will not work. You have to have the right resources available in the group to make this work, to make sure that the programme is aligned with your other risk management activities. Think through the involvement of Internal Audit and whether there are any other “assurance” programmes that this can link to. Be clear about the likely scope in terms of areas and geography, and appropriate timescales. Think about the need for, or use of existing risk management software. And in case you were in any doubt: compliance is not just about Sarbanes-Oxley – it covers a much broader spectrum of issues, from corruption, through competition, data privacy, health & safety, environmental and many other potential pitfalls.

The first steps
The first step is to understand what will influence the shape of your compliance programme. No doubt a history of past regulatory problems can encourage greater focus on the nature of the programme: escalating cartel fines for repeat offenders under EU rules can be horribly costly. Equally, current economic conditions and the associated investor pressures are forcing people to put the ethical dimension back in to their businesses so that they are not forced down inappropriate avenues. And all of this is backed up by the changing tide of regulation, let alone the extra-territorial ambitions of US law-makers. Boards have to consider all of these influences on themselves and their organisations as they consider their (and shareholders’) risk appetite as compared to their propensity to exercise control. Where there is a mismatch, something needs to be done.

But above all, remember that effective compliance programmes require full time leadership to work.

[1] For further details see: http://news.bbc.co.uk/1/hi/business/7817651.stm
[2] For more details see: http://news.bbc.co.uk/1/hi/world/americas/7821600.stm
[3] For more details see, amongst others: http://news.bbc.co.uk/1/hi/uk/7822902.stm
[4] In fact the third category in the quarterly reports is “Other”, one element of which is reduced remuneration. For more details see http://w1.siemens.com/responsibility/en/compliance/index.htm, and their quarterly compliance report at http://w1.siemens.com/press/pool/de/events/2009-q1/2009-q1-compliance-progress-report-e.pdf.