Archive for the ‘Risk Governance and Combined Assurance’ Category

UBS’s $2B fraud: Teachable moments for risk management, corporate governance & banking regulation

After the 2008 financial crisis, I wrote to Professor John Hull, a derivatives expert at University of Toronto’s Rotman School, and asked whether the boards of investment banks should have directors with derivatives expertise on them. His response was “There is no question in my mind that a large financial institution should have on its board people (perhaps 2 or 3) who understand derivatives and other complex financial products. They should also receive stress test results. One of the problems is that, although stress tests are carried out, their results are often ignored by senior management.”

We now are witnessing a stunning 2B alleged fraud by a 31 year-old so-called “rogue” trader – one Kweku Adoboli – at the Delta One desk (read: ETFs – Exchange-Traded Fund and index related trading) of UBS, who had intimate back-office booking knowledge of how trades are reconciled with counterparties. This is a teachable moment, namely that the risk management, corporate governance and banking reforms to date have been wholly inadequate. The 2008 crisis can occur again and “Too Big to Fail” has not been addressed.

We need to admit that most – if not the vast majority – of corporate directors simply do not understand complex derivative products, and we are demanding too much of them when we expect that they do. If we want directors to understand derivatives, they need to be chosen differently. A current or former CEO may not understand. And there is evidence that CEOs do not make better directors. A common refrain from directors I interview of large complex institutions is “Richard I don’t understand.” And these are very senior business people. In the words of one Chief Risk Officer of a bank, “Directors cannot possibly understand.”

Derivatives experts exist. They have narrow subject-matter expertise. What are the odds this type of person would be asked to serve on an investment bank board, pushing back on management all the time, when management and directors themselves select one another under the current system, rather than directors being selected by shareholders? The derivatives expert may not be asked because “they haven’t run anything.” As we move towards expert and diverse boards, these types of individuals need to populate boards to make them more effective.

Next, the trader, Mr. Adoboli, is not simply a “rogue” as UBS maintains. He is an employee operating within a system of deficient internal controls. The bank, the management and regulators are at fault.

Surveys and studies indicate that risk management is presently inadequate. There needs to be a significant restructuring of risk and assurance of risk. Risk management is a cost, and money spent on internal controls to mitigate risk does not contribute to the bottom line. CEOs resist, boards don’t understand, and regulators need to regulate.

The BP disaster resulted from flawed risk management according to expert reports. NewsCorp phone hacking is flawed risk management. The Canadian corporate governance guidelines on (National Policy 58-201) mentions the word “risk” twice in its entire set of guidelines, and the risk management provision is twenty-one words in length (section 3.4 c). Many governance codes addressing risk are similarly sparse and written at high levels, with rare exception. Without proper regulation, as a “stick,” boards have little to point to in insisting on robust risk management and internal controls.

When a CEO or CFO attests to a board of directors that the internal controls over risks are adequate, that attestation should be subject to external review, especially for operational risks such as environmental compliance, information technology, bribery, or complex derivatives – whatever it is that can materially affect – and if unchecked bring down – a company.

Internal controls exist – authorization of transactions, electronic safeguards, segregation of duties, control limits, and prevention of manual override. They cost money to implement and are often perceived by management as a “drag” on profit-making.

The rigor of internal controls over financial reporting for S-Ox needs to apply to all major business risks, not just financial. Companies will resist because of cost and distraction, so policy choices needs to be made. Are we willing to live with trusting a CEO?

More needs to be done as well in the governance context. Here is advice to the chairs of investment banks, in light of UBS:

The chair of the compensation committee should retain an independent compensation consultant to study the compensation for each material risk-taker, and report to the chair on how their remuneration is incenting adverse risk-taking. The compensation consultant must tailor risk-adjustment advice to suit that bank, and comply fully with all Basel Committee on Banking Supervision reports and recommendations. (Any blowback by management that we need to pay our people and traders this way or they will move to a competitor should be met by requests for empirical evidence, which, according to Ken Feinberg, the former US pay czar, does not exist.)

The chair of the audit committee of the investment bank should instruct internal audit to complete a thorough review of the design and effectiveness of internal controls over all trading activities, and report directly to the chair. The chair should approve the budget, resources and work plan. If the head of internal audit is not up to the task, the chair should fire him or her and find someone who is. If necessary, external assurance providers —not the external auditor— should be retained by the chair as well, and report directly to the committee not management.

Next, the chairs of these two committees, together with the board chair should meet with the CEO and CFO to inform them of the above two studies, and direct them to cooperate fully with all requests for information. Directors need to direct more, if and when required.

How many chairs have the fortitude to do this, I wonder? If directors are there to control management, then they must have the statutory authority and resources to do so.

Lastly, regulators need to regulate if and when required. Specifically, all regulators should separate, permanently, global wholesale/investment banking’s proprietary trading from retail banking. Otherwise taxpayers will be on the hook for a very dangerous industry, akin to “casino gambling” by critics. It is totally unacceptable that one person, reputed to have “bet $10bn,” can cause this much damage. If you multiply it, with contagion, the investment banking system is broke and dangerous. Regulators need to address this issue. It has been three years since the financial crisis. In the words of Martin Wolf, a member of the UK’s Independent Commission on Banking, “No sane country can allow taxpayers to stand behind such risks.”

Audit Committee and Risk Management Oversight Questions for Boards

Many of the questions below are based on hypothetical and disguised but plausible scenarios that I researched, or upon which I directly advised.

Let’s say a worker is responsible for maintenance of a machine, but because of time pressures, cuts corners and does not address fatigue (or wear and tear) in the machine, and no one oversees this person’s omission. The machine fails and affects the failure of other machines nearby. The company is in an industry where, if that machine fails, 300+ customers will likely die.

Or let’s say it is another machine where, if it is not treated properly, the company’s product can be poisonous. Or another machine where, if procedures are inadequate or not followed, property destruction and death can result. Or another process in an institution, where if internal controls are inadequate or not implemented, millions of dollars of losses can result.

Aside from senior management, is it fair to hold the board responsible for the above failures in risk management and internal controls, in the above hypotheticals? Is it fair to hold the committee chair or committee overseeing this risk responsible, in part?

I am not sure. It would depend on the actions (or inactions) vis-à-vis best practices and legal tests. One thing I can say however, is that I have had the good fortune of interviewing and seeing how one or two excellent board or committee chairs, or directors on a board, can completely reform and turn around risk management of an entire large, complex organization by pressing management and holding them accountable. This is a pleasure to watch and see, how effective a strong board and strong directors can be. This is how boards should be.

I recently interviewed directors and senior management of an important organization, along with nine leading Canadian directors and audit committee chairs. Here are some questions that address the above scenarios and incorporate learning I have developed from my research and assessing audit committees.

  1. Risk Management Coverage and Assurance Mapping

    Is each material financial and non-financial risk (no more than 12-15) covered (via explicit mapping) through identification, treatment, independent assurance and upward reporting? Do board guidelines and committee charters cover off all material risks so none slip through the cracks?

  2. Whistle blowing and Code Compliance

    Employees may now go directly to regulators without utilizing the company’s internal investigation procedures, and participate in a monetary reward. Does the company code of conduct have fair, impartial, credible investigation procedures that employees trust and actually use? Does effective oversight occur of ethical reporting by the Audit Committee

  3. Internal Audit

    Does the Audit Committee approve the appointment, compensation, work-plan, independence and accountability of this function? If not, why not? This person should report directly to the Audit Committee.

  4. IT Governance

    Is IT risk and opportunity management adequately overseen by the board (or a committee), including over IT investment, cloud computing, social media, security of information, privacy, business interruption and crisis planning? Does management (and the board) have competencies in these areas?

  5. Stress and Scenario Testing

    Is the capital structure, quality of earnings and revenue tested under various adverse conditions (including regulatory, competitor and contagion), such as “what if” or “when”?

  6. Audit Committee Bench Strength

    Does the Audit Committee have the competence and courage to understand and constructively challenge the basis and rationale for management’s estimates, assumptions, judgments and forecasts, both in terms of potential manipulation by management, and the fairness, balance and quality of financial disclosure?

  7. Chair Reporting to the full Board

    Does the Audit Committee Chair (and other committee chairs overseeing non-financial risk) submit a written report that enables non-committee members to understand the deliberations, recommendations and reporting, and ask questions and receive satisfactory answers?

  8. Auditor and Financial Management Bench Strength

    Does the board have confidence in the quality of finance and risk management, and external and internal audit (including integrity, competence, responsiveness and reporting)? The board should oversee all of these positions, subject to shareholder approval for the external auditor.

  9. Internal Controls over Non-Financial Reporting

    This area may be a weakness for many boards. Has the regime for financial reporting and assurance been adopted for the most important non-financial reporting risks of the organization (e.g., operations, compliance, environmental, social, reputation)? Has the effectiveness of the design and implementation of internal controls been tested on and reported to the board or relevant committee, for these areas? Boards should press management for this reporting and obtain independent (outside) assurance for risks of concern, to put the heat on management.

  10. Undue Influence / Reliance, Integrity and Fraud Risk

    Are there any pockets within the organization or executives who may have the opportunity, pressure or incentive to take inappropriate risks, or engage in potential fraud, that may be exacerbated during an economic downturn? As two audit committee directors said, the systems must be “person-proofed” and run on “auto pilot.” Can the board demonstrate that it has taken reasonable steps to satisfy itself that executive officers possess integrity? (The board is responsible for satisfying itself that executive officers have integrity under NP 58-201.)


Back to our original hypothetical scenarios. Directors have said to me, “we missed it,” or that you cannot protect yourself against a “rogue” or someone who is intent on committing fraud. I am not sure these answers are entirely satisfactory.

It seems to me that if the above steps are followed, and a culture of risk management and tone-at-the top is set by the board, there is a much lesser likelihood that “we missed it” will occur.

Risk Management Oversight by the Board ~ To What Extent?

A bus driver veers off course and travels under a bridge killing and injuring several people.  A natural gas pipeline containing numerous welds of smaller segments explodes in a residential neighborhood, destroying several dozen homes.  A food company sells bacteria-infected meat, killing several people.  An oil company’s deep water rig explodes, causing catastrophic environmental damage.

Internal controls over reporting of non-financial operational risks in moving from gross to residual risk — such as automated GPS dispatch monitored systems, safety checks for compliance, pipe construction and fatigue, segmentation of duties and oversight for cleaning food processing machines, and tests to detect hydrocarbons running up a well, all exist.

In management’s reporting of risk and the design and effectiveness of internal controls to a board, can or should a board be able to understand and identify key risks, and if necessary – in its or a committee’s discretion, particularly when it is aware or should be aware of material and anomalous safety infractions for example – require independent (internal or external) assurance over that risk?  It is not the case that a CEO is not disconnected from – or should not be held responsible for – treatment of risks lower down in an organization, for a CEO holds levers of power and signals to the entire organization how risk (including the treatment of internal controls) is treated, by how similar risks are and have been treated.  A CEO sets the culture as directed by the board.  It is not the case that a board – or even a single director – cannot have significant influence over the CEO – in understanding and directing that CEO and other direct reports to comply with best risk oversight practices.  Indeed one director or chair with leadership skills, industry knowledge and independence, can direct the turn around of the entire risk management system in a large complex organization, simply by relentlessly pressing management and building consensus with the board that the tone at the top is to be properly established.  The author has seen this happen.

This question of the role of the board in risk means that a board needs to understand fully the business model of the company and its material risks.  It means that directors should be recruited with a view to understanding risk.  (For example, a director of an airline could be recruited with military experience who would understand internal controls over labeling (and poisoning) the pilot’s food.  A director of a bank could be recruited with 25 years of risk management experience.)  In addition, a director or committee overseeing risk (particularly non-financial for non-financial companies) should be empowered to seek outside assurance that management’s attestations are accurate – as a constant check on management.  The Walker report in the UK came very close to giving risk committees of financial institutions this responsibility and power.  King III in South Africa recommends that the audit committee of a board obtain “combined” assurance (which means management, internal and external assurance), and that sustainability risks (defined broadly to be non-financial) be “independently” assured.  In addition, financial and sustainability reporting is to be “integrated”.  This would mean that non-financial risks have parity in treatment and reporting with financial risks.  One non-executive chair of a large American food company interviewed last week agreed with this parity of non-financial risks and indicated the most significant improvement to risk oversight by the board, other than the appointment of a non-executive chair, was to remove the oversight of non-financial risk from the purview of the audit committee and lodge it with the governance committee.

Back to top