Tommy Thompson, IT Security and Compliance Coordinator at Williams Company, recently presented at OPUS 2010 on reducing the complexity of IT risk and compliance and how Williams was able to significantly reduce costs while at the same time increasing the effectiveness of its IT compliance programs. In the following video, I had the chance to speak with Tommy after his presentation.
The PCAOB’s Auditing Standard 5 (AS5) is structured around a top-down approach to identify the most important controls to test during your Sarbanes Oxley (SOX) effort that address the assessed risk of misstatement for each relevant financial assertion.
At OPUS 2010, Jo Morton, Business Analyst, Internal Audit at Williams Companies, Inc. and Lawrence Joiner, Manager of Internal Audit Operations at Williams presented an informative session titled “An OpenPages Approach to Auditing Standard 5 Compliance.” In their session, Jo and Lawrence outlined how Williams has been able to move beyond a “process by process” review and up to an Account Level review that truly is an AS5 “Top-down Approach.” In the following conversation, Jo Morton describes her session and her overall OPUS 2010 experience.
While many companies have basic elements of a compliance program in place such as code of conduct and whistleblower programs, simply having these elements is no substitute for a comprehensive program. In reality, many companies have implemented a “one-off” approach in which procedures often become fragmented, duplicative and outdated over time. For these organizations, the cost of non-compliance can be extraordinarily high, whereas a well-designed, comprehensive compliance program provides numerous efficiencies and can serve as a solid foundation for effective Enterprise Risk Management.
Don’t miss Rick Steinberg, founder and CEO of Steinberg Governance Advisors and Compliance Week columnist, as he outlines steps that companies can take toward achieving a well-designed, comprehensive compliance program. In this informative Webinar, Rick describes a strategic, risk-based approach that supports business objectives and provides an enterprise view of compliance.
There are few things more devastating to a chief executive or board of directors than seeing their company’s name splashed across media headlines with allegations of having broken the law. After wondering how it could possibly happen to us, the focus quickly goes to how best to effect damage control, with accompanying thoughts of billions of dollars in fines, penalties, judgments and lost business, as well as personal exposure, and knowing great amounts of time and energy will be directed to dealing with regulators, lawyers, and investigators instead of growing the business.
It’s fascinating to see that, despite reading of such happenings at other companies, somehow many top managements can’t imagine it happening to them. Hence, too often companies put in place a code of conduct and ancillary policies, a whistleblower channel, and perhaps even a compliance officer – all useful elements – but which fall far short of an effective compliance program. And with each new law or regulation, a new policy and related procedures are installed, frequently duplicating existing procedures but still falling terribly short of an effective program. So we see fragmented and duplicative procedures that are administratively burdensome and often outdated, while the significant risks of non-compliance continue to grow.
In contrast, leading companies are proactively dealing with the associated risks. They take a holistic approach, first recognizing that laws and regulations were set forth in the first place as a reaction to damage to someone – customers, employees, investors or communities. And they recognize that companies satisfying related marketplace expectations – with “green” food products, better child safety products, better automobile gas mileage, or more desirable workplace environment – are rewarded with better workers, greater market share, and enhanced profits. With this recognition, they design a compliance program not only to ensure minimum compliance, but to seize related business opportunities geared to the underlying marketplace drivers. The compliance program is built into strategic objectives, and is risk-based and streamlined, with clarity around responsibilities and accountability, and supported by technology with meaningful communication and reporting.
Yes, there is an initial cost to doing this right, and a chief executive will expect to see a rational business case made for establishing such a program. But the benefits are real, and the CEO and board members will sleep better at night knowing an effective compliance program is in place in their company.
The Globe published an interesting article today about a Harvard Business School professor that resigned just before the scandal at Satyam broke. This was no ordinary professor. Krishna Palepu is an expert in corporate governance, control and accounting, and corporate management in emerging markets. In short, the perfect resume for a Satyam board member. So what went wrong?
This is not an isolated incident. In this financial crisis, many good people on boards of struggling companies have been surprised. And we’ll likely see more of that in the months to come. I think it’s overly simplistic to blame the board, and certainly in this case in which Palepu is so obviously qualified. What we see frequently is that internal control systems and risk assessment processes are not mature enough to catch wrongdoing or, and this may be more important, change behavior. Companies that are growing quickly, like Satyam, have the most difficulty putting in place the risk management process to catch the kind of fraud perpetrated at the company. My guess is that in the future business processes will be designed from the bottom up with risk management in mind. As we’re learning, it’s too hard to do it after the fact, especially for the complicated businesses we’re trying to govern today.
The SEC’s final rules implementing Dodd-Frank’s whistle blowing provisions failed to remove angst among compliance officers and general counsels. While there are some incentives for potential whistleblowers to first report alleged misconduct via internal reporting channels, there’s no requirement to do so – and many are concerned the internal channels will be bypassed. And going outside is on the rise. It’s been reported that in only seven weeks after the SEC’s program began, there were 334 whistleblower filings. Compliance officer concerns are well founded – that bypassing internal channels will deprive the company of being able to investigate and fix problems before they grow, and company personnel will need to play catch up with investigations in reaction to SEC probes.
We can point to many resolved whistle blowing cases for clear evidence of the potential impact of the SEC’s still relatively new program. One homeowner delinquent on her mortgage ultimately received $18 million for reporting suspected use of fraudulent documents in the bank’s foreclosure process. It’s said that in acting against this homeowner – an attorney and career insurance fraud investigator – the bank “picked the wrong person at the wrong time in the wrong place,” but the robo-signing and other compliance failures were widespread and surfaced from a number of sources. Nonetheless, this individual was one of six whistleblowers receiving $46.5 million said to be part of the five-bank $25 billion settlement. In an unrelated case, a member of a major bank’s quality control team who reportedly was displeased that the misconduct wasn’t reported to regulators, decided to do so herself – ending up with a settlement of $31 million. And there are many more.
Worth noting is a recent survey that indicates more than one-third of American workers have seen misconduct on the job. While many instances of misconduct have been reported through internal channels, it appears the vast majority have not. Why? The survey shows it’s because of fear of not being able to remain anonymous, and of retaliation. Those two factors, plus the possibility of monetary reward, are reported as key factors in incentivizing internal reporting. And the survey also shows two-thirds of respondents didn’t know about the SEC’s program – at least not yet.
Certainly it’s in a company’s interest to be first to know about alleged misconduct, and compliance officers are working hard to upgrade policies, training, communications, and the internal whistleblower systems, all to encourage internal reporting. Actions to ensure anonymity, with positive responses and nothing close to retaliation, are expected to help. Some companies have begun to pay bounties for valued reports. There are indications that when employees believe their reports will be taken seriously without adverse repercussions, there’s increased likelihood for internal reporting. Law firms and others have provided guidance on which companies are acting. However, it remains to be seen the extent to which the possibility of a huge, life-changing payday by the SEC will be too much to resist. Time will tell.
For readers interfacing with your companies’ audit committees, a just released survey from Directorship Boardroom Intelligence highlights what’s in the forefront of committee members’ minds today. The results are reported in a top-ten list (unlike the Letterman top ten lists, this one appears to begin with the most significant):
Uncertainties of economic/legislative environments
Or more to the point, was he thinking at all? We’re talking about Rajat Gupta, operating at the highest echelons of multinational business, who finds himself charged by the Securities and Exchange Commission with illegally passing inside information to Raj Rajaratnam, the Galleon Group founder about to go on trial on charges of insider trading. Mr. Gupta, a Harvard Business School graduate and former head of McKinsey & Co., has been a board member of the likes of Goldman Sachs, Procter & Gamble, and American Airlines.
What did he do? Well, he of course is innocent until proven guilty, and according to media reports, his lawyer says he has done nothing wrong. But the SEC says otherwise. It alleges Gupta gave Rajaratnam advance information about earnings at both Goldman and P&G. On top of that, the SEC maintains that Gupta called the Galleon head with the inside scoop of the Goldman Board’s approval of Warren Buffett’s $5 billion investment in the firm. The allegations speak to multiple phone calls between the two men, enabling Galleon to reap millions in profits. What must be particularly troubling for both is that the SEC says it has recordings of numerous telephone conversations.
Let’s presume for a moment that the allegations are factual. A relevant question is, is this a black eye on the companies on whose boards Gupta sat (by the way, the reports say he resigned months ago from the Goldman board, and recently from P&G)? My answer, based on the information available, is “no.” Certainly, if the allegations are true, a statement by the SEC Director of Enforcement is on point: “Mr. Gupta was honored with the highest trust of leading public companies, and he betrayed that trust by disclosing their most sensitive and valuable secrets.” But what could or should have been done to prevent wrongdoing at the board level?
We know well the importance of a company’s board of directors in keeping a close eye on what the CEO and senior management team do, and on the company’s system of internal control. We recognize the importance of compliance officers, risk officers and internal audit functions. But who keeps an eye on the board, especially when their actions are outside the inner workings of the company itself? We can look to what happened years ago at HP, when a board member leaked information to the media, which resulted in the pretexting fiasco.
There are no immediate answers, other than to continue to ensure full vetting of director candidates, and maintaining effective board and internal audit processes to best identify and manage potential misbehavior. With the thousands of directors of major companies acting with extraordinary integrity and ethics and in the best interests of their companies and shareholders, I believe we don’t have much to worry about. But it is worth more thought going forward.
We know that MF Global, the firm run by Jon S. Corzine, recently imploded under the weight of bad bets and huge leverage. Reports say that Corzine, former U.S. Senator, Governor of New Jersey, and co-head of Goldman Sachs, did at MF Global what he did at GS – and that’s take large risks in trading. How, one could ask, could it have turned out so wrong?
Effective risk management processes have at their core identifying, analyzing and managing risks. It will be a while before we know all the details of MF Global’s risk management process, but it appears to have worked reasonably well. Wait, what – is that a misprint? Probably not.
Based on reports, Corzine knew the risks he was taking. Basically, he bet that the European leaders would act in a way to alleviate the sovereign debt crisis. He put over $6 billion of the firm’s money at risk, which with the associated leverage put the firm’s existence at risk. And the firm’s risk officers also knew, and they seemed to have done what they were supposed to – they brought the matter to the board of directors. Reports say a senior risk officer described the situation and the risks to the board, with Corzine present. The risk officer pointed out not only the nature and size of the risks, but also that risks included both potential defaults on the sovereign debt and the bonds losing sufficient value to cause a liquidity crisis at the firm. The directors listened, and decided to approve what Corzine was doing.
Now, we weren’t in the room with the directors, or inside their heads, so we don’t know whether they made a thoughtful and rational business judgment, or whether they rolled over under Corzine’s undue influence. If the latter, then they failed in their job. But if the former, then they determined that they and the firm had a risk appetite large enough to “bet the ranch.”
So, whether this is a failure of risk management will be decided as the investigations continue and more facts emerge. And of course the missing “segregated” client funds is another matter, likely centered on specific internal controls over that money and what control activities might have been overridden by more senior executives. Also at issue is whether regulators did their job effectively. It will be interesting, indeed, to learn more, as no doubt we will as the investigations unfold.
It seems we can’t pick up a newspaper today without seeing another story on top management compensation, and its role in the near financial system meltdown. As Congress and the Administration wrestle with regulatory reform, fingers continue to point at CEOs and other senior executives who reaped huge rewards for taking what are deemed to be outsized risks – risks that brought some of their companies, and indeed the financial system, to the brink of disaster. The SEC’s new disclosure rules will shed more of a spotlight on executive pay and how companies and boards deal with corporate risk, and anger over “outsized” pay is boiling over in the form of regulatory reform and additional proposed taxes on financial services industry participants.
Certainly executive compensation should recognize the degree of risk inherent in performance. No one wants to see a CEO “bet the ranch” in a “heads the CEO wins, and tails shareholders and the taxpayers lose” scenario. So, yes, getting risk-reward back in balance at the top management level makes eminent sense, and already is under way.
With that said, however, we shouldn’t fall into a trap of thinking that dealing with the compensation issues can by itself address corporate risk. Those of you with leadership roles in risk management, compliance, auditing, and related areas in your organizations know full well that dealing with risk at the CEO level will not by itself transform how risk is managed throughout the organization. One can argue that CEO compensation has played only a limited role in causing financial institutions to take on such massive risks in the first place. Chief executives already have solid motivation to ensure the companies they lead achieve long term success, and certainly simply keeping their prestigious and lucrative job and reputation intact are strong motivators. CEOs I’ve dealt with put the success of the company at the same if not higher level than acquiring more personal riches. Make no mistake, many do want to enhance their wealth, and some continue to keep score with peers, but putting their own personal objectives ahead of the company’s and its shareholders’ is not typical.
So, I hope and trust that neither the powers inside the Beltway nor corporate leaders and boards will think risk management is primarily about managing CEOs’ motivations. The focus needs to be on risk management processes throughout the organization, linking risks with corporate objectives and initiatives, and managing risk to best achieve corporate goals.
Recently, much has been written about the fate of financial services technology spending given the recent financial crisis. The Wall Street Journal’s Business Technology blog, for instance, points out here that Lehman spent $309 million on technology and communications in the quarter ending August 31. It’s hard to know exactly how much of that spending would be cut under a dramatically reduced operation under Barclays, but clearly, at Lehman and elsewhere tech spending’s going to take a hit in the financial services sector.
However, there is one technology area that will certainly get increased attention and that is in risk management. It’s very likely that 2009 regulation will include greater checks on leverage and an expansion of banking-like regulation to other businesses with banking-like activities. And regulators are already focused on improving the risk management functions of financial services institutions. For instance, WaMu announced on Sept 8th that they had signed an MOU with the Office of Thrift Supervision concerning different areas of the business, including the risk and compliance functions.
Risk management technology, the systems that provide visibility into the state of risk in the business, is a critical component or early warning system for risk managers trying to run the business. Of course, knowing about the risks is not always sufficient. Just ask David Andrukonis of Freddie Mac, whose CEO apparently ignored the early warning signs of excess risk exposure, according to the New York Times. Nevertheless, having the risk management infrastructure in place at least allows management to make informed decisions about what risks to take or not.
And there’s another driver here for risk management technology. Over time, shareholders, not just regulators, will want to have better visibility into the risk exposures in a company. The Fed demonstrated that they are willing to let large entities fail (well, sort of), and as such it will be up to the market to assess risk in the business. Management will be encouraged to provide transparency as to the state of risk in the business through a lower cost of capital, the benefit for which would dwarf the cost of any risk management technology. Which is why I think spending on risk management technology will not drop as much as the overall market for financial services IT spending.
In February, British banker and former chairman of Morgan Stanley International, Sir David Walker, was appointed to lead a government inquiry into corporate governance in the banking sector. This week, he published the Walker Review, which recommends overhauling the boards of banks and other big financial institutions by strengthening the role of non-executives and giving them new responsibilities to monitor risk and remuneration.
“We need to get governance back to centre stage,” said Walker in a statement regarding the report. “The fundamental change needed is to make the boardroom a more challenging environment than it has often been in the past. This requires non-executives able to devote sufficient time to the role in order to assess risk and ask tough questions about strategy.”
Some of the specific recommendations in the Walker Review include:
Banks should have board level risk committees chaired by non-executive
Risk committees to scrutinise and if necessary block big transactions
Chief Risk Officer to have reporting line to risk committee
Chief Risk Officer can only be sacked with agreement of board
The Walker Review proposes that most of the recommendations are enforced through inclusion in the Combined Code on Corporate Governance or a separate Stewardship Code for institutional investors, both operating on a ‘comply or explain’ basis.
It is clear that risk management will be under increasing scrutiny in the UK (and across the globe), and that the risk function will be increasingly important. To keep up with new regulation, companies will have to invest in systems to support the risk information sharing that such changes imply.
The ERM Initiative at North Carolina State University was commissioned separately by the American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA) to conduct surveys of their respective members on the state of enterprise risk oversight. While the AICPA survey was focused on US companies and the CIMA survey on global companies, not surprisingly respondents in all regions agreed in a new study titled ‘Enterprise Risk Oversight, A Global Analysis,’ that the volume and complexity of risks are increasing and that the need for increased risk oversight is being driven by senior executives and board members. Of greater concern, however, is the number of respondents who feel that their risk oversight processes are immature. In the US, 84% of respondents rated their risk oversight processes as either ‘very immature’ or ‘only moderately mature.’ The study found that ‘46% of global respondents describe their risk oversight process as systematic, robust, and repeatable in contrast to 11% of U.S. respondents who believe they have a complete enterprise-wide risk management process in place.’
With recent disclosure rulings from the SEC including the board’s role in risk oversight and Dodd-Frank rulemaking on its way in which ‘risk committees’ will be required, companies rating their risk oversight processes as immature should begin preparations now. If you’re considering where to start, begin with the design goal of delivering an integrated and automated risk and compliance framework. A siloed approach limits an organization’s ability to streamline risk and compliance processes and reduce costs. It also limits your ability to gain a comprehensive view of the firm’s risk exposure.
Managing IT Risk and Compliance with IBM OpenPages ITG (Track 1068)
IBM Vision 2012, Tuesday May 15th, 1:15 – 2:15 pm I will be presenting Managing IT Risk and Compliance with IBM OpenPages IT Governance.
In this session I will take you through the results of the IBM CIO Study 2011 that was recently published and guide you through the IT Risk related subjects.
you want to understand how Big Data, Cloud, Regulatory Pressure, Business Continuity Management, Disaster Recovery, Identity and Access Management, Segregation of Duties, Automated Controls and Endpoint Controls will influence your GRC
all comes together in IBM Smarter IT Governance, Risk and Compliance.
Revised reporting of stock and option awards to company executives and directors in the Summary Compensation Table
Potential conflicts of interests of compensation consultants
What might not be entirely self-evident is when they take effect. Help is provided by PricewaterhouseCoopers, which issued an advisory highlighting the timing for these new disclosure requirements, as follows:
The effective date of the new rules was February 28, 2010. Accordingly, the Form 10-K and proxy statement of a calendar year company must be in compliance with the new disclosure requirements if filed on or after February 28, 2010. If a calendar year-end company files its proxy statement on or after February 28, 2010, the proxy statement must comply with the new disclosure requirements. This is true even if the 2009 Form 10-K was filed before February 28, 2010.
An existing SEC registrant with a 2009 fiscal year that ended before December 20, 2009 is not required to comply with the Regulation S-K amendments until it files its Form 10-K for fiscal year 2010. As a result, any registration statements filed before its 2010 Form 10-K is required to be filed would not be subject to the new Regulation S-K amendments. A company may early adopt the new disclosure provisions; however, if the company elects to voluntarily comply with the disclosure changes regarding stock and option awards, it must also comply with all the other applicable Regulation S-K amendments.
If a new registrant (e.g., a company completing an IPO or a registration statement on Form 10) first files its registration statement on or after December 20, 2009, compliance with the Regulation S-K amendments would be required for such registration statement to be declared effective on or after February 28, 2010.
Recently purchased by The Bank of Tokyo Mitsubishi (the 2nd largest banking group in the world), Union Bank, N.A. out of San Francisco has been asked to lead the way for the entire organization with respect to adopting Basel II and the advanced measurement approach for operational risk measurement.
Marty Blaauw, Senior Vice President of Operational Risk at Union Bank stated, “At Union Bank, we are striving to use the advanced measurement approach for operational risk measurement and OpenPages provides an integrated operational risk management framework that will assist us in this goal. We are confident that OpenPages’ solution will allow us to streamline our operational risk management and measurement process and provide the integrated risk reporting and dashboards being requested at the executive level.”
With $86 billion in assets under management and 340 banking offices in California, Oregon, Washington and Texas as well as two international offices, this is a strategic initiative with enterprise-wide implications. Union Bank purchased licenses for the entire OpenPages Platform and selected OpenPages ORM as the operational risk system of record for managing risk assessments, key risk indicators (KRIs), issue management and scenario analysis, as well as integrated risk reporting.
As you may know, the Dodd-Frank Act gave institutional investors and shareholder activists perhaps the item highest on their wish list – gaining ready access to the proxy statement with ability to name its own director nominees. And the SEC developed enabling rules to make it happen. Well, the U.S. Court of Appeals for the D.C. circuit just pulled the rule out from under shareholders. If you’re a shareholder activist, you’re probably outraged, but if you’re a board member or member of the senior management team, you’re likely breathing a sigh of relief!
The suit was brought by the Business Roundtable and U.S. Chamber of Commerce, and many thought it didn’t have much chance of succeeding. But succeed it did. The court ruled the S.E.C. “acted arbitrarily and capriciously” in failing to adequately consider the rule’s effect on “efficiency, competition and capital formation.” In its unanimous decision, the court added that the SEC “inconsistently and opportunistically framed the costs and benefits of the rule; failed adequately to quantify the certain costs or to explain why those costs could not be quantified; neglected to support its predictive judgments; contradicted itself; and failed to respond to substantial problems raised by commenters.”
And this isn’t the first time the Court shot down SEC rules – it’s happened several times in the last few years, also on the basis that the SEC didn’t properly assess the economic effects. So, where does the Commission go from here? Since this decision was issued by a panel of the Court, the SEC could ask the entire Court to review the case, or appeal to the U.S. Supreme Court. Or, it might want to conduct a more in-depth economic assessment of the rule to satisfy the Court, or come up with another rule. As the U.S. Chamber calls its victory “a big win for America’s job creators and investors,” the SEC is “reviewing the decision and considering our options.”
For what it’s worth, my view is that direct shareholder nominating of directors can be counterproductive. While seemingly supported by the concept of a democratic process, putting dissident or one-issue directors on the board, which might have occurred, would normally not serve a board, the company or its shareholders well. While the SEC’s rule seemed reasonable in terms of effecting the law’s mandate, perhaps the SEC can come up with something better.
You’re a CEO, senior manager, or board member watching your once-great company brought to its knees. You imagine yourself on the deck of the Titanic, your world coming to an end—your once confident self embarrassed in front of colleagues, competitors, friends, family, and the larger communities in which you once thrived and were held in such high esteem.
This is the first sentence of a just-released book published by John Wiley & Sons. I got my hands on an advance copy, and it is compelling reading. It analyzes how – while facing different circumstances in different industries – common themes underlie why once-great companies have seen their fortunes sink, while others withstand economic turbulence and hazards to continue to grow and reap the rewards of success. But the book is not solely about how to avoid disaster. It highlights how having the right infrastructure enables an organization’s positive qualities to lead to success. This includes what’s needed to avoid the kinds of disasters that can befall any organization, but is also essential to identifying opportunities and being positioned to seize them for competitive advantage.
I don’t often recommend books to others, but this one is exceptional. It has a long title: Governance, Risk Management and Compliance – It Can’t Happen to Us: Avoiding Corporate Disaster While Driving Success. I believe the substance stands up to its claim that “unlike other books, this one is not aimed solely at senior managers or solely at members of boards of directors. It’s directed to both, with an added objective of providing insight into the interface between the two.”
You might be asking why Steinberg is spending so much space here touting this book – is it because the book is really that valuable, or does he have some ulterior motive? Well, okay, I’ll fess up – the answer is “both.” Yes, as you may have guessed, I wrote the book. And I apologize for withholding that important fact until now! But I do believe virtually any reader of this blog will greatly benefit from reading the book. And I’m pleased that I’m not the only one who thinks so. Here’s what some others, whose names you might recognize, are saying:
Rick Steinberg is a time-tested expert in this ever more essential field. His refreshing candor in assessing recent shortfalls makes this book a must-read for corporate leaders — Mark R. Fetting, Chairman and CEO, Legg Mason, Inc.
This outstanding book provides a critically important perspective on how risk management can only be truly achieved by aligning culture, strategy, compliance programs, and compensation. It should be must reading for any board member concerned with improving the management of risk — Jay Lorsch, Louis E. Kirstein Professor of Human Relations, Harvard Business School
A comprehensive and insightful examination of corporate governance. A must-read for those of us who are CEOs and serve on public boards — Randall L. Clark, Chairman and CEO, Dunn Tire LLC; former Chairman and CEO, Dunlop Tire North America
Attention directors and officers: Ignore this book at your own peril. Richard Steinberg has crafted a careful, thoughtful approach to managing risks, and it should be required reading for Corporate America — Scott S. Cohen, founder and former Editor and Publisher, Compliance Week
Richard Steinberg’s comprehensive and clearly written work will substantially benefit both new and experienced directors. It will help corporate boards recognize the challenging forces businesses face, as well as the techniques and standards available to intelligently monitor and supervise firms and their senior management. An easy and engaging read, this book should be on the bookshelf of every corporate director — William T. Allen, Director, NYU Pollack Center of Law & Business; former Chancellor, Court of Chancery of the State of Delaware
Richard Steinberg, a respected and time-proven governance hand, has written a most enjoyable and thought-provoking work—an excellent addition to anyone’s governance shelf! — Charles Elson, Edgar S. Woolard, Jr., Chair in Corporate Governance and Director of the Weinberg Center for Corporate Governance, University of Delaware
By the way, the IBM OpenPages people were kind to allow me to use a paper I wrote for them as the basis of one of the chapters. I hope you will consider reading the book, and I trust you will not be disappointed!
The first keynote was delivered by Eric Rosengren, President and CEO of the Boston Fed. Rosengren opened by showing an interesting chart on the LIBOR to Overnight Swap spread, which jumped last summer and has been very volatile ever since, evidence of banks’ reluctance to lend to each other.
Rosengren covered the role of liquidity in risk modeling, which he noted was largely underestimated in many models over the last year. He also noted that other fundamental assumptions were wrong, like the one that housing prices across the US are not correlated (he showed a chart of regional housing data over the last five years that looked highly correlated).
Rosengren also spoke about the impact of rogue trading and legal settlements. Many institutions think these losses are 1 in a 1000 year events, but as we get more data, it’s emerging that these events are much more common than previously thought.
Regarding scenario analysis and stress testing, Rosengren asked how much confidence we should put into this. In many cases, the stress tests did not accurately take into account the risks. He noted that the effect of falling housing prices was not accurately assessed. He also noted that the impact of mortgage defaults on liquidity was universally missed.
In the Q&A period, he went on to say that we need to be more humble about the effect of some of these unexpected events and that we need to broaden our thinking about what could possibly happen.
A key theme of Rosengren’s talk is that organizations are too willing to ignore what they consider 1 in a 1000 year events, when in fact these events are turning out to be quite frequent. For instance, last year there were 14 losses over $1 billion reported. He reinforced this notion in the Q&A session that extreme losses have occurred much more frequently than we would have assumed a couple years ago.
Rosengren was followed by Randall Kroszner, Member of the Board of Governors, Federal Reserve. Kroszner took a broader perspective on Basel II, and the enhancements the framework committee is considering. He noted that banks pursuing AMA qualification need strong senior management and board oversight. He also noted that senior management can create an AMA that’s reflective of organizational realities.
Kroszner noted that Basel II has been the official regulation for just one month, but the implementation will take some time. Implementation must be taken “thoughtfully and deliberately” by individual banks which should first start with a sober and frank appraisal of their current state.
The core banks will have to have a plan in place for AMA qualification by Oct 1, and Kroszner noted that this will require buy-in and resource commitment from the top.
Kroszner also noted that their hope is to provide more information over the next couple months but provided some initial thoughts on what the plan will have to cover:
Gaps between existing practice and AMA
Objective and measurable milestones
Planning and governance process for meeting qualification requirements fully
He noted that the final rule allows 36 months before exiting the parallel run phase.
After some discussion of upcoming improvements to the Basel II framework, Kroszner addressed the standardized approach for non-core banks. He stated that the Fed expects that Basel II (referring to both the AMA and standardized approaches) will make the US banking system more resilient.
A key theme that emerged from Kroszner’s talk and the subsequent Q&A period was that a one size fits all approach is probably not best for the range of institutions we have in the US. Rosengren noted in the Q&A period that the final rule is more of a principles-based than a rules-based document and repeated that “it’s not clear that one size fits all.” He also noted that there’s already a wide range of practices in play right now.
Someone asked whether Basel II makes us more vulnerable to systemic risk because of model convergence. Kroszner responded that the flexibility of the final rule and the judgement afforded by the icap process should mitigate systemic risk. Rosengren said that oprisk has enough variety in the modeling, but that credit risk calculations over the last year may have been too reliant on the same historical data.
The Stress Tests for the US Bank Holding Companies (BHC) have been released by the Fed. As had been leaked, the industry must raise $74.6 billion. The biggest number is for the Bank of America, which must raise $33.9 million, as they are unlikely to convert the preferred shares owned by the Treasury. The New York Times is reporting that the US Government will end up owning 36 pct of Citi after they convert their rescue funds into common stock. They will still have to raise $5.5 billion. Other interesting details:
Residential and consumer loans account for 70% of the losses projected under the adverse scenario, which would amount to $599.2 billion. The adverse scenario has unemployment at 8.9% in 2009 and topping out at 10.3% in 2010. Assuming that residential and consumer loan losses are a function of the unemployment rate, a lot is riding on what some economists think is an optimistic number. According to the Bureau of Labor Statistics, we’re already at 8.5% as of March (April’s numbers are being released tomorrow at 8:30 am). These results also suggest that commercial lending comprises a much smaller portion of the overall losses and won’t be the "next shoe to drop" for the economy as many people have suggested.
In the adverse scenario, each BHC was given a range of loss percent for the various categories. Each BHC could use firm-specific data to come up with their own assessment of the loss rate. Interestingly, for First Lien Mortgages, Bank of America came up with 6.8% while JP Morgan Chase came up with 10.2%, a differential that seems quite high. Of course, JPMC bought WaMu, which had a large market share on the west coast. Another west coast bank, Wells, used 11.8% as their loss rate.
The Fed refers to the SCAP buffer, the capital needed to be raised under the Supervisory Capital Assessment Program, as a way for market participants, as well as the firms themselves, to have "confidence in the capacity of the major BHCs to perform their vital role in lending even if the economy proves weaker than expected." The press surrounding this announcement suggests that certainly the former will benefit from these results. What’s less clear is whether the banks themselves will magically start lending again. And, as discussed here, in this dynamic market, how will business models evolve to account for emerging opportunities and risks?