Liz Andrews 2700041WEU email@example.com | | Tags:  openpages regulatory_compliance dodd-frank sec | 0 Comments | 1,549 Visits
The following excerpts are taken from “Compliance, complexity and the need for XBRL: An interview with former SEC Chairman Christopher Cox”:
What are the key drivers of regulatory reform? Will Dodd-Frank really reduce systemic risk? Can better compliance processes drive better financial results?
In the weeks running up to the Vision 2011 and OPUS 2011 conferences, experts within IBM Business Analytics Financial Performance and Strategy Management posed these and other questions to Christopher Cox, a former SEC Chairman and keynote speaker at both events. Below is a transcript of that interview.
Looking forward into the next three years, what are some of the key drivers in the US that will be shaping regulatory and compliance reform? How are those different from the past five years?
The most significant characteristic of the time we are living in right now is the remarkable pace of change, both in legislation and in regulations governing corporate America, in particular the financial services sector.
Of course, the Dodd-Frank 2,300-page behemoth is well-known already to senior finance executives. But what is unknowable are the hundreds of rules that will be forthcoming under that legislation. The schedule called for in the statute has the bulk of the final rule makings scheduled for completion in the third quarter of 2011. It is very clear across the regulatory agencies that these deadlines are going to be largely missed.
As a result, not only will there be regulatory uncertainty on a continuing basis this year, but also for several years into the future. There are over 100 rule makings that have no statutory deadline at all. I think a significant share of even those that were expected to be completed earlier will also be rolled into the future. So during all of this time, senior Finance executives are going to have to be reading the tea leaves – not to mention the statute itself – to determine how to comply. And it isn’t just Dodd-Frank, of course, where we have all this legislative and regulatory ferment. The unprecedented rapid pace of chance in law and regulation and the continued uncertainty about what the government will do next pertains to the tax area as well. During the last year alone, Congress enacted no fewer than six major pieces of tax legislation – including the two “Obamacare” bills, the HIRE Act, the Education Jobs Act, the Small Business Jobs Act and, of course the year-end Tax Relief Act that temporarily extended the current tax rates.
That last piece of legislation bought us at least two years of tax certainty, but when it comes to long-term capital gains or any of the other rules governing the taxation of investment, two years are scarcely enough to permit long-term planning, and so the uncertainty continues.
That uncertainty about where financial, tax and regulatory policy are headed in turn creates a challenging environment within companies and within firms when it comes to shaping their response to regulatory and compliance changes. That’s the environment in which we find ourselves. Given the extent of this change and the predictable uncertainty that will continue for several years, it is very important that companies respond to this in ways that are exceptionally flexible.
How should Finance organizations prepare for this future regulatory environment in spite of uncertainties, particularly global companies that do business in multiple jurisdictions? What sustainable practices in their control and reporting processes and systems do they need to invest in to prepare for the future?
Being globally active, of course, only ramps up the uncertainty because the requirements from multiple jurisdictions are layered on the responsibility of senior Finance executives for U.S. compliance. It is nonetheless possible to synthesize thematically many of the global requirements, because at least topically, they have very much in common.
What is most important is that the different parts of a global organization can talk to one another and that the human beings who must extract information from the IT systems that collect and disgorge that information can rationalize it. In particular, companies that address these changes in ways that are adaptable and flexible will have a clear advantage. Companies that fail to manage the process in this way will likely find their companies non-compliant and their risk management practices called into question – not only by regulators, but also by their shareholders and their customers.
Do you think that the passage of Dodd-Frank will reduce systemic risk and improve stability in our financial services institutions?
Unfortunately, the Dodd-Frank Act failed to address several of the
most significant causes of instability in the financial system and
sources of systemic risk. The first is the status of the
This is particularly salient, as the conservatorships have required the GSEs to engage in practices that support housing at the expense of their financial well-being. Likewise, the government’s completely unjustifiable practice of keeping these two GSEs off the federal balance sheet, even as they are under government ownership, makes a mockery of financial reporting norms and honest accounting. Addressing this glaring omission in the Dodd-Frank Act remains a top priority of financial reform.
Next in importance is the inadequacy of bank capital and liquidity standards. Dodd-Frank did not adequately address the obvious failure of the Basel standards in the financial crisis. Those standards continue to create powerful incentives for asset concentration in mortgages and a reliance on credit ratings, and of course both of those had a role in generating the mortgage bubble that led to the financial crisis.
So the short answer to that question would be “No.”
Correct. I’d also say that Dodd-Frank has given the Financial Stability Oversight Council a strong incentive to protect competitors rather than to protect competition, which might take market share from the dominant firms. The systemically important designation implies government readiness to support those firms in a crisis, perversely encouraging more risky behavior despite the more stringent capital and other requirements and thus deepening moral hazard.
Can you discuss some of the best practices for boards of directors with regard to risk oversight? Do you think that changes in proxy disclosure with regard to risk governance has had an impact on risk management practices?
Yes. In 2010, the SEC added requirements for proxy statement discussion of a company’s board leadership structure and its role in risk oversight. Now companies are required to disclose in their annual reports the extent of the board’s role in risk oversight, and they’re required to address such topics as how the board administers its oversight function, the effect that risk oversight has on the board’s processes, and whether and how the board or one of its committees monitors risk. That increased focus on risk management has had considerable and very earnest take-up across the corporate community.
There are several types of actions that companies and their appropriate committees have been taking to step up their focus on risk management. Without question, they are spending more time with management, and isolating the categories of risk that the company faces – focusing on risk concentrations and interrelationships, the likelihood that these risks might materialize, and the effectiveness of the company’s potential mitigating measures.
Many companies have created risk management committees. Financial companies, of course, that are covered by Dodd-Frank must have designated risk management committees, but boards of other companies have carefully considered the appropriateness of a dedicated risk committee, and many of them have found it prudent to create one. In other cases, boards have delegated oversight of risk management to the audit committee, which is consistent with the New York Stock Exchange rule that requires the audit committee to discuss policies with respect to risk assessment and risk management.
For large-cap companies that have a Big Board listing, that has continued to be another way to address these heightened concerns. I think boards are carefully bearing in mind that different kinds of risks may be better-suited to the expertise of different kinds of committees, so they may not always wish to stovepipe responsibility for risk in a single committee.
Above all, best practices today are focused on the fact that regardless of how the board subdivides its responsibilities, the full board has the responsibility to satisfy itself that the activities of its various committees are co-ordinated and that the company has adequate risk management processes in place.
It’s a fascinating world. I can see why if you’re a controller or CFO it’s an exciting but intense place to be.
I think that’s absolutely right. All of these changes we’ve discussed – in particular in the US – mean that we are entering an era of unprecedented demand on companies’ governance, risk, and compliance processes and IT infrastructures. I think that companies have dealt with regulatory changes over the past half-century largely incrementally. They’ve made adjustments to their enterprise-wide systems as needed to comply with what have been modest changes from year to year. But given the enormous scope of changes in these forthcoming new regulations, companies will find it necessary to find a comprehensive and holistic approach to at least regulatory reporting – and, in my view, their management control as well.
Companies have traditionally relied on different processes to gather enterprise data to help management run the business on the one hand, and to gather data in order to satisfy regulators, on the other. In part, that was sustainable because the information that regulators were requiring was historical and post-facto. But things are rapidly changing under these new frameworks. Regulators including the SEC are now requiring information that is risk-based and predictive. While that is a big change, it’s also a significant silver lining in that this will align the process of collecting and gathering information more closely with what management needs. That means that CIOs should be looking for ways to integrate their regulatory and their management reporting processes. For that reason, regulatory reporting doesn’t have to be viewed as sheer cost, or necessary evil. Instead, there can be significant efficiencies and productivity gains for the enterprise by merging the requirements of management and regulatory data gathering processes.
This convergence will also allow companies to restructure their data in a way that will feed predictive analytical systems. That, in turn, can lead to an improvement in both risk management at the board level, and risk-based decision-making processes at the management level.
About Christopher Cox, Former Chairman, United States Securities and Exchange Commission (SEC)
Beginning in 1988, when he was elected to the House of Representatives, Christopher Cox established a record of legislative accomplishments that elevated him to the top of the Congressional leadership. His wide range of expertise in a variety of complex issues gives him the ability to take the long view of the economic future, predicting both the actions of Congress and the effects those actions will have on the marketplace. The author of the Internet Tax Freedom Act, which protects Internet users from multiple and discriminatory taxation, Cox held leadership positions ranging from chairmanships on committees and taskforces overseeing everything from budget process reform and policy to homeland security and financial services. During his tenure as chairman of the Securities and Exchange Commission, he continued this fight for justice and transparency in the world of investing.
An Accomplished Lawmaker and Reformer. During his seventeen years in Congress, Cox served in the majority leadership of the U.S. House of Representatives. He authored the Private Securities Litigation Reform Act, which protects investors from fraudulent lawsuits, and his legislative efforts to eliminate the double tax on shareholder dividends led to legislation that cut the double tax by more than half. In addition, he served in a leadership capacity as a senior member of every committee with jurisdiction over investor protection and U.S. capital markets, including the Energy and Commerce Committee, the Financial Services Committee, the JointEconomic Committee, and the Budget Committee.
An Advocate for Investors. At the SEC, Cox focused on the enforcement of securities law enforcement, bringing a variety of groundbreaking cases against market abuses such as hedge fund insider-trading, stock options backdating, and municipal securities fraud. He also helped turn the Internet into a secure environment, free of securities scams, and he worked to halt fraud aimed at senior citizens. As SEC chairman, he was one of the world’s leaders in the effort to integrate U.S. and overseas regulatory policies in this era of global capital markets, making international securities exchanges safe, profitable, and transparent. As part of an overall focus on the needs of individual investors, Cox reinvigorated the SEC’s initiative to provide important investor information in plain English, championing the investor’s right to a transparency. His reforms included transforming the SEC’s system of mandated disclosure from a static, form-based approach to one that taps the power of interactive data to give investors qualitatively better information about companies, mutual funds, and investments of all kinds.
In 1994 Cox was appointed by President Clinton to the bipartisan commission on entitlement and tax reform, which published its unanimous report in 1995. From 1986 until 1988, he served in as senior associate counsel to President Reagan. From 1978-1986, he specialized in venture capital and corporate finance with Latham & Watkins. Cox received an M.B.A. from Harvard Business School and a J.D. from Harvard Law School, where he was an Editor of the Harvard Law Review.
OpRisk Europe 2011 – now in its 13th year, commenced today at the historic Waldorf Hotel in the West End of London. Somewhat ironic that the risk management conference is taking place in the stylish hotel whose interior is said to have inspired the designers of the “unsinkable” Titanic – a classic case study on risk management.
In one breakout session, Andrew Sheen of the FSA’s risk frameworks and governance team discussed recent developments from the BIS and their impact on operational risk. Citing updates to the “Sound Practices for the Management of Operational Risk” paper recently updated by the BIS Committee, Sheen emphasized several key considerations for the board of directors and senior management team. In particular, he emphasized the need for the board to set the tone at the top in order to promote a strong risk management culture and that banks should “develop, implement and maintain an operational risk management framework that is fully integrated into the banks overall risk management processes.” He also provided guidance for senior management. In particular, he noted that senior management should:
There’s been a lot of great content in Day One of OpRisk Europe, looking forward to tomorrow’s panel discussion on “The Impact of New Regulation on Operational Risk Management.”
If you’re involved with compliance, you must know that the SEC issued its final rules on whisleblowing. The original proposal was hugely contentious, with serious concern that employees will bypass companies’ internal reporting channels established as part of comprehensive compliance programs instituted and enhanced over recent years, and instead run directly to the SEC for a lottery-size payday.
You’re a CEO, senior manager, or board member watching your once-great company brought to its knees. You imagine yourself on the deck of the Titanic, your world coming to an end—your once confident self embarrassed in front of colleagues, competitors, friends, family, and the larger communities in which you once thrived and were held in such high esteem.
As you may know, the Dodd-Frank Act gave institutional investors and shareholder activists perhaps the item highest on their wish list – gaining ready access to the proxy statement with ability to name its own director nominees. And the SEC developed enabling rules to make it happen. Well, the U.S. Court of Appeals for the D.C. circuit just pulled the rule out from under shareholders. If you’re a shareholder activist, you’re probably outraged, but if you’re a board member or member of the senior management team, you’re likely breathing a sigh of relief!
It’s well known that a company’s tone at the top is critically important in determining its culture, including whether or not it will act with integrity and ethical values – fundamental elements of effective internal control and risk management. And we know it’s not only the words spoken at the top, but also the CEO’s actions that drive culture. What brings this to mind is the recent conviction of the CEO of fraud detection firm Fraud Discovery Institute. While a conviction of the head of this type of firm might appear unusual though not particularly noteworthy, what’s truly compelling about this news is that the CEO is none other than Barry Minkow.
Two recent events involving hurricanes provide insight into what risk management is about. Many of us who live in on the east coast of the U.S. know all too well the damage wrought by Irene. And many in the Florida are dealing with damage to the University of Miami “Hurricanes” football team.
The name is Kweku Adoboli, and you’ll be hearing a lot more about him. He works – or rather, worked – at UBS, Switzerland’s largest bank. He graduated from the well-regarded University of Nottingham, and moved up at UBS. What did he do? Well, UBS executives say he engaged in unauthorized investment trades, and cost the bank $2 billion! We’re no longer talking in terms of millions, or even hundreds of millions – but billions of dollars – enough to wipe out the bank’s profit for the entire quarter and send its stock price tumbling.
If you’re into playing poker or watching it on TV, you probably know the name Full Tilt Poker – the web site for playing Texas hold ’em and presumably other poker games. You may know of Howard “The Professor” Lederer and Chris “Jesus” Ferguson and have seen them on TV wearing Full Tilt Poker hats. On-line players put real money into supposedly secure accounts to use as they gambled on line on this company’s and other off shore web sites. One analyst estimates U.S. players alone bet $14 billion each year in on-line poker.
John Kelly 270004J7VQ firstname.lastname@example.org | | Tags:  grc enterprise operational risk | 0 Comments | 2,717 Visits
This week I had the pleasure (aside from the Sunday morning flight) of attending the RMA Annual Risk Management Conference in Washington, DC. Based on the standing room only crowd (even in the second repeat session), I’d have to say one of the most popular topics was “Developing a Risk Appetite” delivered by Bill Perotti of Frost Bank and Bob Rose of Brookline Bank. The duo defined Risk Appetite as “the amount of risk you will take in pursuit of a desired financial return”, which makes sense, but an effective risk appetite exercise, the presenters emphasized, really needs to be taken to the next level to reflect risk tolerance in all key areas of enterprise risk management (operational risk, credit risk, reputation risk, compliance risk, liquidity risk, sustainability, etc.).
Several examples were provided for how to develop a risk appetite statement for each of these key areas. One example included Operational risk and provided an example of how to create a risk appetite statement:
Operational Risk Appetite example:
We are committed to implementing practices and controls that will minimize financial losses from failures of systems, people and processes.
Quantitative measure examples:
Most importantly, risk appetite statements should reflect your company’s mission statement and values. Benefits outlined in the session included:
Of course the direction and communication on risk appetite needs to start at the top with the board of directors and CEO and be communicated and demonstrated throughout the organization. Looking forward to more informative sessions.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  grc analytics busness management openpages ibm erwin risk performance boeren | 0 Comments | 1,547 Visits
Last year IBM acquired OpenPages as a strategic move into the area of Governance, Risk and Compliance. The lasest announcement to acquire Algorithmics (quantitative risk management) shows the continuous commitment of IBM in the GRC market. GRC software will integrate into the Business Analytics Software group, the area where the former acquisitions like Cognos, SPSS and Clarity systems already resides.
Now that Risk Management is evolving, more and more organizations are starting an enterprise approach to risk management. And this is where I see the need for Risk and Performance Management convergence.
In past Risk Management implementations I see that a major portion of time and budget was spent on Risk Reporting and Dashboarding. Especially the need for self service reporting, where users can ad hoc create their own risk reports, is growing. We do not want to wait in the queue waiting for our report to be created. 2 days later you missed the opportunity to respond and the loss is there.
With this self service capability the question automatically pops up 'can I trust my data'. And now we are back in the area of data governance. This is exactly where the area of Performance Management is today.
Apart from these reporting and dashboarding capabilities Enterprise Risk Management means alignment of risks and controls to the strategic initiatives of the organization. What will prevent me from reaching my business goals? Isn't this defined as a risk? And how will we prevent this from happening? Wasn't that defined as a control?
Even more interesting are questions like, 'What if I was able to perform risk scenario planning?', 'What if I could predict risks from happening?' or 'What is the correlation between the risks that have materialized?'.
And there is the proof that Risk Management and Performance Management have lots in common and should be integrated. Lets call it Business Analytics.
Governance, Risk & Compliance Leader
IBM IOT Southwest Europe
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  openpages grc ipad solvency reporting | 0 Comments | 1,480 Visits
With Cognos 10.1.1 released you must have noticed the ability of having your reports and dashboards on mobile devices like iPad and iPhone.
With these mobile capabilities CROs (Chief Risk Officers) will now have the ability to measure risk from their mobile devices. For volatile risk areas like Market and Credit Risk this can make a huge difference.
IBM developed a risk monitoring system for CROs where one single version of the truth is provided of different risk areas like Credit Risk, Market Risk, Counterparty Credit Risk, Liquidity Risk, Basel II, Solvency II and Operational Risk. Not only does a CRO have the ability to monitor all these risk areas but he can also monitor the correlation between those risk areas and he is able to respond immediately to changes. Responses can immediately be formulated in the integrated social media platform.
One version of the truth and guaranteed quality of your data is simple to say but how do you govern this? This is where IBMs investment in data models starts to pay off. Since decades IBM develops and maintains data models for financial services including out of the box technical and business definitions. This enables organizations to come to one definition of risk over the entire organization. Taking definitions centrally will add value in the process of taking down the silod approach we spoke about in earlier articles. It will also help you in the accountability process of the business. Finally it is the business that should own the business definitions.
As discussed in our previous published blog (The convergence of GRC and Performance Management) Business Analytics capabilities like risk forecasting, risk adjusted profitability calculations, scenario planning and predictive risk analysis are part of this risk monitoring system called FIRM (Finance Integrated Risk Management).
The new regulation for Insurance companies, Solvency II requires organizations to plan their risk assessments and capital requirements 2 to 5 years ahead and to reflect impact on financial positions when a risk materializes. All this means that an integrated approach to risk management is a must. In next blogs we will go deeper into the Solvency II regulation.
You may have heard the news about an SAT cheating scandal, where students were accused of accepting payments or paying others to take the test for them. It seems to have started at Great Neck North High School on Long Island, New York, which I happen to know well – it’s where I went to the high school, which has a proud heritage of being regularly rated among the top high schools in the nation, with a high percentage of graduates going on to top colleges. Rumors of the cheating is reported to have sounded alarms with the school principal, who did the right thing in reporting to the proper authorities.
What’s relevant from a risk management and control perspective is what the College Board, which owns the SAT, and the Educational Testing Service (ETS), which administers the tests, have done. Based on reports, prosecutors relayed that the first thing ETS said was that there’s no problem – the cheating was an “isolated incident,” and the SAT is “secure.” At a state senate meeting, where legislators and school officials accused both the College Board and ETS of having lax security and a system that failed to punish cheats, ETS said if cheating is discovered the score is cancelled, and the student can get a fee refund and retake the test – that’s it! No one, not the high school nor any college, is notified. ETS claimed that state law prohibits it from releasing information about cheating, but prosecutors say that’s just not so. ETS’s approach of downplaying the problem is all the more surprising in light of past problems. Media reports speak to extensive incorrect scoring of tests and losing test results in England in 2008, with the UK Parliament calling their operation a “shambles.” And going back to 1983, cheating was suspected in California.
We can learn lessons from what’s happened here. Importantly, as with ETS, this isn’t the first time the College Board has had a serious problem with the SAT. Regular readers of this blog may remember my posting of a year ago that highlighted what the College Board did when it learned of problems with incorrect scoring of test results. At that time the president said, to the dismay of many, that it wasn’t necessary to look back to see what caused the incorrect scoring – that it would take too long, and in any event it was sufficient only to re-score the tests results. There was no interest in looking at the risks related to incorrect scoring and determining how they could be managed going forward! There was no attempt at risk identification, analysis and mitigation to deal with potential future problems; rather, it was like putting the organization’s collective head in the sand. Well, maybe the College Board has learned something – when this cheating scandal broke, the College Board president said it has hired a former FBI director to investigate security matters.
There’s little doubt that for both the College Board and ETS their reputations and indeed survival may well depend on academic communities having confidence in their ability to identify in advance what could go wrong, and take prudent actions to proactively prevent problems – to ensure the test results are those of the identified students and accurately reflect their performance. Anything less is unacceptable. And those organizations must fully understand that reputations are intertwined. Although the College Board outsources SAT test administration to ETS, that of course doesn’t mean it removes responsibility, certainly not in the eyes of the marketplace. It doesn’t work that way. It’s critical that these organizations get their risk management and crisis management right, with an appropriate level of coordination.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  grc research openpages enterprise algorithmics ibm management risk | 1 Comments | 2,544 Visits
In the last 2 months three independent researchers have given their opinion on IBM’s approach to risk management. All 3 are very positive towards the areas of Innovation, Market Presence, Functionality and Enterprise GRC capabilities.
Forrester in the Forresterwave EGRC 2011: The OpenPages platform remains one of the most consistently strong enterprise GRC platforms on the market today. The company’s vision is to enable senior management to make strategic risk and reward decisions to improve business performance and reduce exposure to risks and loss on investments. The OpenPages platform’s GRC management and analytics features are just one example of where this mission will play out."
Gartner in its September update: The OpenPages platform has solid capabilities in all the core functions, has above-average support for ERM and ORM, and is rated very high on financial reporting integrity compliance. It continues to execute consistently on a well-planned road map.”
Chartis published its Risk Top 100 last November with IBM ranked the No.1 vendor in the area of Risk Management. With special rewards for Functionality, Market Presence, Innovation, Fund & Asset Management, Market Risk, Operational Risk and Enterprise GRC.
In the Chartis RiskTech 100 IBM was measured for the first time along the qualitative and quantitative risk capabilities (read the acquisitions of OpenPages and Algorithmics). In the Gartner and Forrester publications the latest Algorithmics acquisition was not taken into account.
Interesting enough researchers praise IBM for immediately adding value to its acquisitions. One year ago IBM was ranked number 7 in the RiskTech 100 and now IBM is on top of the list. Not because the individual products are that good but because the minimal overlap and immediate integrations create added value for customers.
Adding Risk to the area of Business Analytics (Business Analytics is one of the 4 key initiatives of IBM towards 2015, driven by our new CEO Gini Rometty) is a great step into Smarter Risk. Capabilities like predictive intelligence, driver based planning, regulatory reporting, scenario testing, forecasting, dashboarding, scorecarding, reporting and analysis will give a great boost if you apply this to risk. This is where the convergence of performance management and risk management create great value for our customers.>
Blog post from Erwin Boeren, Governance Risk & Compliance Leader IBM Europe
Richard Steinberg 270004HRBG email@example.com | | Tags:  grc risk_management | 0 Comments | 1,151 Visits
We know that MF Global, the firm run by Jon S. Corzine, recently imploded under the weight of bad bets and huge leverage. Reports say that Corzine, former U.S. Senator, Governor of New Jersey, and co-head of Goldman Sachs, did at MF Global what he did at GS – and that’s take large risks in trading. How, one could ask, could it have turned out so wrong?
Effective risk management processes have at their core identifying, analyzing and managing risks. It will be a while before we know all the details of MF Global’s risk management process, but it appears to have worked reasonably well. Wait, what – is that a misprint? Probably not.
Based on reports, Corzine knew the risks he was taking. Basically, he bet that the European leaders would act in a way to alleviate the sovereign debt crisis. He put over $6 billion of the firm’s money at risk, which with the associated leverage put the firm’s existence at risk. And the firm’s risk officers also knew, and they seemed to have done what they were supposed to – they brought the matter to the board of directors. Reports say a senior risk officer described the situation and the risks to the board, with Corzine present. The risk officer pointed out not only the nature and size of the risks, but also that risks included both potential defaults on the sovereign debt and the bonds losing sufficient value to cause a liquidity crisis at the firm. The directors listened, and decided to approve what Corzine was doing.
Now, we weren’t in the room with the directors, or inside their heads, so we don’t know whether they made a thoughtful and rational business judgment, or whether they rolled over under Corzine’s undue influence. If the latter, then they failed in their job. But if the former, then they determined that they and the firm had a risk appetite large enough to “bet the ranch.”
So, whether this is a failure of risk management will be decided as the investigations continue and more facts emerge. And of course the missing “segregated” client funds is another matter, likely centered on specific internal controls over that money and what control activities might have been overridden by more senior executives. Also at issue is whether regulators did their job effectively. It will be interesting, indeed, to learn more, as no doubt we will as the investigations unfold.