Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  grc risk_management | 0 Comments | 1,108 Visits
We know that MF Global, the firm run by Jon S. Corzine, recently imploded under the weight of bad bets and huge leverage. Reports say that Corzine, former U.S. Senator, Governor of New Jersey, and co-head of Goldman Sachs, did at MF Global what he did at GS – and that’s take large risks in trading. How, one could ask, could it have turned out so wrong?
Effective risk management processes have at their core identifying, analyzing and managing risks. It will be a while before we know all the details of MF Global’s risk management process, but it appears to have worked reasonably well. Wait, what – is that a misprint? Probably not.
Based on reports, Corzine knew the risks he was taking. Basically, he bet that the European leaders would act in a way to alleviate the sovereign debt crisis. He put over $6 billion of the firm’s money at risk, which with the associated leverage put the firm’s existence at risk. And the firm’s risk officers also knew, and they seemed to have done what they were supposed to – they brought the matter to the board of directors. Reports say a senior risk officer described the situation and the risks to the board, with Corzine present. The risk officer pointed out not only the nature and size of the risks, but also that risks included both potential defaults on the sovereign debt and the bonds losing sufficient value to cause a liquidity crisis at the firm. The directors listened, and decided to approve what Corzine was doing.
Now, we weren’t in the room with the directors, or inside their heads, so we don’t know whether they made a thoughtful and rational business judgment, or whether they rolled over under Corzine’s undue influence. If the latter, then they failed in their job. But if the former, then they determined that they and the firm had a risk appetite large enough to “bet the ranch.”
So, whether this is a failure of risk management will be decided as the investigations continue and more facts emerge. And of course the missing “segregated” client funds is another matter, likely centered on specific internal controls over that money and what control activities might have been overridden by more senior executives. Also at issue is whether regulators did their job effectively. It will be interesting, indeed, to learn more, as no doubt we will as the investigations unfold.
Richard Steinberg 270004HRBG email@example.com | | Tags:  global cro mf risk | 0 Comments | 966 Visits
A recent Congressional hearing on MF Global has shed more light on how well the company did, or didn’t, handle its risk management responsibilities. A couple of weeks ago the House Financial Service Committee’s oversight panel heard testimony from the firm’s chief risk officers. As CRO, Michael Roseman in 2010 raised concerns about the firm’s European Sovereign debt positions, reportedly clashing with top executives but in any event seeing to it that the board of directors was informed of what was going on. (For more on this, you can look back to my December 15 posting.) Then in early 2011 MF Global hired a new chief risk officer, Michael Stockman, who like CEO Jon Corzine was a former Goldman guy. One Congressman reportedly said it appeared “Stockman was hired to tell Mr. Corzine what he wanted to hear,” and another called him a “yes man.” Whether that’s fair or not is debatable, though one wonders why the change of CROs was made in the first place. In defense, Stockman said that for the first several months of his tenure he believed the firm’s “risk profile associated with the company’s European sovereign debt position was acceptable in light of then-prevailing market conditions,” but “as credit markets deteriorated in the summer of 2011, I came to the view that it would be prudent for the company to mitigate the increased risks.” Whether his initial assessment was justified and whether he pushed hard and timely enough with management and the board certainly is questionable.
Fascinating here is what was said by the Congressmen doing the questioning, reportedly saying to Stockman that it was up to the chief risk officer to “rein in their bosses risk taking.” If that indeed was said, then it shows a sad lack of understanding of what a chief risk officer’s role truly is. In highly summarized form, if the role is structured well, the CRO is responsible for establishing a process within the organization where managers timely identify, analyze, and manage risk, with communications systems in place to ensure appropriate upstream reporting. The reporting element is critical, not only within the organizational infrastructure but also going to the very top. The CRO needs to be sure top management and ultimately the board of directors are fully apprised of significant risks. And if management refuses to inform the board, then the CRO has to do it him/herself. CRO Roseman seems to have made sure the board was apprised.
A CRO’s job is not easy, especially when a company takes on what can only be deemed unusually high risk positions. The CRO needs to be sure the risks are identified, analyzed and reported, which seems to be the case here. The board was apprised of the risks when Roseman was CRO, and we’re told the directors considered the risks and acquiesced. A board of course should probe deeply enough to truly understand the risks and surrounding circumstances. If those actions occurred, and the CRO was convinced the board had sufficient understanding and insight, then he has done his job – which does not, as the Congressmen asserted, include the CRO himself reining in the risks.
No doubt more insights will emerge and the picture of what happened will become clearer. Investigators might even find out what happened to the more than $1 billion (one estimate is as high as $1.6 billion) of “missing” customer money, and whether internal controls were faulty or overridden as the firm was about to go under. In any event, it’s important that the different roles of a CEO, CRO and board be fully understood. The CRO does not and cannot be responsible for the ultimate actions of a CEO and board of directors. The CRO’s role includes seeing that top management and the board understand the risks and make well-informed judgments. And yes, those judgments may ultimately prove to be bad, or even fatal as was the case with MF Global.
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  dodd-frank risk risk_management openpages | 0 Comments | 953 Visits
If you’re in or work with the financial services industry, you probably know about the late December holiday "gift" from the U.S. Federal Reserve – proposed rules implementing provisions of the Dodd-Frank Act which could have a profound effect on how boards and managements deal with risk. In any event, you’ll want to keep in mind that the Fed is accepting comments only for the next month – until March 31.
The proposed rules are far-reaching, including requirements for risk-based capital and leverage, liquidity, stress tests, sing
The risk committee is required to "document and oversee, on an enterprise-wide basis, the risk-management practices of the company's worldwide operations." The committee would be chaired by an independent director, and at least one member needs to have risk-management expertise commensurate with the company's size, complexity, and other risk-related factors. Further, its members are expected to understand risk-management principles and practices relevant to the company, with specified experience in risk management. And there are rules for a committee charter, meetings, and documentation.
The committee’s responsibilities include reviewing and approving an appropriate risk-management framework commensurate with the company's size and other factors. The framework’s scope is outlined, including requirements for risk limits appropriate to each line of business, policies and procedures for risk-management practices, processes for identifying and reporting risks, monitoring compliance with risk limits and procedures, and specification of management's authority and independence to carry out risk-management responsibilities. Additionally, the larger covered companies will need to appoint a chief risk officer in charge of implementing and maintaining the risk-management framework and practices approved by the risk committee, with the rules specifying responsibilities and qualifications for the CRO and reporting relationships.
If not already under way, now is the time to analyze the proposal and its implication, and let the Fed know what changes are needed. If interested, you might want to tune into the upcoming IBM OpenPages webinar where I’ll be discussing the proposed rules, their implications and the challenges they present – March 8, 2:00 pm Eastern Time.
More great news from the analyst community! Gartner released the 2009 Enterprise Governance, Risk and Compliance Platforms Magic Quadrant report today and OpenPages was positioned in the “Leaders” quadrant for the third consecutive year!
In the report, Gartner called out OpenPages “viability” as a key strength:
Richard Steinberg 270004HRBG email@example.com | | Tags:  fraud risk_management | 0 Comments | 847 Visits
We know the Olympus Corp. suffered a major management fraud. Financial statements were manipulated to hide huge losses, resulting in its stock price dropping like a rock and jeopardizing the company’s listing status and indeed existence in its current form. For more on the fraud, you may want to look at my October 15, 2011 blog posting.
Those looking at this fiasco may well be asking why this fraud, which had been going on for more than a decade, wasn’t brought to light any sooner – that is, before newly appointed CEO Michael Woodford began to smell a rat. Well, now it’s come out that one critical element in detecting and possibly preventing fraud at the highest management levels – which is having an effective whisleblowing process – wasn’t in place at Olympus. Sure, they had a process, but now it’s reported that the very executives perpetrating the fraud were in charge of the hotline! It’s said that the company’s internal auditors and other employees wanted the whistleblower system to be run by outside parties, but at least one of the executives alleged to have been driving the fraud objected and won out. According to an independent panel investigating the fraud, the corporate atmosphere was such that the hotline was “significantly disabled.” Is it essential to have the hotline outsourced? No. But it is critical that company personnel feel comfortable that their communications will not come back to haunt them, which is said not to be the case at Olympus.
Much has been written about management fraud, and what internal controls are needed to prevent or detect it. But my experience is that it really comes down to four key factors. One is having a culture of integrity and ethical values, with the “right” tone at the top of the organization and open communication channels. Another is a board of directors (and audit committee) that is independent and providing effective oversight. One more is an effective internal audit function. And then there’s an effective whistleblower process. Based on what’s been reported, Olympus evidently didn’t have any of these big four – we don’t know much about the functioning of its internal audit function, but now learn that the company is suing the former internal auditor along with two other executives who an independent panel said “orchestrated the scheme.” So is it surprising that such a fraud could have existed for so long? In light of its governance, risk management and internal control processes, the answer is “not really.”
When we look at the potential of management fraud, it’s critical to look at these four elements. If even one is missing, the chance of fraud going undetected increases greatly. And no one should proceed with the odds stacked in favor of bad actors.
In a previous blog, I recommend Gillian Tett’s book, Fool’s Gold: How the Bold Dream of a Small Tribe at J. P. Morgan Was Corrupted by Wall Street Greed and Unleashed a Catastrophe. In this blog I want to describe a few of the key risk management lessons that I was able to glean from reading the book. We’ll start with the first two here.
Lesson 1: If it sounds too good to be true, it probably is.
Fool’s Gold is a great title for this book. As Tett writes, “For the first time in history, banks would be able to make loans without carrying all, or perhaps even any, of the risk involved themselves. That would, in turn, free up banks to make more loans, as they wouldn’t need to take losses if those loans defaulted.” Doesn’t this sound like a too-good-to-be-true story? It was and the mistakes that financial institutions made nearly brought down the global banking system. As risk managers we need to dig deeper and get to the bottom of “deals” that are too good to be true.
Lesson 2: There are many tools that can help reduce risk, but used inappropriately they can actually increase risk.
Warren Buffet defined prophetically in 2003 that the new financial tool called derivatives were “financial weapons of mass destruction.” The crucial point about derivatives is that they can do two things: help investors reduce risk or create a good deal more risk. Everything depends on how they are used and on the motives and skills of those who trade in them. Some investors like derivatives because they want to control risk, like wheat farmers who prefer to lock in a profitable price. Others want to use them to make high-risk bets in the hope of making windfall profits, kind of like playing the lottery. Credit derivatives were used to manage the risk attached to the loan book of banks and these tools offered a way of controlling risk, but they could also amplify it; it all depended on how they were used. In the subprime CDO market they greatly amplified the risk and the majority of senior managers within the financial services firms did not understand this risk.
Check back tomorrow for the next three lessons from Fool’s Gold.
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  erm coso | 0 Comments | 783 Visits
In case you were too busy watching your kids open their holiday presents you might have missed a “gift” for you – COSO’s updated internal control framework. During the holiday season the draft was exposed for public comment, so if you haven’t already done so, you might want to get your hands on it and tell COSO what you think, and how it might be further improved.
In looking over the draft you’ll see that the fundamental concepts and structure remain. The definition of internal control, the five components, and the COSO cube are unchanged. So are the three categories of objectives, except that the reporting category is expanded to include all reporting by an entity: financial and non-financial, internal and external. This brings the internal control framework in line with how the reporting category of objectives is defined in COSO’s Enterprise Risk Mana
Other enhancements include:
You’ll see the term “ICEFR” (pronounced ice-eh-fer), which is the acronym for internal control over external financial reporting. Because of the importance of the internal control framework for reporting under such requirements as Sarbanes-Oxley, COSO decided to offer a separate guidance document highlighting how the framework can be effectively applied for that purpose. It’s organized around the five internal control components, containing approaches for and examples of their application, with direct linkage to the principles and attributes in the framework. It’s important to keep in mind that the ICEFR guidance is just that, guidance; it will neither replace nor modify the framework. It will be exposed for comment later on this spring.
Well, it’s a case of speak now, or…. If you’re involved in any way with internal control, you’ll want to provide your input on the document. By the way, I’m biased in a positive way – for full disclosure, I was the lead PwC project partner of the team that developed the original Framework, played a similar role with the COSO ERM framework, and advised the project team that developed this updated framework. But you may have different views, and it’s important to make them known. The comment period ends March 31.
Rounding out the 2010 GRC Wish List at #10 is “Increased Agility to Respond to New/Changes in Regulations.” While there’s a lot of talk about regulatory reform, and Gordon Burnes noted that “Regulatory Clarity” was #1 on the 2010 GRC Wish List, we may be getting closer to actual regulation this year.
President Obama, in his first State of the Union address, called for “serious financial reform.” He stated, “We can’t allow financial institutions, including those that take your deposits, to take risks that threaten the whole economy. Now, the House has already passed financial reform with many of these changes. And the lobbyists are trying to kill it. But we cannot let them win this fight. And if the bill that ends up on my desk does not meet the test of real reform, I will send it back until we get it right. We’ve got to get it right.”
As regulatory pressures continue to mount, and given that the regulatory environment will only increase in complexity, businesses that take a more practical, cross-regulatory approach to managing compliance will alleviate increasing cost and complexity while gaining valuable insight into risks to key business processes that could affect corporate performance in the form of legal action, fines and penalties or damage to company reputation.
This is where the need for “Increased Agility” comes in. Your risk and compliance processes will evolve over time to meet these changing business and regulatory requirements. Your GRC solution needs to be flexible and allow you to quickly adapt your risk and compliance management framework to meet changing requirements, while minimizing the impact on your business operations. Be careful of solutions that either force you to change your processes or develop custom extensions to the software to meet new regulations or requirements. Changes to your methodology due to an inflexible technology solution will negatively affect your ability to incorporate integrated risk management into your business operations.
Tags: 2010 GRC Wish List
Regular readers of this blog undoubtedly are familiar with the FCPA and related Justice Department and SEC enforcement activities. On a personal note, I remember well when the FCPA was enacted, as I took on responsibility in my firm for providing our clients with analysis, guidance, and support materials to help deal with the new law. Emphasis was put as much on the Act’s internal control provisions, which require (with somewhat different terminology) effective systems of internal control over financial reporting – this of course, long before SOX. Companies did look at their internal control systems for opportunities for strengthening, but without required management reporting or auditor involvement, we did not see the kind of focus that came in more recent years under SOX. Significant attention was given to the bribery provisions, though with little regulatory enforcement activity for many years, attention subsequently waned.
But life under the FCPA now is very different. It’s reported that in the last four years 58 companies paid almost $4 billion in settlements – including Siemens (whose securities are traded in the U.S.) paying $800 million each to the German and U.S. regulators – and 42 individuals have been convicted. Early this year, for example, an oil company executive was sentenced to a two and one-half prison term. “I am truly sorry,” he said, “I lost touch.” At the moment some 78 companies are reportedly under investigation, including the likes of Alcoa, Avon, Goldman Sachs, HP, Pfizer, and Wal-Mart – it remains to be seen whether they will be formally charged. And we know that Rupert Murdoch’s News Corporation, among others, is in regulators’ sights.
There has been pushback by business, saying regulators have been overzealous and thereby stifling legitimate business initiatives – especially so with their going after not only companies but individual executives as well. The United States Chamber of Commerce is looking to have the law amended, with a Chamber official recently noting “The last time I checked, we were not living in a police state.” But enforcement officials don’t seem to be perturbed, with the assistant Attorney General making clear that the Department is expanding its staff and enforcement actions are on the rise. With that said, discussions between the groups have begun, and desired guidance may be forthcoming.
What to do? Clearly there’s no silver bullet. Close attention needs to be paid to ensuring strong compliance programs – which, importantly, the DOJ has said it will look to in a positive way when considering enforcement actions. Yes, further clarity has been requested from the Department in that regard, and we know about concerns with Dodd-Frank’s whistleblower provisions, but that shouldn’t stop compliance officers and senior managements from continuing efforts to strengthen internal programs. Many law and other firms have provided guidance on identifying high-risk areas and steps to be taken, which certainly are worth serious consideration. Among important areas of focus are risk assessment, policy management, clear authorities and fixed responsibility among line managers, real time communication, close monitoring by line management as well as compliance and internal audit personnel, and immediate and decisive action when red flags appear. It’s not easy, but with the Act in place and regulators expanding scope, close attention is critical.
Mark your calendars! OPUS 2011 will be hosted at the Renaissance Boston Waterfront Hotel, May 17-19, 2011. We’re developing an extensive lineup of speakers and domain experts based on your feedback and look forward to seeing you. A lot has changed since we last met and the world of risk management has evolved dramatically.