Corporate Governance: Governing the Governors
The Board of Governors of the Federal Reserve means business. Governor Susan Schmidt Bies continues to speak clearly, strongly, and often on the need for strong corporate governance and the responsibility of all management to maintain high ethical standards. Most recently, Governor Bies spoke to the American Bar Association at its annual meeting. She delivered a similar message to bank directors at the Community Bank Directors Conference of the Federal Reserve Bank of Chicago. These two speeches dovetail with those already reported on in Compliance Action. The message is important and this time was delivered to those who lead financial institutions and those who provide institutions with advice.
What can go wrong?
In her words, "we've seen some astonishing corporate governance and internal control breakdowns in companies that exhibited no outward indication of serious problems." To convince any doubters that problems can happen in their institution, Bies listed a number of problems that Federal Reserve System examiners have uncovered. Already familiar to the public are situations where weak and ineffective anti-money laundering programs allowed criminals to launder money through the institution. These programs were deficient in audit and management oversight and had inadequate compliance and legal review. These problems point out the need for an independent BSA audit that looks carefully at the program.
Bies stated that a repeated problem is inadequate management and audit committee oversight of business lines. Closely related to this problem is allowing business line managers to drive decisions to enter novel or complex products or services without adequate risk review.
A clearly dangerous practice is allowing business line managers to make product decisions without adequate review and analysis of risk. Other problems found by examiners include failure to segregate duties, enabling internal fraud, inadequate management oversight, elevation of form over substance, and lack of independence of outside audits.
A general pattern tends to emerge: cost center advice or support is sought only after the problems emerge, when it is too late to do anything other than damage control. The common denominator is that the institution failed to give risk management the appropriate emphasis until it was too late to fix the problems without damage to the institution.
Governor Bies put it succinctly: "Banks which try to delegate the update of annual control assessments to junior auditors, rather than 'wasting the time' of management, lose an opportunity to remind managers that they have the responsibility for maintaining effective internal control - a responsibility that cannot really be delegated."
The situations identified by examiners are all familiar to compliance managers. In fact, they are part of the uphill battle that compliance managers fight every day. Finding funds to provide an independent BSA audit and getting cooperation of business line managers in developing and delivering new products is an everyday struggle. The reason is simple. Compliance costs money. What Governor Bies is doing through these speeches is explaining to management why the expenditure of resources on cost centers is important to the overall health and productivity of the organization.
The Framework
The most critical step is to maintain an environment and a corporate culture that is open to assessing risk. Governor Bies offers COSO's (Committee of Sponsoring Organizations) recent report, Internal Control - Integrated Framework, as an essential resource. The goal of the internal control process is to achieve effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
What the COSO document makes clear is that risk management is a process that must be an integral and ongoing part of the organization. It is not a "been there, done that" type of exercise. Much as many managers would like to put compliance and risk management behind them with a single gesture, it is simply not possible. This is not how risk works. Risk involves change. Responding to change requires versatility and flexibility and constant attention.
At least once a year, the organization and the managers within it should take a careful look at risk and the ability to respond to it. Think of this as checking the map while on a hike. You don't look at the map only before setting out. You check it periodically to be sure you are on the planned route. Regular risk reviews do the same.
Risk reviews should consider current and planned operational changes, the risk related to those changes, and the method the organization has for controlling risk, identifying problems, and correcting them.
Another core element of a risk review is internal communication. Not only must management avoid the "been there, done that" mentality; management must also be open to information that may not support immediate goals or ideas. Bies stressed that internal communication between lines of business is essential to risk management.
The Director's Role
As a director, a board member has specific responsibilities to ensure that the organization identifies and controls risk. Directors should understand that risk management is part of their responsibility. They should understand how the organization identifies and manages risk. They should establish what level of risk the organization will accept. They should include risk assessment in business decisions, including development and adoption of a strategic plan.
The board also has responsibility for management. Bies reminds board members that they should periodically assess whether management is actually adhering to the risk guidelines set by the board. Ultimately, the board is responsible for management's decisions. And ultimately, the board is responsible for hiring - or firing - management.
Regular reports to the board should give the board confidence that risk is being managed or raise concerns about weaknesses in risk management. Reporting, and the candid content of reports, is critical to the program. Reports must describe what is actually going on, not simply what management wants to hear, and directors should consider reports carefully to be certain that the reporter is not simply telling management what it wants to hear.
A key question to ask is whether the organization is getting by on technicalities but not following the spirit of the law. The board and management should also consider how things look from the outside in. For example, does their compensation package withstand scrutiny or does it damage the organization's reputation?
Line Managers
Compliance managers have long tried to communicate that compliance is everyone's job. When it comes to line managers, Governor Bies gets straight to the point. "Internal controls and compliance are the responsibility of line managers, who must determine the acceptable level of risk in their line of business and assure themselves that the combination of earnings, capital, and internal controls is sufficient to compensate for the risk exposures."
The Lawyers
It isn't just the auditors who may be responsible for telling the organization when it is out of line. Governor Bies reminded the American Bar Association that lawyers have clear responsibilities. Lawyers are charged with the responsibility of making clients understand the need for internal controls, state-of-the-art accounting practices, and "robust corporate governance systems." Finally, lawyers are responsible for ensuring that clients understand the liabilities.
Risk Controls
- Policy to address the organization's tolerance for legal and reputational risks, including a regular reassessment of risk tolerance by senior management.
- Procedures for assessing legal and reputational concerns, including process and methods for reporting concerns to senior management.
- Transaction approval and monitoring procedures that include all relevant areas, including legal and compliance.
- Due diligence on control processes within the organization and with outside parties such as vendors, including procedures to address deficiencies.
- Review of overall customer relationship in the context of the entire organization so that risks and the impact of decisions are identified on a comprehensive basis and not in silos.
- Procedures to ensure that business lines comply fully with company policy.
Control assessments
- Conduct a comprehensive review of risks and determine the level of risk which is appropriate for the organization and its goals.
- Evaluate mitigating controls and monitoring processes to determine whether they are effective in achieving and maintaining the targeted level of risk.
- Review the organization's business plan to see how risk exposures are expected to change.
- Determine whether new controls, or changes in existing controls are needed to manage risk.
- Prepare action plans for building or modifying existing controls to effectively manage risk.
ACTION STEPS
- Make sure that everyone who should see these speeches does so. Send copies to your CEO, include them in the board package, and send copies to your in-house and/or outside counsel.
- Schedule an annual risk assessment. Prepare by developing a risk assessment of your compliance program.
- Recommend that risk assessment and its findings be a part of development and review of your institution's strategic plan. Also include CRA in the strategic plan.
- If compliance and risk management responsibilities for line management are not clear, take steps to make them clear. Line management is a critical part of the compliance team.
- Look for ways to build in accountability for risk management and compliance. Also look for ways to reward success.
- Get copies of the COSO report at www.coso.org.
Copyright © 2003 Compliance Action. Originally appeared in Compliance Action, Vol. 8, No. 10, 10/03