Governance is King (or it should be!)
By Colin Johnston, Risk Director Barclays Capital
“We had no idea that this was going on.” “How this was hidden from the board is unexplainable.” “If we had only known.” If, if, if. How many times have we read hindsight statements like these from senior executives after a serious malpractice or scandal has been unearthed in a large corporate?
So how do incidents alluded to above come about? How do individuals or groups get away with large fraudulent activities in modern organisations, only being discovered when it’s too late?
There have been some ‘spectacular’ fraudulent incidents over the past few years within financial services, and each time we ask ourselves whether this could be happening within our own walls. For some period after such incidents, special project teams or working committees are established to look at in-house procedures. It is also during these times that the risk departments are asked whether such a ‘risk scenario’ was considered in-house and stress tested. The answer is usually yes: incident data is shared in the banking community, and several third party enterprises exist to provide key risk scenario information that enables organisations to stress test and model for such incidents in-house.
Large incidents, such as the recent Soc Gen £3.7Bn loss, are known in the risk managers' world as fat tail events, i.e. events that sit way out on the right-hand side of a loss distribution curve. They are also known in Basel II parlance as unexpected losses: these losses occur with relatively low frequency (but high financial impact) and are therefore difficult to model statistically in a loss distribution curve. However, data from such an incident will be shared and used within the financial markets, via the third party enterprises mentioned, as external data for in-house loss distribution models.
So if this good risk management work is all happening ‘behind the scenes’, and we know that similar incidents will still occur in future, albeit infrequently, what else can or should we be doing to further reduce losses of this nature? I believe that an answer to this question lies within our organisational governance frameworks.
A governance framework should be the integrated decision making, communication and control architecture of an organisation, whether it be government, military, manufacturing, banking, charity or home. It should be a top down and bottom up process with clear and unambiguous communication channels, enabling a ‘transparent organisation’. That is by no means meant to imply a “death by committee” culture, but rather a clear, holistic mechanism that is understood by and includes all members of the organisation, who in turn are rewarded and held accountable for their actions. It should facilitate an empowering and accountable culture that has the right people in the right place to make the right decisions, enabling effective and efficient achievement of unit and total entity targets and goals.
Organisational governance should be King, in that no individual’s actions should be opaque, whether good or bad. It is therefore critically important that an organisation ensures it has the right people on board the team from the outset, who not only are highly professional within their area of expertise or subject matter, but also fully understand and acknowledge from day one their role and responsibilities within the governance framework. Organisational objectives, departmental objectives, team objectives and personal objectives all enable acknowledgement of, and accountability for, those responsibilities by individuals. This is fundamental for the governance and control of an organisation.
With a robust governance framework that is fully and rigorously embedded across the organisation, where the framework, and not an individual or group, becomes king, the environment that allows fraudulent activity to succeed could be reduced. A good example of such simple and basic governance controls can be observed in some of the recommendations coming out of the Soc Gen incident post mortems undertaken by some of the larger city institutions. A recent report in the Financial Times quoted the FSA as agreeing with a number of recommendations, such as: all staff must take ten consecutive days’ leave, computer passwords must not be shared, and user computer system accounts of leavers must be closed. All simple stuff, but very effective in reducing fraudulent activity, so why have the simple examples given here not been adhered to?
But ultimately we still are very effective in reducing fraudulent activity.
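Two of the three recommendations above (ten consecutive days' leave, closing leavers' accounts) can be checked mechanically against HR and identity data, which turns a governance statement into a recurring control test. The following Python is an added example, not part of the original article or any FSA or Financial Times material. It assumes a small, constructed roster: leave is recorded as inclusive calendar-day blocks, a leaver has a leaving date, and each user has a single system account with an enabled flag; the field names and the sample people are invented for illustration.

```python
"""Control checks for two governance recommendations:
   1. every current member of staff has taken a block of at least ten
      consecutive days' leave within the last year;
   2. no leaver still has an enabled system account.
   Data model and sample records are constructed for this example."""
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Optional


class LeaveBlock(NamedTuple):
    start: date  # first day of absence
    end: date    # last day of absence, inclusive


class Staff(NamedTuple):
    user_id: str
    leaving_date: Optional[date]  # None while still employed
    account_enabled: bool         # state of the user's system account
    leave: List[LeaveBlock]


def longest_consecutive_leave(blocks: List[LeaveBlock]) -> int:
    """Longest run of absence in days, merging blocks that touch or overlap
    (two back-to-back bookings count as one continuous absence)."""
    if not blocks:
        return 0
    ordered = sorted(blocks)  # by start date, then end date
    best = 0
    cur_start, cur_end = ordered[0]
    for start, end in ordered[1:]:
        if start <= cur_end + timedelta(days=1):  # contiguous or overlapping
            cur_end = max(cur_end, end)
        else:
            best = max(best, (cur_end - cur_start).days + 1)
            cur_start, cur_end = start, end
    return max(best, (cur_end - cur_start).days + 1)


def clip(block: LeaveBlock, lo: date, hi: date) -> Optional[LeaveBlock]:
    """Restrict a block to the review window; None if it falls outside."""
    start, end = max(block.start, lo), min(block.end, hi)
    return LeaveBlock(start, end) if start <= end else None


def staff_without_block_leave(roster: List[Staff], as_of: date,
                              min_days: int = 10, window_days: int = 365) -> List[str]:
    """IDs of current staff whose longest absence in the window is too short.
    Leave before the window is ignored, so an old long break does not count."""
    lo = as_of - timedelta(days=window_days)
    flagged = []
    for person in roster:
        if person.leaving_date is not None and person.leaving_date <= as_of:
            continue  # leavers are covered by the account check instead
        in_window = [c for c in (clip(b, lo, as_of) for b in person.leave) if c]
        if longest_consecutive_leave(in_window) < min_days:
            flagged.append(person.user_id)
    return flagged


def open_leaver_accounts(roster: List[Staff], as_of: date) -> List[str]:
    """IDs of people who have left but whose system account is still enabled."""
    return [p.user_id for p in roster
            if p.leaving_date is not None and p.leaving_date <= as_of
            and p.account_enabled]


def run_checks(roster: List[Staff], as_of: date) -> Dict[str, List[str]]:
    """Both control tests as one report, keyed by finding type."""
    return {
        "no_ten_day_leave": staff_without_block_leave(roster, as_of),
        "leaver_account_open": open_leaver_accounts(roster, as_of),
    }


# Constructed sample roster; review date chosen to sit a month after a leaver.
AS_OF = date(2008, 4, 1)
ROSTER = [
    # Only ever takes single weeks: never away for ten consecutive days.
    Staff("trader01", None, True,
          [LeaveBlock(date(2007, 12, 3), date(2007, 12, 7)),
           LeaveBlock(date(2008, 2, 18), date(2008, 2, 22))]),
    # Two adjacent bookings that together make a fourteen-day absence.
    Staff("trader02", None, True,
          [LeaveBlock(date(2007, 8, 4), date(2007, 8, 10)),
           LeaveBlock(date(2007, 8, 11), date(2007, 8, 17))]),
    # Left on 29 Feb 2008 but the account was never closed.
    Staff("analyst03", date(2008, 2, 29), True, []),
    # Left in January and was properly deprovisioned.
    Staff("ops04", date(2008, 1, 15), False, []),
    # Long break, but most of it falls just before the one-year window.
    Staff("trader05", None, True,
          [LeaveBlock(date(2007, 3, 20), date(2007, 4, 5)),
           LeaveBlock(date(2008, 1, 7), date(2008, 1, 11))]),
]

if __name__ == "__main__":
    for finding, users in run_checks(ROSTER, AS_OF).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

The window clipping matters in practice: without it, trader05's seventeen-day break from the previous spring would satisfy the rule even though the person has not been away from the desk for more than a week in the year under review. Running the same two functions against a real HR export and an identity-system account list, on a schedule, gives the board the evidence that the simple controls it has agreed to are actually being applied.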
__________________________________________
London, April 2008