Another Example of the Value of Risk Management

It seems that some financial institutions have not fully learned the lessons of past rogue trading incidents such as those at Société Générale and Barings. Officials at UBS announced today that the bank faces massive losses at the hands of a lone trader. Here’s what the BBC reported this morning.

Police in London have arrested a 31-year-old man in connection with allegations of unauthorised trading which has cost Swiss banking group UBS an estimated $2bn (£1.3bn). Kweku Adoboli, believed to work in the European equities division, was detained in the early hours of Thursday and remains in custody. UBS shares fell 8% after it announced it was investigating rogue trades. ZKB trading analyst Claude Zehnder said the news would damage confidence in UBS. “They obviously have a problem with risk management.”

This is yet another example of the value of a strong risk and control program. While it is difficult to control external events, unauthorised trading is an internal one: companies can certainly implement proper internal controls to protect against massive losses such as this.

Sarbanes-Oxley Executive Compensation Clawbacks Continue

Yesterday, the U.S. Securities & Exchange Commission (“SEC”) announced another successful “clawback” of executive compensation under the Sarbanes-Oxley Act of 2002. James O’Leary, former Chief Financial Officer of Atlanta-based Beazer Homes USA, was forced to return over $1.4 million in bonus payments and stock sale profits that he received as a result of fraudulent financial reporting in 2006. What is notable about the case is that the CFO was not implicated in any wrongdoing beyond having certified financial statements that later proved to be inaccurate. The individual being criminally prosecuted for the fraud is the Chief Accounting Officer, who reported to the CFO during the period in question.

“Section 304 of the Sarbanes-Oxley Act encourages senior management to take affirmative steps to prevent fraudulent accounting schemes from occurring on their watch,” said Rhea Kemble Dignam, Director of the SEC’s Atlanta Regional Office. “O’Leary received substantial incentive compensation and stock sale profits while Beazer was misleading investors and fraudulently overstating its income.”

This announcement comes on the heels of a related clawback from the CEO of Beazer Homes that totaled more than $6.4 million. Again, in that case, the CEO was not implicated in any criminal wrongdoing. The SEC’s enforcement approach toward both the CEO and the CFO serves as a reminder to senior executives to ensure their annual certifications are accurate. The only way to know is to have a strong risk and control program in place. Wheelhouse Advisors can help. Visit to learn more.

Collaboration is Key for GRC Success

An interesting study on the current state of Governance, Risk Management & Compliance (“GRC”) programs has just been released, and the results are quite revealing. Entitled “The Role of Governance, Risk Management & Compliance in Organizations”, the study was conducted independently by the Ponemon Institute for EMC. The study covered four primary domains – IT GRC, Operations GRC, Finance GRC and Legal GRC – and surveyed 190 GRC practitioners across the United States.

One of the primary findings was that organizations are still limited by their ability to collaborate and communicate risk information across the enterprise. Part of the problem lies in the lack of a comprehensive strategy to improve collaboration. Beyond the lack of a strategy, organizations are also limited by the technology supporting their GRC programs. Here’s what the Ponemon Institute concluded.

We believe this study reveals the importance of an enterprise-wide strategy and increased collaboration among domains to meeting eGRC objectives. Currently, only 20 percent have an enterprise-wide strategy and collaboration among GRC areas is far from perfect. Only 28 percent of respondents say their organizations enjoy frequent collaboration or cooperation among GRC areas. However, the good news is that only 12 percent say GRC areas operate in silos in their organizations.

To address the barriers to collaboration, the study recommends that organizations make it a priority to get people from the various lines of business talking to one another and to establish “risk ambassadors”. Gaining visibility and control through effective cross-enterprise eGRC collaboration is important to reducing gaps in how risk is assessed and managed.

Finally, according to respondents, managing risk is and will continue to be the biggest eGRC focus for their organizations. This is understandable because organizations are finding that the cost of complying with the plethora of regulations can be daunting. Taking a risk-based approach toward compliance requirements enables them to focus their resources on the most at-risk areas of their business and achieve real value from their eGRC activities.

Building the right processes, involving the right people and utilizing the right technology are all key to achieving the sort of value that GRC programs should provide. Wheelhouse Advisors is uniquely qualified to bring these key elements together for your organization. Email us at to learn more.

Who Is Really to Blame?

Yesterday, the infamous Jérôme Kerviel was sentenced to three years in prison and ordered to repay the estimated €4.9 billion that the French financial institution Société Générale lost as a result of his failed derivative trades. What surprises many who have weighed in on the verdict is that sole blame for the massive losses has been placed on the young trader. Here’s one common view as reported in the New York Times.

“It’s a whitewash,” Bradley D. Simon, a white-collar criminal defense attorney at Simon & Partners in New York who specializes in securities and bank fraud, said of the verdict. “The evidence does not support absolving the bank completely,” he said. “This was a lot larger than Kerviel.”

Société Générale had admitted to management failures and weaknesses in its risk control systems. An internal audit published in May 2008 described Mr. Kerviel’s immediate supervisors as “deficient” and acknowledged that the bank had failed to follow through on at least 74 internal alerts about Mr. Kerviel’s trading activities dating to mid-2006.

While an appeal of the verdict is virtually guaranteed, the larger question remains: how can a situation like this unfortunate one be prevented in the future? The answer certainly begins with stronger risk and control programs, as the numerous weaknesses found at Société Générale demonstrate. Seventy-four unanswered internal alerts is not a failure of detection; it is a failure to act on what was detected.

Many Financial Services Companies Lack a Clear Risk Strategy

A recently published study by the Economist Intelligence Unit examines the current maturity of risk management practices in financial services companies. For long-time readers of this blog, most of the key findings (see the complete list below) will not be surprising. According to the study, companies have recognized the need for greater investment in risk management, both in people and in technology.

However, a surprising 40% of respondents report that their companies either lack a clearly defined risk strategy or do not update it regularly. This may indicate that some companies are taking a “bottom-up” approach to improving their risk management practices. By doing so, these companies will ultimately spend more time and money on risks that may not be material or emerging as future threats. Senior management and board members of these companies should refocus their efforts on the risks inherent in the strategic objectives of the overall enterprise.
Key Findings
  1. Confidence levels are high but there is a risk of complacency. Financial institutions are feeling much more confident about the future compared with 12 months ago. Around three-quarters of respondents believe that prospects for revenue growth over the next year are good, whereas 68% are positive about the prospects for profitability. These levels of confidence, which are around double the levels reported in a similar survey conducted last year, reflect a widely held view that the financial system has stabilised. There is a risk of complacency, however. As governments withdraw stimulus packages and liquidity support for the financial sector, revenues and profitability could yet fail to meet expectations.
  2. The focus on regulatory compliance could distract attention from emerging risks. Around the world, regulators have stepped up their scrutiny of financial institutions. While few people would argue against a tougher regulatory regime in financial services, respondents to the survey highlight uncertainty regarding regulation as the main barrier to effective risk management. There is a danger that the focus on compliance could be “crowding out” day-to-day risk management at a time when formerly low probability risks, such as sovereign debt crises, are becoming more commonplace.
  3. A clearly defined risk strategy is in place at most institutions, but significant areas of weakness remain. Investment in risk management is increasing almost across the board, with risk processes, data, information systems and training being key areas of focus for the majority of institutions. Six out of 10 respondents now say that they have a clearly defined risk strategy in place at their organisations that is updated on a regular basis. However, this still leaves a worrying 40% whose companies do not conduct regular updates or do not have a clear risk strategy in place.
  4. Banks and insurers are filling gaps in risk expertise with investment in training and recruitment. Respondents recognise that shortfalls in the quality and quantity of risk experts have been an important part of the problem in risk management. Asked about key areas in which shortcomings need to be addressed, respondents list issues related to expertise as three of their top four priorities. More than one-half of respondents say that they are increasing their investment in training, both of risk professionals and across the broader business, and a similar proportion say that they are spending more on recruitment.
  5. Financial institutions need to further improve data quality and availability. An over-reliance on risk models, and problems with the data used to populate those models, have been widely seen as a key failure in financial risk management. Financial services firms recognise that data quality and availability need to improve further. Collecting, storing and aggregating data is an area of weakness for many institutions, with only 39% of respondents believing that they are effective at all these activities.
  6. The silo-based approach to risk management continues to pose problems. In the days leading up to the financial crisis, the separation of risk management into separate departments led many financial institutions to underestimate risk concentrations and correlations. Even now, less than one half of respondents to our survey are confident that they understand the interaction of risks across business lines and poor communication between departments is seen as a key barrier to effective risk management.

Common Sense Prevails

This week, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) released its highly anticipated guidance on monitoring internal controls (see graphical overview below). This guidance will prove very useful in helping companies improve the effectiveness of their internal controls and increase the efficiency of their internal control evaluation efforts. Many companies have struggled with their external auditors and regulators to find ways to lower the cost of those evaluation efforts by leveraging activities already performed in the normal course of business. This guidance provides a solid basis for management to use in determining the best way to evaluate internal controls. Here is a sample of the monitoring activities specified within the guidance.

  1. Periodic evaluation and testing of controls by internal audit,
  2. Continuous monitoring programs built into information systems,
  3. Analysis of, and appropriate follow-up on, operating reports or metrics that might identify anomalies indicative of a control failure,
  4. Supervisory reviews of controls, such as reconciliation reviews as a normal part of processing,
  5. Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions,
  6. Audit committee inquiries of internal and external auditors, and
  7. Quality assurance reviews of the internal audit department.

Much of the guidance is really common sense applied to an exercise that for years has defied common sense. To learn more about how you can streamline your control evaluation process, visit

A View from Across the Pond

Last week, an article in the Wall Street Journal provided a unique perspective on the current financial crisis in the United States from “across the pond” in Europe. The article rightly points out that the crisis is not the result of a lack of regulation, but of a lack of effective regulation caused by overwhelming complexity and redundancy. Here is an excerpt:

“American financial regulatory bodies have historically been fragmented. In a report published in November 2007, the U.S. Financial Services Round Table counted 10 different federal regulatory bodies with over 30,000 employees, and that’s not even counting regulators for the 50 states. The report frequently describes U.S. financial regulation as prescriptive, complex, formalistic, expensive and inefficient. Regulations often overlapped, making the same financial institutions subject to different rules and different enforcers. The U.S. regulatory landscape may resemble a jungle, but only because of all the choking vines.”

The report referenced in the article provides a very relevant example of these excessive and redundant requirements.

“large U.S. banking organizations are being required to establish overlapping internal control reporting and compliance structures, as well as specific operational risk data collection, validation processes, and IT systems requirements. For example, the requirements of FDICIA and GLBA implicitly, and the requirements of SOX and [Basel II] explicitly, require a comprehensive system of “risk control self assessments” (RCSA) and related documentation. The cost of compliance with each of these regulatory requirements is significant, albeit difficult to quantify and segregate.”

As the U.S. works to improve the effectiveness of its regulatory system, companies also need to look for ways to streamline and improve their compliance programs. Wheelhouse Advisors can help. Visit us on the internet at to learn more.