Wherever risk management starts, it is most effective when overseen by senior leadership, specifically, the board.
Execution and maintenance of risk activities occur across all departments, at all levels of the organisation. This enterprise-wide integration has two defining characteristics:
1. Each department involves all hierarchical levels in its risk management efforts and bridges across all departments
One departmental level can’t fill every function. Proximity to and familiarity with operational risk is inherently connected to larger strategic decisions, which require broad oversight.
For example, for access management to be successful, it must be broken down to the activity level.
An IT security policy can be centrally owned, but proper access rights management requires that process owners be held accountable. They must reconcile what employees should have access to with what they do have access to.
2. Measurement scales, risk criteria, and language are standardised throughout the organisation
Departments need to be able to communicate quickly and effectively. Risk events, if they happen, almost always impact multiple departments, so it follows that to prevent such events, information needs to be shared and objectively compared.
Improved communication eliminates unnecessary repetition when identifying and mitigating risks and monitoring controls, preserving time and resources.
>See also: Elevating data risk management to the board level
These characteristics are in the name: enterprise risk management (ERM). When either is absent, or if the board doesn’t have sufficient oversight of the organisation’s risk management efforts, consequences can be severe. Recent events at Wells Fargo are a good example.
Why the Wells Fargo controversy resulted from poor risk management oversight
First, consider the short-term manner in which events unfolded:
News of the illegitimate accounts, 5,300 fired employees, and $185 million in penalties hit mainstream outlets.
CEO John Stumpf denied any knowledge of the accounts and illegal sales tactics, essentially attributing the scandal to independently acting bad eggs.
Even if this assertion had stuck, neither Stumpf nor Wells Fargo itself would have found themselves off the hook. Thanks to changes – including the SEC’s Proxy Disclosure Enhancement – in the industry throughout the past decade, “not knowing” about something like this is considered risk management negligence. Negligence, by virtue of not requiring “proof of intent,” is significantly easier to prove than fraud is. It also happens to carry the same penalties as fraud.
In the face of continued pressure, Stumpf stepped down from his post as CEO and Claudia Russ Anderson took a leave of absence from her role as CRO. The scandal, rather than being the simple product of 5,300 unscrupulous employees, was shown to be the long-term result of poorly managed sales risks, inefficient (or perhaps nonexistent) risk assessments, and ineffective controls for compensation oversight and access rights review.
In the wake of Stumpf’s resignation, Wells Fargo’s senior leadership received significant criticism for unrealistic sales quotas, as well as pressure to perform at any means necessary.
This was not actually the problem. Unrealistic sales quotas exist due to a lack of risk assessments, which help set better forecasting goals and track achievement. If Wells Fargo had performed these assessments when setting such high goals, the potential for misrepresentation would easily have been identified as a consequence.
Why were sales employees able to not only activate new accounts, but append existing ones?
A risk assessment would have clarified the best preventative measure, such as stronger separation of duties (access to customer accounts control over acceptance confirmations for sales).
When controls aren’t linked to risks, it’s very difficult to verify if those controls are appropriate and even more difficult to monitor their effectiveness.
>See also: Risk management: more than a regulatory exercise
A basic ERM program would link the risk of misrepresentation to account access and customer sales confirmation controls. It would then monitor the performance of controls over that risk. Since thousands of employees were engaged in the sales activities for multiple years, it’s reasonable to conclude that:
The risk of misrepresentation was known to many. Actual misrepresentation by sales reps was taking place, even if only by a minority.
ERM makes these risks and suspected practices visible, which in turn makes fixing them straightforward; risk provides guidance for implementing and monitoring controls.
The bottom line is that this scandal was entirely preventable, and would have been fully averted with proper risk management processes.
What makes the board directly responsible for risk management oversight?
The fact that John Stumpf was forced to resign, despite his lack of direct involvement in the accounts scandal, is but the latest in a series of headline events demonstrating the accountability of the board for risk management failures.
Claudia Russ Anderson, Wells Fargo’s chief risk officer, who failed to detect and disclose the activities, thereby allowing them to occur on her watch, was also replaced. Both terminations demonstrate consequences for failed risk management, a violation of fiduciary duty.
Three items, in order of importance, have caused much of the increased pressure on boards of directors: The SEC’s Proxy Disclosure Enhancement, the Yates Memo, and the IIA’s International Professional Practices Framework.
The SEC’s Proxy Disclosure Enhancement, passed in 2010, holds boards explicitly responsible for problems caused by poor risk management. It also requires both “disclosure about the board’s role in risk oversight” and “new disclosure about a company’s board leadership structure.”
The disclosure aspect of the rule means that companies can be charged with risk management negligence even if the company never suffers an incident like Wells Fargo did.
All it takes is failing to disclose improper risk management (making it known to stakeholders), as happened this year with Dwolla, a small, private company fined by the Consumer Financial Protection Bureau for inaccurate disclosures.
>See also: Why you should be prioritising cyber security risk management
The Yates Memo has supplemented the changes brought about by the Proxy Disclosure Enhancement, encouraging prosecutors to focus on guilty individuals, rather than allowing the corporation to take the hit.
The possibility of personal liability – in cases where a company might previously have suffered fines and reputational damage but protected individual employees/executives – is a powerful incentive by itself.
The International Professional Practices Framework (IPPF), published by the Institute of Internal Auditors (IIA), as reinforced by an update effective in January 2017, requires internal auditors to investigate the effectiveness of their organisation’s enterprise risk management.
Their primary concern is ensuring the integrity of information presented to the board. In other words, confirming that information reported all the way up from the front lines doesn’t lose accuracy as it moves up the hierarchy.
Wells Fargo was an industry leader and innovator in cross-selling products, a goal shared by every institution. Their mistake was not understanding the risk that naturally accompanies positive innovation and change.
In order to achieve the benefits of innovation, boards need transparency into material risks at the front-line level of the organisation. Again, this can only be achieved with engagement throughout the entire organisation.
Front-line employees, by managing important everyday processes, have an intimate understanding of the greatest risks to those processes, and can report what controls are protecting them.
The board’s responsibility is to tap into that expertise by pushing out risk assessments and using the produced information for strategic planning.
Sourced by Steven Minsky, CEO of LogicManager
