Risk management's missing link

The moral: Risk management comes only after corporate culture management. This statement is given life in an illustrative case study. As the author asserts, "No amount of policies, guidelines, and surveillance systems is going to stop a rogue trader, an overzealous business development manager, or a fraudster."

In a routine review, the head of Operations was browsing through transactional files and documents when he saw something that warranted an ad hoc staff meeting. He began, "I am afraid that some of you don't really care about controls, do you?" Holding a fax of an outward remittance application form, he pointed at the authorization column. "Here, the Customer's Signature Verified stamp had been appended as evidence of a check. I should be happy that the officer concerned has complied with internal audit's recommendation, right? But look more carefully. The customer's signature is missing!"

Risk Management's Missing Link

Literature reviews of recent financial debacles involving Metallgesellschaft, Natwest Markets, Orange County, and LTCM shed light on the inherent riskiness of exotic financial instruments and the value of prudent risk management practices. With a showcase of financial mishaps, the international banking world is increasingly aware of fundamental risk management controls and their importance. The growth of sophisticated financial products and increased market volatility set the stage for research and development of risk management techniques to better mitigate incidences of financial losses (see Figure 1). Yet, given such knowledge, how many banks are confident of managing the full spectrum of risks effectively?

[FIGURE 1 OMITTED]

Depending on the size of the financial institution and the volume and complexity of business activities undertaken, risk management tends to focus on one or more of the following:

* Setting rules in accordance with banking best practices and regulatory guidelines.

* Crafting comprehensive bank-wide policies and procedures.

* Implementing bank-wide analytical and control processes.

* Developing sophisticated risk management systems; quantifying risks and measuring risk factor correlation.

The search for better risk management tools is akin to a better mousetrap fallacy. Though risk controls are critical, they are merely mechanistic tools. It doesn't take a genius to circumvent the bank's surveillance system. Insider fraud, lack of due diligence, or a "don't ask unnecessary questions" mentality is sufficient to crack any system. The conventional risk management approach of focusing on business processes, systems, and infrastructure issues inadvertently ignores the fact that risk management is largely a cultural issue (see Figure 2)! Far too often, the execution of risk management strategies is devoid of the bank's cultural perspective. This could be found in a situation where the bank engages in a new product and/or market.

[FIGURE 2 OMITTED]

The frequently asked question would be, "Does the bank possess requisite resources and capability to manage new products and their inherent market risks?" While most banks would subject the proposition to an analytical process known generically as New Product Approval, attention invariably focuses on risk management issues rather than the inherent product/market/cultural fit. It is highly unlikely the new product committee would query, "Is the product/market engagement in line with the bank's strategic profile? Would the proposed product/market be developed fully on a long-term basis?" It's possible bank practitioners don't care at all. After all, product implementation and/or market penetration is often carried out in test mode, and business development would carry on as usual until losses hit the books. So, what is the price of failure? Simply, market exit! In the meantime, banks will refrain from all new activities and perhaps conduct a postmortem review to analyze the plausible reasons for the loss. Consequently, with refinements in risk controls, bank practitioners once again believe they are better equipped to manage risks. However, as we keep hearing, the business cycle has not been repealed.

Bank practitioners need to conscientiously factor the culture/ business model/risk management perspective into their decision making. Not doing so would likely render risk management ineffective. An illustrative case can help illuminate the inseparable relationship between corporate culture and bank risk management. A well-embraced culture is the only assurance that far-flung overseas operations are operating in compliance with stipulated policies and directives. Indeed, a review of classic financial debacles of the 20th century revealed that irregularities tend to happen more often in branches or remote subsidiaries than at the head office.

The Case of NCBS

National Commerce Bank SEA branch (NCBS), a subsidiary of the National Commerce Banking Group (NCB Group), began offshore branch banking operations in early 1990. All overseas branches came under the direct supervision of the International and Overseas Banking Operations (IOBO), a department of the corporate banking division at the head office. As the business operations of overseas branches focused on corporate lending, this reporting structure enabled credit-related matters to be addressed promptly. NCBS's operations were fairly straightforward--the branch offered no-frills banking services. The credit department was active in bilateral lending and the treasury department was primarily responsible for funding liquidity management. Proprietary trades were mainly plain-vanilla foreign exchange deals and money market gapping.

The culture of NCB Group could be succinctly summarized as "stay close to existing business." Like its parent bank, NCBS emphasized long-term bank-client relationships, and marketing managers were discouraged from taking on unnecessary risks, e.g., venturing into new industry segments. The overall risk appetite was low. In addition, the head office's control over local business operations was evident in the centralized credit-decisioning processes. Apart from IOBO's approval, credit propositions of overseas branches were independently evaluated by the head office's credit controllers as well. Though this multilevel approving framework appeared prudent, local staff became less attuned to risk control. The head office was perceived as the "last line of defense," and nothing would go astray as long as the head office was involved in decision making.

Lending activities in Southeast Asia virtually came to a standstill following the Asian crisis. NCB Group's financial viability was severely affected by the crisis. To turn around business performance, NCB Group embarked on a major corporate restructuring in 1999, ushering in sweeping changes. Overall staff strength was reduced, and unprofitable branches across Southeast Asia and Europe ceased operations. One unprecedented change was the creation of new strategic business units (SBUs). Local and overseas branches were given the mandate to develop their investment and treasury operations, particularly in capital market instruments and structured treasury products. The supporting decision-making structure and processes were, however, not properly laid down to accommodate the change in business models.

As part of the reorganization program, key personnel of NCB Group's overseas branches were reappointed. NCBS's newly appointed general manager, Nick Sam, a middle-management executive in his mid-thirties, was considered an excellent candidate given his experience in front-office operations. Following Nick's appointment, a series of cost-cutting measures and new business initiatives were duly implemented. The branch's securities investments--notably, short-term corporate papers and the credit derivatives portfolio--had increased sharply within two years. Improvements in NCBS's financial performance were considered remarkable, as minimal technical support came from its head office after the restructuring. NCBS remained the only branch in Southeast Asia to maintain profitability between 2000 and 2001.

Then came the audit. In the last quarter of 2001, NCB Group initiated a global audit of its overseas operations. NCBS was audited in the second quarter of 2002. Weaknesses were noted in virtually every aspect of the branch's operations. Of most concern, however, were the following issues:

* Delayed system implementation. NCBS engaged the services of its existing system vendor to upgrade the branch's back-end processing system. The auditors noted that while development costs had escalated over time, the proposed system enhancements had not been duly delivered. In addition, user acceptance testing did not involve the requisite departments. These observations were troubling, as the development contract had been signed more than a year before. According to NCBS, the vendor could not agree on several user specifications, and these unresolved issues impeded the development progress.

* Engagement in complex swaps. Contrary to the head office's new product approval procedures, NCBS transacted several structured treasury products (essentially, complex swaps) without submitting new product propositions to IOBO. According to NCBS, consent was given verbally by the head of Treasury in the head office, and formal approval was issued postmortem. Nonetheless, the auditors opined that since NCBS was new to these products, potential risk issues might inadvertently be overlooked, thereby exposing the branch to unintended risk exposures.

* Risk measurement and monitoring. There was no proper risk management framework to measure and monitor the branch's exposure to potential market risks associated with its complex swaps transactions. The auditors noted that front-end monitoring excluded periodic scenario and sensitivity analysis to ascertain the impact of the macroeconomic environment and adverse changes in interest rates on the portfolio's value. The back office's revaluation methodology also was mathematically flawed and remained undetected before the audit. Further, the improvised risk methodology had not been independently validated. The auditors were very concerned as well with the technical expertise of the staff concerned.

Beyond Audit Report--Forensic Review

A prima facie review of the case would probably conclude that controls were seriously lacking in NCBS. And it becomes easy to dish out "solutions" based on such postmortem analysis. However, any proposed recommendations would not resolve the fundamental issue. To what extent was NCBS at fault? Could there be factors that were not mentioned in the auditor's report? We need to take a step beyond the audit report to learn more about this case.

* NCBS's back-end processing system had not been upgraded since its inception. This legacy system was incapable of supporting diverse treasury products. Consequently, work processing remained largely unautomated, and frequent manual adjustments were necessary to ensure that transactional entries were accurately updated in the system. Further, manual spreadsheets had to be prepared to monitor certain transactions, as system-generated reports were inaccurate. Given such operational inefficiencies, NCBS was anxious to enhance the system's processing capability. In an attempt to kick off development, however, the branch engaged its existing vendor without initiating proper vendor selection. Further, as the agreement was drawn up in haste, important contractual terms and conditions, such as proposed system enhancements, costs, delivery schedule, etc., were not expressly stipulated. While NCBS accepted responsibility for this oversight, it argued that the head office neither provided guidance on vendor selection nor insisted on evaluating a panel of potential vendors. NCBS also pointed out that the head office's legal department had vetted and approved the development contract.

* NCBS informed the auditors that several credit propositions submitted to IOBO had not been approved, despite repeated requests to expedite the approvals. The prolonged delay resulted in several missed investment opportunities, which, NCBS claimed, affected the branch's income. NCBS further commented that while the credit committee members of IOBO were skilled in corporate lending, they were virtually inept in matters relating to investments and treasury operations. Their incompetence was reflected in the long outstanding approvals. Submitting new product propositions to IOBO in accordance with the new product procedures would only complicate matters. NCBS argued that business opportunities should not be sacrificed at the expense of "incapable decision making," and consequently, the branch sought approval from the head office's Treasury department instead.

* NCBS acknowledged that while a robust risk management framework is necessary, the branch did not have the necessary resources and expertise. Given the low transactional volume, the branch argued that its improvised risk measurement and monitoring system would suffice. It did not see the value-added of implementing sophisticated risk measurement system in the interim. NCBS also argued that risk management initiatives should be driven top-down and that the branch should not be "penalized" for improvising its own risk management system.

Much to Nick's disappointment, NCBS received a poor rating in the final audit report because of its inadequate risk management and control framework.

Redemption for Those Committed to Improvement

The above case did not have an ending like that of Barings Bank. When the global audit ended in the third quarter of 2003, the NCB Group took a serious review of the auditors' findings and recommendations on its overseas operations. They agreed that a lot of work must be done--gradually, but definitely.

Managing an entity's corporate culture is a daunting task. It is a challenge to implant a set of homogeneous values enterprise-wide. Ensuring ongoing compliance is another challenge. Don't forget that new staff are always coming on board, and they may not embrace the existing bank's culture. No amount of policies, guidelines, and surveillance systems is going to stop a rogue trader, an overzealous business development manager, or a fraudster.

The advice to bank practitioners: Manage risk by managing the firm's corporate culture. It is the panacea to curing modern-day risk management woes. And auditors should consider conducting a thorough enterprise-wide cultural audit, because risk entry points do not necessarily manifest themselves in operational lapses and lack of operating guidelines. They go deeper than that.

Jee Meng Chen, an auditor and freelance writer, currently lectures at a polytechnic institute in Singapore. The views expressed herein are the author's own, unless explicitly specified or apparent from the context. His organization assumes no responsibility for the accuracy of the information. Any resemblance between the facts of this case study and an existing situation is purely coincidental.

Chen can be reach by e-mail at guanming_insight@hotmail.com.

COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group