blog post

The Financial Stability Oversight Council is a new regulatory body created by the law that is tasked with monitoring and regulating companies that are deemed by the Council to be “systemically important.” The Council has the authority to instruct the Federal Reserve to impose new requirements on systemically important companies such as increased capital and liquidity levels as well as disclosing risk practices, regulatory gaps and resolution plans or “living wills.” In its role as systemic risk monitor, the Council will collect risk data from various sources including Federal and State financial regulatory agencies and the newly created Office of Financial Research (OFR) – which will among other things be responsible for collecting data from financial services companies.

The Dodd-Frank law also calls for a Risk Committee to be established by all public, non-bank financial companies, as well as all public, bank holding companies with over $10B in assets under management. Supervised by the Board of Governors of the Federal Reserve, the Risk Committee will be held responsible for enterprise-wide risk management oversight and practices, and be required to include “at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”

To meet these requirements for risk exposure data, financial services institutions need an information architecture that provides full transparency and reporting for the Board, Risk Committee and potentially the OFR. If you’re looking to develop an information architecture that will meet the requirements of Dodd-Frank and new regulations to come, here are a few things to consider:

1. Create a central platform to pull all of the different data elements together and maintain the relationships between elements (RCSA, Loss Events, KRIs, Issue Management, Policy Management, etc.)

2. Establish a common taxonomy and library for policies, processes, risks, controls, regulatory requirements and other key data elements

3. Integrate multiple areas of risk (operational, compliance, strategic, etc.) to provide aggregated analysis and full reporting of all risks across the enterprise

Recently I came across an article in Directors & Boards by a former colleague of mine that offers a different perspective, which in my view is worth considering. His view is, in addition to the SEC losing credibility – agreeing to another deferral after making clear and definitive statements that no more would be forthcoming – that requiring and adhering to section (b) offers benefits beyond the costs, for a number of reasons. These include (1) Smaller companies traditionally have less sophisticated systems and less experienced individuals in management positions, with statistics showing greater incidences of fraud and restatement of financial results (2) The 404(b) compliance costs have come down with the advent of AS 5 and COSO’s guidance for smaller businesses (3) Studies indicate that companies that are not SOX compliant or have material weaknesses in their internal controls receive a lower valuation, whereas those that are compliant receive higher multiples when sold (4) These companies are less likely to take advantage of IT solutions that provide enhanced efficiently and management capabilities well beyond better controlled financial reporting, and (5) CEOs and CFOs who already must certify to the effectiveness of financial reporting controls are on the hook by themselves, failing to receive the comfort provided by auditor attestation.

Certainly, these arguments are worth considering by senior managements and boards of companies still waiting to see whether and when the 404 (b) requirement ultimately will become effective.

I’ve been working with a large multi-national company’s board of directors to identify shortcomings in corporate governance and enhance practices and performance. This has involved spending some time with each of the directors individually to get to know how they approach their board roles and are carrying out their responsibilities. Of particular interest is a highly educated, nationally known and well-respected business advisor, with whom I got into a discussion involving the boards’ role in overseeing the company’s risk management. 

His message was that since the company already complies with SOX 404, including auditor attestation, risk management is well addressed in the organization. There’s no need, he said, for the board to do much more in that area. Working hard to contain my disbelief, I asked whether he had considered that the SOX 404 rule focuses only on internal control over financial reporting, and while there is a risk identification/analysis element therein, it does not expand beyond financial reporting. After he reiterated his position, I explained, as tactfully as possible, that the company’s and auditor’s compliance with 404 provides little if any comfort regarding strategic, operational, or other business objectives and their related risks. 

Interestingly, we’ve also seen numerous instances where CEOs truly believe their companies already have enterprise risk management processes in place when reality is that they have elements of risk assessment performed ad hoc in pockets within their organizations. 

For anyone looking to encourage their company’s boards or senior managements to consider establishing a disciplined and effective risk management process, it’s important to be sure there is no misconception about what is – or is not – already in place. Too often misconceptions exist, and they must be dealt with in order to move forward with a constructive development plan.

Gordon Burnes, OpenPages’ vice president of marketing commented in the story about the desire for convergence in the risk and compliance space continuing for financial services firms and other highly regulated industries: "The broader trend towards convergence in compliance is accelerating because the environment that the control groups are putting in place for regulatory and internal policy compliance frequently overlap with the mandate of the operational risk group. Business managers are realising that, while complying with regulatory mandates and mitigating risks to a certain business process certainly have different objectives, a single loss event can affect the outcome of each."

This is not an isolated incident.  In this financial crisis, many good people on boards of struggling companies have been surprised.  And we’ll likely see more of that in the months to come.  I think it’s overly simplistic to blame the board, and certainly in this case in which Palepu is so obviously qualified.  What we see frequently is that internal control systems and risk assessment processes are not mature enough to catch wrong doing or, and this may be more important, change behavior.   Companies that are growing quickly, like Satyam, have the most difficulty putting in place the risk management process to catch the kind of fraud perpetrated at the company.   My guess is that in the future business process will be designed from the bottom up with risk management in mind.  As we’re learning, it’s too hard to do it after the fact, especially for the complicated businesses we’re trying to govern today.

For instance, implementing an effective and non-disruptive Sarbanes-Oxley initiative can do more than just meet regulatory compliance.  In fact, it can play a key role in moving to a successful GRC initiative.  Eric Krell, a contributing writer to Business Finance magazine who focuses on GRC, wrote in a recent blog that "Sarbanes-Oxley compliance continues to prevent many companies from launching and/or successfully executing broader GRC initiatives that promise greater returns (than "avoiding non-compliance").  

Eric recently interviewed Dun & Bradstreet’s CRO Charles Pavlounis who concluded in Eric’s blog that ERM success hinges on "getting SOX [compliance] to be something that is not disruptive, that is almost embedded in the core DNA of the company."  To learn more about D&B’s ERM program, look for Eric’s interview with Charles and the D&B case study in the December issue of Business Finance.

However there are other regulations that have also been passed which also have a significant impact on how Japan Inc carries out business. One example is the new Financial Instruments and Exchange Law (known as FIEL) which came into effect Oct 1st 2007.

The highlights of this law include:

• Quarterly Disclosure (up from Annual or semi- annual) by all listed companies as well as demonstrating internal control framework
• Increased penalties for market manipulation
• Explanation of potential risks to non professionals as well as clear disclosure of risks in all sales literature
• Expanded scope of all regulated instruments

This Law has been created as a response for greater regulatory oversight to reduce the growing number of problems seen by banks and brokerages selling to inexperienced investors. Until now this area had been fairly vague but this law will help bring the world’s second largest economy better transparency, closer to other developed economies regulations and hopefully improve investor confidence.

Currently, the Japanese population has over US$ 13 trillion in savings accounts earning only 1% a year. Such changes in recent regulations, such as Companies Law, J-SOX act, the privatization of the post office (which is Japan’s biggest ‘bank’ with $1.6 trillion in deposits) is to enable and encourage the Japanese to invest their saving with more confidence.

Such expectation of large investments into the stock market by investors has led to foreign companies, such as Citibank, to make significant investments by acquiring Japanese financial institutions in order to benefit from these changes. Time will tell….