PwC faces 3 major trials that threaten its business

Philip Merrill’s notes:

1) Do Auditors need to be seasoned professionals in the businesses they audit?

2) Or, CPAs that have to take the customer’s word for accuracy in financial statement representation including notes.

By Francine McKenna

Published: Aug 15, 2016 12:32 p.m. ET

The Big Four global audit firms go to court all the time but are rarely put on trial.

PricewaterhouseCoopers LLP, the U.S. member of the global professional-services giant, is currently facing not one, not two, but three significant trials for allegedly negligent audits. An unfavorable verdict in the trial currently playing out in a Florida state court could inflict a significant monetary wound. That, combined with a possible unfavorable judgment in another trial scheduled for federal court in Alabama in February of 2017, and a third in a Manhattan federal court within the next year, may be fatal.

The case against PwC brought by the Taylor Bean and Whitaker bankruptcy trustee is quite unusual, said Tom Rohback, an attorney with Axinn Veltrop & Harkrider. That’s because it is one of the few cases from the credit crisis seeking to hold auditors responsible for crisis-era losses to actually go to trial.

“Beyond the $5.5 billion sought, the case is unusual because the plaintiff is the trustee of the entity that committed the fraud and is suing not its own audit firm but the audit firm of the institution it defrauded,” he said.

Settlements preferred

In the U.S. the Big Four audit firms have, in recent history, almost always settled because of the fear that one catastrophic jury verdict could shut them down for good. In addition, trials show the public just how often auditors fail to detect fraud. Settlements prevent the public from hearing that in open court and typically put partners’ pretrial testimony under confidential court seal forever.

‘The trial has the potential to influence public perception of auditors, as well as strategies used by the plaintiff lawyers that try cases against them, regardless of the eventual verdict.’

Tom Rohback, Axinn Veltrop and Harkrider

The bankruptcy trustee for Taylor Bean & Whitaker Mortgage Corp., once the 12th-largest U.S. mortgage lender, sued PwC for $5.5 billion in damages in 2012 after the bank went bankrupt in August 2009. Federal regulators, not the bank’s auditor, Deloitte, uncovered a $3 billion fraud involving fake mortgage assets. The bankruptcy trustee for Taylor, however, alleges that PwC was negligent in not spotting the fraud from its perch as auditor of Colonial Bank, which bought the allegedly fake mortgages that Taylor Bean had originated and that made Taylor Bean’s losses worse.

Beth Tanis, the lead attorney for PwC from the firm King & Spalding, issued a statement at the beginning of the trial: “PricewaterhouseCoopers did not audit or perform any other services for Taylor Bean. With regard to the services performed for Colonial Bancgroup, one of the targets of Taylor Bean’s fraud, PricewaterhouseCoopers did its job,” said Tanis. “As the professional audit standards make clear, even a properly designed and executed audit may not detect fraud, especially in instances when there is collusion, fabrication of documents, and the override of controls, as there was at Colonial Bank. We are confident that a jury will understand the applicable rules and standards in this case and decide accordingly.”

A spokeswoman for PwC declined to provide further comment.

Six Taylor Bean executives went to jail for their roles in the fraud. The bank’s former chairman, Lee Farkas, was sentenced to 30 years in prison. Taylor Bean auditor Deloitte settled with the trustee for an undisclosed amount in 2013.

The bankruptcy route

Colonial Bank, a Montgomery, Ala., institution with $25 billion in assets, also filed for bankruptcy in 2009. The Colonial Bank bankruptcy trustee and the Federal Deposit Insurance Corp. brought a lawsuit in 2012 against PwC for negligence as the auditor of Colonial Bank, claiming $1 billion in damages. That case is scheduled to go to trial in February.

The FDIC’s suit was its first against an auditor for a financial-crisis-era bank fraud or failure. Crowe Horwath LLP, Colonial’s outsourced internal audit firm, is also named in the Colonial suit. (Remember Arthur Andersen, internal and external auditor for Enron?)

Tanis, in her opening statement at the trial on Aug. 9, said that no one at Taylor Bean relied on PwC’s audit of Colonial Bank, even though Colonial was Taylor Bean’s biggest mortgage buyer.

“There will be no document showing you that these directors or anybody else at Taylor Bean ever received these Pricewaterhouse audit reports, actually read these Pricewaterhouse audit reports and relied on them,” she said.

Largest Banking Regulatory Fines (2008 – 2015)

| Bank | Date | Fine Amount | Description |
| --- | --- | --- | --- |
| Bank of America | August 2014 | $16,650,000,000 | Settlement to resolve allegations of misselling mortgage-backed securities. The … |
| Bank of America | February 2012 | $11,820 | Part of the National Mortgage Settlement; $8.6bn paid as relief to borrowers, $3 … |
| Bank of America | January 2013 | $11,600 | Settlement resolving repurchase requests of faulty mortgage sales. Bank agreed t … |
| Bank of America | March 2014 | $9,330 | Settled charges of misleading investors over mortgage backed securities. |
| Citigroup | July 2014 | $7,000,000,000 | Settled charges of misleading investors over mortgage backed securities. $4bn pa … |
| JPMorgan Chase | November 2013 | $13,000,000,000 | Part of $13bn settlement; $4bn paid as relief to consumers, $2bn paid as civil penalty |
| Wells Fargo | February 2012 | $5,350 | Part of the National Mortgage Settlement; $4.3bn paid as relief to borrowers, $1 … |
| JPMorgan Chase | February 2012 | $5,290 | Part of the National Mortgage Settlement; $4.2bn paid as relief to borrowers and … |
| JPMorgan Chase | October 2013 | $4,000 | Part of $13bn settlement; settles federal and state claims by FHFA. |
| JPMorgan Chase | October 2013 | $4,000 | Settlement over securities laws violations in connection with mortgage-backed se … |

Data collected from the Financial Times on May 20, 2015.

Taylor Bean’s employees, customers and creditors, who all lost something when the firm went bankrupt, were relying on Colonial Bank to operate as an honest business partner that was accurately reflecting its financial obligations to Taylor Bean, a point emphasized by Steve Thomas, the attorney for the Taylor Bean trustee, in his opening statement on Tuesday.

Thomas told the jury that PricewaterhouseCoopers’ failure mattered, because many people were counting on it to do its job. “PwC was lending credibility to Colonial’s financial statements. PwC’s failure mattered because Taylor Bean and Whitaker, and others, relied on PwC to do its job,” he said.

PwC and the other Big Four accounting firms all had major clients that failed, were bailed out or were effectively nationalized during the crisis. None of those cases went to trial. Ernst & Young LLP paid $99 million to investors and $10 million to the New York attorney general’s office for its role as auditor of Lehman Brothers Holdings Inc. KPMG settled its exposures early, and within a week of each other in 2010 settled for an undisclosed amount for its audit of New Century, another big mortgage originator, and paid $24 million for its audits of Countrywide Bank, which was distressed when it was sold to Bank of America.

Deloitte settled its exposure as auditor of Bear Stearns for $19.9 million. Bear Stearns was bought for a relative pittance by J.P. Morgan during the crisis. Deloitte was also the auditor of Washington Mutual and contributed $18.5 million to a settlement with investors for its negligent audits. Deloitte went on to earn hundreds of millions of dollars reviewing J.P. Morgan’s exposure to foreclosure fraud claims for Bear Stearns and Washington Mutual mortgages it inherited as part of those purchases.

The litigation hit

Those settlements pale in comparison to the total of $6.5 billion that Taylor Bean and Colonial Bank trustees are looking for from PwC. On Aug. 5 U.S. District Judge Victor Marrero in Manhattan rejected PwC’s request to dismiss MF Global’s lawsuit alleging professional malpractice that contributed to the October 2011 bankruptcy of the brokerage firm once run by former New Jersey Gov. Jon Corzine. That suit is seeking $1 billion in damages, bringing the total potential claims PwC is facing over a very short period to $7.5 billion.

Jim Peterson, a former in-house attorney for Arthur Andersen and the author of the book “Count Down: The Past, Present and Uncertain Future of the Big Four Accounting Firms,” has periodically asked the question on his blog: “How big is the ‘worst case’ litigation hit that would disintegrate one of the surviving Big Four?”

Back in September 2006, a report by the consulting firm London Economics to the EU markets commissioner modeled the collapse of a Big Four partnership in the U.K. That model quantified the level, according to Peterson, “of personal sacrifice, beyond which the owner-partners would lose confidence, withdraw their loyalty and their capital, and vote with their feet.”

Peterson’s analysis concluded that critical numbers of partners would defect and put a firm into a death spiral, if they faced a partner-income-distribution reduction of 15% to 20% that extended over three or four years. Peterson extended the figures to the global level to calculate breakup figures for the Big Four. That brought the number down from an optimistic maximum of about $7 billion to about $3 billion.

However, global numbers assume that a Big Four network under deadly financial threat could hold it together and count on the support of its member firms and partners around the world. But that’s not what happened to Arthur Andersen after the bankruptcy of client Enron and an indictment for obstruction of justice in 2001. Instead, Andersen’s non-U.S. member firms flew the coop in 2002, and the firm itself was forced to fold.

Based on the experience of Arthur Andersen, it is unlikely, Peterson told MarketWatch, that PwC’s non-U.S. member firms would pitch in to pay a U.S.-based catastrophic court judgment or a series of them. Peterson’s most recent update of his tipping-point calculation, completed in early 2015, assumes the U.S. firm is left to pay its own way out, as was Andersen’s U.S. firm. The worst-case tipping point for the U.S. practices shrinks from the $3 billion global number down to $900 million for the most financially vulnerable of the four firms.

These numbers matter, according to Peterson, because the loss of another Big Four firm would throw the entire system into chaos. “There is no contingency plan or readiness among the three survivors to stay in an even more risky business or take on the failed firm’s risky clients or outstanding litigation claims,” he said.

The Petrobras angle

The three lawsuits against PwC that are on trial or going to trial in the next year all name only the U.S. firm as a defendant. Another large case names PwC’s Brazil member firm for its allegedly negligent audits and failure to detect a multibillion-dollar bribery and corruption fraud at the state-sponsored oil company Petrobras.

Those plaintiffs, which include the Bill Gates Foundation, could decide to name PwC U.S. as a defendant or eventually require the U.S. firm to ante up to pay a verdict that would otherwise knock out the Brazilian firm, a key cog in its service network for multinational clients.

MarketWatch asked Rohback why PwC would choose to go to trial given the stakes. “Oh, they probably didn’t choose to try the case. They just haven’t hit on a settlement number they can stomach yet,” he said.

PwC has few options at this point, Rohback said. “There’s still time to settle, and they could win it. If they lose, they can ask the judge for a stay in enforcing any judgment until an appeal can be heard.”

Florida law prohibits judgments that would bankrupt a defendant. PwC would probably be reluctant to go to court and open its books to prove it was too poor to pay a judgment. However, in a previous case against an audit firm in Florida tried by Taylor Bean trustee attorney Thomas, the court allowed audit-firm partners to be paid “profits” each year before considering claims of any parties damaged by the firm’s frauds or gross negligence.

Audit firms have no duty to reserve for or disclose serious legal contingencies, since they are partnerships. Thomas had to file a motion to force discovery because he suspected that while the case was under appeal “assets have been or are being dissipated or diverted while such a stay is in place.”

Francine McKenna is a MarketWatch reporter based in Washington.

Reforming banking’s risk culture requires breaking “accountability firewall”

September 11, 2013 @ 8:09 pm

By Guest Contributor

By Henry Engler, Compliance Complete

NEW YORK, Sept. 11 (Thomson Reuters Accelus) – If there is one part of the cultural makeup of Wall Street that remains firmly in place despite the financial crisis and subsequent avalanche of regulations, it is the reticence among those who lose money to come clean early.

Many of the most spectacular losses in recent years — whether the JPMorgan “London Whale” episode, the UBS “rogue trader” incident, or Jerome Kerviel’s manipulation of internal systems at Société Générale — have all had one thing in common: concealment of trades gone badly wrong, or at a minimum, a lack of transparency and early acknowledgement of losses. And if one can point to a single reason for such behavior, it is the well-known fact that raising the red flag would mean the individual responsible would be shown the door.

The blowup at JPMorgan was noteworthy not just for the size of the loss ($6.2 billion), coming in a unit that was supposed to hedge risk, but also for senior management’s role in cultivating a culture that discouraged individuals from identifying problems.

“Ina (Drew) never wanted to hear bad news,” said a JPMorgan bank executive familiar with the management style of the former Chief Investment Officer where the loss was incurred.

In a lengthy piece by the New York Times [1] last year that examined the failure of controls at JPMorgan, CEO Jamie Dimon said: “Honestly, I don’t care what second-guessers say in life. If anyone in the company knew, they should have said something. No one came to us beforehand and said we have a problem we should be looking at.”

Dimon’s comment could well have been made by other chief executives. In a scathing review of banking practices by the UK Parliamentary Committee on Banking Standards [2] earlier this year, the panel highlighted a disturbing lack of awareness and accountability by senior managers:

“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making… Ignorance was offered as the main excuse. It was not always accidental. Those who should have been exercising supervisory or leadership roles benefited from an accountability firewall between themselves and individual misconduct, and demonstrated poor, perhaps deliberately poor, understanding of the front line.”

The “accountability firewall” might well have been facilitated by management practices that hindered the type of information flow necessary in an effective risk culture. In a separate survey [3] by the London School of Economics, the findings of which are due to be updated in coming weeks, researchers pointed to the fear of punitive action as a primary concern. The study quoted one individual who summarized the views of many:

“One of the things that helps greatly with the flow of information through the organization is how it’s reacted to when it gets to the next level. So being able to report risks openly and honestly without getting your head bitten off from the second that’s done is crucial […] For example, if I told you something that might be happening you do not want your directors on your back saying ‘What have you told them? Why?’ So managing the flow of information through an organization to ensure key stakeholders are properly engaged is quite important […] to avoid the wrong reaction happening.”

What has led us to this state of affairs? And how might it be corrected?

Excesses of short-termism

Establishing a robust risk culture is a subject that management consultants have written volumes on. And when one scours the long list of recommendations, embedding risk awareness across the organization and fostering an environment in which people are comfortable challenging others without fear of retribution are critical components.

But this ideal state would appear far from the current reality at many institutions. In understanding what has led us to an environment of fear and lack of accountability, some argue that the finance sector has taken short-termism to the extreme. The enormous pressures that individuals are under to meet their financial targets, and how those goals are wrapped-up in the quest to meet quarterly revenue and profit objectives, create disincentives to identify risk events early.

“The connection that hasn’t been made is how short-termism invites corrupt behaviour — lawful, but corrupt,” says Malcolm Salter of the Harvard Business School, who has written extensively on institutional corruption [4] on Wall Street. In order to rectify the problems, many banks have taken a much closer look at compensation policies, but this may not be enough. “Who is modeling the behavior at the banks?” asks Salter. “There is the cultural aspect of the business: how do you change that culture short of the firm having a breakdown?”

In the UK, the Committee on Banking Standards proposed a series of sweeping reforms aimed at establishing much greater accountability for senior management. Among these would be the “replacement of the statements of principles and the associated codes of practice, which are incomplete and unclear in their application, with a single set of banking standards rules to be drawn up by the regulators. These rules would apply to both senior persons and licensed bank staff and a breach would constitute grounds for enforcement action by the regulators.”

The rules proposed, and which have been embraced by the UK government, are intended to shift the burden of proof of management failure away from the regulator and onto senior management, who will have to “demonstrate that they took all reasonable steps to prevent or offset the effects of a specified failing.” But the new regulatory standards are only UK-specific. International coordination is needed to guard against regulatory arbitrage.

Indeed, what Salter and others see within the industry are ongoing attempts to “game” the system, and legally circumvent many of the regulations that have been piled on since the 2008 crisis. It is this legal gaming, if you will, that remains problematic when envisioning an enhanced risk culture and ethical banking environment. To change that type of behavior requires the type of leadership from the top that we have yet to see, and a regulatory environment that enforces accountability.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus [5]. Compliance Complete provides a single source [6] for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus [7])

[1] New York Times: http://www.nytimes.com/2012/10/07/magazine/ina-drew-jamie-dimon-jpmorgan-chase.html?pagewanted=all&_r=0

[2] UK Parliamentary Committee on Banking Standards: http://www.parliament.uk/documents/banking-commission/Banking-final-report-volume-i.pdf

[3] separate survey: http://www.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Risk-culture-interim-report.pdf

[4] institutional corruption: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2247545&download=yes##

[5] Thomson Reuters Accelus: http://accelus.thomsonreuters.com/

[6] provides a single source: http://accelus.thomsonreuters.com/solutions/regulatory-intelligence/compliance-complete/

[7] @GRC_Accelus: https://twitter.com/GRC_Accelus

JP Morgan fined $920m and admits wrongdoing over ‘London Whale’

US’s biggest bank to pay penalties to US and UK regulators for ‘unsound practices’ relating to $6.2bn losses last year

JP Morgan has agreed to pay about $920m in penalties to US and UK regulators over the “unsafe and unsound practices” that led to its $6.2bn London Whale losses last year.

The US’s biggest bank will pay $300m to the US office of the comptroller of the currency, $200m to the Federal Reserve, $200m to the securities and exchange commission (SEC) and £137.6m ($219.74m) to the UK’s financial conduct authority.

JP Morgan admitted wrongdoing as part of the settlement, an unusual step for a finance firm in the crosshairs of multiple legal actions.

“JP Morgan failed to keep watch over its traders as they overvalued a very complex portfolio to hide massive losses,” co-director of the SEC’s division of enforcement, George Canellos, said.

“While grappling with how to fix its internal control breakdowns, JP Morgan’s senior management broke a cardinal rule of corporate governance and deprived its board of critical information it needed to fully assess the company’s problems and determine whether accurate and reliable information was being disclosed to investors and regulators.”

In a statement the OCC blamed “unsafe and unsound practices related to derivatives trading activities conducted on behalf of the bank by the chief investment office (CIO)”, for the fine.

The OCC said its inquiries had found inadequate oversight and governance to protect the bank from material risk, inadequate risk management, inadequate control over pricing of trades, inadequate development and implementation of models used by the bank, and inadequate internal audit processes.

The US authorities are still pursuing JP Morgan. The Justice Department is pursuing criminal charges against some of the bankers responsible for the massive loss. In an indictment unsealed in federal court this week Javier Martin-Artajo, who oversaw trading strategy at the bank’s London office, and Julien Grout, a trader who worked for him, were charged with securities fraud, conspiracy, filing false books and records, wire fraud and making false filings to the SEC.

Grout’s lawyer said this week that his client was being “unjustly played as a pawn in the government’s attempt to settle its highly politicized case against JP Morgan Chase”.

The bank also faces another fine from the commodity futures trading commission which is still investigating whether the bank is guilty of market manipulation.

Jamie Dimon, the bank’s chairman and chief executive, initially dismissed the mounting losses at the bank’s London offices as a “tempest in a teapot”. In a statement Dimon said: “We have accepted responsibility and acknowledged our mistakes from the start, and we have learned from them and worked to fix them. Since these losses occurred, we have made numerous changes that have made us a stronger, smarter, better company.”

This week in a letter to staff he warned: “Unfortunately, we are all well aware of the news around the legal and regulatory issues facing our company, and in the coming weeks and months we need to be braced for more to come.”

The admission of wrongdoing is a major victory for the SEC. US judges in recent years have questioned fines where banks were allowed to neither admit nor deny wrongdoing. Judge Jed Rakoff blocked a 2011 SEC settlement with Citigroup because he said the lack of an admission of wrongdoing made it impossible for him to determine whether the fine was “fair, reasonable, adequate and in the public interest”.

Deloitte survey: Financial institutions increasing focus on risk management

Thursday, 22 August 2013 by Robin Amlôt

Heightened regulatory scrutiny and greater concerns over risk governance have led financial institutions to elevate their focus and attention on risk management, a new global survey from Deloitte finds. In response, banks and other financial services firms are increasing their risk management budgets and enhancing their governance programs.

According to Deloitte’s eighth biennial survey on risk management practices, titled “Setting a Higher Bar,” about two-thirds of financial institutions (65 per cent) reported an increase in spending on risk management and compliance, up from 55 per cent in 2010.

A closer look at the numbers finds, though, that there is a divergence when it comes to the spending patterns of different-sized firms. The largest and the most systemically important firms have had several years of regulatory scrutiny and have continued their focus on distinct areas like risk governance, risk reporting, capital adequacy and liquidity. In contrast, firms with assets of less than $10 billion are now concentrating on building capabilities to address a number of new regulatory requirements, which were applied first to the largest institutions and are now cascading further down the ladder.

“The financial crisis has led to far-reaching major changes of doing business in financial institutions’ risk management practices, with stricter and rule-based regulatory requirements demanding more attention from management and increasing their overall risk management and compliance efforts,” said Joe El Fadl, Financial Services Industry Leader at Deloitte Middle East. “That said, risk management shouldn’t be viewed as either a regulatory burden or a report destined to gather dust on a shelf. Instead, it should be embedded in an institution’s framework, philosophy and culture for managing risk exposures across the organisation.

“Knowing that a number of regulatory requirements remain in the queue, financial institutions have to be able to plan for future hurdles while enhancing their risk governance, enhancing management capabilities with better risk awareness using data analytics, and improving in data quality,” added El Fadl. “Those that do will be well placed to steer a steady course through the ever-shifting risk management landscape.”

The majority of the institutions participating in the survey (58 per cent) plan to increase their risk management budgets over the next three years, with 17 per cent anticipating annual increases of 25 per cent or more. This is not a trivial matter as 39 per cent of large institutions – particularly those based in North America – reported having more than 250 full-time employees in their risk management function.

Risk management moves up the boardroom agenda

Alongside increased spending, risk management has also significantly risen up the agenda in the boardroom. According to the survey’s results, 94 per cent of company boards now devote more time to risk management oversight than five years ago, and 80 per cent of chief risk officers report directly to either the board or the chief executive officer (CEO). Additionally, 98 per cent of company boards or board-level risk committees regularly review risk management reports, an increase from 85 per cent in 2010.

“Regulators have been focusing more and more on the role of the board of directors in risk governance, engaging them to approve the institution’s risk appetite and risk policies, overseeing their implementation by management and increasingly looking to understand the challenge that the board makes in its oversight of the financial institution’s risk management of key issues,” said Fadi Sidani, partner in charge, Enterprise Risk Services at Deloitte Middle East.

Other major findings in the survey include:

Almost three out of four risk managers rated their institution to be either extremely or very effective in risk management overall, an increase from 66 percent in 2010’s survey results.

The impact of increased regulation is having a significant effect on business strategy and the bottom line, with 48 percent of firms confirming that they have had to adjust product lines and/or business activities, a percentage that doubled from 24 percent in 2010.

The use of institution-wide enterprise risk management (ERM) programs is continuing to grow. Today, 62 percent of financial institutions have an ERM strategy in place, up from 52 percent in 2010, while a further 21 percent are currently building a program. The total of 82 percent of firms either with or building an ERM program is significantly up from 59 percent in 2008.

Institutions are increasingly confident about their effectiveness in managing liquidity risk (85 percent rate themselves as extremely or very effective vs. 77 percent in 2010); credit risk (83 percent against 71 percent in 2010); and country/sovereign risk (78 percent vs. 54 percent in 2010).

Stress testing has become a central plank in many institutions’ risk management efforts. Eighty percent of the institutions surveyed stated that stress-testing enables a forward-looking assessment of risk, and 70 percent said that it informs the setting of their risk tolerances.

Technology used to monitor and manage risk is a particular concern and, according to the report, significant improvements in risk technology are needed. Less than 25 percent of institutions rate their technology systems as extremely or very effective while 40 percent of institutions are concerned about their capabilities in the management of risk data.

Progress in linking risk management with compensation has changed only incrementally since 2010’s survey results. Currently, 55 percent of institutions incorporate risk management into performance goals and compensation for senior management, which is little changed from 2010. The use of “clawback” provisions in executive compensation, however, has increased (41 percent vs. 26 percent of institutions in 2010).

“Financial institutions are becoming increasingly confident in their risk management abilities, but they also recognize where there are gaps,” said Sidani. “Where concerns linger particularly is around operational risk, with a number of recent headlines – like management breakdowns and large-scale cyber-attacks – underscoring the important impacts this area can have on an institution’s reputation. This is a gap that may trigger significant operational risk combined with reputational risk that needs to be properly addressed.”

According to the report, operational risk, which is a key component of Basel II, has been a continuing challenge for institutions. The inability to measure operational risk and the complexity of many operational processes are key causes. Only 45 percent of firms rated themselves as extremely or very effective in this area, down slightly from 2010.

 

Deloitte’s survey assesses the risk management programs, planned improvements, and continuing challenges among global financial institutions. The eighth edition surveyed chief risk officers – or their equivalent – at 86 financial institutions, and represents a range of financial services sectors, including banks, insurers, and asset managers, with aggregate assets of more than $18 trillion. The survey was conducted from September to December 2012.

 

The report may be viewed at http://www.deloitte.com/us/globalrisksurvey

 

Eight Ways to Move Toward a Culture of Compliance

Originally Published June 7, 2013, 12:01 AM ET

More than just a set of policies and procedures, effective compliance risk management at the enterprise level can be viewed as a cultural ethic that should function like any other business asset that reaches across an organization. An effective way to get there is through a risk intelligent framework that brings compliance into the open, running throughout all business processes, with responsibility shared among all employees.

“A risk intelligent framework can be a radical shift from the way most companies see compliance today,” says Donna Epps, a partner and U.S. co-leader of Governance and Risk Management at Deloitte Financial Advisory Services LLP. “To move a company in that direction, the chief compliance officer will need to gain the backing and support of stakeholders from across the organization, including executive peers, business-unit and functional leaders, and the board of directors.”

Following are eight initiatives a Chief Compliance Officer (CCO), working with the CFO, can lead to help bring about a more holistic program of compliance risk management through a risk intelligent approach and elevate awareness at the enterprise level.

1. Get the Top Brass on Board

The road to holistic risk compliance can be much smoother if the CEO, CRO and the board of directors understand what the CCO is trying to do and why they should want to help. Risk intelligent compliance requires clear channels of communication between the compliance risk management program and the enterprise risk management (ERM) program, and the CRO’s engagement is critical. Luckily, the CRO’s shared interest in improving risk management effectiveness can make risk intelligent compliance a relatively easy sell.

The CEO’s role in supporting risk compliance is to empower the CCO with the authority needed to drive meaningful change, as well as to provide the necessary investment, political support, and, if needed, enforcement. Gaining the CEO’s support can require the CCO to make clear the risk management benefits of robust compliance processes, as well as collateral benefits of cost reduction and revenue enhancement. Any up-front investments, such as the purchase of more effective technology to replace spreadsheet-based tracking and reporting, must also be addressed early.

The board of directors can play a role in holding management accountable for results of the enhanced programs. “The CCO’s task is to set expectations, develop metrics and establish milestones that are both substantive and realistic, as well as establish a multiyear master plan,” says Scott Baret, partner, Governance, Regulatory and Risk Strategies, Deloitte & Touche LLP, who also serves as global leader, Financial Services Enterprise Risk Services. “Many boards prefer to spend time on risk management rather than on compliance, so CCOs may want to consider framing board discussions in the context of ERM.”

2. Take the Company’s Bearings

Like any transformation, the pursuit of risk intelligent compliance begins with understanding the current state. Important questions include:

What are the company’s current compliance obligations and risks?

Who owns each risk?

What controls are in place against them?

How does the organization respond to control failures?

How are remediation priorities set?

What supporting technologies are used?

3. Develop the ERM-aligned Compliance Risk Management Program

Coordinating compliance risk management with ERM provides CCOs the operational basis for establishing, strengthening and validating the link between compliance and enterprise value. How a CCO accomplishes this at any particular company will depend greatly on internal organizational dynamics. “For insights on how to maintain effective cross-communication with ERM, the CCO may want to look at the way the internal audit function interacts with ERM to evaluate company risks,” says Mr. Baret.

4. Align the Compliance Function

The process of aligning compliance activities and investments with business priorities starts with the compliance function itself. The CCO should allocate the compliance function’s activities across the company’s compliance risks according to the relative importance of each compliance risk to enterprise value. In some cases, this may mean deploying people and infrastructure to countries, programs and/or activities where greater investment seems counterintuitive. In others, it may mean scaling back on one or more “sacred cows.” In either case, the CCO should be able to back up his or her decisions with reasons that tie solidly back to ERM priorities.

The corollary is that CCOs themselves should prioritize requests for investments in the compliance function based on their expected risk management benefit. Barring obvious infrastructural or resource gaps, the choice of what to ask for first may sometimes come down to a frank judgment call.

5. Lobby Hard for Effective Technology

The “right” technology and data architecture, both within and outside the compliance function, can go a long way toward improving compliance efficiency and effectiveness. Automating controls, for instance, can help lower costs and increase reliability, especially if the controls are first rationalized to reduce duplication. Companies can also avail themselves of a growing array of tools to support the compliance risk management process, some stand-alone, some sold as part of larger “enterprise governance, risk and compliance” solutions.

Some of the newer compliance tools feature: automated monitoring of regulatory releases; workflow capabilities to facilitate compliance process execution and tracking; and integrated “front end” interfaces that allow users to execute, document and track compliance activities in multiple areas from a single point of access.

6. Piggyback on Each Other’s Work

Looking for ways to reduce duplication of effort with other internal groups can help a CCO stretch the compliance function’s limited budget and resources. In particular, the CCO should enlist internal audit in supporting compliance oversight by testing and auditing compliance-related internal controls and business processes. Compliance personnel can advise internal audit on what tests would be most useful to the compliance function, as well as on what tests might be better left to the compliance function’s specialists to perform.

7. Foster a Culture of Compliance

Changing corporate culture can take years. CCOs should expect to work with the office of the CEO—as well as human resources, legal and communications—to supervise the change initiative and supply compliance-specific guidance as needed. Important areas to address include:

Performance management and compensation

Training

Leadership development

Communications

8. Participate in Strategic Planning

The risk intelligent CCO should help leaders set a strategy that takes compliance into appropriate account by bringing relevant compliance perspectives to the strategic planning process. For instance, the CCO should explain what compliance obligations are associated with each of the strategic options being considered, help evaluate the likely compliance risk associated with each option and describe the nature and extent of the investments that may be needed to maintain compliance risk exposures within acceptable tolerances under a variety of conditions. “Once the strategy is set, the CCO should help the company understand and prepare to address compliance obligations that are expected to arise in execution,” adds Ms. Epps.

This publication contains general information only and Deloitte LLP and its subsidiaries (“Deloitte”) are not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. Copyright © 2013 Deloitte Development LLC.