In recent years too much regulatory emphasis has been placed on perceived enhanced control through layers of oversight, when it should have been on ensuring businesses and senior executives actually taking responsibility. This environment is highlighted in the findings of the latest Royal Commission into conduct in the financial services industry in addition to the Prudential Inquiry into the Commonwealth Bank of Australia (CBA), which merely serve to allow that industry to make excuses and avoid responsibility.
After more than 40 years working across different industries, but primarily focused on 30 years in banking, I have spent the past few months studying the discussions and outcomes of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry and the Final Report of the Prudential Inquiry into CBA. In this context, while I fully respect the intent of the reviews and acknowledge their findings, I believe that unfortunately they echo the mindset and activities of regulatory bodies over the past 15 to 20 years – if we cannot control the business let’s impose more regulation, larger frameworks, more complex processes and increased governance, so that we can at least be perceived as enhancing control.
This approach merely allows the financial industry the leeway to use what are often well intentioned, but flawed changes as an excuse to avoid taking responsibility and being held accountable. They use poor oversight or inadequate governance as an excuse for the business activities and decisions they are making as business leaders, and the regulators respond by trying to improve the oversight and governance as opposed to addressing the business activities.
In my 40 year career I have occupied numerous senior, global roles including:
- 20 years in global risk roles in banking;
- 8 years as a Chief Operating Officer (COO) or running operations and other control functions in global banks;
- 6 years as a senior auditor with global responsibility for major audits;
- Assigned to major investigations, risk transformation activities following regulatory reviews and risk due diligence on numerous M&A activities;
- 8 years in government including Chief Risk Officer
- 5 years in accounting
My globally-recognised success in banking is driven by a broad and diverse skill set which allows me to partner with the business, ensuring risk management activities are embedded in their normal business routines and not a token overlay that is largely ignored by the revenue generators. This has been achieved at four major international banks and is always self-measured against the value it can bring me as COO. Every framework, process, idea driven from regulatory overlays needs to be assessed and questioned as to whether it can assist in the COO’s decision making and help them protect their financial institution.
As a COO I believe I am there to ensure that my organisation operates efficiently, effectively and in accordance with rules and regulations. I quickly recognised that each risk-related activity needs to provide me with information that is valuable for me to make decisions, to exercise control or to understand business activity.
In my career, I have worked closely with both the Australian regulatory bodies as well as many other leading regulatory bodies in numerous countries and jurisdictions. I fully support their work and their intent, which is to protect the financial system of their jurisdiction, however I am concerned, about this over-emphasis on layers of oversight such as the ‘three lines of defence’; the ‘independence of a risk function; an ‘independent internal audit function; and a robust governance to challenge the activities of organisations.
What regulatory change should really be about is making people responsible and holding them accountable for their decisions and actions. Regulators have struggled with how to achieve this and the aforementioned additional layers are a substitute. There have been attempts at directly dealing with shortcomings in ‘conduct and culture’ through attempts to deal with specific behaviours and business decisions, but again, the result has too often been more theory and yet more processes to deal with what is undeniably a tough challenge.
A Better Approach
So instead of an approach that involves heaping complexity upon complexity and fails to deal with the issues directly, the answer surely is to address the issue at the core, by making people responsible and holding them accountable. It is important to understand that while banks pay revenue-generating executives well, those that operate support functions, who should also be exercising control over business activity and decision making, are also paid incredibly high salaries and bonuses.
My experience has allowed me to work in more than 20 countries, dealing with a diverse range of cultures, working with multiple regulatory bodies – all of which require their own, unique consideration of the business activities and the control environment relevant to that business. It is certainly not the one size fits all which is defined by most regulatory models.
Imagine Japan for example in the mid 1990’s, where, at the time, in response to the question of why there were not two signatures required on cheques, you would be advised that there was no need because people would not take the opportunity to commit fraud. Obviously this was not considering the changing international business environment where not all of those making decisions in Japan were Japanese. In that same Japanese environment, those occupying the revenue generating roles were predominantly from a western culture and all of the support functions were predominantly Japanese – and too often they were required merely to serve and not to challenge and ask questions. That was why I was appointed to my role as a Chief Operating Officer (COO) in Japan, to provide a strong western presence and mentality to ensure that things were being done as they should be.
As the COO, all non-revenue generating functions, those that operated controls around the business activity, reported to me. These were:
- Product Control
This approach meant there could be no business activity that I was unaware of from the point of hiring to the oversight performed by Risk. This meant the COO had direct insight, understanding and control over:
- Hiring and HR
- Providing desk space and other facilities through Administration
- Providing systems through Technology to capture their business;
- Processing the settlement of the business through Operations;
- Pricing the business and assessing the profit and loss and return on investment through Product Control
- Accounting and providing capital for the business through Finance
- Oversight by Risk
To achieve this the COO has to be constantly provided information across all of these activities that allows them to view business activity on an end-to-end basis.
In my own case, I assumed full responsibility and accountability across multiple disciplines as this all came back to my role as the COO. I could not make excuses, I had all the information at hand to know exactly what business was being conducted and how. Unfortunately current COO roles in banks typically take care of only the Operations and Technology activity and have little alignment and awareness of the other support activities.
Should we therefore assume in the current financial services industry, in the absence of such an all inclusive COO role that we must assign the combined responsibilities to oversight, to Risk, to Internal Audit and to Governance bodies? Should we not rather try to write risk frameworks and processes to manage the business on an end-to-end basis in place of responsibilities and accountabilities?
Financial institutions still employ Heads of Finance, Operations, Technology, Product Control, HR and Administration and pay them very high salaries and bonuses. Are these roles paid to merely process business and not to take responsibility to challenge and provide oversight of business activities? Are they not all part of an overall leadership team that holds joint responsibility and accountability for business operations?
Currently, it can be argued, this framework does not exist, as highlighted by the outcomes of the Royal Commission and the Prudential Inquiry, which once again have allowed the financial industry to make some familiar excuses. The risk framework is too long and complex; governance and challenge was not strong enough; the Risk Committee agenda was not forward looking; and Reporting was not sufficiently robust.
The excuses do not stop there, however. The second line was not empowered; there were flawed assurance models; risk IT systems are too difficult to use; the leadership team was too collegiate and failed to challenge each other. In the broader picture, the tone from the top was unclear; the culture of the organisation was “not right”; there were inappropriate remuneration structures and, finally, poor relations with regulatory bodies.
This long list represents nothing more than excuses and examples of not holding the end-to-end business functions accountable.
The inevitable result of this will be another round of increased regulation and rules instead of dealing with the real issue. Regulators will continue to impose multiple layers as the best means of avoiding a repeat, but this is ill conceived. These multiple layers of perceived defence merely serve to diminish the visibility of what is really happening and instead all of the questions are about the effectiveness of the layers of defence and not where true responsibility and accountability should rest. As an example, I recall HSBC hiring thousands of ‘compliance’ staff following a compliance breach. Is that the answer, hiring more and more people to catch the errors and misdemeanours of a few? Surely the correct response should be to focus on ensuring this misbehaviour cannot happen again by creating a positive and proactive structure with responsibility explicitly assigned, rather than reinforcing a function that will only act after the event?
In closing and as an analogy that I always use in my risk discussions, over the same 30 year period of my banking career, my wife and I raised four very respectful and now mature children. They learned the basic values of respect, being polite, taking responsibility for their actions and always leaving the house with one word ringing in their ears “behave”. There were times they didn’t of course and they were reprimanded for it. Thirty years on they are mature adults who take responsibility for their actions.
If two people can achieve that with four children surely financial institutions with their thousands of employees can bring back control and hold people accountable for their actions, does it really need layers of additional parenting to achieve the outcome?
Institutions must get to heart of issue, they need to stand up and take responsibility. Where are the responsibilities of all support functions within the business being held to account? With the right people in the right positions, taking responsibility and being held accountable, only then will a financial institution be able to assure its shareholders, stakeholders and regulators that is operating in a controlled manner.
Over my career I have assessed the effectiveness of the end-to-end business management structure. I would be happy to assess any organisation and the effectiveness of individuals in key positions of responsibility because this remains a vital issue that is not being dealt with adequately by the regulatory functions. A strong and trusted financial system is vital to the functioning of the global economy and society at large, and as such it is incumbent upon institutions to ensure they have the appropriate risk framework in place. That only comes with the responsibility and accountability of senior management.