THE ROAD OF IMPROVING RISK CULTURE 24 August 2015 There is much hand-wringing on the question of risk culture. The failures of the recent past associated with bid-rigging, product mis-selling, rogue trading and the like are viewed by governments, regulators and the media as evidence of an increasing prevalence of unprincipled banking practices and poorly educated and managed bank employees. This negative perception of the culture within banks and declining standards of conduct is of great concern to regulators, senior bankers and their stakeholders. Perhaps, however, the current state of accounting and control systems should be of parallel concern, as it could provide the controls and metrics to govern and oversee the frameworks of improved risk culture demanded by all. We offer this simple metaphor to illustrate the current state of banks’ accounting and control systems and their effect on culture: Car drivers intuitively respect and follow road traffic controls – the signage and road markings that are designed to enhance traffic flow and prevent accidents. It has become a societal norm. If we were to look into the future and imagine that cars are being manufactured that can also fly, it wouldn’t require much imagination to envision the chaos that would ensue if today’s road traffic controls were not adapted to also function above the ground. This metaphor, in effect, describes today’s global financial system. Banks are “flying” above the financial accounting and control systems that were designed for a bygone era when risk concentrations within and between financial firms were innocuous. Those systems’ purpose for well over a century was to provide static, point-in-time statements of financial condition based, primarily, on the prevailing fair values of assets and liabilities. They were not designed to consider the potential financial consequences of the often massive concentrations of risk that have become a feature of today’s banks and the global financial system. In these circumstances, if accounting and control systems are not risk-adjusted, the result will be chaos and a breeding ground for negative behaviors. Some would say we already descended into chaos during the credit crisis of 2007-’08. Risk Culture and Risk Control In its April 2014 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture, the Financial Stability Board (FSB) stated, “A sound risk culture should emphasize . . . the importance of ensuring that: i. an appropriate risk-reward balance consistent with the institution’s risk appetite is achieved when taking on risks; ii. an effective system of controls commensurate with the scale and complexity of the financial institution is properly put in place; iii. the quality of risk models, data accuracy, capability of available tools to accurately measure risks, and justifications for risk taking can be challenged; and iv. all limit breaches, deviations from established policies, and operational incidents are thoroughly followed up with proportionate disciplinary actions when necessary.” In this article, we refer to these attributes collectively as risk controls. From EY’s excellent 2014 annual risk management survey, “Shifting Focus: Risk Culture at the Forefront of Banking,” it would appear that banks still have much work to do if their risk controls are to achieve the required degree of effectiveness. EY commented, “This sharpened focus (on risk culture) is the result of numerous regulatory breaches and misconduct issues, such as LIBOR and product mis-sellings, that have shocked the industry over the past several years. These problems have shaken boards’ certainty about prevailing enterprise risk culture. An overwhelming 93% of GSIBs [global systemically important banks] agree that weak oversight and controls led to the failures.” This is a truly shocking admission. It presumably means that significant risks are knowingly or unknowingly created and accepted by bankers, with limited assurance that they will be properly identified, quantified and reported to boards, senior managements, regulators, investors and other stakeholders. There are few industries where such operating conditions would be tolerated due to safety concerns; products would be removed from shelves or recalled; transportation systems would be halted; production lines would be shut down. The EY report also found risk appetite frameworks to be inadequate. “Despite the fact that risk appetite has been a key area of focus for both boards and chief risk officers in recent years, many firms are still finding it difficult to translate the firm-wide risk appetite strategy into the day-to-day planning and operations of the business.” This view is consistent with the FSB’s November 2013 paper Principles for an Effective Risk Appetite Framework, http://www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf which said in its introduction that “effective risk appetite frameworks that are actionable and measurable by both financial institutions and supervisors have not yet been widely adopted.” Regulators’ Alarms A June 2015 GARP article, IOSCO Chairman Joins the Chorus on Culture, IOSCO Chairman Joins the Chorus on Culture provided insights into contemporary regulatory thinking on the state of risk culture in banks. The article cited Federal Reserve Bank of New York president and CEO William Dudley comment in a recent speech that the ethical problems of the financial industry couldn’t be the fault just of “isolated rogue traders or a few bad actors within these firms.” The Federal Reserve Board governor Daniel Tarullo, also quoted in that article, warned, “If banks do not take more effective steps to control the behavior of those who work for them, there will be both increased pressure and propensity on the part of regulators and law enforcers to impose more requirements, constraints and punishments.” What’s more, “U.K. officials including Financial Conduct Authority chief executive Martin Wheatley and Bank of England governor Mark Carney have made similar statements on cultural matters, and in May, the G7 finance ministers charged the Financial Stability Board, of which Carney is chairman, to draft a code of conduct that would stress individual accountability.” Risk Control Frameworks The global financial industry’s prevailing cultures evolved in the context of both a highly complex risk management ecosystem and a similarly complex information technology environment. Substantial concentrations of risk are now a permanent feature of banks as a consequence of technological advances, increased sophistication of banking products, escalating business consolidations through successive mergers, and a growing dependency on globalized and interconnected electronic banking data and information networks. If we are to successfully address prevailing negative risk cultures, a framework of effective controls to govern and oversee the new risk culture must be designed within these two ecosystems. Precedents for such a framework already exist. They can be found in the financial accounting and control systems of banks that comprise: i. the general ledger as the single source of aggregated financial information that provides the foundation on which firms’ financial statements are prepared; ii. systems of internal control that provide assurance that transactions accepted for processing are properly authorized and are processed in a complete, accurate and timely manner, thereby ensuring that official accounting books and records are reliable; iii. the verification of accounting information through the reconciliation of general ledger balances with associated sub-ledgers and product systems; and iv. the proofing and substantiation of the composition of individual ledger balances by reference to documentary evidence and, where applicable, through physical inventory-taking. As discussed above, financial accounting and control systems matured in banks at a time when risk concentrations within and between financial firms were innocuous. But these systems failed to keep pace with dramatic changes in the evolving risk landscape that occurred in little more than a generation rendering them to be of limited value. The Wikipedia entry for Managerial Risk Accounting aptly describes the current state of play: “As of now, no specialized comprehensive accounting system for the purpose of representing risk, organization wide, in comparable terms has evolved.” The Way Forward Negative cultures thrive where there is weak or ineffective accounting systems and controls. It follows that the imperative for financial firms is to adapt extant accounting and control systems to encompass accepted risks. The urgency and scale of the challenge demands the combined endeavor of both accountants and risk professionals; for far too long they have been working independently of each other with respect to the design of integrated finance and risk control frameworks, hence the lack of progress. There is another revealing passage in Wikipedia under Managerial Risk Accounting: “Existing accounting systems are primarily ‘monovalent’. That is, a single accounting value is attributed to a specific object or purpose. In contrast, risk and uncertainty are formally characterized by a whole range of possible values connected to an object.” As is the case for risk, there is more than one value that can be potentially assigned to a transaction for accounting purposes, such as historic cost, fair value, and net present value. Accountants learned a long time ago that financial accounting and control systems must be constructed around a common metric embodying a single and universally accepted accounting value assigned to each transaction. This is the monovalent accounting system referred to above and is defined in accounting standards such as IFRS and U.S. GAAP. Only through a monovalent system is it possible to: embed controls in financial operating infrastructures (reconciliations, substantiations etc.); effectively aggregate accounting data; achieve direct comparability of outputs from accounting systems; create single authoritative sources of accounting data; and create firm-wide operating limits and budgets (the financial equivalent of ‘risk appetite’). An Essential Measure This monovalent concept must now be applied to “risk adjusting” these same accounting transactions to embody a single and universal risk-adjusted value denominated in a common risk metric. For without a common risk metric, the risk controls set out in the FSB’s risk culture paper referred to above cannot be realized. Neither can the control features ascribed to accounting data in the foregoing paragraph be replicated for risk data to conform to new regulatory requirements contained in BCBS 239, the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting. BCBS 239, now set as a mandate for supervisory reviews beginning in 2016, recognizes that banks’ inability to properly identify and aggregate risk data across many business silos has left the financial system vulnerable to unaccounted and unobserved risks that provide the breeding ground for negative cultures to evolve. It is, presumably, with this in mind that BCBS 239 calls for accounting-type controls to be applied to risk data, along with the ability to reconcile risk data to the books and records of the firm. A new risk-adjusted culture remains to be constructed against the backdrop of the prevalent short-term performance and incentive culture that has characterized much of finance in the last half century. The road to transforming such negative cultures must begin with the design and implementation of effective risk accounting and risk control systems. These imperatives are the stepping-stones to governing and overseeing fundamental cultural change that gets us to a new societal norm in the promising next stage in the evolution of the global financial system. Allan D. Grody (firstname.lastname@example.org), president of Financial InterGroup Holdings, is a former partner and founder of Coopers & Lybrand’s (now PricewaterhouseCoopers’) financial consulting practice and former adjunct professor at New York University’s Stern Business School, where he founded and taught its Risk Management Systems course. Peter J. Hughes is managing director of Financial InterGroup (UK) Ltd., a chartered accountant, a former banker with JPMorgan Chase and visiting research fellow at the Leeds University Business School. Their previous contributions to www.garp.org have included “The HFT Uproar: What Went Wrong and How to Fix It" and “BCBS 239: Is Spending $8 Billion on IT the Answer?"