The following article was originally published in the October edition of The Journal of Business Compliance.
INTRO: Jonathan Ledwidge is an author and risk professional with more than 20 years experience in investment banking and has strong views and undeniably good questions. In this opinion article, the first under the Speakers Corner column of the Journal, he asks questions of everyone in the corporate world, not merely bankers, but industrialists, regulators and all those associated with the formation of governance frameworks, the promotion of meaningful corporate culture and their implementation. He considers the many pitfalls into which a generation of business and political leaders have fallen and the consequences these have had on regulation and internal control practices. The scandals that have come to light within the banking sector have overshadowed scandals of corruption and misselling in other industries that just as crucially require answers and reflections of the existential question: Why are we here?
“Tell me again Maximus, why are we here?”
That is one of my favourite lines from one of my favourite movies—Ridley Scott’s Gladiator. The line is delivered by the Emperor Marcus Aurelius and he is asking the General of the Felix Legions and Commander of the Armies of the North, Maximus Decimus Meridius, why is it and for what purpose has Rome been engaged in continuous fighting for so many generations.
“Why are we here?” is a question in need of an answer from accountants and internal auditors, compliance officers, risk managers; indeed the legions—a most appropriate moniker—of people all the way up to the boardroom who are currently engaged in the battle—another suitable moniker—to keep the banking industry from destroying itself.
“For the glory of the Empire sire,” Maximus responded.
At least Maximus believed that there was something glorious about Rome.
The Ongoing Problem Within Banking
I have the distinct impression that there are very few people either inside, or outside, of the banking industry who actually believe that there is something glorious about banking. It is not difficult to fathom why. The financial crisis has been followed by one scandal after another. They have included illegal foreclosures, Libor manipulation, energy market manipulation and money laundering offences to name just a few.
How bad has it been for the banking industry? A recent Bloomberg online article noted the following:
The six biggest U.S. banks, led by JPMorgan Chase & Co. (JPM) and Bank of America Corp., have piled up $103 billion in legal costs since the financial crisis, more than all dividends paid to shareholders in the past five years.
That’s the amount allotted to lawyers and litigation, as well as for settling claims about shoddy mortgages and foreclosures, according to data compiled by Bloomberg. The sum, equivalent to spending $51 million a day, is enough to erase everything the banks earned for 2012.
The statistics are staggering but unfortunately there is more litigation to come.
The real answer to the question of why are we, as risk professionals, are all here is that we hope to make a difference. We hope that by doing what we do with the skill, professionalism and due diligence which all risk professionals require, that we facilitate compliance with appropriate legislation and regulation as well as safeguard the reputation of the institutions for which we work.
Yet, while most would say that that is precisely what we have been doing the question still remains;
Why have we failed?
More pointedly; why do we continue to fail?
Or to be even more precise; why are we set to continue failing?
Mired In Legislative And Regulatory Treacle
Every major crisis and every major scandal has been followed by more legislation and more regulation. Given that financial crises of one sort or another have been the story of the past 30-40 years and that each time they occur they are followed by the same remedy—that is an awful lot of legislation and regulation.
As the host of a compliance breakfast briefing recently put it, managers within the banking industry are now mired in legislative and regulatory treacle—they are literally unable to do anything other than try to interpret and abide by the rules. Unfortunately, while they are in the midst of that interpretation more rules keep coming along.
Yet, that treacle has been a boon for risk professionals. Those in the legal and compliance fields have seen a huge expansion in numbers, their professional skill requirements, their responsibilities and ultimately in their importance to the banking industry. Unfortunately, this expansion has not been sufficient to deter the scandals and failures that have come to characterise the industry.
Thus, if we are truly honest with ourselves, we are finally and irrevocably faced with the reality that the compliance monitoring and surveillance of the activities of a financial institution along with all the other risk and governance approaches, are on their own insufficient to remedy the problem. What is needed is a new approach.
Is Cultivating A Better Risk Culture The Answer?
In recent times it has come to pass that many within our industry, as well as those outside such as regulators and legislators, see the risk culture of an institution as the key to avoiding scandals and crises.
What does this mean and does it really make sense?
First we have to start by defining what risk culture is. A paper by Deloitte entitled; Cultivating a Risk Intelligent Culture defines risk culture thus:
Risk culture encompasses the general awareness, attitudes, and behaviours of an organisation’s employees toward risk and how risk is managed within the organisation. Risk culture is a key indicator of how widely an organisation’s risk management policies and practices have been adopted.
The belief is that the better the risk culture the more likely it is that an institution will be able to avoid problems. This is reinforced by another report from the Institute of International Finance, the IIF. The report is entitled; Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, The Report of the IIF Steering Committee on Implementation (SCI), Institute of International Finance, December 2009. An extract from the report makes reference to risk culture as follows:
Management will need to focus on it and governance processes will have to be designed to work against erosion of risk management standards and a risk-sensitive culture, especially as the next booms emerge either in product areas or generally. Supervisors will rightly look critically at whether firms are developing and sustaining positive risk cultures taking into account the lessons of the crisis. Risk culture will always be a work in progress.
As someone who works for a firm that is devoted to assisting institutions in developing good, world class approaches to internal audit, risk and compliance, I do not have a fundamental disagreement with the general ethos of the above statements. The problem however is that neither goes far enough. Neither statement fully recognises that the extent of the problem goes well beyond risk and risk culture to the very nature of the institutions and the business activities in which they are involved.
This is because in the long term, irrespective of how good the risk culture, if the culture of the organisation and the culture of the business being conducted e.g. purchasing of ninja loans for securitisation, are not good then they will subvert and destroy that risk culture—along with the rest of the organisation.
As a risk professional, what this means for me is that while I work with institutions to facilitate their cultivation of a good risk culture, I also have to face up to the reality that cultivating a good risk culture in, and of itself, while worthy, is simply not enough. It means coming to terms with the limitations of my own work and by so doing encourage others, i.e. other risk professionals and compliance officers, to join me by going even further.
What does further mean?
It means looking at the organisational culture and the business culture within which the risk culture operates.
Organisational Culture Is Far More Important Than Risk Culture
The traditional problem for compliance offers and other risk professionals is that all too often their work focuses on what happens after the business decision has been taken and the risks have been incurred.
The above is somewhat mitigated by the fact that compliance and risk are usually involved in establishing the governance framework and ensuring that rules are properly established in the hope that said rules will be adhered to. Examples of this include the checks and approvals with respect of the Know Your Client and Anti Money Laundering regulations commonly known as KYC/AML.
However, while compliance will also define the processes and procedures that should be followed in specific circumstances such as; new customer approvals, the monitoring of payments and what lists must be used for embargoed names, the compliance officer might not be aware that such measures have not been properly implemented. In fact he/she may not receive such information until internal audit report the deficiency.
The question then becomes not one of why compliance did not ensure the appropriate procedures were followed and established, but rather what was the cause of the compliance failure—and this is where the nature of the business and the overall business culture plays a far more important role than the work of risk professionals. The issues then become:
- Has the business undergone rapid expansion in recent years as a result of which compliance and the other risk and control functions have simply not been able to keep pace?
- Are the products too complex?
- Have the IT systems, processes and procedures become so complex and difficult that it has become almost impossible to establish where controls are supposed to begin and end? If you have seen the bowl of spaghetti diagrams that pass for the IT systems architecture in most major banks then you will know exactly what I mean.
There are many compliance officers within banking and financial services who have either experienced, or perhaps been totally frustrated by the circumstances referred to above. More often than not, these are the by-products of an organisational culture that places very little emphasis on cultural issues—believing instead that once decisions are taken at the top then everything else and everyone else simply has to fall in line.
One of the biggest causes of these problems is the less than erudite approach to mergers and acquisitions.
A KPMG paper entitled; Unlocking Shareholder Value: The Key To Success Mergers & Acquisitions – A Global Research Report, looked at international mergers and acquisitions and determined that:
…as many as 53% actually destroyed value…83% of mergers were unsuccessful in producing any business benefit as regards shareholder value.
Given the fact that banking and financial services has in the past 20 years undergone more rapid consolidation than virtually any other industry, we should not be surprised that these cultural issues continue to subvert and deter the best that compliance officers and other risk professionals have to offer.
Yet, that is far from being the only problem as the very nature and the timing of the business being pursued brings it own problems and it has been the source of many financial crises.
A History Of Financial Crisis: Banking Cultures Gone Wrong
When our eponymous hero Maximus is placed in the Coliseum along with a small band of gladiators, described in the movie as the “barbarian hordes”, it is to enact the famous Battle of Zama. History informs us that it is in this battle that the Roman legions under Scipio Africanus demolish the Carthaginians and put an end to the ambitions of Hannibal.
To facilitate this recreation, Maximus and his barbarian hordes are forced to defend themselves against a superior force. However, much to the amazement of the baying mob and the puzzlement of the villainous Emperor Commodus, Maximus and his small band defy history as well as gladiatorial norms and eventually triumph.
It is that said defiance of history or the breakdown of the latest prevailing paradigm that has been the main source of a series of financial crises and the downfall of many financial institutions.
During the 1970s and 80s western banks took the vast amounts of petro-dollar deposits from the newly rich Gulf Arab states and loaned them to Lesser Developed Countries or LDCs as they became known. As the level of debt grew and grew and concerns were being expressed in some quarters, then Citibank CEO Walter Wriston stated; “countries don’t go bust”.
When, despite Mr. Wriston’s utterances, Mexico defaulted in 1982, it set off what became known as the LDC debt crisis. This particular crisis was to cost western banks billions of dollars; almost bankrupting Citibank amongst others.
We move on to the late 1980s and early 1990s when Japan Inc was or appeared to be all powerful with the Nikkei hovering at 40,000 and Japanese banks rapidly expanding at the expense of their western counterparts. At that time, the general consensus was that investing in Japanese equities and real estate was the way to go. We were also told that since Japan was going to rule the world we should all not only learn Japanese but also how to bow at the right angle.
When the Nikkei crashed and the real estate bubble burst investors and banks lost billions. Some twenty years later Japan is still trying to recover from that disaster—the disaster of another blown paradigm.
Then there were the events of the latter half of the 1990s. Who remembers the dotcoms and how quickly they became the dot-bombs as the Internet stock craze came and went at warp speed? Investors and banks again lost billions because for some strange reason it was the in thing at that time to place very large bets on any company that had a .com after its name.
Finally, we come full circle to the subprime crisis. In this regard, perhaps the most relevant of all quotes is the one by Alan Greenspan—a sort of mea culpa on the lack of regulatory rectitude which preceded the crisis. During his testimony to the US Congress Greenspan stated:
“I made a mistake in presuming that the self-interests of organisations, specifically banks and others, were such that they were best capable of protecting their own shareholders and their equity in the firms.”
Imagine that, a Chairman of the Federal Reserve that had never heard of a banking failure before the subprime financial crisis! Surely, this observation was even more pitiful than that of Walter Wriston.
In none of the instances above would a better compliance or risk culture, on its own, have enabled individual institutions or even the industry as a whole to avoid the problems that they got themselves into. Not even if they had an army of 10 million compliance officers, risk managers and internal auditors would it have made much difference.
The story of the banking industry is one of individual institutions that have lost, or perhaps more precisely failed to develop, their own unique value-driven culture that sets them apart from their competitors. This is the primary cause of the herd-like tendencies demonstrated by the industry and it is directly responsible for the regular bouts of collective and spontaneous combustion which we call a financial crisis.
What we also now know is that more regulation and more legislation cannot solve the problem, and that the only thing that can is cultural change and transformation—and that has to be the responsibility of bankers.
Now we know what the problem is, the questions are;
- How do we make the necessary change?
- How do we ensure our businesses stay on an even course for sustainable success?
- How do we stop the frequent bouts of collective and spontaneous combustion of the financial industry?
- What is the role of the individual compliance officer, internal auditor, financial controller, risk manager, credit controller, SOX professional etc. etc. etc. in protecting their own institution?
The only way we can answer that is by answering the question; why are we here?
Answering the question why are we here takes us into a realm where we can, by paraphrasing Warren Bennis’s famous quote on the difference between managers and leaders, ask ourselves “are we doing things right or are we doing the right thing?”.
If you believe you are here merely to do things right by ensuring your institution’s compliance with regulation, legislation, governance, internal controls, accounting standards etc. etc. etc., then you should read no further and simply wait for the next collective and spontaneous combustion to come your way and pray that you don’t get burned.
However, if you want to do the right thing and be a part of real change then I invite you to read on.
Becoming Part Of The Cultural Transformation
“If we stay together, we survive.”
This is what Maximus said to his fellow “barbarians” before the faux legions of Scipio Africanus burst through the gates of the Coliseum and descended upon them. Maximus and his band not only survived this onslaught they triumphed.
The question is; how does the risk professional move beyond mere survival and become triumphant? Triumphant in this case meaning that they at least begin to believe that they can and are making a difference by reducing the possibility of collective and spontaneous combustion.
Like Maximus, when placed in the unfamiliar territory of the gladiator’s arena, we must gird our loins, adapt our culture of thinking to fit the new circumstances and be prepared to change the script. This includes working together with other professionals—as Maximus so ably demonstrated in the Coliseum.
Consequently, the single most important skill compliance officers, internal auditors, risk managers accountants and other risk professionals must acquire is that of joint action; challenging management with a strong and collective voice that cannot possibly be ignored—and ask of them; why are we here? Immediately followed by its imperative counterpoint; why are you here?
Once we have collectively convinced management that we are not here to accept failing as a either a fait accompli or a mere “risk of business” then questioning and challenging management to change becomes easy:
- What are we trying to achieve in the development of our business?
- Who is going to focus on the cultural aspects of a proposed acquisition, merger or new venture?
- Even if our business initiatives are strategically sound, how do we ensure that our standards of compliance, corporate governance and commitment to our customers remain sound?
- What resources will you commit to guarantee that?
- Are we following the herd in engaging in a new product or business activity?
- Are we getting into more complex products when we can only just handle the ones we already have on spreadsheets?
- What additional risks are we being exposed to, and what control mechanisms are needed?
- How do we ensure that the mission and values of the organisation remain consistent irrespective of the changing profile of customers, products and markets?
- Why are we going into new areas of business when the systems we currently have are being held together by a piece of string?
- What does this product do to benefit our customers both now and in the longer term?
- Would you sell this product or provide that kind of service to your mother?
- Do we have a reward and incentives structure that encourages good behaviour?
- When will we develop a mission and set of values that are actually meaningful and unique to our institution and the values we should hold dear?
- Can we honestly say that everything we are doing is making the world a better place?
- Is it at all possible for us to think independently of the herd and effect real and sustainable change?
Finally, if you have not already watched Gladiator maybe you should.
Jonathan Ledwidge is the author of the book Clearing The Bull, The Financial Crisis And Why Banks Need A Human Transformation (iUniverse).