After the 2008 financial crisis, I wrote to Prof. John Hull, a derivatives expert at the University of Toronto’s Rotman School of Management, and asked if boards of investment banks should have directors with derivatives expertise. His response: “There is no question in my mind that a large financial institution should have on its board people (perhaps two or three) who understand derivatives and other complex financial products. They should also receive stress test results. One of the problems is that, although stress tests are carried out, their results are often ignored by senior management.”
We’re now witnessing an alleged $2-billion fraud by a 31-year-old so-called rogue trader working for UBS, Kweku Adoboli, who had intimate back-office booking knowledge of how trades are reconciled with counterparties. We can take something from this: Risk management, corporate governance and banking reforms to date have been wholly inadequate. We need to admit that most corporate directors simply do not understand complex derivative products, and we are demanding too much of them in expecting otherwise. If we want directors to understand derivatives, they need to be chosen differently.
Current and former CEOs may not understand derivatives, and there is evidence that CEOs do not make better directors. A common refrain from directors of large institutions whom I’ve interviewed is simply that they don’t understand. And these are very senior business people. In the words of one bank’s Chief Risk Officer, “Directors cannot possibly understand.”
Derivatives experts exist. They have narrow subject-matter expertise. What are the odds this type of person would be asked to serve on an investment bank board, pushing back on management all the time, when management and directors themselves select one another under the current system, rather than having directors selected by shareholders? The derivatives expert may not be asked because they haven’t run anything, but they really do make boards more effective.
Next, the trader, Kweku Adoboli, is not simply a “rogue” as UBS maintains. He is an employee operating within a system of deficient internal controls. The bank, the management and regulators are at fault.
Surveys and studies indicate that risk management is presently inadequate. There needs to be a significant restructuring of risk and assurance of risk. Risk management is a cost, and money spent on internal controls to mitigate risk does not contribute to the bottom line. CEOs resist, boards don’t understand, and regulators just need to regulate.
The BP disaster resulted from flawed risk management according to expert reports. News Corp. phone hacking is flawed risk management. The Canadian corporate governance guidelines (National Policy 58-201) mentions the word “risk” only twice, and the risk management provision is twenty-one words in length (section 3.4 c). Many governance codes addressing risk are similarly sparse and written at high levels, with rare exceptions. Without proper regulation, boards have little to point to in insisting on robust risk management and internal controls.
When a CEO or CFO attests to a board of directors that the internal controls over risks are adequate, their evidence should be subject to external review, especially for operational risks such as environmental compliance, information technology, bribery or complex derivatives—whatever it is that can materially affect or even bring down a company.
Internal controls exist—authorization of transactions, electronic safeguards, segregation of duties, control limits, and prevention of manual override. They cost money to implement and are often perceived by management as a drag on profit-making.
The rigor of internal controls over financial reporting for S-Ox needs to apply to all major business risks, not just financial. Companies will resist because of cost and distraction, so policy choices needs to be made. Are we willing to live with trusting a CEO?
More needs to be done as well in the governance context. Here is advice to the chairs of investment banks, in light of UBS:
The chair of the compensation committee should retain an independent compensation consultant to study the compensation for each material risk-taker, and report to the chair on how their remuneration is incenting adverse risk-taking. The compensation consultant must tailor risk-adjustment advice to suit that bank, and comply fully with all Basel Committee on Banking Supervision reports and recommendations. (Any blowback by management that we need to pay our people and traders this way or they will move to a competitor should be met by requests for empirical evidence, which, according to Ken Feinberg, the former U.S. pay czar, does not exist.)
The chair of the audit committee of the investment bank should instruct internal audit to complete a thorough review of the design and effectiveness of internal controls over all trading activities, and report directly to the chair. The chair should approve the budget, resources and work plan. If the head of internal audit is not up to the task, the chair should fire him or her and find someone who is. If necessary, external assurance providers—not the external auditor—should be retained by the chair as well, and report directly to the committee, not management.
Next, the chairs of these two committees, together with the board chair, should meet with the CEO and CFO to inform them of the above two studies, and direct them to cooperate fully with all requests for information. Directors need to direct more, if and when required.
How many chairs have the fortitude to do this, I wonder? If directors are there to control management, then they must have the statutory authority and resources to do so.
Lastly, regulators need to regulate if and when required. Specifically, all regulators should separate, permanently, global wholesale/investment banking’s proprietary trading from retail banking. Otherwise taxpayers will be on the hook for a very dangerous industry, akin to “casino gambling” by critics. It is totally unacceptable that one person, reputed to have bet $10 billion, can cause this much damage. If you multiply it, with contagion, the investment banking system is broke and dangerous. Regulators need to address this issue. It has been three years since the financial crisis. In the words of Martin Wolf, a member of the U.K.’s Independent Commission on Banking, “No sane country can allow taxpayers to stand behind such risks.”