Ramesh S Arunachalam
The importance of having properly
functioning (effectively implemented) internal control systems[i]
at investment and commercial banks and other financial intermediaries needs to
be strongly emphasized, especially in the context of what happened in the lead
up to the 2008 financial crisis. In fact, self-regulation, as a much touted and
effective mechanism, miserably failed primarily because ‘internal controls’
were either absent or compromised at the major investment/commercial banks and
financial intermediaries concerned (FCIC Report, 2011).
While specific examples of such
internal control failures will be dealt with in a separate post, this one (in a
series of posts) takes a look at such control systems and provides practical
(starter) suggestions to investment/commercial banks/financial intermediaries[ii],
regulators, policy makers, and other stakeholders on how (best) to structure
such systems so as to achieve the goal of accountable and responsible
operations in real time.
Having said that, let us now move on
to substantive issues related to the control system.
The formality of any control system
will depend largely on an INSTITUTION’s size, the scale and complexity of its
operations, its risk profile and so on. Less formal/structured internal control
systems at smaller INSTITUTIONS can be as effective as highly formal/structured
internal control systems at larger (and complexly structured) INSTITUTIONS. But
the key is that every ‘INSTITUTION’ should have an internal control system,
this system should be commensurate with the size, scale and complexity of its
operations and most importantly, the system should actually work on the ground
in real time.
Many of the problems with investment/commercial
banks/financial intermediaries[iii]
could have (perhaps) been avoided in the lead up to the 2008 financial crisis,
if and only if, the concerned INSTITUTIONS had an effective and appropriate
internal control system operational in the first place—one that did not
merely exist on paper but was rather implemented in reality. This is
something that the concerned INSTITUTIONS (be it investment/commercial
banks/financial intermediaries) will have to self-assess, with regard to their
respective organizations and bring about the necessary changes.
Regulators/supervisors and other stakeholders could also enable these INSTITUTIONS
to assess the quality[iv]
of their control systems and make the necessary changes.
That said, what then are the key
components of such a system?
In my opinion, an effective control
system (at any INSTITUTION) should have five key elements:
a) An appropriate control
environment,
b) Supported by a proper risk
management system,
c) With control activities
commensurate with the size, scale and complexity of operations,
d) Aided by a transparent and
accurate accounting, information, and communication system, and
e) Backed by dispassionate, objective and
independent self-assessment/monitoring.
Having set the context, let us now
look at what each of these elements mean in reality through a series of posts.
And in this first post, I focus on the strategic element of the “appropriate
control environment”, an issue that is seldom thought about in practice but
one that I believe is very (if not most) crucial to the long-term survival of
the INSTITUTION.
Why should each and every INSTITUTION
have an appropriate control environment?
This is because the control
environment is the foundation on which the institution’s control system is (to
be) built. Basically, it reflects the board’s[v]
(and also senior management’s) commitment to strong and effective internal
control at the INSTITUTION. In other words, it provides the discipline
and structure to the entire (internal) control system. Without this
commitment by the board of directors (and senior management) to strong and
effective controls, no (internal) control system (however well designed and
structured) can actually work on the ground. And this commitment must
clearly be visible throughout the INSTITUTION—for all staff to see and emulate.
Let us be clear on that as otherwise accountable and responsible operations can
never be the order of the day! Just
look at the 2008 financial crisis which is replete with examples where board
and senior management themselves showed scant respect for the control system
that was (to be) in place at their INSTITUTIONS. They were equally guilty of
‘control system’ breaches due to their aggressive risk posture (s) caused by a
compensation system that hugely rewarded short terms gains, when the risks were
in fact medium to long term.
And who has to play a crucial role
in establishing this at an INSTITUTION?
At a very basic level, it is an INSTITUTION’s
board of directors (perhaps along with and through senior management) who must
assume responsibility for establishing and maintaining an effective internal
control system that: a) meets statutory and regulatory requirements (if any);
b) protects the INSTITUTION, its assets, operations, investors and other
stakeholders; and c) responds to changes in the INSTITUTION’s
environmental conditions. They need to
ensure that the control system operates as it is intended to and is also
modified (appropriately) when circumstances so dictate. Again, there are
so many examples from the 2008 financial crisis that tell us that at many so
called big and supposedly well run INSTITUTIONS in the United States, this sadly
did NOT happen! And in India, the case of the erstwhile SATYAM
COMPUTER’s is a great example where highly reputed independent directors[vi]
merely sat on the board, watching the fraud that was being perpetuated by the
founder promoter[vii]
And for discharging the above
duties, the board of directors must fully understand the risks that the INSTITUTION
could face, set the acceptable limits for these risks, and ensure that senior
management takes the steps necessary to identify, monitor and control these
risks. In turn, the senior management must then take the responsibility to
implement the strategies approved by the board, to set appropriate internal
control process/procedures, and to monitor the effectiveness of these process/procedures.
There can be no substitute for this. And not to sound like a broken record
but the fact of the matter is that this did not happen in the lead up to the
2008 financial crisis at many of the big institutions!
This makes it quite clear where the
main responsibility for control rests and that is fairly and squarely on the
strategic shoulders of the INSTITUTION’s board of directors (along with the
senior management)—not on the compliance and audit departments. Please note this critical issue. However,
having said that, everyone in an institution should share the responsibility to
some extent and that is where the board (through the senior management) must
play a catalytic role in shaping a positive control culture throughout the
entire organization so that all stakeholders within the INSTITUTION respect the
control system and act in accordance with it. Thus, a key task for the board
(through senior management) is to establish the right culture within the INSTITUTION—a
culture in which the importance of internal controls is STRONGLY stressed, and
high ethical and integrity standards are promoted and adhered to. And
this culture cannot be determined simply by what the board or top levels of
management (merely) say in their policy pronouncements - it will have to be judged
more importantly by what they (actually) do in real time?
For example, do the INSTITUTION’s
policies (remuneration etc) reward risk-taking at the expense of accountable
and responsible operations? For example, the pressure (at INSTITUTIONs) to achieve
faster growth through highly innovative financial products have been known to
be associated with remuneration policies that reward (immense) short term risk
taking by individuals within INSTITUTIONs. And a related issue here is the
question of whether the board/senior management displays a casual attitude
towards breaches of (control) limits? Do they encourage the right attitude
towards regulatory and/or control system compliance? Is there backing and
respect at board/senior management levels for the internal audit and compliance
functions?
Thus, the response of the
board/senior management of the INSTITUTION to these kinds of issues will
clearly determine how other staff (at the INSTITUTION) actually behave in
practice, including their attitude to control issues and the overall control
environment. This point needs emphasis
here! If the board and senior management are casual towards control system
breaches, then, managers and others down the line will behave in a similar or
worse fashion, showing total disregard for control system limits. This is what
happened at many big institutions in the 2008 financial crisis!
In summary, it is the responsibility
of the board (along with senior management) to see that there are no differences
between policy statements and actual implementation with regard to controls.
This will go a long way in building a positive control culture at the INSTITUTION,
which is a very necessary and integral component for building a proper internal
control system, which, in turn, is very vital for accountable and responsible
operations in real time.
[i] The term control system is used synonymously with the word internal
control system
[ii] The term INSTITUTION is used to refer to commercial banks,
investment banks and other kinds of financial intermediaries, as defined in
common parlance!
[iii] Please see FCIC Report (2008)
[iv] Judging the quality will require not merely the examination of
whether or not an appropriate internal control system exists on paper but
rather studying if indeed what is said on paper actually works on the ground.
That is the key to making inferences about quality.
[v] Board = Board of Directors or Equivalent as may be as per the legal
form of the institution as per the relevant laws in the country of
incorporation.
[vi] A separate article on independent directors will be posted!
[vii] The first court pronounced the founder promoter of Satyam
(Ramalinga Raju) guilty, in line with his own famous confession dated Jan 2009.
An appeal court is said to have however suspended the sentence however but the
case is on-going. Nevertheless, it must be remembered that the founder promoter
(Ramalinga Raju) himself self confessed to perpetrating a major fraud at the
erstwhile Satyam Computers.
No comments:
Post a Comment