Navigating GRC and Audit
Information and Communication – the often overlooked part of GRC
When I listen to people talk about COSO, I hear words such as ‘tone at the top’, ‘top down’, monitoring of internal control, risk assessment and control activities. I rarely hear about the COSO domain Information and Communication – it’s there, but it seems to be pushed to one side or lessened in importance. Yet, when I look at recent corporate failures, the failure of information and communication seems to be the only constant element in each situation.
Consider the current mortgage crisis – many people argue that risk management broke down. Honestly, I don’t think that it did. The broker making up details in a loan application knew exactly what risks he was taking – this risk fit into his risk appetite – and he was happy with the bonus he received. However, if senior management had known what he was doing, then alarm bells would have been ringing.
A great book for GRC specialists and auditors to read is part one of ‘House of Cards’ by William D. Cohan. This book talks about the fall of Bear Stearns – particularly in the last ten days of its existence – and discusses the events and indicators that should have been obvious in the months before the company went under.
The introduction in the book jacket is worth quoting:
‘On March 5, 2008 at 10:15 AM, a hedge fund manager in Florida wrote a post on his investing-advice website that included a startling statement about Bear Stearns & Co., the nation’s fifth-largest investment bank: “In my book, they are insolvent.”
‘This seemed a bold and risky statement. Bear Stearns was about to announce profits of $115 million for the first quarter of 2008. They had $17.3 billion cash on hand, and as the company incessantly boasted, had been a colossally profitable enterprise in the eighty-five years since its founding.
‘Ten days later, Bear Stearns no longer existed.’
So put on your GRC hat, switch your focus to information and communication, and start reading.
One of the first things that becomes obvious in the book is that no one party had the true picture of what was going on. Information silos were rampant within Bear Stearns, and also among the outside parties involved with the company. People either had no information, the wrong information, a partial view of the right information, or did not trust the information they were getting.
So much was fundamentally wrong from a GRC perspective that it is difficult to know where to start.
Let’s begin with some fundamentals.
The first fundamental is funding. In a regular bank, most funding comes from depositors like you and me. In an investment bank, funding comes from repo accounts – essentially 24-hour loans that roll over each morning (and had rolled over with no problems for many years) – and from short-term loans from investors, for example hedge funds, which can easily withdraw millions of dollars deposited overnight.
This approach to funding works because of your reputation. If your reputation is damaged, then your depositors have little loyalty to you and will move their money elsewhere. In the case of hedge funds, they may even make investments that rely on the price of your stock falling drastically so that they can make a profit.
The second fundamental is investing, in particular risk management and sub-prime mortgages.
Credit derivatives or credit default swaps are instruments that effectively insure a loan. If Bank A were to loan money to Customer B, they could effectively insure this loan so that if Customer B defaulted, the insurance company would take the loss.
A bank could make many loans and bundle them into a pool, then divide this pool into tranches (levels). If a loan went into default, the riskier tranche was impacted first. As most of the loans in the pool were mortgages, and it was assumed that mortgages were safe investments, there was little risk that the less risky tranches would be impacted by defaults. As it was assumed that AIG could insure these loans, the risk associated with sub-prime loans was considered low. Months before the crisis, the cost of insurance on Bear Stearns began to rise relative to the cost for other investment banks. Several hedge funds began to notice this.
The third fundamental is liquidity. If funds are not sufficient to meet operating requirements, then cash reserves are used, and then less liquid assets are sold to meet those requirements. Shortly before the crisis, senior management at Bear Stearns were concerned that the bank did not have sufficient liquid assets to meet short-term funding needs during a crisis. These managers wanted to sell less liquid assets and increase more liquid assets. They were overruled.
The stage is almost set for what was to come. There is more to the story but I will focus on information and communication and how weaknesses in these areas contributed to the coming crisis.
Information is the collection and analysis of internal and external data, presented in a form that enables business performance and risk management decision making. The information collected will vary according to the needs of management; for example, the Board, executive management, risk management and internal audit would require information acquired across the entire organization.
Communication is the collection, transformation and transmission of timely and accurate information to management. This information will enable management to assess current and emerging states, analyze trends and failures, and provide input to enable timely management decisions.
The processes at Bear Stearns failed to collect and communicate the information necessary to predict and manage the crisis.
When you look at the internal workings and the stakeholders within Bear Stearns, you begin to realize how siloed the organization was, and how this led to catastrophe.
Externally, the regulators were told everything was fine until the day before help was needed. They then did an extraordinary job behind the scenes to stop a financial catastrophe. The lessons they learned will begin to emerge in the next several months. In banking, expect more transparency with the Federal Reserve and whoever the new systemic regulator will be (this is yet to be decided). The safety and soundness rules will change, with more focus on corporate governance and risk management. Outside of banking, expect the roles and responsibilities of the Board to be better defined.
Hedge funds, investors and even the competition were told everything was fine, even though Bear Stearns’ performance indicators were showing that this was not true. Goldman Sachs even offered to help but was ignored. The first indicators of trouble began as hedge funds began betting that Bear Stearns’ share price would plummet dramatically. Then investors began pulling out money, and those 24-hour loans referenced earlier were not being renewed or “rolled over.”
Internally, the Board was told that everything was fine – until they were asked to attend a conference call where the main item on the agenda was whether to declare bankruptcy.
The top 50 managers – a recognized group within Bear Stearns – were also told that everything was fine just before the crash. Even inside their siloed bunkers, this did not ring true, and it became more difficult to reassure the market.
For repo management, it must have been the equivalent of Pearl Harbor. This group had good relationships with other banks and had easily managed 24-hour cash loans in the past using spreadsheets, but now received the brunt of the backlash. In just a few hours, the list of institutions that would not be renewing short-term deposits was longer than the list of those still providing short-term funds.
Lessons Learned
It is interesting to listen to financial analysts who, as Bear Stearns headed for collapse, said the firm was sound, and who now say that there was no risk management in place. I have a fundamental disagreement with them. I believe that risk management was in place, but it was limited to silos that determined that the risk to their silo was acceptable based on the bonuses they would receive.
The Board was remiss in not taking a more active interest in the strategic direction of the firm and demanding an independent assessment of the information they were given. They did not have a holistic view of the firm’s performance and the risks that it was accepting.
It is easy to say that the regulators ‘should have known’. Based on the rules of the day, they did a good job. However, expect the rules to start changing in a fundamental way. The days of the passive regulator are over. I do not expect regulators to begin second-guessing banks, but I do expect them to ensure that fundamental corporate governance and risk management processes are in place.
I don’t believe that internal audit made any major mistakes. Based on the Internal Audit Mission Statement of many major corporations, it is difficult to say how they could have made a difference. If the Board fails in its responsibilities, it is difficult for internal audit to go around the directions they have been given and assume the responsibilities of the Board.
However, in the future, I firmly believe that things need to change. If the roles and responsibilities of the Board are better defined, then the responsibilities of internal audit will change. Internal audit will become more important and will be a strong ‘value added’ component of the business.
Finally, with regard to risk management and GRC, I believe that risk management is becoming more important. Regulations and legislation will be passed to reduce the impact on the average citizen of poor risk management and governance practices of corporations. In my discussions with risk managers about these issues, I have heard the following three questions: What is our plan? What can you deliver in 3 months? How can you do this cost-effectively? I hope to address answers to these questions in the future.
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®