When care and attention pays off

By Peter Noble

The recent global financial crisis has thrown a great deal of attention back on the issue of risk management for businesses big and small. One of the key questions being asked, especially of the US financial scene, is why didn’t they see the risk?

A good question. There has been considerable effort made globally over the past 10 years to create theories, processes and procedures to help the financial services industry manage the risks of their businesses.

Many of the international initiatives, such as the Sarbanes-Oxley legislation introduced following the calamity of Enron and the broader regulatory initiatives coming out of the Basel, have failed miserably.

Against this international background, a number of independent developments have taken place in Australia. Among them was the Wallis report that recommended the establishment of the Australian Prudential Regulation Authority (APRA) and its separation from the Australian Securities and Investments Commission and the findings of the Royal Commission set up to examine the collapse of HIH.

Consequently, a twin peaks model of financial regulation was adopted and APRA pursued enhancements in corporate governance through the introduction of prudential standards that were consistent with the eight principles of corporate governance adopted by the Australian Securities Exchange (ASX).

These developments, their clear articulation and the methods of embedding them seemed to have worked reasonably well in Australia’s financial institutions; those regulated by APRA have fared relatively well. Those companies that were following the ASX principles of corporate governance have not fared so well.

This latter list is particularly long and includes former listed market darlings such as Allco, Babcock & Brown and ABC Learning, all of which had compliant practices but, nevertheless, collapsed spectacularly. Had there been a proper understanding of Principle 7, recognising and managing risk, there was a chance that these corporations may have fared much better.

So two questions must be asked:

• Internationally, what went so wrong but affected our regulated institutions less severely?
• Locally, why did the APRA model work better than the ASX model when they are based on the same set of principles?

The view of the chairman of the US Federal Reserve, Ben Bernake, on the failure of financial institutions’ risk management strategies was that “a single firm may have an acceptable exposure to a particular type of risk that would be unacceptable if repeated across many firms”.

Bernake believes an appropriate risk management strategy must do more than identify and manage risks that an organisation faces on its own. The strategy should be broader and look at how many others may be similarly exposed. This applies to financial services businesses of all sizes in Australia.

Had this process been followed it may have exposed the huge risk that enveloped the global financial markets and led to their freezing. At the company level, board’s had no view on the size and extent of this contagion risk. If they had been aware of these contagion risks they may not have allowed their institution to be so exposed.

Risk mitigation strategies with early warnings are very effective in de-leveraging or de-risking any exposures.

For prudential regulated corporations, material risks are the focus and close examination is expected. Risk classes are called out and scenario testing and deep analysis is required. The findings from these examinations are reported to the risk management committees of the boards for review, with appropriate recommendations presented to the full board. There is a clear value focus here.

On the ASX front, Principle 7 also has both a compliance focus and a value focus. A pure compliance focus, however, would not have uncovered the relative risks, but a value focus may have. Calling out issues like counterparty risk, contagion risk and market risk in a systematic way through the application of an appropriate risk management strategy should have uncovered the exposures. Risks that could have a material impact on the business should be appropriately managed. The value focus is lacking in the ASX approach.

For the value focused type of risk management strategy to be effective, however, corporations must exhibit solid corporate values in the way their governance and risk management practices operate. A simple compliance approach to risk management practices will result in a simplistic outcome and leave the enterprise exposed to shocks. There are many examples of these failings, the most spectacular of which is the Societe Generale case.

The lessons here are not just for the big companies operating in Australia’s financial environment, they are there also for the smallest operator. Anyone involved in the financial sector can learn from this experience.

A risk management culture must be embedded in the business (regardless of how big or small) and practiced with attendant values, such as ‘no blame’ integrity and respect.

Codes of conduct and ethical behaviour need to be clearly brought to the attention of all staff. The framework must be deeply embedded within the corporation so that all risks faced have been properly articulated, called out at all the appropriate levels within and managed with effective responsibility and accountability applied.

This process would apply to operational risks deep within the business, the key business unit risks and the most senior levels of management of both the risks around strategy and key business objectives.

The operation of the framework must be able to assuage others so that they are comfortable that all risks faced by the business, whether they have visibility or not, are still appropriately managed.

As many submissions to the Ripoll inquiry show, having the confidence of customers in an organisation’s ability to manage risk in good and bad times is one of the biggest challenges facing Australia’s financial sector.

Peter Noble is head of corporate governance at Tower Australia.