The Role of the Board of Directors

In 1992, Price Waterhouse was one of four sponsors of a study by Oxford Analytica of corporate governance and the role of the board of directors in the Group of Seven (G-7) countries in the decade ahead.² The study indicated that there would be a number of keynotes of change in corporate governance across the G-7, including trends toward

• greater accountability,

• an enhanced role for the board in strategic direction,

• a higher degree of professionalism,

• the strictest of ethical standards,

• increased familiarity with international markets, and

• increased reliance on independent external consulting and support services.

Although a board of directors is still expected to delegate the day-today routine of conducting the bank’s business to its officers and employees, regulators have been more forcefully educating the board that it cannot delegate its responsibility for the consequences of unsound or imprudent policies and practices, whether they involve lending, investing, protecting against internal fraud, or other banking activities. Accordingly, in its proposed Framework, the Basle Banking Committee emphasizes that the board “has the ultimate responsibility for ensuring that an adequate system of internal controls is established and maintained.”⁴

To provide effective strategic direction and oversight, a board must be able to exercise independent judgment when managing the bank’s affairs. Boards that merely rubber-stamp management’s recommendations or that are unduly influenced by a single, powerful shareholder or related group of directors are not sufficiently independent to meet their responsibilities. There has thus been a trend toward requiring the election or appointment of more outside directors on the board, who are not part of management and have no family or related ownership interest in the institution. In particular, it is viewed as increasingly important that a bank’s Audit Committee be composed entirely of outside directors. In the United States, the Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”) requires that all audit committee members of large banks (assets of greater than $500 million) be outside directors who are “independent of management.” The United Kingdom’s Cadbury Committee also recommended that audit committees be comprised of nonexecutive directors, with the majority independent of the company. The Basle Banking Committee’s recent Framework also implicitly endorses the benefits of having an independent audit committee “overseeing the financial reporting process and the internal control system.”⁵

Bank supervisors will thus seek to determine whether, in fact, a bank’s board is independent and is meeting its responsibilities set forth above for setting the bank’s strategic direction and for ensuring that the bank has established an adequate system of internal controls for managing its risks. As part of this evaluation of the board’s role, a bank supervisor will review the adequacy of Management Information Systems (“MIS”), which provide the board and its audit or other committees with the information they need to perform their oversight role. In this regard, the bank’s risk control function should periodically provide the board with “useable” information illustrating exposure trends, the adequacy of compliance with policies and procedures and risk limits and risk/return performance. The U.S. Office of the Comptroller of the Currency (OCC) has indicated that to be truly “useable” to board members, MIS must usually incorporate five (5) basic elements:

1. Timeliness—information is retrieved quickly.

2. Accuracy—there are adequate controls on information system processing.

3. Consistency—in data collection and processing.

4. Completeness—sufficient information is provided without creating data overload.

5. Relevance—the information is appropriate to support the board/management level using it.

In sum, good governance by a bank’s board requires independence, high ethical standards, knowledge of the bank’s business and the markets in which it operates, strategic direction, and effective oversight of the establishment and implementation by management of a sound internal system of controls, policies, procedures, and limits for managing all material risks.

The Role of Senior Management

Both the board of directors and senior management have important roles in a bank’s program of internal control and internal audit. Although the board of directors has overall audit responsibility and should require that the auditor report directly to it, senior management normally is charged with the duty of maintaining a strong system of internal control.

Perhaps the most ambitious attempt to define what is meant by management’s responsibility for “internal control” is the 1992 report of the Committee of Sponsoring Organizations of the 1987 Treadway Commission (COSO) on Internal Control—Integrated Framework. The COSO Report grew out of the work of the Treadway Commission, which was formed in 1985 to study the financial reporting system in the United States, with a mission to identify causal factors that can lead to fraudulent financial reporting and steps to reduce its incidence. The purposes of the COSO Report were (i) to establish a common definition of internal control that serves the needs of many different parties and (ii) to provide a broad standard framework against which business entities can assess the effectiveness of their internal control systems.

Internal control is defined in the COSO Report as follows.

Internal control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.

• Reliability of financial reporting.

• Compliance with applicable laws and regulations.

The Report states that this definition reflects certain fundamental concepts.

Internal control is a process. It’s a means to an end not an end itself.

• Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.

• Internal control can only be expected to provide reasonable assurance, not absolute assurance, to an entity’s management and board.

• Internal control is geared to the achievement of objectives in one or more separate or overlapping categories.

The broad concepts outlined in the COSO Report provide an important framework for determining good governance by the senior management of a bank. However, the COSO Report defines internal control in terms of the expectations of traditional corporate constituencies discussed previously—customers (effective and efficient operations), employees (internal control culture), shareholders and creditors (financial reporting), and government (compliance with laws and regulations). Bank regulators and supervisors add one more comprehensive objective to the internal control process—safe and sound operation. Thus, from a supervisory perspective, internal controls should be designed not only to ensure achievement of organizational goals and objectives—such as profitability targets expected by shareholders and securities analysts and accurate financials expected by creditors but also prudential goals of safe and sound operation. This expectation flows from the special status of banks as deposit-takers, payments system participants, and beneficiaries of special government privileges and protections, including, in many cases, government protection against, or assumption of, the costs of failure.

In its Internal Control Framework, the Basle Banking Committee takes this more expansive view of the internal control process at banking organizations. The Committee notes that the historical reasons for internal controls—to reduce instances of fraud, misappropriation, and errors—has “recently become more extensive, addressing all the various risks faced by banking organizations.”⁶ In doing so, the Committee defined internal control for banks as consisting of five interrelated elements:

• management oversight and control culture,

• risk assessment,

• control activities,

• information and communication, and

• monitoring activities.

Noting that “problems observed in recent large losses at banks can be aligned with these five elements,”⁷ the Committee specifies a series of “shoulds” for senior management in each of these five areas.

1. Management Oversight and Control Culture. Senior management should

   • have responsibility for implementing strategic policies approved by the board, setting appropriate internal control policies and monitoring the effectiveness of the internal control system; and

   • with the board, be responsible for promoting high ethical and integrity standards and for establishing a culture that emphasizes and demonstrates the importance of internal controls.

2. Risk Assessment. Senior management should

   • be assessing the full range of external and internal risks that could adversely impact a bank, including credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, and reputational risk; and

   • be continually evaluating a bank’s strategies and objectives to address any new or previously uncontrolled risks.

3. Control Activities. Senior management should

   • set up an appropriate control structure to ensure effective internal controls at every business level, including top level reviews, appropriate activity controls for different business units, physical controls, periodic checking for compliance with exposure limits, a system of approvals and authorizations, and a system of verification and reconciliation; and ensure that there is appropriate segregation of duties and avoidance of conflicting responsibilities.

4. Information and Communication. Senior management should

   • ensure that there are adequate and comprehensive internal financial, operational, and compliance data and external market data relevant to decision making;

   • establish effective channels of communication to ensure that all staff are fully aware of policies and procedures affecting their duties and responsibilities; and

   • ensure that appropriate information systems are in place that cover all activities and that they are secure and periodically tested.

5. Monitoring Activities. Senior management should

   • continually monitor the overall effectiveness of the bank’s internal controls and monitor key risks in daily operations;

   • ensure that there is a well-trained and competent internal audit function, which reports directly to the board or its audit committee, and which conducts an effective and comprehensive audit of the internal control system;

   • ensure that internal control deficiencies are reported in a timely manner to the appropriate management level, with material deficiencies being reported directly to senior management and the board, and that they are addressed promptly; and

   • establish a system to track identified internal control weaknesses and the actions taken to rectify them.

Red Flags of Bad Governance

While it is of critical importance to define the elements of “good governance” at commercial banks, it is equally, and perhaps more, important to identify those elements of “bad governance” that are likely to lead to significant losses or even failure. When these governance “red flags” pop up during internal or external audits or bank inspections or examinations, bank supervisors need to respond promptly to ensure they do not evidence deeper governance or control problems within the banking institution.

Again, the Basle Banking Committee, in its proposed Internal Control Framework, has provided some useful examples of control failures that have resulted in significant losses at banks and should thus be on the “red flag” list of any bank supervisor.

• A culture that rewards managers who generate profits but fail to implement internal control policies or address problems identified by internal audit. Under these systems, today’s star performer can be tomorrow’s Nick Leeson.

• An organizational structure in which accountabilities are not clearly defined, resulting in one or more divisions or business units not being directly accountable to anyone in senior management and not being monitored by anyone in line management. As banking organizations approach Leviathan sizes and incorporate a host of different business and national cultures in their product and geographic diversification, the odds of the ungoverned unit would appear to increase substantially.

• An attraction to high-yielding loans, investments, or derivatives unsupported by a commitment to enhanced risk assessment. Higher returns have to be balanced with a more rigorous assessment of the attendant higher risks.

• A lemming-like expansion into new products or business lines without an effective process for assessing, managing, and controlling the new risks involved.

• A failure to observe basic control requirements for the segregation of duties. The Basle Banking Committee found this to be the most frequently overlooked control principle in banks that experienced significant problems from internal control failures. Even the most trusted employee should not be supervising the front and back offices of a trading desk.

• A consistent tendency of top management not to follow up on internal reports indicating anomalous results in divisions or units. This can take the form of not exploring too deeply extraordinary profits—the good news syndrome—or not following up on unanticipated losses—the bad news syndrome.

• A poor MIS that provides management with incorrect or incomplete information. For example, incorrect data from outside sources may be used to value positions and reports may fail to include potentially high-risk activities.

• An inadequate system for communicating employees’ duties and control responsibilities or for disseminating policies. For example, policies communicated through e-mail are often not read or retained—a result that should not surprise anyone who may have to parse through scores of e-mail messages in any given day.

• An absence of effective monitoring usually evidenced by a failure to consider and react to daily information provided to line management indicating unusual activity, such as exceeded exposure limits, customer accounts in proprietary business activities, or lack of current financial statements from borrowers. The Basle Banking Committee noted that in one bank, losses concealed in a fictitious account may have been uncovered if the bank had a procedure requiring that customer statements be mailed on a monthly basis and that customer accounts be periodically confirmed.

• A lack of additional resources to control or monitor high-risk activities. The paradox in organizations that suffered significant losses was that higher-risk activities received less oversight than lower-risk activities.

• An ineffective system of internal audit usually characterized by a combination of three factors: the performance of piecemeal or fragmented audits, the lack of a thorough understanding of the business processes, and inadequate follow-up when problems were noted.

• When internal audit programs are focused on discrete audits of specific activities within the same business unit, geographic area, or business entity, the auditors may fail to understand the business process. If an audit can follow processes and functions from beginning to end, e.g., follow a single transaction from point of initiation to financial reporting, the auditor gains a better understanding of the business process and can verify and test the adequacy of controls at each step of the process.

• When internal audit staff have inadequate knowledge and training in trading and markets, electronic information systems, or other highly sophisticated areas, they often may fail to ask needed questions or accept on faith answers they do not truly understand.

• When management does not accept the role and importance of internal audit, it often fails to follow up on problems identified by auditors or institute effective tracking systems to ensure deficiencies are corrected.

The existence of these and other red flags may indicate anything from outright corruption to simple carelessness. In either case, the results can be potentially ruinous.