Chapter 14 Good Governance and Commercial Banks
- International Monetary Fund
- Published Date:
- August 1999
Corporate governance makes headlines when things go wrong. The collapse of Barings, billion-dollar-plus trading losses at Daiwa Bank and Sumitomo Corporation, embarrassing and costly litigation and regulatory sanctions over derivatives sales practices at Bankers Trust, and other highly publicized cases have raised questions about the adequacy of corporate governance in international financial and other institutions. Given the geographic scope and product complexity of today’s financial markets, some have even wondered whether “good” governance is truly achievable in a global banking or other financial institution.
In examining the root causes of well-publicized losses at Barings, Daiwa, and others, we can take some perverse comfort from the fact that all derived from violations of fundamental, managerial principles of control, such as those dealing with the recording of all trading positions and the adequate separation of duties. As stated in the Report of the (U.K.) Board of Banking Supervision on its inquiry into the collapse of Barings, “the failings at Barings were not a consequence of the complexity of the business, but were primarily a failure on the part of a number of individuals to do their jobs properly.”1
However, the use of futures and options contracts allowed Mr. Leeson of Barings to take much greater levels of risk, through the leverage involved in these instruments, than might have been the case in other markets. It took Mr. Iguchi of Daiwa almost ten years to lose $1 billion in unauthorized government bond trading. In less than two months’ time, Mr. Leeson was able to expand Barings’ losses from $374 million to $2.2 billion in his unauthorized trading of Nikkei futures and options and Japanese Government Bond futures. Although the fundamentals of good governance may not have changed, global markets and increasingly innovative and complex financial instruments not only make it more difficult to ensure such principles are adhered to throughout a large international organization but also greatly magnify the speed and costs of failure. The punishments for bad governance, as we have seen, can now be amazingly swift and severe.
The financial sector worldwide seems committed to creating ever larger organizations through merger and consolidation and to becoming more dispersed and complex organizations through combining the different products, delivery systems, and cultures of commercial banking, investment banking, securities brokerage, futures and options, life and casualty insurance, mutual fund and asset management services into universal banking or financial conglomerate structures. The challenge for those who govern these enterprises—and for those who regulate and supervise them—is to ensure that the basic tools of good governance—board of directors’ oversight and strategic direction, management internal controls, internal and external audit, corporate compliance, and regulatory surveillance and inspection—expand and adapt to ensure these enterprises continue to operate within a sound control environment.
What Is Meant By “Good Governance”
Good governance cannot be defined in isolation. It can only be understood in the context of the various constituencies it is meant to serve and their expectations.
Customers, counterparties, and others with whom an enterprise does business generally define good governance in terms of efficiency and quality—a well-governed enterprise is one that provides efficient, high quality services and products in a timely manner. For example, though the public administration of former Mayor William J. Daley of Chicago in the 1950s and 1960s would have been cited in very few textbooks as an example of good governance, it met the voters’ expectations of city government by “making the trains run on time.” Customers are thus highly results-oriented in their view of good governance.
Those who work within an organization tend to evaluate good governance on two fronts—job and personal satisfaction. Is management giving me all the tools and support that I need to do my job efficiently and well? Is management treating me fairly and objectively when it comes to such personal matters as salary, bonuses, benefits, and advancement, and does it seek to ensure that I work in a professional environment free from harassment, discrimination, and other forms of personal abuse? Internal constituencies thus tend to be more oriented toward management culture in their assessment of whether they are being well-governed.
Shareholders, which increasingly means institutional investors and securities analysts, evaluate good governance in terms of shareholder value and corporate opportunities. A well-run organization is one that continually seeks to enhance shareholder value, consistently meets earnings projections, and evaluates corporate opportunities in terms of the benefits to shareholders. Thus, a well-governed board of directors will have a substantial number of outside directors to ensure, for example, that proposed takeovers or mergers of the company are fairly considered in terms of the maximization of value to the shareholder in a sale of corporate control. From a shareholder’s perspective, good governance centers on enhancing enterprise value.
Creditors, including banks, depositors, bond holders, analysts, and rating agencies, tend to view good governance in terms of an organization’s ability to meet and service its debt obligations. Good governance means having in place structures designed to provide such constituency with extensive, accurate, reliable, and timely financial information that enables creditors to evaluate regularly the likelihood of repayment of their loans or other credits when due at the negotiated terms. This constituency places its greatest reliance on financial reporting systems and their attendant controls.
The government, here broadly defined, defines good governance in terms of compliance with laws and regulations, from everything to paying the amount of taxes due on time to establishing compliance mechanisms to prevent criminal activity or fraud within the organization. In a very real sense, government is not necessarily concerned with whether an enterprise succeeds or fails, but whether it meets all of its legal responsibilities as a corporate citizen. Compliance is the critical path to meeting government expectations.
Finally, in the case of the banking industry (and certain other financial industries), regulatory and supervisory agencies, whether central banks, ministry departments or divisions, independent agencies or government deposit insurers, have their own concept of what constitutes good governance from a safety and soundness standpoint. Regulatory expectations of good governance tend to encompass all of the expectations of the more narrow constituencies described above, as regulators are concerned not only with the viability of a particular bank but the impact of that viability as well on the financial system—locally, nationally, and globally. Regulators want governance that effectively manages all material risks confronting a banking organization, whether those risks come from without or within the organization, to ensure that the institution is operating in a safe or sound manner. Safety and soundness considerations require regulators to have the highest expectations that cut across all interests of the organization.
Good Governance and Commercial Banks
Today, the banking industry is becoming more dominated by institutions with assets approaching the half-trillion and even trillion dollar range. Such size, in and of itself, overwhelms earlier supervisory approaches based extensively on transaction testing by examiners or inspectors. Thus, in the United States, United Kingdom and, increasingly, in pronouncements of the Basle Banking Committee, we see an acceptance and acknowledgment that a “risk-based” approach to supervision is the most workable, efficient, and prudent in dealing with increasingly larger, more global banking organizations.
Under a risk-based or risk-focused approach to supervision, a supervisor focuses on a banking organization’s principal risks and its internal systems and processes for managing and controlling these risks. Less emphasis is placed on transaction review, except as a means of testing the effectiveness of critical management or control systems. This approach relies upon-and creates high expectations for corporate governance, since, at the end of the day, the supervisor is examining, from the top down, how a banking organization is governing itself. Substantial gaps or failures in that governance thus become the focus of supervisory criticisms and enforcement measures, since regulators rightly perceive that such gaps or failures, especially in huge global organizations, can produce the next Barings, Daiwa, or even worse situation from a systemic standpoint.
The regulator’s view of corporate governance is functionally oriented—does the organization have in place the necessary systems and processes for managing and controlling the principal risks of its business? When regulators talk about good governance, they thus usually mean “risk management” in its broadest sense. In this regard, in recent years, a number of sound practice statements issued by the Basle Banking Committee, the International Organization of Securities Commissions (IOSCO), the Group of Thirty, and individual bank supervisors have emphasized the same “risk management” or “good governance” fundamentals for financial institutions:
Active oversight by the institution’s board of directors (or other governing body)
Clear policies, procedures, and lines of authority
Independent risk management units
Comprehensive risk measurement and reporting systems
Comprehensive internal controls and procedures
Each of these elements is equally important to establishing good governance.
The Role of the Board of Directors
In 1992, Price Waterhouse was one of four sponsors of a study by Oxford Analytica of corporate governance and the role of the board of directors in the Group of Seven (G-7) countries in the decade ahead.2 The study indicated that there would be a number of keynotes of change in corporate governance across the G-7, including trends toward
an enhanced role for the board in strategic direction,
a higher degree of professionalism,
the strictest of ethical standards,
increased familiarity with international markets, and
increased reliance on independent external consulting and support services.
Principle 1: The board of directors should have responsibility for approving strategies and policies; understanding the risks run by the bank, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, monitor and control these risks; approving the organizational structure; and ensuring that senior management is monitoring the effectiveness of the internal control system.
Principle 3: The board of directors [and senior management] are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls. All levels of personnel at a banking organization need to understand their role in the internal controls process and be fully engaged in the process.3
Although a board of directors is still expected to delegate the day-today routine of conducting the bank’s business to its officers and employees, regulators have been more forcefully educating the board that it cannot delegate its responsibility for the consequences of unsound or imprudent policies and practices, whether they involve lending, investing, protecting against internal fraud, or other banking activities. Accordingly, in its proposed Framework, the Basle Banking Committee emphasizes that the board “has the ultimate responsibility for ensuring that an adequate system of internal controls is established and maintained.”4
To provide effective strategic direction and oversight, a board must be able to exercise independent judgment when managing the bank’s affairs. Boards that merely rubber-stamp management’s recommendations or that are unduly influenced by a single, powerful shareholder or related group of directors are not sufficiently independent to meet their responsibilities. There has thus been a trend toward requiring the election or appointment of more outside directors on the board, who are not part of management and have no family or related ownership interest in the institution. In particular, it is viewed as increasingly important that a bank’s Audit Committee be composed entirely of outside directors. In the United States, the Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”) requires that all audit committee members of large banks (assets of greater than $500 million) be outside directors who are “independent of management.” The United Kingdom’s Cadbury Committee also recommended that audit committees be comprised of nonexecutive directors, with the majority independent of the company. The Basle Banking Committee’s recent Framework also implicitly endorses the benefits of having an independent audit committee “overseeing the financial reporting process and the internal control system.”5
Bank supervisors will thus seek to determine whether, in fact, a bank’s board is independent and is meeting its responsibilities set forth above for setting the bank’s strategic direction and for ensuring that the bank has established an adequate system of internal controls for managing its risks. As part of this evaluation of the board’s role, a bank supervisor will review the adequacy of Management Information Systems (“MIS”), which provide the board and its audit or other committees with the information they need to perform their oversight role. In this regard, the bank’s risk control function should periodically provide the board with “useable” information illustrating exposure trends, the adequacy of compliance with policies and procedures and risk limits and risk/return performance. The U.S. Office of the Comptroller of the Currency (OCC) has indicated that to be truly “useable” to board members, MIS must usually incorporate five (5) basic elements:
Timeliness—information is retrieved quickly.
Accuracy—there are adequate controls on information system processing.
Consistency—in data collection and processing.
Completeness—sufficient information is provided without creating data overload.
Relevance—the information is appropriate to support the board/management level using it.
In sum, good governance by a bank’s board requires independence, high ethical standards, knowledge of the bank’s business and the markets in which it operates, strategic direction, and effective oversight of the establishment and implementation by management of a sound internal system of controls, policies, procedures, and limits for managing all material risks.
The Role of Senior Management
Both the board of directors and senior management have important roles in a bank’s program of internal control and internal audit. Although the board of directors has overall audit responsibility and should require that the auditor report directly to it, senior management normally is charged with the duty of maintaining a strong system of internal control.
Perhaps the most ambitious attempt to define what is meant by management’s responsibility for “internal control” is the 1992 report of the Committee of Sponsoring Organizations of the 1987 Treadway Commission (COSO) on Internal Control—Integrated Framework. The COSO Report grew out of the work of the Treadway Commission, which was formed in 1985 to study the financial reporting system in the United States, with a mission to identify causal factors that can lead to fraudulent financial reporting and steps to reduce its incidence. The purposes of the COSO Report were (i) to establish a common definition of internal control that serves the needs of many different parties and (ii) to provide a broad standard framework against which business entities can assess the effectiveness of their internal control systems.
Internal control is defined in the COSO Report as follows.
Internal control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations.
The Report states that this definition reflects certain fundamental concepts.
Internal control is a process. It’s a means to an end not an end itself.
Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
Internal control can only be expected to provide reasonable assurance, not absolute assurance, to an entity’s management and board.
Internal control is geared to the achievement of objectives in one or more separate or overlapping categories.
The broad concepts outlined in the COSO Report provide an important framework for determining good governance by the senior management of a bank. However, the COSO Report defines internal control in terms of the expectations of traditional corporate constituencies discussed previously—customers (effective and efficient operations), employees (internal control culture), shareholders and creditors (financial reporting), and government (compliance with laws and regulations). Bank regulators and supervisors add one more comprehensive objective to the internal control process—safe and sound operation. Thus, from a supervisory perspective, internal controls should be designed not only to ensure achievement of organizational goals and objectives—such as profitability targets expected by shareholders and securities analysts and accurate financials expected by creditors but also prudential goals of safe and sound operation. This expectation flows from the special status of banks as deposit-takers, payments system participants, and beneficiaries of special government privileges and protections, including, in many cases, government protection against, or assumption of, the costs of failure.
In its Internal Control Framework, the Basle Banking Committee takes this more expansive view of the internal control process at banking organizations. The Committee notes that the historical reasons for internal controls—to reduce instances of fraud, misappropriation, and errors—has “recently become more extensive, addressing all the various risks faced by banking organizations.”6 In doing so, the Committee defined internal control for banks as consisting of five interrelated elements:
management oversight and control culture,
information and communication, and
Noting that “problems observed in recent large losses at banks can be aligned with these five elements,”7 the Committee specifies a series of “shoulds” for senior management in each of these five areas.
Management Oversight and Control Culture. Senior management should
have responsibility for implementing strategic policies approved by the board, setting appropriate internal control policies and monitoring the effectiveness of the internal control system; and
with the board, be responsible for promoting high ethical and integrity standards and for establishing a culture that emphasizes and demonstrates the importance of internal controls.
Risk Assessment. Senior management should
be assessing the full range of external and internal risks that could adversely impact a bank, including credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, and reputational risk; and
be continually evaluating a bank’s strategies and objectives to address any new or previously uncontrolled risks.
Control Activities. Senior management should
set up an appropriate control structure to ensure effective internal controls at every business level, including top level reviews, appropriate activity controls for different business units, physical controls, periodic checking for compliance with exposure limits, a system of approvals and authorizations, and a system of verification and reconciliation; and ensure that there is appropriate segregation of duties and avoidance of conflicting responsibilities.
Information and Communication. Senior management should
ensure that there are adequate and comprehensive internal financial, operational, and compliance data and external market data relevant to decision making;
establish effective channels of communication to ensure that all staff are fully aware of policies and procedures affecting their duties and responsibilities; and
ensure that appropriate information systems are in place that cover all activities and that they are secure and periodically tested.
Monitoring Activities. Senior management should
continually monitor the overall effectiveness of the bank’s internal controls and monitor key risks in daily operations;
ensure that there is a well-trained and competent internal audit function, which reports directly to the board or its audit committee, and which conducts an effective and comprehensive audit of the internal control system;
ensure that internal control deficiencies are reported in a timely manner to the appropriate management level, with material deficiencies being reported directly to senior management and the board, and that they are addressed promptly; and
establish a system to track identified internal control weaknesses and the actions taken to rectify them.
Red Flags of Bad Governance
While it is of critical importance to define the elements of “good governance” at commercial banks, it is equally, and perhaps more, important to identify those elements of “bad governance” that are likely to lead to significant losses or even failure. When these governance “red flags” pop up during internal or external audits or bank inspections or examinations, bank supervisors need to respond promptly to ensure they do not evidence deeper governance or control problems within the banking institution.
Again, the Basle Banking Committee, in its proposed Internal Control Framework, has provided some useful examples of control failures that have resulted in significant losses at banks and should thus be on the “red flag” list of any bank supervisor.
A culture that rewards managers who generate profits but fail to implement internal control policies or address problems identified by internal audit. Under these systems, today’s star performer can be tomorrow’s Nick Leeson.
An organizational structure in which accountabilities are not clearly defined, resulting in one or more divisions or business units not being directly accountable to anyone in senior management and not being monitored by anyone in line management. As banking organizations approach Leviathan sizes and incorporate a host of different business and national cultures in their product and geographic diversification, the odds of the ungoverned unit would appear to increase substantially.
An attraction to high-yielding loans, investments, or derivatives unsupported by a commitment to enhanced risk assessment. Higher returns have to be balanced with a more rigorous assessment of the attendant higher risks.
A lemming-like expansion into new products or business lines without an effective process for assessing, managing, and controlling the new risks involved.
A failure to observe basic control requirements for the segregation of duties. The Basle Banking Committee found this to be the most frequently overlooked control principle in banks that experienced significant problems from internal control failures. Even the most trusted employee should not be supervising the front and back offices of a trading desk.
A consistent tendency of top management not to follow up on internal reports indicating anomalous results in divisions or units. This can take the form of not exploring too deeply extraordinary profits—the good news syndrome—or not following up on unanticipated losses—the bad news syndrome.
A poor MIS that provides management with incorrect or incomplete information. For example, incorrect data from outside sources may be used to value positions and reports may fail to include potentially high-risk activities.
An inadequate system for communicating employees’ duties and control responsibilities or for disseminating policies. For example, policies communicated through e-mail are often not read or retained—a result that should not surprise anyone who may have to parse through scores of e-mail messages in any given day.
An absence of effective monitoring usually evidenced by a failure to consider and react to daily information provided to line management indicating unusual activity, such as exceeded exposure limits, customer accounts in proprietary business activities, or lack of current financial statements from borrowers. The Basle Banking Committee noted that in one bank, losses concealed in a fictitious account may have been uncovered if the bank had a procedure requiring that customer statements be mailed on a monthly basis and that customer accounts be periodically confirmed.
A lack of additional resources to control or monitor high-risk activities. The paradox in organizations that suffered significant losses was that higher-risk activities received less oversight than lower-risk activities.
An ineffective system of internal audit usually characterized by a combination of three factors: the performance of piecemeal or fragmented audits, the lack of a thorough understanding of the business processes, and inadequate follow-up when problems were noted.
When internal audit programs are focused on discrete audits of specific activities within the same business unit, geographic area, or business entity, the auditors may fail to understand the business process. If an audit can follow processes and functions from beginning to end, e.g., follow a single transaction from point of initiation to financial reporting, the auditor gains a better understanding of the business process and can verify and test the adequacy of controls at each step of the process.
When internal audit staff have inadequate knowledge and training in trading and markets, electronic information systems, or other highly sophisticated areas, they often may fail to ask needed questions or accept on faith answers they do not truly understand.
When management does not accept the role and importance of internal audit, it often fails to follow up on problems identified by auditors or institute effective tracking systems to ensure deficiencies are corrected.
The existence of these and other red flags may indicate anything from outright corruption to simple carelessness. In either case, the results can be potentially ruinous.
The elements of good governance cannot be found in secret formulas, complex structures, or magic bullets. They are based on long-standing and well-tested principles of enterprise direction, management, and control. But if God is in the details, then so too is good governance. As the world’s banking institutions get ever larger and more diverse, the details of corporate governance become ever more important to institutional and systemic soundness.
Report of the Board of Banking Supervision Inquiry Into The Circumstances of the Collapse of Barings, July 18, 1995, at 250.
Oxford Analytica Limited, “Board of Directors and Corporate Governance: Trends in the G7 Countries Over the Next Ten Years,” prepared for Russell Reynolds Associates, Price Waterhouse, Goldman Sachs International Ltd., and Gibson, Dunn & Crutcher (1992).
Basle Committee on Banking Supervision, Framework for the Evaluation of Internal Control Systems (January 1998) at 10.
Id. at page 11.
Id. at 10.