The Australian Financial Services Royal Commission has given enough food for thought for risk managers. It is still early days but what we heard during the first week of hearing is sufficient to question the efficacy of enterprise-wide risk management that ERM is supposed to manage.
Startling revelations by very senior executives drawn by the sharp line of questioning by the counsels assisting the commission are hard to believe. This is the same banking system that withstood the tailwinds of the global financial crisis in 2008.
Most banks have (or should have) elaborate risk management systems and quite rightly so. This may be the healthy clean-up the system needed before the public trust erodes further. Or is it just a slap on the wrist for banks? Is this a failure of the Australian banking system or a result of a good regulatory mechanism identifying impending problems well in advance? Can Sri Lanka claim such pre-emptive regulatory environment?
Notwithstanding these revelations, the Australian banks seem to have performed well against their overseas competitors. Measured risk taking is an integral part of banking and that has been done well by most of the Australian banks. Good regulations and effective regulators have, to a large extent, identified the problems in advance. The governments could and should protect the consumers by appointing good regulators.
It is similar in the US. For example, regulators put the expansion programs on hold till Wells Fargo got their act together. Hardly 10 years have passed since the global financial crisis, Wells Fargo, one of the most reputable banks, got into serious trouble. The sales practice investigation report concluded “senior management in the community bank had a deep-seated adherence to its sales model. The model generally called for significant annual growth in the number of products, such as checking accounts, savings accounts and credit cards, sold each year. Trends in the data show, perhaps not surprisingly, that as sales goals became harder to achieve, the number of allegations and terminations increased and the quality of accounts declined.”
Against this background the once-conservative banking sector in India is showing much worse problems. There appears to be a great deal of “masking” of the real issues over the years. Problems have been compounded for a long time. Now the very survival of some banks will depend on trillions of rupees of capital injection by the government – the taxpayer.
Recently, State Bank of India reported its first quarterly loss in 17 years. The bank reported bad debts of about Rs. 232 billion ($ 3.6 billion). There might be more to come. Other public sector banks are also not doing so well. Given the size of the banking sector and the challenges of effective regulation, reigning in this out of control banks is a politically sensitive issue. More government capital injection may be required as most of these banks belong to the “too big to fail” category. Are there lessons to be learnt for banks in Sri Lanka?
Risk management systems
Most banks in Australia and the US have sound risk management systems. They all recognise the importance of Enterprise Risk Management (ERM). So what has changed with the ever increasing velocity of change? Has the change created cracks within the risk management system? To put in context, however, the risk management systems and regulatory frameworks in Australia and the US seems to be addressing the key issues as opposed to emerging economies like India. But they are not failure proof especially in terms of conduct risk.
India, on the other hand, provides the software needed for overseas banks. Software giants like Tata, Infosys and Wipro have deployed their software professionals worldwide. Sophisticated banking systems have been developed and installed at reputed banks worldwide. Yet, the country is struggling to effectively regulate its own banks. The legacy banking systems are still in place and the risks are mounting at an alarming rate.
Conflicts of interest between the government of India and the regulator – Reserve Bank of India (RBI) seem to be a root cause. Political interference especially in large scale lending is said to be a major obstacle for prudent lending. According to the RBI Governor Dr. Urjith R. Patel, “The RBI’s legal powers to supervise and regulate Public Sector Banks (PSB’s) are also constrained - it cannot remove PSB directors or management, who are appointed by the government of India, nor can it force a merger or trigger the liquidation of a PSB; RBI has also limited legal authority to hold PSB Boards accountable regarding strategic direction, risk profiles, assessment of management, and compensation. Legal reforms are therefore highly desirable to empower the RBI to fully exercise the same responsibilities for PSBs as now apply to private banks, and to ensure a level playing field in supervisory enforcement.”
The “independence” of the RBI is in question. The result is a five-fold increase of non-performing assets from 2012 to 2017.
Recent events in Sri Lanka and subsequent statements by policymakers signal a questionable “independence” of the Central Bank. The well-publicised bond scam also add fuel to these suspicions. Are Sri Lankan public sector banks also sitting on large piles of non-performing loans?
One of the most effective risk identification techniques focuses on root cause analysis, which tells us why an event occurs. Identifying the root cause of a risk provides information about what triggers a loss and where an organisation is vulnerable. Once the root source of the resultant risk is understood, steps could be taken to most effectively mitigate such risk? However, identifying risk based on the effect or outcome often leads to ineffective mitigation activities.
Non-Performing Assets (NPAs) are the effect of a root cause. Therefore, analysing NPA’s will not yield the results required. It is the root cause analysis that will help mitigate risks. In the case of India, it appears the political interference in state-owned lending institutions seems to be at least one of the main root causes that had been ignored for decades. Consequently systemic failures of prudent lending practices have resulted in unacceptable levels of bad debts.
The accusations against the previous Governor are disturbing and the lack of action thus far undermines the regulatory authority and credibility.
Does regulation work?
When things go wrong, effectiveness of regulators are questioned. Media coverage of the financial services Royal Commission in Australia gives rise to questioning the efficacy of the role of regulators. While this is understandable, on the other hand, the Royal Commission can also be viewed as an integral part of the regulatory framework. That is, if the public feels that the financial institutions have failed them then the public hearing might provide the voice for the public and, moreover, the “required cleansing” of the system.
But there is no regulation with 100% proof. Trust cannot be replaced by regulation. Public disappointment in regulators is not justifiable. Regulators would not and should not analyse minute details of banking operations.
Australian regulators have done well to manage risks in general and the non-performing assets in particular. To put things in perspective, the non-performing assets in Australia have decreased markedly from 1992 – 2017 suggesting that lessons have been learnt from the Global Financial Crisis (GFC) and the Royal Commission may also act as a pre-emptive strike on regulatory compromise.
Given the size of the country and the distributed nature of the banking system, regulators in India, on the contrary, have a long way to go. And, as opposed to the regulators in Australia, regulators in India do not enjoy the regulatory independence. Public banks and the regulators have the same master, the government. Political interference and fraud appear to have robbed the independence of the Reserve Bank of India and it has become a toothless tiger.
Human side of
ERM processes and oversight structures, albeit essential, are only part of the overall risk management paradigm. Problems can continue to emerge when banks ignore to actively manage the staff attitudes and behaviours that are often beyond risk management systems. Risk management systems will be as good as the inputs and the staff that operate them. Moreover, attitudes and behaviours of frontline staff are the first line of defence against risks and often the input for the ERM models. Ethics, judgement, morals etc. of staff may even be more important than the risk models.
As the RBI Governor comments on the linkage between the Rs. 8.5 t-plus stressed assets and bank frauds, “In a number of large frauds, serious gaps in credit underwriting standards have been evident. These are exemplified by inflated cash flow projections, lack of continuous monitoring of cash flows, lack of security perfection and over valuation, gold plating of projects, diversion of funds, double financing and general credit governance issues in banks”. And, this is not much different to what the Royal Commission in Australia has found thus far.
Creating an effective risk culture and implementing a prudent risk conduct seem to be of paramount importance. Within this risk culture, the human decisions that govern the day-to-day activities of every organisation are made; even decisions that are small and seemingly irrelevant can be critical. Having a strong risk culture do not necessarily mean taking less risk but taking risks with appropriate awareness and measurement. Companies with the most effective risk cultures might, in fact, take a lot of risk, acquiring new businesses, entering new markets, and investing in organic growth. An effective risk culture will give risk insight and foresight to gain a competitive advantage over the competitors with poor risk cultures. Those with an ineffective risk culture might be taking too little risk and thus achieve too little gain.
It is unlikely that any program will completely safeguard a company against unforeseen events or bad actors. It is possible to create a culture that makes it harder for an event or an offender to put the company at risk. Good ERM systems will provide the information to act upon and if the risk culture is appropriate then quick response to events is likely. If the company has a culture that acknowledges risk and resultant damage, then it is highly likely to act quickly. However, in some instances the poor conduct (conduct risk) become the obstacle.
To instil a certain level of confidence among managers to acknowledge risks is important, especially to the point of discussing them internally, as well as with shareholders or even regulators. Transparency and collaboration are the keys to avoid hidden risk clusters.
The cultural differences between companies that instil a good risk culture and those that do not are quite stark. In most cases, whether in Australia, US or India it appears that unacceptable ethics, morals and judgement of staff had been a root cause. In summary, the poor conduct has been a major contributor to massive risks and resultant losses. Therefore, embedding correct ethical, moral and disclosure practices in the recruitment and talent development process is crucial to avoid costly mistakes. An appropriate risk culture should be an integral part of the corporate culture. Risk culture should be embedded in the human resources culture. Each staff member should be aware of their own and organisation-wide reputational position and risk DNA. Are there lessons to be learnt for financial institutions in Sri Lanka?
(The writer is Director, Agape International, Sydney, and finance and risk management academic at the Sydney Business School of the University of Wollongong. He can be reached via firstname.lastname@example.org.)