Ramesh S Arunachalam
The importance of having properly functioning (effectively implemented) internal control systems[i] at investment and commercial banks and other financial intermediaries needs to be strongly emphasized, especially in the context of what happened in the lead up to the 2008 financial crisis. In fact, self-regulation, as a much touted and effective mechanism, miserably failed primarily because ‘internal controls’ were either absent or compromised at the major investment/commercial banks and financial intermediaries concerned (FCIC Report, 2011).
While specific examples of such internal control failures will be dealt with in a separate post, this one (in a series of posts) takes a look at such control systems and provides practical (starter) suggestions to investment/commercial banks/financial intermediaries[ii], regulators, policy makers, and other stakeholders on how (best) to structure such systems so as to achieve the goal of accountable and responsible operations in real time.
Having said that, let us now move on to substantive issues related to the control system.
The formality of any control system will depend largely on an INSTITUTION’s size, the scale and complexity of its operations, its risk profile and so on. Less formal/structured internal control systems at smaller INSTITUTIONS can be as effective as highly formal/structured internal control systems at larger (and complexly structured) INSTITUTIONS. But the key is that every ‘INSTITUTION’ should have an internal control system, this system should be commensurate with the size, scale and complexity of its operations and most importantly, the system should actually work on the ground in real time.
Many of the problems with investment/commercial banks/financial intermediaries[iii] could have (perhaps) been avoided in the lead up to the 2008 financial crisis, if and only if, the concerned INSTITUTIONS had an effective and appropriate internal control system operational in the first place—one that did not merely exist on paper but was rather implemented in reality. This is something that the concerned INSTITUTIONS (be it investment/commercial banks/financial intermediaries) will have to self-assess, with regard to their respective organizations and bring about the necessary changes. Regulators/supervisors and other stakeholders could also enable these INSTITUTIONS to assess the quality[iv] of their control systems and make the necessary changes.
That said, what then are the key components of such a system?
In my opinion, an effective control system (at any INSTITUTION) should have five key elements:
a) An appropriate control environment,
b) Supported by a proper risk management system,
c) With control activities commensurate with the size, scale and complexity of operations,
d) Aided by a transparent and accurate accounting, information, and communication system, and
e) Backed by dispassionate, objective and independent self-assessment/monitoring.
Having set the context, let us now look at what each of these elements mean in reality through a series of posts. And in this first post, I focus on the strategic element of the “appropriate control environment”, an issue that is seldom thought about in practice but one that I believe is very (if not most) crucial to the long-term survival of the INSTITUTION.
Why should each and every INSTITUTION have an appropriate control environment?
This is because the control environment is the foundation on which the institution’s control system is (to be) built. Basically, it reflects the board’s[v] (and also senior management’s) commitment to strong and effective internal control at the INSTITUTION. In other words, it provides the discipline and structure to the entire (internal) control system. Without this commitment by the board of directors (and senior management) to strong and effective controls, no (internal) control system (however well designed and structured) can actually work on the ground. And this commitment must clearly be visible throughout the INSTITUTION—for all staff to see and emulate. Let us be clear on that as otherwise accountable and responsible operations can never be the order of the day! Just look at the 2008 financial crisis which is replete with examples where board and senior management themselves showed scant respect for the control system that was (to be) in place at their INSTITUTIONS. They were equally guilty of ‘control system’ breaches due to their aggressive risk posture (s) caused by a compensation system that hugely rewarded short terms gains, when the risks were in fact medium to long term.
And who has to play a crucial role in establishing this at an INSTITUTION?
At a very basic level, it is an INSTITUTION’s board of directors (perhaps along with and through senior management) who must assume responsibility for establishing and maintaining an effective internal control system that: a) meets statutory and regulatory requirements (if any); b) protects the INSTITUTION, its assets, operations, investors and other stakeholders; and c) responds to changes in the INSTITUTION’s environmental conditions. They need to ensure that the control system operates as it is intended to and is also modified (appropriately) when circumstances so dictate. Again, there are so many examples from the 2008 financial crisis that tell us that at many so called big and supposedly well run INSTITUTIONS in the United States, this sadly did NOT happen! And in India, the case of the erstwhile SATYAM COMPUTER’s is a great example where highly reputed independent directors[vi] merely sat on the board, watching the fraud that was being perpetuated by the founder promoter[vii]
And for discharging the above duties, the board of directors must fully understand the risks that the INSTITUTION could face, set the acceptable limits for these risks, and ensure that senior management takes the steps necessary to identify, monitor and control these risks. In turn, the senior management must then take the responsibility to implement the strategies approved by the board, to set appropriate internal control process/procedures, and to monitor the effectiveness of these process/procedures. There can be no substitute for this. And not to sound like a broken record but the fact of the matter is that this did not happen in the lead up to the 2008 financial crisis at many of the big institutions!
This makes it quite clear where the main responsibility for control rests and that is fairly and squarely on the strategic shoulders of the INSTITUTION’s board of directors (along with the senior management)—not on the compliance and audit departments. Please note this critical issue. However, having said that, everyone in an institution should share the responsibility to some extent and that is where the board (through the senior management) must play a catalytic role in shaping a positive control culture throughout the entire organization so that all stakeholders within the INSTITUTION respect the control system and act in accordance with it. Thus, a key task for the board (through senior management) is to establish the right culture within the INSTITUTION—a culture in which the importance of internal controls is STRONGLY stressed, and high ethical and integrity standards are promoted and adhered to. And this culture cannot be determined simply by what the board or top levels of management (merely) say in their policy pronouncements - it will have to be judged more importantly by what they (actually) do in real time?
For example, do the INSTITUTION’s policies (remuneration etc) reward risk-taking at the expense of accountable and responsible operations? For example, the pressure (at INSTITUTIONs) to achieve faster growth through highly innovative financial products have been known to be associated with remuneration policies that reward (immense) short term risk taking by individuals within INSTITUTIONs. And a related issue here is the question of whether the board/senior management displays a casual attitude towards breaches of (control) limits? Do they encourage the right attitude towards regulatory and/or control system compliance? Is there backing and respect at board/senior management levels for the internal audit and compliance functions?
Thus, the response of the board/senior management of the INSTITUTION to these kinds of issues will clearly determine how other staff (at the INSTITUTION) actually behave in practice, including their attitude to control issues and the overall control environment. This point needs emphasis here! If the board and senior management are casual towards control system breaches, then, managers and others down the line will behave in a similar or worse fashion, showing total disregard for control system limits. This is what happened at many big institutions in the 2008 financial crisis!
In summary, it is the responsibility of the board (along with senior management) to see that there are no differences between policy statements and actual implementation with regard to controls. This will go a long way in building a positive control culture at the INSTITUTION, which is a very necessary and integral component for building a proper internal control system, which, in turn, is very vital for accountable and responsible operations in real time.
[i] The term control system is used synonymously with the word internal control system
[ii] The term INSTITUTION is used to refer to commercial banks, investment banks and other kinds of financial intermediaries, as defined in common parlance!
[iii] Please see FCIC Report (2008)
[iv] Judging the quality will require not merely the examination of whether or not an appropriate internal control system exists on paper but rather studying if indeed what is said on paper actually works on the ground. That is the key to making inferences about quality.
[v] Board = Board of Directors or Equivalent as may be as per the legal form of the institution as per the relevant laws in the country of incorporation.
[vi] A separate article on independent directors will be posted!
[vii] The first court pronounced the founder promoter of Satyam (Ramalinga Raju) guilty, in line with his own famous confession dated Jan 2009. An appeal court is said to have however suspended the sentence however but the case is on-going. Nevertheless, it must be remembered that the founder promoter (Ramalinga Raju) himself self confessed to perpetrating a major fraud at the erstwhile Satyam Computers.