Two high profile banking scandals have many companies rethinking their policies and cultural attitudes about regulatory compliance and risk mitigation.
The most recent scandal has hit particularly close to home at Wachovia, one of the largest banks in the United States. Wachovia bank executives are accused of collaborating with fraudulent telemarketing companies that siphoned cash from unsuspecting customers’ accounts.
Wachovia officials were initially accused of allowing criminal telemarketers to use Wachovia’s bank accounts to steal millions of dollars from customer accounts, many of them belonging to elderly customers. But documents revealed in early February in a lawsuit against Wachovia provided evidence that bank officials were not only aware of the illegal scams, but knowingly contracted with the fraudulent telemarketing companies.
The Wachovia case surfaced close on the heels of the rogue trader debacle at Société Générale, one of France’s largest financial institutions, which caused the bank to lose $7.2 billion in investor funds.
In the case of Société Générale, a low-level trader, Jérôme Kerviel, pulled simple tricks like forging emails to hide illegal trades that for a time earned the bank tremendous profits, but which eventually landed Société Générale deep in the red.
It’s still unclear if others in the bank knew about Kerviel’s scam, though he has claimed in statements to investigators that it’s impossible his managers didn’t know what was happening, given the level of risk, and the amount of cash, involved in his trades.
While miles apart in their strategies and undertakings, the scandals at Société Générale and Wachovia do bear some similarities.
Both were perpetrated inside the four walls of the financial institution; both required knowledge of the respective bank’s policies and mechanisms to override those policies and procedures; and either the risk mitigation and compliance processes in place were fundamentally broken, or those processes didn’t exist in the first place.
Financial institutions are, according to industry watchers, among the most sophisticated users of GRC [governance, risk and compliance] software in the world. They are widely considered to be far more mature in their risk mitigation and compliance controls than companies in other industries.
Yet, according to a study released Jan. 18 by Deloitte, the majority of direct compliance spending in the nation’s top banks, 60 percent, went to compensate staff, while only 18 percent went to capital expenses, mainly IT systems, hardware and software.
Software is only one part of a GRC strategy
“Spending money on people and not systems, that’s partly due to the fact that it’s hard to get an investment on systems [without] a demonstrated return on investment,” said Jeremy Roche, CEO of Coda, which develops financial accounting, analytics and GRC software for the financial services industry. “The thing about properly designed [GRC] systems is that once they’re designed, they don’t make mistakes. People make mistakes.”
The Deloitte study found that, although the financial costs of compliance have been significant, the tendency for banks has been to respond by adding people rather than technology to manage compliance.
While banks have made “considerable progress” in integrating compliance management across the different parts of their business, there’s still a lot of fragmentation and duplication of effort, according to Deloitte. About 30 percent of the respondents to Deloitte’s study said that duplication had actually increased rather than decreased.
One reason compliance efforts are being duplicated is that initiatives are often managed on a case-by-case basis, driven by a specific (and looming) regulation, an approach that leads to siloed initiatives.
At the same time, companies struggle with implementing a concise, organization-wide GRC strategy because of the people issue, according to Narina Sippy, senior vice president and general manager of SAP AG’s GRC group.
“Software and technology in general is really only as good as the people who use them, and as good or strong as the corporate commitment and the cultural willingness to embrace the technology that is put in place,” said Sippy. “Sometimes it’s change management [issues], sometimes it’s cultural. If those are not aligned, the software is not going to be as effective as it could be.”
Sippy said that while software has a big role to play in the GRC field, it’s only one of the factors. “We’re starting to see some changes. In the last six months or so there’s been a slight shift in how companies are looking at GRC in their organization,” she said. “Up until not too long ago, and it was pretty rampant, companies were managing whatever regulation they were facing at the time. An integrated approach is what’s really missing today. By having isolated controls, it really leads to corporations being vulnerable.”
Chris Capdevila, vice president of Application Strategy at Oracle, said that GRC maturity and evolution really involves several pillars: organizational, cultural and processes.
The organizational layer, where the decisions are made to determine controls, is where a lot of companies struggle. “A lot of companies moving up in maturity are dealing with organizational issues, sending up a chief risk officer or a chief strategy officer,” he said. “Historically audit [function] was looked down on. Now audit has seen more prominence, in a lot of cases reporting directly to the board. There are different ways of dealing with the organizational issue,” Capdevila said.
Richard Speer, CEO of Speer & Associates, a strategic planning and risk mitigation consulting company for the banking industry, said that most financial institutions want to understand what their risk exposure is on an ongoing basis. But the fact is that most don’t have any particular knowledge of what is going on day-to-day in a particular business unit.
“Our clients are saying ‘are there any managerial weaknesses that could create something like Société Générale?’ But because Société Générale is still unfolding we’re still unclear on all the lessons,” he said. “But all the sudden everyone is much, much more interested in GRC than when it’s an abstract.”