James Vanasek, former chief risk officer, Washington Mutual Bank, left, looks on, as Randy Melby, former general auditor, Washington Mutual Bank, center, confers with his attorney. (AP Photo/Cliff Owen)

Banking is a balancing act between risk analysis and sales: if the risk managers are in charge, the bank won't do any business; if the salesmen are in charge, it will go bankrupt. The challenge of governance is to strike the right balance between the two.

The global financial crisis showed that this felicitous balance was not always struck. In too many cases, banks failed because risk managers were ignored; in too few cases, senior managers asked the right questions and, unconvinced by the responses, limited exposures to complex, opaque financial instruments. This raises, I think, a pretty basic question about governance: if the people who were supposed to be making informed decisions about their institutions' risk tolerance didn't understand the products they were putting into their portfolios, how would they know that they were adequately provisioned and their balance sheets protected against adverse outcomes?

In a sense, the global financial crisis was a crisis of governance.

Good governance should have ensured that strong internal risk management systems, designed to assess risks and take mitigating action against them, were in place. Such systems would encompass a series of measures starting with an internal risk management group whose job it would be to identify potential risks and assess the effectiveness of existing corporate controls. Where existing measures are inadequate, the risk management group should recommend ways to strengthen such measures to enhance their effectiveness. The next line of defence is the internal audit function, which serves to verify that existing risk management controls are, in fact, being followed.

Both the risk management and internal audit functions should have some degree of independence. But to do their jobs effectively, these groups need access to the full information set of the bank; it wouldn’t be realistic to assume that this would be the case if they were wholly independent. As a result, there is a tension between effectiveness and independence. This isn’t the case with respect to the third line of defence — the external auditors. Fundamentally, the role of the external auditors is to provide an independent verification of the bank’s financial statements and, importantly, to identify potential sources of material weaknesses that could threaten the bank’s solvency.

In the wake of the Enron debacle, it was pretty clear that the firm’s external auditors did not fulfill these responsibilities. This lapse represented a huge failure of governance. The same, however, can’t be said in the case of the global financial crisis. The origins of the crisis can be traced to a number of sources — both micro and macro — but it is fair to say that, apart from a few individual cases, blame can’t be assigned to the external audit function. I think it more likely that the corporate governance failures of the crisis occurred at the final line of defence, to whom the external auditors report: the board of directors and, specifically, audit committees.

A well-functioning board governance structure would have independently minded board members providing two key functions. First, the board should clearly identify a risk tolerance for the bank that shareholders are prepared to accept and that is consistent with regulatory and fiduciary obligations to depositors. In turn, this risk appetite or tolerance would be communicated to shareholders so that the relationship between risk and return is clear. This risk appetite then establishes the metric against which the internal risk management and audit groups operate. The second role of the board is to provide a sober second thought and challenge function for these earlier lines of defence. It may be apocryphal, but one particularly well-managed Canadian bank is reputed to have avoided the toxic assets that so many American, British and European banks soaked up prior to the crisis because its CEO refused to acquire complex, opaque instruments that he couldn’t explain to his mother.

Surprisingly, in the wake of the crisis, the international regulatory response largely ignored issues of governance. The focus has been on strengthening the regulatory requirements for liquidity and reserves. These are important initiatives, to be sure; but if that felicitous balance between sales and risk management internal to the bank hasn’t been achieved, these regulations are likely to be the financial sector equivalent of the Maginot line — outwardly impressive, but of little strategic value. This (excessively harsh and not wholly accurate) assessment reflects the fact that financial markets are inherently dynamic and constantly evolving — innovating new instruments to package and repackage risk. In contrast, unless regulators are given constrained discretion to adjust regulatory frameworks in response to the evolution in the marketplace, regulations will be inherently static. In a sense, regulators might be generals fighting the last war.

Absent better corporate governance that clearly manages and mitigates risk, the problems that led to the global financial crisis will re-emerge, albeit in another guise. It is noteworthy, therefore, that last year the Financial Stability Board (FSB) issued a Consultative Document on “Principles for an Effective Risk Appetite Framework.” The document identifies best practice for determining risk appetite and, importantly, spells out roles and responsibilities for the effective management and mitigation of risk. The adoption of this best practice and the faithful execution of these roles and responsibilities would do much to reduce the threat of a systemic financial collapse, such as the dégringolade experienced in the autumn of 2008, reducing the need for the extraordinary measures taken to preserve global stability. But, there is a tension: if bank officers, thinking their institution too big to fail, ignore these practices and shirk these responsibilities in anticipation of rescue, the threat remains. They might once again gamble that the risk they take on their balance sheets can be laid off to the taxpayer in a “heads I win; tails you lose” gambit. 

In the new age of uncertainty, this underscores the need for credible, effective mechanisms to resolve financial institutions in a timely, orderly manner.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.