
North Pointe. News

Global Financial Crisis, corporate governance and the three-lines-of-defense model

  • Dec 24, 2015

Since the Global Financial Crisis (GFC) of 2007–09, the design and implementation of internal control systems has attracted serious academic and professional attention. There has been little systematic analysis of how the design of an internal control system affects the efficiency and effectiveness of corporate governance processes, especially at financial institutions such as banks and insurance companies. The “three lines of defense model” has been used traditionally to model the interaction between corporate governance and internal control systems. This existing three-lines-of-defense model could be substantially enhanced by giving it a specific focus on the regulation of banks and insurance companies.

Building upon the concept of a “triangular” relationship between internal auditors, supervisors and external auditors, new responsibilities and relationships will enhance control systems. That said, there is a risk that new problems could be caused by inadequate information flows among those actors.

During the financial crisis, there was a need for better corporate governance reforms to reduce the risk of a repetition of a major financial crisis. In particular, the GFC has prompted renewed discussions of the importance of board-level procedural safeguards, including the introduction of legally binding rules to promote board-level risk management committees and the requirement that a chief risk officer (CRO) be appointed to improve board expertise regarding risk management issues.

The corporate governance procedures of financial institutions could be used to improve risk management. This could be done, for instance, by creating a board-level risk management committee; altering board member incentives through varying remuneration schemes; improving oversight; and imposing other substantive rules on compensation with the ultimate goal of promoting financial stability.

The guidelines issued by the Basel Committee on Banking Supervision (BCBS) in 2015 on corporate governance principles for banks emphasize the importance of proper risk management procedures, including, in particular, “an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board.” Furthermore, “the sophistication of the bank’s risk management and internal control infrastructure should keep pace with changes to the bank’s risk profile, to the external risk landscape and in industry practice” so as to identify, monitor and control risks on an ongoing bank-wide and individual-entity basis.

Such inadequacies include, in particular, “a lack of understanding of risks”, “a lack of authority […] to be able to curb activities of risk takers”, “a lack of expertise […] in risk management” and “a lack of real-time information on risks”. Consequently, the following recommendations can be considered with regard to risk management:

  • delineating board-level responsibilities;

  • creating a board-level risk supervision committee;

  • creating a position of chief risk management officer having familiarity with the “organizational complexity” of the relevant firm; and

  • increasing cooperation, not only between relevant supervisory authorities and boards of directors, but also between the risk supervision committee and other parts of the firm.

It follows from the above that internal control system reforms should accompany corporate governance reforms to ensure that banks enhance the quality of their risk-taking, either through curbing misaligned incentives or otherwise reducing the riskiness of business strategies. From this vantage point, the GFC showed that the weakness or ineffectiveness of such procedural safeguards was indeed significant.

It can be argued that the primary, if not the sole, justification for regulating internal control systems is to maximize the efficiency and effectiveness with which exposure to risk is managed. As far as internal control systems are concerned, efficiency includes, in my view, the way in which work is performed (in terms of qualifications, professionalism and resources), the model/structure underlying the parties involved in the process and the interaction between those parties.

Recent significant risk incidents and corporate scandals caused by misconduct in financial market operations indicate that banks need to further enhance corporate governance measures. This calls for closer cooperation between regulators and external and internal auditors, so as to win back public trust in financial institutions.

Ineffective internal control systems in financial institutions were also significant factors in several recent incidents of fraud: for example, at Société Générale in 2008 and at Bank of Switzerland in 2011, and at a number of global financial institutions with respect to the more recently exposed Libor rate-rigging and foreign exchange rate-fixing. Those events served to remind us that the interconnectedness of financial market participants could amplify shocks and potentially lead to a collapse of the financial system. A lack of public confidence triggered by behavioral scandals could eventually deter the public from using the financial system, thus undermining the stability and integrity of the economy at large. Behavior and culture at banks have never been so high a priority on the agenda of regulatory agencies worldwide, as shown by the introduction of the “Volcker Rule” in the United States, the move to a Banking Union in the European Union (EU) and initiatives aimed at establishing an Asia-Pacific financial market.

To prevent a fraudulent scenario from playing out and, once again, to address public concerns related to the integrity of financial markets, regulators are approaching internal governance shortcomings with a sharper focus on systemic implications. That said, this subject revolves around the efficiency of internal control systems as an essential component of corporate governance and, in my eyes, boils down to a model stipulating the role played by the various parties involved in the internal control system.

In the financial industry, a de facto regulated sector, internal auditors, supervisors and external auditors are asked to carry out their duties in similar and closely related areas, although each of them has a slightly different focus (e.g. internal auditors focus on effectiveness and efficiency of operations, supervisors on supervisory issues, etc.).

Let’s briefly analyze how this played out with recent global events:

In Germany, Europe’s strongest economy, exports fell 5.2% in August from the previous month, the Federal Statistics Office in Wiesbaden announced.

In the U.K., where growth had been outstripping most of the rest of the developed world, recent data shows output in Britain’s construction sector plunged by 4.3% in August, the sharpest monthly drop since 2012.

In Japan, things don’t look much better. Serious declines in industrial output over the summer suggest to some that the world’s third largest economy has already fallen back into recession.

In recent monthly surveys of fund managers conducted by Bank of America’s Merrill Lynch unit, a potential recession in China was cited as the biggest outlying risk to the global economy.

We may be on a cusp that makes it imperative to ask whether there are checks and balances in place to avoid another meltdown led by an unknown deficiency in internal control systems. Recognizing the overlapping areas of activities and the need for coordination among these three parties, it is necessary to reshape the internal control structure of financial institutions by means of an additional fourth line of defense for external interconnected control bodies.

 
 
 


© 2015 by NorthPointe. Proudly created by RVB Agency
