Kingfisher Airlines – Ethical Dilemmas of Mr. Vijay Mallya

Kingfisher Airlines was grounded last month. The agitating employees refused to come to work from 1 October 2012. Employees had been peacefully protesting earlier for payment of their salaries from February 2012. Management ignored the pleas and the plight of the employees increased. On 4 October 2012, Kingfisher’s store manager Manas Chakravarti’s wife Sushmita Chakravarti committed suicide. In her suicide note she stated – “My husband works with Kingfisher where they have not paid him salary for the last six months. We are in acute financial crisis and so I am committing suicide”.

The employees led a candlelight vigil in support of the grieving family. However, Vijay Mallya, the chairperson of the company, did not say a word about such a tragic incident. He did not mention anything on his Twitter account until 23 October, and for most of the month he was not available in India. Media reported that he flew out of the country in his personal Airbus. Check out the following tweets.

Vijay Mallya ‏@TheVijayMallya – 23 October 2012.

I travel 24×7 where my multiple work responsibilities take me. Sections of media call me an absconder because I don’t talk to them.

His Formula One team reportedly participated in Korea and he attended the race. He then attended the Indian Grand Prix and his Twitter comments are below. They caused a storm in the Twitter world.

Vijay Mallya ‏@TheVijayMallya – 26 October 2012.

I have learnt the hard way that in India wealth should not be displayed. Better to be a multi billionaire politician dressed in Khadi

Vijay Mallya @TheVijayMallya – 27 October 2012.

Kingfisher is probably the most written about Airline in the World thanks to Indian media. Top of mind brand recall must be at its highest.

The comments don’t show true leadership qualities. He appears to be completely disengaged from the situation his employees are facing. A little bit of humility and sharing of pain would have gone a long way in appeasing the hurt feelings of his employees. Though he is not legally liable to pay salaries to employees from his personal wealth, he has to take moral responsibility for his actions that have caused so much tragedy in the lives of his employees. Some personal austerity would have sent a different message to the world. However, in an interview Vijay Mallya made the following statement and refused to take responsibility for the financial mess.

“In a Plc where is one man, who might be the chairman, responsible for the finances of the entire Plc? And what has it got to do with all my other businesses? I have built up and run the largest spirits company in the world in this country.”

Kingfisher’s net-worth was eroded last year. The banks have refused to grant further loans since the outstanding amount is Rs. 7000 crore (USD 1299 million). Accumulated losses amount to Rs. 6000 crore (USD 1114 million). You can read the details in my earlier post. Since March 2012, the Directorate General of Civil Aviation has been asking for a revival plan to resolve the crisis. However, Kingfisher management took no concrete action. On 20 October 2012, the Directorate General suspended the license of Kingfisher Airlines.

The situation is that the banks, investors and employees are the biggest losers. Vijay Mallya’s personal shareholding in the company is just 1.87%. His group companies – United Breweries (Holdings) Limited, Kingfisher Finvest India Limited and UB Overseas Limited – hold 33.97%. Individual investors hold around 33%. Banks and other institutions hold the balance of the shares. Hence, Mr. Mallya will not be personally liable and may not suffer extensive damage to his personal wealth.

Recently, though, Forbes dropped him from its Billionaire list and stated that he is now worth only USD 800 million. He made a satirical comment on it.

Vijay Mallya @TheVijayMallya – 26 October

Thanks to the Almighty that Forbes has removed me from the so called Billionaires list. Less jealousy, less frenzy and wrongful attacks.

Closing thoughts

Mr. Mallya is blaming the media for inaccurately bashing Kingfisher Airlines. It is a strange reaction considering the dire state of the company. He has abdicated his professional responsibilities as leader of the group. He is also not taking any moral responsibility for the situation and the damage. I am amazed at his brand management team. The Kingfisher brand was worth a whole lot. Due to his personal negative reactions and his son Siddharth Mallya being oblivious to the churning controversies, the public is completely outraged. Besides the moral disconnection, there doesn’t appear to be any control over communications and brand management.

In your view, what should be the appropriate reaction of the Chairman of a company in such a situation?

References

Vijay Mallya flies in to attend Indian GP, blasts media for Kingfisher coverage – Economic Times

 

Impact of Roubini’s Perfect Storm Predictions on India

The Indian economy is not doing well. It grew at just 5.5 percent in the June quarter. The slow growth continues from last quarter, and the rapid economic growth of the last decade can no longer be taken for granted. Political paralysis, frequent corruption and scam charges, and an inability to pursue reforms have all led to this sorry state of affairs. This week, reform guidelines for foreign direct investment in retail and aviation were released with much fanfare. Let us see whether they make a difference in the long run.

The area of concern is that economist Nouriel Roubini, dubbed ‘Dr Doom’ for predicting the 2008 financial crisis, recently predicted a global perfect storm in 2013. He highlighted five factors that will derail the global economy.

If India’s internal problems continue and Roubini’s predictions become real, the dream of India becoming a superpower by 2020 may just remain wishful thinking. As there are divergent views on India’s growth story, let us take a look at the impact of these factors on the Indian economy and growth.

1) Worsening debt crisis in Europe

The European crisis is more than a spanner in the wheels; it has the capacity to bring the global economy to its knees. With Greece, Ireland and Spain in the doldrums and economists predicting a breakdown of the Eurozone in the near future, things couldn’t be worse. London and other euro cities are home to the biggest financial institutions and are extensively interconnected with the rest of the world. The combined economy of the Eurozone is the second largest in the world, hence anything going wrong here will impact the rest of the world.

A recently released FICCI report states that – “Indian companies doing business or which have invested in Europe have been adversely impacted. About 75% respondents said they have reported decline in their business prospects and also a loss of over 20% in business generation from the European region.” If a full-blown breakdown occurs, then the Indian economy will definitely suffer. Though a lot has been said about European institutions working together to bring financial stability and governments having the political will to take corrective measures, it seems doubtful. Good economies, Germany for one, may back out as their citizens may not wish to carry the burden of other countries. Hence, Indian companies are spreading their business in Africa and the Middle East to counter the downturn of Europe.

2) Tax increases and spending cuts in US that may push the country into recession

Barack Obama inherited an economy in crisis. Though the financial crisis is over, the economy will take a few years to recover. Economic indicators for the last six months show progress. The annualized growth rate is ranging between 1-2% in 2012, a major improvement from -7% in 2009. The unemployment rate is around 8%, and property prices have risen in the last six months after 5 years.

As neither Barack Obama nor Mitt Romney has a magic wand, the possibility of the US going into recession is high, especially as it is highly linked to and dependent on Europe. For India, a US recession is firstly bad news for the outsourcing industry. Both Obama and Romney have, in their election campaigns, targeted the Indian outsourcing business as the source of all problems prevailing in the US job market.

Though Indian software industry exports were US $ 101 billion in revenues in the year ended March 2012, NASSCOM has stated difficulty in predicting Indian software exports for more than two quarters in uncertain conditions. India exported merchandise goods worth $57.8 billion to the US in 2011, and the figure is growing. Since the majority of contributions are textiles, stones etc., the impact of recession isn’t significant.

With respect to FDI, India receives investments through Mauritius, Singapore etc., and “According to the latest data released by the Department of Industrial Policy and Promotion (DIPP), India received foreign direct investment (FDI) worth US$ 1.33 billion in May 2012 while cumulative inflows for April-May 2012-13 stood at US$ 3.18 billion”. Hence, the impact of a US recession on Indian FDI will not be significant.

India can in all likelihood survive a US recession without much impact on a standalone basis. With Europe also spinning out of control, the scenario changes.

3) A hard landing for China’s economy

The Chinese economy flourished over the last two decades with high investment in infrastructure projects and low manufacturing costs. It imported capital goods, though not consumer goods, and domestic consumption didn’t increase much. Now growth forecasts are in single digits, and focus has to shift internally due to the Eurozone crisis and US recession.

As Satyajit Das mentioned in a recent blog post, the world is divided into two groups with respect to China – Sino-philia and Sino-phobia. Some pro-China model believers think China is set to become a superpower. On the other hand, the Sino-phobic believe China is out to control the world. Hence the perpetual predictions of China succeeding and failing. However, Das has rightly pointed out in the following words:

Nothing illustrates this better than Chinese income levels. Despite its status as the world’s second largest economy, China ranks 98 out of 181 nations in the World Bank’s ranking of GDP per capita. Based on forecasts, wealth per capita in 2016 will be only equivalent to US$13,700 against $57,300 for the US and US$48,000 for Germany. This does not take into account the massive income inequalities in China, where a large portion of the population lives on less than US$1.25 a day.

China and India suffer from the same problems of huge income disparity, over-population and poverty. Corruption in the government further distorts the situation. If the Chinese economy slows down, the disparities will continue and China will have to focus internally. It does give an opportunity for India to take over, but it depends on India straightening out its internal act.

4) Further slowing down of emerging markets

The BRICS – Brazil, Russia, India, China and lately South Africa – showed tremendous growth in the last decade. They were the torch bearers of the developing world. However, it is now envisaged that the BRICS will be growing in single figures. With it, competition from other emerging markets is heightening – Indonesia, Philippines, Vietnam etc. On both sides India is in trouble.

Firstly, with the slower growth in emerging countries, India will lose its advantageous position. As business heads start looking at other countries for investment, FDI will slow down. Moreover, the emerging markets provide a good cost arbitrage. For example, the Philippines has taken over the call center market, especially that of the US, as the cultures are similar and it is cheaper than India.

As each emerging country comes up with its own unique selling proposition, the Indian industries will be impacted unless they position themselves differently. As in the BPO business, India is now attempting to position itself as knowledge managers.

Emerging markets will increase competition for India, hence gazing at the crystal ball is not going to help. India will have to tackle its poor reputation on governance, public finances, scams and democratic setup.

5) A military confrontation with Iran

Political pundits predict that Israel, to maintain its supremacy in the Middle East, will bomb Iran soon. Another view is that Iran will misuse its nuclear power to foster radical Islamic activities. Iran is rapidly building stronger ties with Russia, China and Latin America. In this situation, the target is the US and Europe. The crucial question is: what does a war or attack by Iran mean for India?

Besides ancient cultural ties, presently Iran is the major supplier of oil to India.  India has invested in the Oil & Gas industry in Iran to ensure its export. India imports 80% of crude oil to meet its energy needs from around 30 countries. Iran caters to 11% of the total requirement.

Hence, from a cultural, political and trade perspective, India is not in Iran’s first list of country targets. However, if war does break out, India is located between Pakistan and China. China would support Iran. On the other hand, Pakistan will face the tough choice of supporting the Islamic group or the US. India is far too near the epicenter of the problem to avoid the war, as it has tense relationships with both its neighbors – Pakistan and China. On the whole, India loses out if there is a war in the Middle East. Tensions in the Middle East will spell trouble for Indian companies having high energy consumption, as the crude oil price may increase.

Closing thoughts

Risk managers need to re-evaluate country risk of India and the rest of the countries they are doing business with. Credit rating agencies are threatening to further downgrade India’s rating. With the political risks of various countries changing, some impact on import-export, supply chain, customer relationships and investor participation can be expected. Even in the recent risk reports respondents have rated geo-political risks among the highest. This is a good time to take a close look at the risk scorecard to assess changes in strategic, financial and operational risks. Strategies should be developed for the country risks identified during the country risk assessment.

References:

  1. A Global Perfect Storm – By Nouriel Roubini 
  2. Roubini sticks to 2013 ‘perfect storm’ prediction
  3. 7 economic indicators that could decide the election - By Market Watch
  4. Foreign Direct Investment
  5. Indian companies facing losses in Europe: Ficci
  6. BRIC Countries Hit A Wall – Forbes India

Ethical Decisions – Why Bankers Fail At It?

Last week I read the US Senate’s Permanent Subcommittee of Investigations report on “U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History“. Since I am ex-HSBC I felt bad that an organization’s senior management took decisions for growth and profitability at the expense of world security.

I was personally horrified by the thought process of Christopher Lok, former Global Head of Bank Notes, relating to relationships with Al Rajhi Bank, Islami Bank Bangladesh Ltd and Social Islami Bank Ltd. The Compliance department in most of the cases had identified direct or indirect terrorist links with these banks. However, the business teams approached Mr. Lok to maintain relationships and sign off on the Know Your Customer documents. The logic given was that approximately $100,000/- per annum could be earned from these customers. Hence, approval was granted to pursue and maintain the relationships and most of the objections raised by the Compliance department were over-ridden.

Bank Notes division had 800 customers. So if I assume that approximately $100,000/- was earned from each customer, the total revenue would be $80,000,000/-. Though the bank notes division is now closed, does a bank of HSBC’s level need to pursue high-risk business for such immaterial amounts in respect to its total earnings?

With the controls so weak on transaction checks, even a single transaction of these three banks processed by HSBC could result in terrorist funding. One doesn’t know, but there is always a possibility that some funds may have been utilized for a terrorist activity somewhere in the world. A few people may have lost their lives. How does a person justify that his/her decision may result in the death of some unknown person?

In the report it is mentioned that decisions were taken on Reward versus Risk parameter. Risk was generally considered about reputation damage and legal fines. As before none of the bankers were personally held liable, the maximum negative repercussion is job loss. The legal fines are paid by investor money. Hence, job loss is hardly a penalty, when after a time, the person joins another bank or financial services company. The rationalization given by bankers to self, I assume, is that the million dollar salary and bonus is worth the risk of death of someone else. Ruining life and happiness of some people, causing fear and terror in their life, does not appear in the Reward-Risk analysis. Can one be successful and happy when standing on the graves of innocent people?

The world is asking why do bankers take these decisions? Even after the financial crises, which caused so much suffering and pain to the general public due to job losses, retirement savings loss, and home losses, why do bankers persist in taking these decisions? Why don’t they change and take socially responsible decisions?

Though I am not a psychologist, my guess is that two main feelings – cynicism and fear – make them behave so. With +15 years of working in the financial industry, I know how easy it is to lose one’s idealism. With the whole society running after money, bankers see the worst behavior. They are surrounded by unknown people, friends, relatives, customers, suppliers etc. who all compromise a little bit of their ethics to get the deal, the loan, and better terms and conditions. When a person is dealing with large amounts of money, the person witnesses the greed of others every minute. It just seeps through the psychology, and greed becomes the paramount emotion.

Viktor Emil Frankl, world renowned psychologist and survivor of the Nazi camp gave an interesting metaphor on idealism and ethics. He mentioned that when we fly a plane from A to B destination, we do not follow a straight line due to the cross wind. So when we fly East to West, we fly at an angle towards North. The wind pushes the plane down and we reach the Western point of our destination.

Similarly in life, if we take a practical decision to operate on a straight line, the negative influences push us down to make unethical decisions. When we get cynical, and say “the society is doing negative behavior so why not me”, we have already compromised on following the straight line. Our behavior falls below the straight line. However, if we manage to keep our idealism, we aim for higher ethical behavior. With all the negative influences in life, we then just about manage to live an ethical life. Hence, idealism actually motivates us to live an ethical life.

The next point is fear. Why do I think bankers are fearful and that is why they take these decisions? They are living a life which amounts to nothing. It is just money, more money and more money. Money buys comfort and luxury, it cannot buy self-respect and self-esteem.

Human consciousness is such that sometimes consciously we can fool ourselves. We think we know ourselves, but at a conscious level we don’t know ourselves; it is others who understand our behavior better. Hence, feedback from people is required for us to monitor our behavior. However, the more money and power one has, the lesser is the possibility of receiving honest negative feedback. Therefore, a senior manager’s moral compass at a conscious level can become distorted and he/she will remain completely unaware of the same.

At an unconscious level, our brain processes more information and keeps analyzing our actions, behavior and thoughts. We cannot fool ourselves at an unconscious level. The regulator inside us monitors our self-esteem. The right decisions and deeds deep down add to our self-esteem and self-respect. While our negative thoughts and actions erode the same. We compensate the lower self-esteem at an unconscious level, with a bigger ego at a conscious level.

The dilemma of maintaining ego to protect a low esteem causes irrational fear of loss. If internally we feel hollow, then the fear of losing the external trappings is higher. The reason is simple: the trappings are all the person has got. The pressure to maintain the facade is so huge that it scares the shit out of people if they think they are going to lose it. Hence, fear drives the person to get more and more of the same trappings that they are familiar with and allows them to breathe in their comfort zone. Sometimes, it is sheer terror of losing it all that makes them sink deeper and deeper in the mud instead of breaking the mold for a better life. This reduces the possibility of bringing about a change in behavior. They can’t let go.

Closing Thoughts

Compliance officers gave excuses that their department was under-staffed or business teams over-rode their decisions. These cannot be considered justifications for failing to perform core functions, especially when the transactions relate to drug money or terrorist funding. Both internal officers and external regulators need to be far more vigilant in ensuring that the world is a safe place to live.

For bankers it is a wake up call. They need to decide for themselves, whether they want to live in fear of losing everything, maybe going to prison, or adopt a more ethical life for their own happiness and safety. Going downhill is always easier than climbing uphill.

LIBOR Scandal – What Went Wrong?

This week Barclays Plc made banking history for the wrong reasons. The unheard-of occurred – the chairman, chief executive officer and chief operating officer all resigned within one week. While the chairman of Barclays, Marcus Agius, took the blame saying “the buck stops with me”, Bob Diamond initially said the incident was “inappropriate”. An understatement, or a lack of adequate vocabulary for describing a manipulation with such huge impact on the financial markets? LIBOR is used as a benchmark for prices of approximately $ 350 trillion of financial products. British and US authorities fined Barclays $453 million!

In the parliamentary hearing yesterday, Mr. Diamond did modify his viewpoint and said “behavior is inexcusable”. In the hearing, Mr. Diamond implicated Bank of England and the Financial Regulatory Authority. With a dozen more banks under investigation, this story of rigging interest rates isn’t going to blow over. It is just going to get murkier with time.

Watch this video to get an inside view on the procedures for calculation of LIBOR and the lack of monitoring by the regulators. Some speakers have given volatile views, but these are definitely worth listening in case of such a serious breach of business ethics.

In the last couple of months, titans of the banking industry have been facing public ire. First Jamie Dimon was called in for questioning by the US Senate; yesterday Bob Diamond was questioned by the UK parliament. The winds are blowing in a different direction; the public is outraged by the lackadaisical attitude of bankers towards ethical practices. Since the financial crisis, many have written about the need to change culture within banking organizations. However, from the frequent scandalous news stories, it doesn’t look as if the wizards of the industry understand the social strategic inflection point.

With senior bankers’ ambition to join billionaires club, even the best minds have developed blind spots. The ambition is for more and more money; they have forgotten that more is not always better. We need banking CEOs to have the ethical mindset of Dalai Lama to bring about a positive change in the industry. Is it possible, what do you say?

References:

Barclays CEO Bob Diamond Resigns After Rates Scandal – Business Standard

Lessons from Rajat Gupta’s Downfall

When I started my career, Rajat Gupta was an icon. Indian Gen X wanted to achieve his heights. He made us realize that Indian professionals can compete in the global arena and win. Now with his name tarnished with insider trading charges, every professional would be thinking – we don’t want to follow his path. The fall is always the hardest from the top floor of the building, not the ground floor. Whatever he built in his lifetime, today lies in shambles. His family is going to pay a heavy price for his wrong-doing. From being a case study on “what to do to fulfill your career dream”, he has become a study for “what not to do in your career”. I feel sad to say this, but here are some lessons all of us can learn from his downfall.

1. Poverty is in the mind and not in the bank balance - JP Morgan Chase estimated Gupta’s net-worth as US $ 130 million but as Rajaratnam joked – “Gupta wanted to be in the billionaires club“. Gupta’s greed got him down as he was unable to draw the line for his wants.

2. Don’t break the rules to get ahead - Gupta as ex-head of McKinsey knew he was duty bound to maintain confidentiality of boardroom information. He traded confidential information to meet his own personal targets. A McKinsey executive said - “It is mind-blowing that the guy who ran the firm for so many years could be going to jail for violating that principle.”

3. Choose friends carefully - That’s what parents say to kids but we forget it in our adult life. Gupta befriended Rajaratnam, and though one cannot say he lacked judgment, he did manage to rationalize wrong-doing to keep the friendship alive. He got enamored of Rajaratnam’s lifestyle. The relationship with Rajaratnam, who had a dubious reputation, led him astray.

4. Keep feet firmly on the ground – Ideas of invincibility and grandiosity lead to delusional thinking. Rajat Gupta was fined by SEC for insider trading. Instead of paying the fine, he chose to pursue the case legally. With the indictment, he is facing over 10 years of prison sentence. He took the decision to challenge SEC due to over-confidence and arrogance.

5. Correct wrong-doing immediately – A person walking an unethical path rationalizes that s/he will get away with it, if they aren’t caught the first time. Gupta, after doing insider trading a few times, got comfortable in his role. Mr. Naftalis said – “Having lived a lifetime of honesty and integrity, he didn’t turn into a criminal in the seventh decade of an otherwise praiseworthy life.” Gupta lost his principles over time. He didn’t stop when he should have and didn’t take any corrective actions.

6. No one is above law – With well-known figures in India and the international arena facing trials and convictions, it is apparent that no one can escape the hands of justice. Sooner or later, the path will lead to a prison sentence. Being ethical pays in the long run by keeping a person safe.

7. Protect your legacy – Rajat Gupta had an impeccable reputation as a world-class professional and a great humanitarian. His list of good deeds is long and he was known as an exemplary citizen of the world. With these charges, he leaves the legacy of a criminal. A journey from the boardrooms to a prison cell. There can’t be a greater tragedy in the professional field.

Closing thoughts

It is heartbreaking to find that our heroes have feet of clay. Gupta traded a comfortable old age for a prison cell to satisfy his insatiable hunger for power and money. An extremely intelligent man, an alumnus of IIT and Harvard, failed to make the right ethical choices. In the end, Robert Gilbert’s quote comes to mind -

“Conquer your bad habits or they will conquer you.” 

References:

Rajat Gupta Convicted of Insider Trading

Competition – Cause of Unethical Behavior

Greg Smith, ex-Goldman Sachs executive director and head of the firm’s United States equity derivatives business in Europe, the Middle East and Africa, resigned last week. His public statement in the New York Times, “Why I am Leaving Goldman Sachs”, has generated worldwide debate on organization culture and ethics in financial institutions and other organizations. He clearly mentions – “And I can honestly say that the environment now is as toxic and destructive as I have ever seen it.”

He further articulated that clients’ interests are now ignored to benefit the organization. The focus shifted from making profit for the clients to making profits for the organization. Brokers advise clients to trade in securities that benefit Goldman, even if the products are wrong for them. The “Business Ethics” blog mentions Goldman Sachs was charged with 13 cases in the last decade, hence this isn’t the first time the ethics of Goldman Sachs employees have come under the searchlight. Excessive competition to be the leader makes organization culture dysfunctional. Employees driven by salaries, bonus and other perks find it difficult to be ethical if the tone at the top is wrong.

The research paper “Organi-cultural Deviance: Socialization of Individuals into Deviant Culture”, authored by Gendron, R. and Husted, states that financial self-interest is the key reason white-collar criminals engage in illegal acts. It states that wealth and success are the central goals of human behavior. In a capitalistic society personal wealth and power give the stamp of success. When people compete, and realize that they cannot achieve success by legal means, they indulge in illegal acts. It further describes Coleman’s thoughts as -

Unable to lawfully obtain goals that are deemed appropriate or correct by the specific organization or society writ-large, an individual or a group of individuals may engage in neutralization strategies and begin to engage in deviant behaviors. Often more acts of deviance are required to continue to meet the organization’s or society’s goals. In this process, the individual or group may negate any concerns about their actions arguing that it is in fact “market forces at work”, that there are “no real victims” in such transactions.

The 1998 money laundering and securities fraud case of Jordan Belfort illustrates this thought process. Jordan Belfort mentioned in an interview that if anyone had asked him at 21 his aim in life, he would have answered “to get rich”. Belfort, while still in his twenties, opened Stratton Oakmont, a securities company. He hired youngsters in their teens and early twenties to sell stock to high net worth investors by writing their sale scripts. Over 1000 people worked in the company. In his book “The Wolf of Wall Street” he narrates the hard playing culture in his organization -

“They were drunk on youth, fueled by greed and higher than kites. And day by day the gravy train grew longer, as more and more people made fortunes providing the crucial elements young Strattonites needed to live the Life.” 

Fast cars, mansions, babes, drugs, expensive products and dysfunctional behavior defined the core attributes of “The Life” of Strattonites. Youngsters in their twenties without professional qualifications earned salaries over a million dollars. Since they spent their whole salary on living the Life, they were totally dependent on Belfort. He led the culture and in the rehabilitation center for drug addiction, he described himself as - “My name is Jordan, and I’m an alcoholic and a drug addict and a sexual deviant.”

Jordan Belfort was prosecuted and spent 22 months in federal prison for a pump and dump scheme, which resulted in investor losses of approximately $200 million. In the book he narrates that he transferred over US$ 10 million in illegal cash funds to Switzerland bank accounts and that the FBI tracked his activities. He talks about a Swiss Bank executive putting him in touch with a trustee who basically functioned as a master forger. He opened skeleton companies to pass fictitious transactions. Most of his business associates were also prosecuted by the FBI, as Belfort cooperated with the FBI after his arrest.

Closing Thoughts

Some take Gordon Gekko’s statement “Greed is good” seriously. The desire to have money and become rich fast pushes them to take risks. Since legitimately one cannot become rich overnight or have savings higher than salaries, a few break the laws. In the financial sector, with the knowledge and relationships, it becomes easier to override the laws. Hence, they pursue a rich lifestyle far more aggressively than employees of other industries. As they sink deeper and deeper in illegal activity, they believe they can control the situation and have nine lives. They ride a tiger with no capability of stopping.

References:

  1. Why I Am Leaving Goldman Sachs - New York Times
  2. 13 Reasons Goldman’s Quitting Exec May Have a Point
  3. The Wolf of Wall Street – How Money Destroyed a Wall Street Superman – By Jordan Belfort
  4. Organi-cultural Deviance: Socialization of Individuals into Deviant Culture

Risk Management Failures in Kingfisher Airlines

The king of good times is facing hard times. Launched in 2006, with much fanfare by its Chairman, Mr. Vijay Mallya, Kingfisher Airlines (KFA) is presently in dire financial straits. After the euphoria abated, KFA’s strategy, performance and financial health have been questioned since mid-2008. Now the company is facing major financial and operational problems. The press statement from KFA, on 12 March 2012, highlights the challenges:

“The flight loads have reduced because of our limited distribution ability caused by IATA suspension. We are therefore combining some of our flights. Also, some of the flights are being cancelled as a result of employee agitation on account of delayed salaries. This situation has arisen as a consequence of our bank accounts having been frozen by the tax authorities. We are making all possible efforts to remedy this temporary situation.” 

KFA is a good case to understand the impact of failure in risk management. The management ignored the warning signs of stormy weather and failed to navigate the company into safety. With hindsight, some of the important decisions made by the airline appear incorrect. Let us analyse the top 5 risks.

1. Strategic Risk – Market Analysis 

KFA was launched as a premium business class airline. That was the first mistake: a lack of understanding of customer requirements, and a decision based on the belief that luxury sells in airlines. Organizations focus on reducing costs and usually just CXOs are allowed business class travel. The rest of the staff mostly travel by economy class. Moreover, buying the most expensive business class tickets doesn’t go down well when seniors aim to project the image of walking the talk.

Even consultants, whose travel tickets are paid for by clients, hesitate to book KFA tickets, since it can appear that they are abusing privileges. Hence, the market size for business class tickets is small in India.

Secondly, internationally the Southwest Airlines operating model has proven successful. It is a low-cost airline that provides minimum frills to customers at reasonable rates. Mr. Mallya, highly successful in the liquor business, didn’t comprehend the differences in customer preferences between the two industries. Customers may buy expensive alcohol, but not airline tickets, since the total cash outflow is higher. It is a price sensitive market. Therefore, KFA adopted an incorrect strategy from the start as it failed to understand the market dynamics.

2. Strategic Risk – Merger with Air Deccan 

KFA acquired Air Deccan, a low-cost airline, in 2007. Five years of operations is a key criterion for an airline to fly internationally. Hence, KFA acquired Air Deccan’s international flying rights and simultaneously entered the cheaper market segment. It made the following announcement in its September 2008 financial results commentary:

The merger of the two operating airlines into one corporate entity has also enabled savings on operating costs such as Engineering and Ground Handling, Insurance and Catering. Employee costs have also been addressed through an integrated organization which enabled the Company to terminate the contracts of most expatriate staff and impose a hiring freeze on new appointments.

After the merger, the first signs of trouble cropped up. As per a Business Today article, it became the largest Indian airline with 27.5% market share, and domestic travel increased by 30%; however, it didn’t make profits, despite the fact that its main rival – Jet Airways – continuously showed profitable quarters.

KFA showed growth in numbers while having lost the strategy. With the merger, it lost its brand image of a premium business class airline. It expanded with the speed of a jet without building a base and resolving the post merger challenges. This set the course for a bumpy ride.

3. Strategic Risk - Investment in Planes 

According to the annual report for the year ending 31 March 2011, KFA flew 366 domestic flights and 28 international flights. It owned 67 aircraft.

“Aircraft Engine/Lease Rentals: Aircraft/engine lease rentals stood at Rs. 984 crore (USD 197 million) during the twelve month period from April 2010 to March 2011. Your Company operated 67 aircraft (scheduled and non scheduled) in the year under review, 13 of which are owned through finance leases and 54 are held under operating leases.”

The Business Today article mentions that presently the airline owns 63 planes and a few have been returned to the lessors. However, the plane financing problem isn’t new. In September 2008, after the merger with Air Deccan, KFA stated the following in its financial results commentary:

“Two aircraft have already been returned to Lessors with no additional cost, and the Company is in discussion for the return of a further eight aircraft. The impact of this capacity contraction will be visible during the second half of the Financial Year.”

After the merger, according to the Business Today article, the airline refused to take delivery of 5 Airbus A340-500. It had over 90 aircraft in Airbus books and no delivery was taken after 2008. This is a case of investment plans made under a cloud of unknowing.

4. Financial Risk - Excessive Debt  

In the December 2011 quarter unaudited financial results, signed by the Chairman Mr. Mallya, the following note is given:

The Company has incurred substantial losses and its net worth has been eroded. However, having regard to capital raising plans, group support, the request made by the Company to its bankers for further credit facilities, planned reconfiguration of aircrafts and other factors, these interim financial statements have been prepared on the basis that the Company is a going concern and that no adjustments are required to the carrying value of assets and liabilities.

KFA posted a loss of Rs 1027.39 crore (USD 205.95 million) in the December 2011 quarter. As of 31 March 2011, its net worth was negative at Rs 3633.08 crore (USD 728.29 million). It was last positive in March 2008, and now the picture is dismal. Presently, KFA has a total debt of Rs 7057.08 crore (USD 1414 million) and total accumulated losses of Rs 6000 crore (USD 1202 million). The banks refuse to extend further credit as the non-performing assets (NPA) will jeopardize the profitability and liquidity of the banks.

Here it is a clear case of excessive debt and poor cash flow management systems. The situation has gradually worsened from March 2008 and in three years the capital is completely eroded. A better financial risk management may have helped mitigate the problem. It appears no one in the company was monitoring the risk dashboard. Maybe they were flying high on optimism.

5. Operational Risk – Fuel Costs

It’s a well-known fact in the aviation industry that most airlines nosedive due to high fuel costs. The rise in fuel costs is an uncontrollable risk, as the price of petrol is set internationally. Additionally, in India, states charge heavy sales tax on petrol. Hence, the fuel costs are much higher in India. The KFA annual report of 31 March 2011 acknowledges this issue:

Aircraft fuel expenses: Expenditure on fuel stood at Rs. 2274 crore (USD 456 million) during the twelve month period from April 2010 to March 2011 accounting to 28% of the total costs. While the average fuel prices have come down from a high of Rs. 74 per litre in August 2008, prices have steadily risen through the year and ended 34% higher than prices at beginning of the year. 

As given in the commentary on the results for the half-year ended 30th September 2008, KFA was aware of the problem:

The Aviation Industry is going through a challenging phase globally, driven primarily by spiraling fuel costs, which hit an un-precedent USD 147 per barrel in July 2008. The Indian industry was hit more adversely due to the cumulative impact of Customs Duty and Sales Tax on account of this sharp increase in international fuel prices. The average price of ATF in the six month period from April to September 2008 increased by about 60%. The impact on Kingfisher Airlines alone was to the tune of Rs.640 Crores (USD 128 million).

To recover fuel costs, most airlines increase the number of seats in the aircraft by better use of space. KFA couldn’t do it, as it projected itself as luxury class. Despite enjoying an occupancy rate of 75-85%, the company failed to break even. Although the management was aware of the truculent factors in the aviation industry, it failed to take preemptive measures in time.

Closing Thoughts

A look at the 31 March 2011 year-end annual report reveals that KFA had 7-8 directors, with just one executive director. The audit committee had 3-4 directors and didn’t seem active, since there were just 4 meetings during the year. Since inception of the company, three CEOs have come and gone. Mr. Vijay Mallya, the Chairman, controls the company. The board of directors has not actively participated in charting the route of the company. Hence, the pilot of the company is responsible for the downward spiral of KFA. As the banks and government refuse to give a life jacket to KFA, the probability of a safe landing is low.

References: 

  1. Kingfisher Airlines - Media statement 12 March 2012
  2. Kingfisher Airlines – 31 March 2011 Annual Report
  3. Kingfisher Airlines – 31 December 2011 Unaudited results
  4. Kingfisher Airlines – Commentary on results for half year ending 30 September 2008
  5. Losing Color – Business Today article.

Innovative Assurance and Advisory Services

The business team’s mental picture of an auditor is of a guy focused on nitpicking financial accounts. The excessive focus from regulators on internal controls in finance processes has stereotyped auditors. However, in these dynamic economic conditions senior management expects internal auditors to break out of this image and become business partners. The question is – how can they do so? Let me share with you my story first.

My journey as an internal auditor changed in the mid-nineties when I was an audit manager in an auditing firm. One day, I had a meeting with the client’s CAE to discuss the scope of work for the year. The client had an in-house internal audit team and outsourced some areas of work. The CAE had mostly worked in the UK and US, so was highly exposed to the international environment in comparison to the regular Indian CAEs at that time.

On starting the meeting, the CAE said – “Sonia, I think for the first quarter I would like you to cover marketing and customer service department.” I swallowed and nodded agreement.

He then continued – “Next quarter you can cover production”. I squeaked – “Production?” He replied – “Yes, shop floor audit would be interesting.” I tried to keep my expression under control and not show my shock, and again nodded in agreement.

He further added – “Last two quarters of the year, you can cover purchase department and inventory function”. I knew something about these two areas, so I tried to breathe. As the meeting closed, I started thinking about how I was going to execute this scope of work. You see, there was a small hitch. I generally did service industry audits and this client manufactured cranes and forklifts. What does one audit in marketing of cranes? How are cranes produced? I was absolutely clueless.

As I drove back I wondered whether my boss had intentionally skipped the meeting. He knew if he had accepted this scope of work, I would have had reasons to crib. Now as I had accepted the scope of work, I couldn’t crib. If I did, he would say – “Sonia, you should have negotiated better.” So I took a small diversion and made a stop before reaching my office. My boss was eagerly waiting and from his expression I knew he had already spoken to the CAE. It was a setup! I presented him the scope of work letter, my bookstore bill and the five books I had purchased on the marketing function on the way back. He smiled gleefully.

I knew I was in trouble. In those days there was no internet or Google in India. I tried to figure out how I could convince my team that I knew more about marketing cranes than how to spell it.

Later on I realized that these assignments were the turning points in my career. They shook me out of my comfort zone and taught me a lot. While I could earlier rattle off the financial numbers of my clients, I really didn’t understand their business. What did they do? How did they make money? What challenges do they face in the market place? Without understanding the business, one could hardly do any value add.

So the relevant question is how can auditors become business consultants? Primarily internal auditors are driven in scoping their work according to materiality in financial statements. If we change the focus from financial to business, the scope of work automatically changes. I am sharing with you some of my ideas.

Of course as you read some of the suggestions the question will come up, does it fit into the third line of defense (internal audit), second line of defense (risk management) or the first line of defense (business teams). My view is that first an organization should decide, is this what they require? If yes, then they need to find an appropriate fit in their structure. Though some of these services do not fit the traditional sense of audit, they add a lot of business value. Moreover, the skill set required to perform these services is the same as an auditor or risk manager. The mindset has to be different.

The argument against it is that these are management responsibilities as some of these either appear to be focused on preventive or detective controls, and moreover do not focus on financial processes. The question to ask is – is management fulfilling these responsibilities in other functions? Additionally, if business risks and controls are not addressed, doesn’t it impact financial processes and income? Maybe, senior management needs to come out of the SOX mindset and think differently. Read on and share your views with me.

1.  Job Work Review

I am sure you must be wondering here – what is she referring to? As a corporate citizen you must have heard of management saying that with so many resources the work is still not done. On the other hand employees lament that they are over worked due to insufficient bandwidth. One wonders, are they talking about the same organization? Let me explain in detail as to what we can focus on here.

I had a banking client where the management and employees were in this tussle. Since it was an Indian nationalized bank, the tussle was fast becoming a labor union issue. Management appointed our company to identify the real work issues at a sample branch to resolve the problems. The branch had 50 odd employees and as a first step we asked them to fill a detailed form listing out their activities on a daily, weekly and monthly basis along with the time. We also gave time sheets for the bank employees to fill for a fortnight to record actual work done with time spent.

Meanwhile we analysed job descriptions, processes, MIS and business applications to assess the real activities performed by various departments within the branch. Finally, we conducted interviews with the employees to discuss our observations relating to their job roles and work done. We were able to identify duplicate work done, opportunities for minimizing manual work by using technology, improving processes, reducing time spent on non-value add work, restructuring department functioning and changing job roles. This improved the efficiency of the branch operations besides resolving the management problems.

In another similar assignment for a law office, we analysed billable and non-billable time spent by attorneys. By transferring the non-billable activities to other job roles, the attorneys were able to increase their billable time, hence directly improve revenues.

The point is, all managers are told to prioritize work. Ever wondered what percentage of managers do it successfully? Additionally, what is the impact on revenues because of failure to do so? Isn’t it worth checking out? Shouldn’t organizations focus on employee risks? Employee risks are turning big and are mostly un-addressed.

2. Build Risk Assessment Tools

The business teams are primarily responsible for managing risks; however, they are not trained in risk management. The internal auditors and risk managers have vast knowledge of business risks. Then isn’t it worthwhile to bridge this gap? Here I will give you an example of what we did for a software development company.

The program managers were running million dollar software projects. As you know, the project risks impact cost, quality and time of the project. The software development teams focus more on running the project than on doing project risk management. Hence, we developed an Excel tool for them. The spreadsheet contained over 600 risks on various stages of a software development project. The project manager just had to assess whether a risk was applicable to the project and select a listed risk mitigation plan. S/he had to input the name of the person responsible for managing the risk and the time schedule. Only in rare cases did project teams identify a new risk, which we incorporated in the next version of the tool. An activity which took the project teams days of discussion could be completed within a day, and the project manager could review the risk status within an hour on a weekly basis. An overall organization count was available on risk occurrence, success/failure of mitigation plans and risk losses.

Empowering the business teams with appropriate tools to conduct risk management is far more beneficial than a post facto audit. A reduction in risk loss directly improves profitability.

3.  Process Design Review

Internal audit and risk management functions generally are not involved in the process review at the designing and re-engineering stage. They audit the process after it is functioning and then identify control gaps and give recommendations for improvement. Doesn’t this sound like attempting to catch an elephant by its tail? I will share with you my ideas on this area.

When an organization is establishing its back offices, usually the processes are migrated with the same controls as existed before. However, the risks and control requirements change considerably on process migration. If an auditor reviews the process and standard operating procedures at the process migration stage, not only will business risks be addressed, it will also save a lot of time in doing a subsequent audit. Additionally, management will be able to identify whether the process is high, medium or low risk and budget risk loss accordingly in the cost-benefit model.

The same applies when management is re-engineering processes according to six-sigma or lean or any other model. Sometimes on re-engineering processes, the existing control steps are removed to reduce work time and improve efficiency. However, no other compensating controls are put in place. This increases the risk of the process without management’s knowledge.

Reviewing processes proactively for controls and risks reduces probability of subsequent damage due to control failure. It significantly mitigates fraud risk also. Moreover, it reduces the audit time significantly.

4. Software Implementation Review

Again I see here that auditors review application controls at the time of SOX or financial audit. An assurance needs to be given on the technology controls. However, the cost of changing an application program after implementation is 3-4 times the cost at the time of development. Hence, doesn’t it make sense to review the software program at the time of implementation, whether it is an ERP or customized application?

To demonstrate the value of the work, I am narrating my experience of doing an assignment for a government tax department in India. The department was implementing technology for the first time to improve tax collection. According to its estimates because of the manual systems and delay in collecting information, it was losing revenue in millions due to tax evasion. They had appointed a hardware vendor and software vendor, and then my organization for auditing. We worked with the department to review the technology implementation strategy, user and functional specifications for controls, network diagram for information security and conducted application controls testing. This saved the department from various problems that would have occurred after implementation.

Proactively addressing technology controls saves the organization subsequent cost of changing them and mitigates the risks occurring from control lapses. Conducting an ongoing review of implementation of critical business applications is beneficial.

 5. Policy Decisions Review

Now this is something that most auditors and risk managers do not go near as policy making is management responsibility. However, I am going to narrate an incident here, and let you decide whether it makes sense to re-look the policies.

I was conducting a financial statements audit of a consumer goods trading company. While checking the discounts given on a product, I realized that the total discount given was eroding the profit margin. The company had various discount categories, for instance – special discounts, festival discounts, dealer discounts etc. However, it was not calculating the total of these discounts for each product. Hence, it didn’t realize that though the sales were increasing, the discount policies were faulty and eating away the profit margin. I did a marginal costing analysis, and assessed that if they continued with this policy the company would lose its “going concern” status in three years. Management was horrified on seeing my report and realizing that various discount policies cumulatively could have such an impact.

Look at it from another angle. If you see the banking sub-prime crises, maybe a review of the policies to give loans to financially weak or unstable income borrowers would have reduced the risk. If the banks had just disbursed loans to this category to a small percentage of the total retail lending, this situation may not have occurred. Conducting an audit after loan disbursement and commenting on the quality of loans hardly helps.

My suggestion here is that when policies are issued, they need to be reviewed for financial and risk impact. Issuing single policies doesn’t sound like a big deal, however when sum total impact of a group of policies in a specific area is analysed, the picture is quite different.

6. Fraud Risk Assessment

In a speech given by the Governor of the Reserve Bank of India to the Institute of Chartered Accountants of India in December 2011, he said – “The profession has shied away from the responsibility for prevention and early detection of fraud.” This is a valid allegation. Although fraud risk is increasing at a tremendous rate, most organizations lack focus on it. Banks have fraud risk functions; however, they are more focused on investigations. The thrust on fraud prevention can be improved.

Let me give you an example here. In India banks are either shifting back office operations or outsourcing them to vendors. Now these back offices have multiple processes, mostly run by people who are service delivery experts. The teams sometimes lack banking industry knowledge and are clueless on fraud risks of the process. At the time of process migration, training is provided to detect transaction level fraud. However, if you ask the process owners whether the processes they are running are high, medium or low fraud risk, they will be unable to answer that.

I once developed, with my team, a fraud risk assessment tool for banking back office operations. A weight was given to each data item that could result in fraud. For example, an employee having access to customer information can conduct account takeover fraud in a call center. The information normally required is name of the customer, account number, address, date of birth and debit/credit card number. If this data is available, the probability of fraud increases. Hence, the tool captured the data availability for each process and calculated the level of fraud risk for the process. Management and process owners knew the high fraud risk processes and could allocate more resources to fraud prevention in these processes. Incorporating controls in these processes reduced the overall fraud risk of the organization.

As mentioned in an earlier post, Kroll Fraud Report of 2011 states that globally organizations reported on an average 2.1% of earnings loss due to fraud and nearly 1/5 of the organizations had 4% earnings loss. In case of senior management involvement, for instance – Satyam, Enron, WorldCom – organizations are nearly wiped out. Fraud risk additionally impacts financial, reputation and legal risks. Hence, organizations definitely need to focus on it.

 7. Review of Management Programs

Management initiates various programs, namely for – innovation, research, quality improvement, leadership development, etc. There is a lot of time and money spent on these programs as these enable the organizations to gain a competitive advantage. Risk managers talk about competitive advantage risks, however these programs do not come under the review radar of either internal auditors or risk managers. They check that the cost of programs is booked correctly, and are unconcerned about the success of the program and/or reasons for failure. Reason being, no obvious risk is seen.

My view is that if a program is developed to gain competitive advantage, then obviously its failure results in increasing competitive disadvantage. That increases business risks. These risks might not be immediately quantifiable, but have long-term impact. However, the reasons for program failure are not obvious and result in sunk costs for the program.

For instance, in a company I had run an organization survey to get feedback on implementation of a quality framework. Normally, negative feedback identifies the following problems – lack of senior management support, insufficient training, lack of implementation support, no hand-holding done in first project etc. In the feedback given, the respondents stated that these issues were addressed well and they had no complaints on these fronts. However, they were not motivated to use the framework because there was no reward or recognition system in place for doing well in this area. After implementing an employee bonus scheme for adopting the framework and using it well, participants’ commitment levels for the program improved.

As I had mentioned in an earlier post “Creativity@Risk”, organizations’ innovation programs may not be effective because creativity is not valued. I had given steps to audit creativity levels in the organization. Think of it, if innovation and research is failing, don’t the competitive advantage risks increase? How are organizations calculating and addressing these risks?

8. Brand Building Programs Review

Organizations are investing heavily in building brand names to gain competitive advantage and customer loyalty. They run advertising, social media and corporate social responsibility programs geared towards it. However, some are succeeding in their efforts, while others are reaching nowhere, especially Indian companies. For example, the global Brand Keys Customer Loyalty Leader report of 2011 doesn’t mention even one Indian company in its top 100 brand names. Hence, the question is where are all the advertising and brand building budgets going?

A review of the effectiveness of these programs helps to build better customer relationships. For example, to attract Gen Y customers, some banks have launched games on their websites. If a customer logs in and does some transaction or activity on the website, s/he gathers points. After accumulating a certain number of points, the customer is given a small gift. It is targeted towards building customer retention and loyalty. The cost of the program is low and the impact is high.

Another aspect now facing organizations is social media risks. Any negative information that goes viral can damage the company reputation. Hence, the probability of reputation risks has increased. To ensure that these are properly mitigated and the programs are effective, these programs can be periodically reviewed.

9. Strategy Review

In an earlier post I had mentioned a point from a McKinsey report. It states that just 8% of the respondents said that their organizations review strategies on an ongoing basis. In 42% of cases, the organizations were not conducting annual reviews of strategy. Now without reviewing the strategy, how do organizations really know where they are heading?

In another recent report of the Economist Intelligence Unit titled “The Long View” the key observation was that – “The time horizons for strategy and risk are often misaligned. Some companies are making longterm strategic plans without a proper consideration of the associated risks.” The main reason is that risk management is considered an operational activity rather than a strategic function. This is highlighted by the fact that just 24% of organizations think that risk analysis is vital for strategy development.

To illustrate the need for strategy review, I am narrating an incident. I was pitching for work to a CEO. He handed me his strategy documents for building 100 collection centers. I analysed the numbers, and realized that though the revenue numbers and assumptions were correct, the costing was not so. I visited a few collection centers, developed an operational plan and costing analysis and submitted the revised numbers. When the CEO saw the numbers, he asked me for my recommendation. I said in a straight forward manner – “If I was in your position I wouldn’t implement this project. Though revenue numbers are good, the break even point is at 75%. There are no quick earnings and failure probability is high.” The CEO agreed to my observation and project was not undertaken.

As I persistently continue to make this point, strategy review is essential for success. A lot of funds are wasted on wrong strategies. Start with focusing on the strategy formation process and reviewing business strategies to move up the value chain.

10. Business Continuity Plan Review

Most organizations dependent on information technology have disaster recovery plans and/or IT recovery strategies. Few have developed and implemented full-fledged business continuity plans envisaging various natural and man-made disasters, although with the increasing frequency of floods, earthquakes, hurricanes and terrorist attacks this would be an obvious move. Last year the earthquake in Japan and floods in Thailand caused problems for companies worldwide whose vendors were located in these countries. The supply chain broke down.

Conducting a business impact analysis requires classifying each activity in the business process as critical, necessary or optional in case of a disaster. Some activities might be required in normal business functioning but not in a disaster scenario. For example, for a bank, having credit card operations running 24/7 is critical; however, a loan application approval process can be delayed for a couple of days without a big problem. A solution is required for all critical activities. For instance, in the 9/11 attacks in the US, the Amex center in Delhi acted as the backup center for US offices. Amex was one of the few companies whose customers didn’t feel any impact on customer service due to the incident. Hence, ensuring that all critical activities have a backup facility with trained resources operable in a short time span is critical for business continuity.

A review of the plan and testing documents ensures that there are no gaps and all possible disaster scenarios are covered. A periodical review is required as sometimes processes and business change, while the business continuity plan is not updated.

Closing Thoughts

To provide value add to business, auditors and risk managers need to focus on these services. The Big 4 earn most of their revenues providing these services to clients, as few companies have developed in-house capability. Some organizations, though, have shown progressive thinking and renamed internal audit departments as business assurance and advisory functions. One arm of the department focuses on regulatory requirements of internal audit and the other arm focuses on providing assurance and advisory services to various stakeholders within the enterprise. The cost of setting up the function is low, the rewards are high. Senior managers just have to re-imagine audit and risk management functions. It will be worthwhile.

References:

  1. The long view - Getting new perspective on strategic risk by Economist Intelligence Unit
  2. Brand Keys Customer Loyalty Leaders 2011
  3. Challenges to the Accounting Profession Some Reflections – Speech of Dr. Duvvuri Subbarao, Governor of Reserve Bank of India on 16 December

Shattering Perceptions About Audit Committees

Imagine driving a car with a speedometer in the rear. When you crash, a voice from the back of the car gives the depressing message – “You crashed because you broke the speed limit of 60 miles an hour”. Now this question will get most auditors and risk managers upset, but I shall stick my neck out on this one. Don’t you think this metaphor fits the role audit committees are fulfilling presently? Should audit committees function differently to help the CEO and board members perform better?

I am sharing below some controversial views on the role and performance of audit committees. Let us say, I am auditing “audit committees”. It might force you to rethink some issues. Do you share my views or hold different views?

1.  Formation of Audit Committee

Generally, audit committees are formed with 3-4 non-executive independent directors. The premise is that independent directors are in a better position to give impartial and unbiased views. Hence, the committee is entrusted with the responsibility of advising the board on the effectiveness of systems of internal controls, compliance and governance in relation to financial reporting obligations. The pertinent questions that arise are whether the independent directors are actually independent and capable of fulfilling their responsibilities. To shed light on this area, I am discussing some scenarios on appointment of independent directors.

Usually, independent directors are invited to join the board since they are either socially connected to the CEO or some other director. Delving into their backgrounds reveals commonalities between education, employment and/or social background. A board survey done in 2005-2006 in India showed that a “good 90% of the non-executive independent directors were appointed using CEO/chairperson’s personal network/referrals, and the remaining 10% through executive search firms.”

Another challenge is getting independent directors with the right industry experience and expertise. To illustrate, in 2010, 48% of UK FTSE companies were unable to comply with the provision of 3 non-executive directors forming the audit committee, as there were insufficient non-executive directors available on the board. Moreover, around 10-11% of the companies did not specify a director with relevant financial expertise.

Looking from another angle, appointment of independent directors to other company boards is dependent on favorable reviews and recommendations from existing board members. In light of this, wouldn’t the audit committee members be tempted to look the other way and avoid raising issues where CEO or board involvement is suspected in frauds? Can we really consider them independent?

Additionally, the value-add provided by the audit committee members is sometimes questionable. I couldn’t find specific data relating to India, but a Grant Thornton report on UK companies states that audit committee meetings were held on average 4-5 times during the year and non-executive directors attended meetings on average 17-18 times during the year. If I do back-of-the-envelope calculations, only in rare cases would audit committee members be spending more than 10 days per annum to fulfill their responsibilities for a particular company.

Considering this, I personally have doubts whether audit committee members are in a position to understand the complexities of business, the control environment and various risks impacting the organization. Keeping the size of organizations in mind and their global spread I sometimes feel that audit committees provide an illusion of confidence to shareholders rather than real confidence.

2.  Selection & Appointment of External Auditors

The appointment and selection of external auditors is one of the key recommendatory functions of the audit committee. The board in the annual general meeting generally proposes the name of the external auditor recommended by the audit committee.

Hence, the assumption is that audit committees take this responsibility seriously. I came across this Economic Times article “Can the big four survive a break-up attempt”. It highlighted some interesting facts:

  • In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.
  • 85% of the companies in EU are audited by big four.
  • 99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.
  • Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.

Separately, a Grant Thornton 2010 report states that the average tenure of an external auditor at UK FTSE companies is more than 31 years. Additionally, 55% of companies provided minimal insight on the selection process of the external auditor and just 15% of companies provided detailed information on the decision-making process.

I am going to let you decide whether with these facts you can presume the audit committees are ensuring proper selection and appointment of external auditors. The logical argument given would be that the big four have the geographical reach and expertise to audit multinationals. I have a straightforward question – with the same audit firm continuing for numerous years, can one assume objectivity and independence in reporting?

I am personally in favor of the new Companies Bill 2011 (India) clauses relating to audit firm and audit partner rotations. It mandates rotation of audit firm every 5 years and audit partner every 3 years. In my view, that is a step in the right direction.

3.  Relationship with Chief Audit Executive

The Grant Thornton 2011 CAE Survey of US companies revealed some startling data. A quarter of the CAEs had not met the audit committee chair outside of board and committee meetings. 29% had met 1-2 times and 31% had met 3-5 times during the year.

Another interesting fact from the Grant Thornton 2010 report is that 13% of the UK FTSE 350 companies did not have an internal audit function. That is, 40 of the UK’s largest companies did not have a third line of defense, so most probably didn’t have a CAE. Moreover, 25% of the companies did not disclose compliance with this provision in the reports. This fact is fascinating as in India internal audit is mandatory for listed companies and external auditors are required to comment on the function.

Seeing the above US data, that 85% of CAEs had minimal interactions with the audit committee chair, can one say that they have a good relationship with the chair and members of the audit committee? Without having a good one-to-one personal relationship, do you think audit committee members are in a position to assess the real performance of the internal audit department or gather critical information about the company from the CAE? With such limited communication among audit committee members and the CAE, would you have doubts on their effectiveness?

Now add to this that a CEO can terminate the CAE’s services if s/he voices a view opposing that of the board. Very few boards are mature enough to allow CAEs to constructively confront their ideas. Audit committee members may not be able to protect the CAE in all circumstances. Under these circumstances, would you say that audit committees and internal audit departments are effectively assessing the internal controls environment of the organization?

My view is that most audit committee members spend time on the audit committee charter, internal audit charter and internal audit reports submitted by the CAE. They don’t delve deeply into the procedures used to conduct internal audits. Additionally, in some companies there might be just superficial support given to the internal audit function.

4.  Challenging Board Decisions

Audit committees have immense power in the sense that they can challenge board decisions. As per the Companies Bill (India), if the “board does not accept any recommendation of the audit committee, the same shall be disclosed in the report along with reasons thereof.” However, I have rarely seen a report that states audit committee’s recommendation was not followed. This would make us presume that audit committee members are exercising their power properly and keeping a control on board activities. However, the picture is somewhat different.

A KPMG Audit Committee survey conducted in 2010 mentions that just 27% of boards encourage contrarian views and discourage groupthink, 64% do it somewhat and 9% do not accept different viewpoints at all. As I had mentioned in a previous post, the Satyam fraud case portrays the board’s failure to exercise judgment. Although Satyam’s board consisted of renowned personalities, the Central Bureau of Investigation report stated –

  “The members of the Board of Directors had acted as “rubber stamps”, unwilling to oppose the fraud. Not a single vote of dissent has been recorded in the minutes of the Board meetings.”

Moreover, the lack of personal accountability in independent directors’ mindset was apparent after the Satyam fraud came to light. In a short period subsequent to the disclosure of the fraud, 109 independent directors voluntarily resigned although their term had not ended, fearing being held liable for fraud or non-detection.

The SKS Microfinance case is another example of the extent to which the board will not raise issues. CEO Suresh Gurumani was fired at the behest of the Chairman Vikram Akula. Eight of the ten directors voted in favor of his termination, the other two were absent, although the CEO had no previous performance issue.

The situation is similar across the world. The Enron, WorldCom and Swissair failures reflect boards’ ineffectiveness. They are not exercising their powers judiciously for the benefit of the shareholders. In my opinion, audit committee members and other board members can do much more by challenging the viewpoints of the CEO and his/her team.

5.  Evaluation of Finance Function

Ensuring the integrity of financial statements is one of the key responsibilities of audit committees. The members are required to review the financial statements with the external auditors before submission to the board. Just to give you an example, the Tata Motors 2010 corporate governance report defines the responsibilities of the audit committee in respect of financial reporting as follows:

“Reviewing the quarterly financial statements before submission to the Board, focusing primarily on:

  • Compliance with accounting standards and changes in accounting policies and practices;
  • Major accounting entries involving estimates based on exercise of judgment by Management;
  • Audit Qualifications and significant adjustments arising out of audit;
  • Analysis of the effects of alternative GAAP methods on the financial statements;
  • Compliance with listing and other legal requirements concerning financial statements;
  • Review Reports on the Management Discussion and Analysis of financial condition, results of Operations and the Directors’ Responsibility Statement;
  • Overseeing the Company’s financial reporting process and the disclosure of its financial information, including earnings press release, to ensure that the financial statements are correct, sufficient and credible;
  • Disclosures made under the CEO and CFO certification and related party transactions to the Board and Shareholders.”

Hence, it is crucial to evaluate the performance of finance function.

As I had mentioned in an earlier post, CFOs, after CEOs, are the most likely people to do accounting manipulations. CFOs either do it on their own or at the instigation of the CEO. Due to the nature of their role in preparation of financial reports, they are in a unique position to hide critical information, change accounting policies, pass dubious transactions and present false reports. A Satyam or Enron couldn’t have occurred without the CFO’s involvement.

Another aspect to look into is that the role of CFO has expanded and become more critical. CFOs are not only managing financial reporting, but also play a key role in strategy development, risk management and business monitoring. The question is what audit committees need to take into account to evaluate the performance of the finance function. Below are some pointers:

  • Evaluate the role of the CFO in the organization to understand the functioning and power dynamics.
  • Assess whether the CFO is able to maintain independence and hold his/her own position with the CEO.
  • Understand the logic given for changing accounting policies and methods, entering into transactions that may not be arm’s-length and inter-group company transactions.
  • Review the history of accounting frauds and manipulations, notices from regulatory agencies and industry specific risk impact on the organization.
  • Evaluate the CFO’s relationship with external auditors to determine whether he/she is unduly influencing them. Obtain the CFO’s viewpoint on qualifications and disclaimers given by external auditors.
  • Review the systems and processes used for maintaining accounts and preparing financial statements. Understand the finance department organization structure and segregation of duties matrix.
  • Determine the CFO’s focus on cost control, risk management, cash-flow management, and acquisitions and mergers.

In my view, considering the crucial role of CFOs, audit committees need to spend time understanding the various facets of the finance function and gathering critical information to evaluate the integrity of financial reports. From the past corporate scandals, one cannot assume that audit committees are doing a good job at raising red flags and/or identifying accounting manipulations.

6.  Nature of External Reporting

The present-day hot topic of discussion is about the aspects audit committees should include in external reporting. As such, law requires that audit committees review the financial reports and related media releases. The question is: should audit committees ensure that a company sticks to minimal reporting requirements or should they go beyond them?

In my view, corporate governance is about building good and transparent relationships with investors, shareholders, creditors, public and regulators. Hence, information that contributes to a healthier relationship between management and other parties should be disclosed.

Let me explain my viewpoint. Taking the example of India, a number of listed companies are family owned and managed (for example, the Reliance group, Tata group, Birla group etc.). Shareholders, especially the minority shareholders, do not have a significant say in the company. The perception exists that family-owned groups sometimes do not invest funds for shareholder benefit and squander them on personal privileges. Moreover, Indian corporate laws are good on paper, but the regulation is not so great, though improving. Hence, Indian shareholders are a vulnerable lot. Additional information builds trust and confidence, as seen in the case of Infosys.

The business benefits for upholding transparency are huge.

  • The market value of shares increases. Velocity of share trading is also higher than other companies.
  • Financial institutions show a greater propensity to invest.
  • Foreign investors – institutional and individual – are open to trading in the shares.
  • The companies have lower legal and regulatory costs as regulators are comfortable.
  • Customers prefer buying products from companies that are ethical and socially responsible, hence transparency impacts sales directly.

The most important job of audit committees and board members is to ensure that management aligns company and personal objectives with shareholder interests. If the company is doing bare minimum reporting then the audit committee is not really keeping shareholder interests in mind. For instance, the Grant Thornton report on UK companies’ corporate governance practices mentions that of the 303 largest companies in 2009-2010, just 11% of the chairpersons commented on the corporate governance practices.

In my view, audit committees should focus more on the extent and level of external reporting. To enhance shareholder confidence, more details can be provided on the functioning of the board, and of the internal audit, finance and risk management departments. A discussion on organization objectives, strategy and evaluation parameters would also be helpful. An explanation about the external auditor selection process and fees would be beneficial. Lastly, the company’s efforts in fulfilling corporate social responsibility would provide an added advantage.

7.  Information Available with Audit Committees

Besides the abovementioned activities, audit committee members are required to look into other aspects of the business also. For example, they are required to review the utilization of funds through public issues, transactions that indicate conflict of interest, cases of suspected fraud, financial statements of subsidiary companies, political spending and overall compliance with regulatory provisions.

Normally audit committee members rely on getting information from board meetings, minutes of the meeting, discussions with external auditors, reports and discussions with internal auditors, fraud investigation reports, whistle blowing hotline investigation reports etc. However, the question remains – do audit committees get the real information to make informed decisions? A KPMG 2010 US survey report states that 77% of the audit committees are actively engaged in obtaining information.

However, I do not see the same occurring in India. At the time of the Satyam scandal and more recently on formation of the new Companies Bill, there was a lot of discussion about the responsibilities of independent directors in respect of fraud or inaccurate financial reporting. The independent directors had complained that they are not privy to the internal workings and thinking of the organization, especially in the case of family-owned groups. Hence holding them responsible is not the right step. If one considers this view, then audit committee members are actually abdicating their responsibility.

Another issue to deal with is that audit committee members may lack industry expertise, hence may not know the questions to ask. In my view, audit committee members should use their right to hire an external consultant in case of doubt. Moreover, they should get additional information. A few pointers are:

  • Obtain strategy and implementation plans.
  • Review key performance indicators – financial and non-financial – with status.
  • Interact with external and internal auditors of subsidiary companies directly.
  • Hold discussions, where required, with senior and middle managers of various business units.
  • Discuss with company secretary all legal and compliance challenges.
  • Discuss with ethics officer the key issues on maintaining code of conduct.
  • Discuss with fraud risk, information security and other risk officers the key issues they have faced during the year and their overall functioning.
  • Review in detail all documentation relating to material transactions, acquisitions and mergers.
  • Travel to other offices and locations to understand business operations.

This is not an exhaustive list; however, it will be beneficial in fulfilling audit committee members’ responsibilities better. Without gathering this information, the audit committee members would, to my mind, be doing superficial oversight.

8.  Effectiveness of Risk Management Programs

The financial crises got the focus back on risk management. In the annual reports, boards are required to comment on the performance of the risk oversight function. The board has the responsibility to ensure that the organization’s risk management procedures are commensurate with the company’s risk profile. In most cases, the board delegates responsibility for risk oversight to audit committees, especially when the organization does not have a separate risk oversight committee.

Risk reporting is generally done in the business review section, though integrated reporting of risks and internal controls is being encouraged. As per the Grant Thornton UK report, 63% of the FTSE 350 companies gave detailed descriptions of risks and focused on operational risks. The question that comes up is how audit committees assess the effectiveness of the risk management function and programs.

Let me take some of the challenges of risk management in the financial industry:

  • Risk management is increasingly complex for financial institutions as it involves managing interlinked strategic, financial, operational and systemic risks.
  • Risk managers do not have sufficient authority and are frequently overruled by business teams. In few cases, they play a role in strategic decision-making.
  • Risk managers do not have strong relationships with business teams.
  • Risk appetite is defined by the organization but data is so scattered that it is difficult to monitor when actual organization risk exceeds risk appetite.

During the financial crises some of the key examples were –

  • Royal Bank of Scotland (RBS) acquired ABN Amro Bank without sufficient details. It faced quite a few unpleasant surprises later on.
  • Lehman did not get timely funding as the actual worth of CDOs was considered overestimated, and hence had to file for bankruptcy.
  • AIG faced challenges in finding an investment partner since it didn’t have financial systems for integrated reporting.

Still, banks are increasing their risk profile in the coming year. Some may have improved the risk management function and reporting, while others may not have learnt their lessons.

In light of this, my question is simple. Are audit committees really in a position to comment and provide reliable assurance on effectiveness of risk management programs?

9.  Assessing Risk Culture

Loud noises after major frauds and financial crises repeatedly proclaim the same thing – “The risk culture of the organization was wrong”. It all boils down to the culture of organization and the attitude of the management towards risk taking. When Wall Street bankers received bonuses after the crises, there was uproar in the government and public. The outcry was bankers should be penalized for excessive risk taking, and not rewarded for nearly collapsing the financial sector.

Hence, the question arises: why doesn’t management do anything about the risk culture? The logic is simple if you view it from the CEO/CXO perspective. Their performance is evaluated on the quarterly numbers they give in the financial reports. To give that incremental growth, high risk taking is required. Building a risk culture requires a long-term commitment to reap rewards. While implementing a risk culture program, in the first year the performance might be lower as employees will not be as enthusiastic about taking risks. Moreover, the tenure of most professional CEOs is 4-5 years in a company.

Considering these aspects it is not surprising that only a few are committing to building a risk culture. Though the corporate scandals have reduced investor confidence and resulted in closure of many organizations, the belief persists that they will not land up in the same soup. However, there is enough evidence that a high risk taking culture can nullify all the efforts of risk departments.

To counteract the effects of high-risk taking, proactive chief risk officers focus on building the risk culture. Their challenge is that regulatory guidelines ensure lip service and real commitment is missing. The question remains: can audit committees help them in doing so?

Audit committees in my view can assess the risk culture by focusing on:

  • Remuneration of key personnel, including the bonus component linked to performance.
  • Code of business ethics adopted and implemented by the company.
  • Analyzing the extent of reputation and regulatory risks the organization is facing.
  • Reviewing reported ethical breaches.
  • The amount of risk appetite board has determined it is willing to take to meet strategic objectives.
  • The processes implemented to monitor risk appetite and key risk indicators.
  • Transactions entered that reflect conflict of interest to some degree.

In my view, audit committees can do much more to improve the tone at the top about risks. A continued focus from board members is likely to influence management in incorporating a good risk culture. A detailed explanation on the risk culture in the annual returns would be beneficial.

10.  Internal Controls

Last but not the least, audit committees’ responsibilities include ensuring that the organization has an effective system of internal controls. In some countries including India, the board is required to state in the annual report that proper systems are in place to ensure compliance with all the applicable laws of the country. If it is not so, then they need to provide an explanation.

As you may recall, the focus on internal controls increased worldwide after the spate of frauds (Enron etc.) in the US and the subsequent introduction of the Sarbanes-Oxley Act. On that premise, one would assume that most companies would have vibrant internal control systems now. Though all companies report on internal controls, the Grant Thornton report states that in the UK just 25% of companies provide a detailed description of the procedures adopted to evaluate the effectiveness of internal controls. Just 3 companies disclosed material weakness in internal controls. Hence, the quality of assessment of effectiveness of internal controls by audit committees comes into doubt.

Therefore, the question comes up – how do audit committees improve the quality of assessment? Although regulations are more geared towards audit committees reporting internal controls on financial systems, a broader view covering operational and compliance controls is preferable. To do so, audit committees need to understand the business objectives, strategy, processes and information systems of the organization. This will facilitate them in understanding whether the organization is geared and equipped to deal with day-to-day operational problems. In the current environment, management requires real time information for decision-making and managing business operations.

After gathering the abovementioned information, audit committees would be in a position to assess whether:

  • The right financial and operational areas were selected for internal controls review.
  • Procedures and practices followed for assessing internal controls were sufficient.
  • Any areas require further review.
  • The reported control weaknesses are material.

In short, though audit committees are focused on ensuring organizations have proper internal control systems, additional work can be done to improve the confidence in the assessments.

Closing Thoughts

Audit committees are a critical tool for corporate governance. However, presently in my view they are not significantly effective. Hence, emphasis on working of audit committee can add value not only to the board but also to the investors and shareholders. It might appear a tall order, but ensuring that audit committee meetings are frequent, maybe monthly, would very much improve the performance. Worldwide, the corporate world needs to take this route to ensure better governance and build investor confidence.

I rest my argument here; share your opinion with me.

References:

  1. Economic Times article – “Can the big four survive a break-up attempt”
  2. Evolution and effectiveness of independent directors in Indian corporate governance – by Umakanth Varottil, Faculty of Law, National University of Singapore
  3. Grant Thornton 2011 Chief Audit Executive Survey – Looking to the future: Perspectives and trends from internal audit leaders
  4. Grant Thornton 2010 Report on UK
  5. Corporate Governance in India – Evolution and Challenges by Rajesh Chakrabarti, College of Management, Georgia Tech
  6. Tata Motors 2010 Corporate Governance Report
  7. KPMG – Highlights of the 6th Annual Audit Committee Issues Conference 2010

Comments on Basel Committee’s consultative paper – The Internal Audit Function in Banks

The Basel Committee on Banking Supervision issued a consultative paper on the internal audit function in banks comprising 20 principles. This is a revision of the 2001 document and aims to promote a strong internal audit function and supervisory guidance of the function in banks. This is definitely a step in the right direction; however, it still fails to address some of the critical issues apparent during the financial crises. Below are some of my observations that may help the function to become stronger and more effective. I am being a devil’s advocate here and invite you to debate with me on these aspects.

1.  Independence and objectivity of internal auditors 

Principle 2 of the paper covers independence and objectivity of internal auditors. Point 15 mentioned below discusses the remuneration of internal auditors.

The independence and objectivity of the internal audit function may be undermined if the staff’s remuneration is linked to the financial performance of the business line for which they exercise internal audit responsibilities or to the financial performance of the bank as a whole.

My contention is that internal auditors within the organization can never be fully independent as their job, salary and bonuses are decided by the CEO/CXO. However, internal auditors/risk managers face the dilemma of getting appraised at year-end for being good critics of the decisions taken and work done by CXOs/CEO. Hence, there is a high possibility of being unfairly appraised on issuing strong reports. Senior managers may turn vindictive. This impacts independence as job, salary and bonus are dependent on senior management feedback.

The second aspect is about how internal auditors/risk managers should be given bonus. Should they be given stock options like other employees? The committee paper “Principles of enhancing Corporate Governance” states –

“Banks should take other steps to better align compensation with prudent risk taking. One characteristic of effective compensation outcomes is that they are symmetric with risk outcomes, particularly at the bank or business line level. That is, the size of the bank’s variable compensation pool should vary in response to both positive and negative performance. Variable compensation should be diminished or eliminated when a bank or business line incurs substantial losses.

Compensation should be sensitive to risk outcomes over a multi-year horizon. This is typically achieved through arrangements that defer compensation until risk outcomes have been realised, and may include so-called “malus” or “clawback” provisions whereby compensation is reduced or reversed if employees generate exposures that cause the bank to perform poorly in subsequent years or if the employee has failed to comply with internal policies or legal requirements.”

Now my question is, if it is later discovered that internal audit function failed to identify some control lapses and risks that resulted in huge financial losses to the bank, should their bonus/stock options be reduced subsequently? My view is yes, if they are receiving stock options and failed, then they should be withdrawn. However, if possible their compensation should not have a high variable component.

Lastly, rotation of internal auditors, a point that I consider relevant for maintaining independence, is not covered in the paper. Depending on the size of the bank, internal audit function key staff should be rotated to other subsidiary organizations or different functions every 3 to 5 years. Here the logic is the same as that applied to external auditors: with deepening business relationships, objectivity may be compromised.

2. Regulatory Compliance for Capital Adequacy and Liquidity

Principle 7 mandates that “internal audit function should ensure adequate coverage of regulatory matters within the audit plan.” One of the critical points covered relates to capital adequacy and liquidity assessment. The scope of audit should check compliance with the regulatory framework and assess the adequacy of capital resources in relation to bank risk exposures and minimum ratios.

From a banking perspective, I believe this is the crux of ensuring applicability of the going concern concept for banks. As seen from the financial crises, the banks that failed basically had insufficient liquidity.

My argument here is about what happens when the internal audit function does mention the problems in the report. Let me take the case of the RBS failure. RBS faced a liquidity crunch as the CEO had taken a strategic decision towards “capital efficiency” due to which it heavily relied on wholesale funding. As per the report, “the main weakness was the firm’s use of a 96% confidence interval in its assessment of how much capital it should hold, rather than the ‘standard’ 99.9%.” Secondly, the Supervision team was “concerned that the firm was underestimating the amount of capital that should be held.” The internal audit report also highlighted a few weaknesses relating to capital adequacy. A long term plan was developed to improve capital adequacy, however no change in capital efficiency strategy was envisaged.

Now my question is, in this scenario where internal audit function highlights key gaps and the same are ignored, what should be done? The FSA report on RBS failure states that no legal action can be taken as -

There is neither in the relevant law nor FSA rules a concept of ‘strict liability’: the fact that a bank failed does not make its management or Board automatically liable to sanctions. A successful case needs clear evidence of actions by particular people that were incompetent, dishonest or demonstrated a lack of integrity.

Errors of commercial judgement are not in themselves sanctionable unless either the processes and controls which governed how these judgments were reached were clearly deficient, or the judgements were clearly outside the bounds of what might be considered reasonable. The reasonableness of judgments, moreover, has to be assessed within the context of the information available at the time, and not with the benefit of hindsight.

According to the report, if senior executives ignore the internal audit reports and thus the firm suffers huge losses and goes bankrupt, they are not really legally liable. In my view, this is a flawed approach and encourages high risk taking since there is no downside to bad decisions.

My suggestion might raise a few eyebrows, nonetheless I think it is required to avert further financial crises. A few penal clauses should be incorporated in the guideline that ensure high risks/control gaps are addressed by senior management. If senior management/board choose to ignore high risks they can be penalized by removal and/or not getting a similar position in any other bank.

3. Review of Internal Audit Function by Board

Principle 9 mentions responsibilities of board of directors and senior management in respect to internal audit function. Para 43 states that -

At least once a year, the board of directors should review the effectiveness and efficiency of the internal control framework based, in part, on information provided by the internal audit function.

My contention is that an annual review is too little. Keeping in view the dynamic banking environment and global impact, review of the internal control framework for banks should be done quarterly. If not, at least it should be done half yearly.

Additionally, para 72 states that -

Supervisory authorities should receive periodically (e.g., on an annual basis), or upon request, the main internal audit findings and recommendations as well as the corrective measures taken or to be taken in response to the weaknesses identified, in the same way the audit committee is informed.

My view is the same here, it would be best to review the observations and weaknesses quarterly. An annual review would be historic and no corrective action would be possible.

4. Impact on bank’s Risk Profile

Principle 19 states that “supervisory authority should consider the impact of its assessment of the internal audit function on its assessment of the bank’s risk profile and on its own supervisory work.” In para 92 it further adds -

Where remedial actions cannot be agreed upon or where the bank faces ongoing delays in remediating the identified weaknesses, the supervisory authority should consider the impact of this on the bank’s risk profile.

A good example of this case is the CitiBank Rs 400 crore fraud (USD 76 million) conducted by employee (now ex) Shivraj Puri. The fraud case was filed with Gurgaon police in 2010. An internal report of Citi Security and Investigative Services (CSIS) was submitted five months before the date of the police case filing. Moreover, unusual activity in Shivraj Puri and his wife’s account was detected in its initial stages in 2008 by the fraud risk management team. The media report states that senior officials were aware of it and were involved in discussions, however did not take any action.

My argument here is the same as given in point 2. If there is failure to act on high-level risks, especially fraud risks, senior management/board can be treated as an accomplice to the fraud. Hence, the guideline should include a few penal clauses on failure to respond in time to identified risks and control gaps.

Closing thoughts

The framework fortunately does not subscribe to the COSO definition of internal controls and covers strategic risks. It also provides detailed guidelines on a number of aspects, including outsourcing of the function and managing the function in subsidiaries.

However, my view is that the guideline should be more stringent and include a few penal clauses. This might raise questions, as the guideline cannot replace the laws of the country. I understand that, so even a recommendatory guideline would be helpful. The logic behind this suggestion is that financial crises occurred due to bad decisions and high risk taking. It is unlikely that internal auditors/risk managers of the banks were entirely clueless about the high risks. In all probability management chose to ignore those warnings, hence the crash. Therefore, to avoid a similar disaster some measures need to be incorporated to ensure that management/board cannot override high impact risks that exceed the risk appetite/tolerance of the bank without being personally liable and accountable.

References:

  1. Citibank failed to act on Puri scam warning signals, says probe report - Economic Times
  2. The internal audit function in banks – consultative document – Basel Committee
  3. FSA RBS Failure Report
  4. Principles of enhancing corporate governance – Basel Committee