Governance, risk and compliance in the financial sector

An IT perspective in light of the recent financial crisis.

The recent financial crisis has brought renewed attention to governance of companies in the financial sector. Questions are being raised as to how we ended up in the current situation in a sector already heavily regulated and under tight scrutiny by financial authorities as well as market participants. Some of the answers must be found in the sector’s culture for corporate governance. 

by Kjell Johan Nordgard, Senior Vice President and head of global market support, SimCorp


The new millennium is still young – not even nine years old. Still, during this time, the world has already experienced two major market crises. The burst IT bubble in 2000 and the ensuing corporate scandals among giants like Enron, Xerox and WorldCom cost investors billions of dollars and sent shockwaves through the economy. The situation sparked a mistrust of the commercial system in general, and gave rise to the Sarbanes-Oxley (SOX) Act in July 2002. SOX sets new standards for all public US companies in order to ensure sound corporate governance and hence protect investors from losses incurred by bad management and controls, hidden risk and exposure or outright fraud. The need for common guidelines for corporate governance is however a global phenomenon, and SOX compliance was quickly adopted as a common benchmark for governance worldwide. However, despite the SOX initiative, the world found itself in turmoil again in 2008. This time, though, the scenario was different. Whereas the situation that led to the SOX legislation came on the back of the collapse of an overrated IT segment followed by revelations of cheating, fraud and bad management amongst leading blue-chip companies, this time the crisis struck at the very foundation of the capitalist system – the institutions in charge of ensuring availability of capital and funding of corporate activity.

The crisis started amongst the financial institutions with sudden collapses of big international banks like Bear Stearns, Lehman Brothers and Merrill Lynch as well as leading insurance groups like AIG and US mortgage lenders Fannie Mae and Freddie Mac. It spread like fire across the entire international capital marketplace and the financial system was brought to the brink of meltdown. Banks froze liquidity out of fear of counterparty default, and the mechanisms for funding commercial activity thereby basically came to a standstill. The entire corporate world was soon embroiled in a deep and spiralling crisis.

Overexposure and Transparency

So how could this happen in a market which is already heavily regulated by directives like Basel II, Solvency II, UCITS IV and IFRS, just to mention a few? The crux of the problem in the banking sector was that banks, already heavily geared and heavily exposed to the real estate sector, increased their gearing and their asymmetrical exposure through a combination of securitisation and regulatory arbitrage. Securitisation is in essence a very sensible construction, its purpose being to transfer risk from those responsible for raising funds over to the vast universe of private investors. In this case, securitisation was achieved by packaging loans as collateral for complex structured instruments like collateralised debt obligations (CDOs), collateralised loan obligations (CLOs) and collateralised mortgage obligations (CMOs). The collateral for these vehicles was corporate bonds and mortgage loans, many of them so-called subprime loans associated with high yield and high risk. Through a number of intermediaries who all charged lucrative fees for their contribution to the party, these loans, as if by magic, ended up on the shelves of the investment banks as AAA-rated investment products in the shape of CDOs.

This is however where the securitisation process failed. Rather than distributing these products to the mass market, the banks kept around 50% of them for themselves. So the securitisation stopped half way: the packaging succeeded but the distribution stopped, and the risk was not transferred but kept on the books of the banks. In addition, and in order to circumvent the Basel II solvency requirements, banks offloaded CDOs to different kinds of Special Purpose Vehicles (SPVs). To give these SPVs credibility, the offloading was however supplemented with liquidity and credit enhancements issued by the banks. Such enhancements are credit-light in Basel II terms, and the construction therefore effectively allowed the banks to increase their gearing by a factor of 5 compared to what Basel II would have allowed if the CDOs had been kept on the banks’ balance sheets. The problem was that the credit and liquidity enhancements meant that the risk in case of a collapse would still sit with the bank. What the banks effectively did was to write a put option to the market: “if the SPV fails to make its payments, we’ll cover for it”.

Was this excessive gearing and exposure understandable? From a short-term profit perspective – absolutely. From 1998 to 2006, house prices in the US were booming, and as the saying went, ‘when the music plays, you have to get up and dance’. Was it prudent? Not at all. Figure 1 shows the Case-Shiller price-to-rent ratio in the US, which basically measures how the price level for property purchase develops compared to the price level for property rental. The graph clearly shows an increasing imbalance building up in the new millennium. According to traditional asset pricing theory, the price of an asset ought to be the net present value of all future cash flows; for the property market that would be the net present value of future rental income. So the only reason for expecting the imbalance between rental and house prices to be sustainable would be a fair expectation that household income would increase correspondingly, so that renters would be able to pay higher rent. Figure 2, which shows the price-to-household index, shows that there was no reason to believe this to be the case. Household income was lagging behind to the same extent as rental levels. One can only guess why the carousel was then allowed to continue spinning at higher and higher speed. The explanation is most likely that the markets lost control through a lethal cocktail of weak corporate governance, short-term greed and lack of transparency and understanding of true risks and exposures. The big international banks operate in departmental silos, each with their own performance goals. With the new structured instruments, CDOs, CDSs, ABSs and so forth, it is difficult enough for a single department to decompose and assess the true exposures associated with these constructions. When you then add it up across several departments in different geographical locations, it becomes literally impossible for a board and the executive management to have a true feeling of the actual overall exposures and risks and hence to enforce sensible departmental limits and thresholds. Each department will then act solely out of local motives in the chase for this year’s bonus – something that probably works well in good times when everything points to the sky, but which is a risky recipe in stormy and unpredictable weather.

Figure 1: Case-Shiller price-to-rent ratio in the US

Figure 2: price-to-household index

Governance, Risk and Compliance (GRC)

The situation calls, again, for increased focus on corporate governance. The financial sector is faced with special challenges in this respect compared to other segments. The financial industry relies heavily on information, loads of information, and this information needs to be available at the right time, which, in many cases, means immediately. Furthermore, companies in the financial sector can rapidly change their overall risk profile, through actions undertaken by portfolio managers or traders, and the different firms are so intertwined in their business that the collapse of some big players quickly develops into a systemic crisis that affects the whole market.

As information is the key, sound corporate governance in the financial sector should start with creating the foundation for making the right information available to all levels in the organisation. And it really starts even one step before that, because information, according to Russell Ackoff, acclaimed systems theorist and Professor of Organisational Change, is ‘data that are processed to be useful’. A sound corporate governance policy therefore needs to ensure:

  • an enterprise data management (EDM) platform to provide all levels in the organisation with consistent, coherent and timely data;
  • the right analytical tools to transform these data into information;
  • a strong reporting platform to ensure that information can be consolidated and presented in the right format, for example at the right level of detail, at all levels in the organisation.

The analytical tools must cover the appropriate models for calculation of market risk, for example value at risk (VaR) as recommended by Basel II, credit risk and liquidity risk, among others. This is a prerequisite for being compliant with legislation, and its importance therefore almost goes without saying. Just as important, however, is how well the IT infrastructure is able to reveal true business risks, including exposures against counterparties in the marketplace. When Lehman Brothers filed for bankruptcy in September 2008, it took many stakeholders weeks to figure out their claims and losses. Those who had full transparency of their total exposures, also in the period leading up to the collapse, were able to protect themselves. Risk management is therefore not only about sophisticated maths and statistical models. The statistics will not help you much in times of extreme volatility or movement in prices. Sound risk management should therefore first and foremost take care of the bread-and-butter needs of the organisation. A company needs to have a true picture of how it is exposed and what the consequences are if such exposures turn into true liabilities.

Compliance Concerns Control Mechanisms

Based on the hypothesis that you do not get what you expect, you get what you inspect, legislators very wisely make huge efforts to try to control the financial marketplace in a way that promotes good corporate governance but preserves the basic ideas behind the free market economy. A company needs, of course, to comply with regulation. The consequences of not doing so will be fines, compensation claims, loss of reputation and even loss of licence to operate.

It is however important not to reduce control mechanisms to those that ensure compliance with external stakeholders. Just as important is to have mechanisms in place to secure compliance with internal governance policy and procedures. These must be seen as joint components of a company’s risk policy. Risk budgets should be allocated to all levels in the organisation, and proper compliance controls should be implemented to ensure the alarm bells start to ring if thresholds are exceeded.

IT Governance

This is why, in the financial world, it does not make sense to talk about corporate governance without also covering IT governance. The amount and versatility of the data, the sophistication of the analytical tools and the flexibility of the reporting tools are at a level that makes it impossible to cope without a sensible IT infrastructure.

According to the IT Governance Institute (ITGI), sound IT governance should:

  • be closely aligned with the business strategy;
  • deliver direct value to the company’s business model;
  • be the foundation for the corporation’s control and mitigation of risk;
  • ensure effective use of company resources;
  • ensure performance of the IT infrastructure is measurable.

Based on the overall business model, the IT organisation should therefore be given goals to secure delivery of true business value. Such goals should be made measurable (whenever possible) through key performance indicators (KPIs). The risks of not achieving the goals should conversely be quantifiable through key risk indicators (KRIs). Some examples of KRIs pertaining to stability, flexibility and security of the IT infrastructure could be:

Stability

  • statistics for central processing unit (CPU) usage;
  • statistics for network traffic;
  • statistics for database traffic and available space;
  • statistics for how fast the databases grow, taking archiving options into consideration;
  • statistics for downtime of applications in the infrastructure;
  • statistics for response times of applications;
  • statistics for recovery time in case of crashes.

Flexibility

  • statistics on how long it takes to set up a new portfolio or a legal entity;
  • statistics on how long it takes to add new applications to the infrastructure;
  • statistics on how long it takes to report total counterparty exposures;
  • statistics on how much redundant data (data which already exist elsewhere) a new application creates in the infrastructure.

Security

  • statistics on external hacking attempts, both successful and failed attempts;
  • statistics on internal breach of compliance rules and authorisation levels.
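The two security KRIs listed above, together with the threshold-based alarm bells called for in the compliance section, can be produced from ordinary authentication and authorisation logs. The following is an added example, not code from the article or from SimCorp, and the log format, field names, network ranges and thresholds it uses are assumptions made for the illustration; the log lines are constructed sample data.

```python
"""Security KRIs computed from a constructed event log, with threshold alarms.

Added example (not from the original article).  The log line format, the
internal network range and the thresholds below are assumptions made for
the illustration.
"""
import ipaddress
from collections import Counter

# Constructed sample events (not real data).  Assumed format:
#   <timestamp> <event-type> key=value key=value ...
SAMPLE_LOG = """\
2008-10-01T09:00:01 auth.failure user=jsmith src=203.0.113.7
2008-10-01T09:00:03 auth.failure user=jsmith src=203.0.113.7
2008-10-01T09:00:05 auth.failure user=jsmith src=203.0.113.7
2008-10-01T09:00:08 auth.success user=jsmith src=203.0.113.7
2008-10-01T09:12:40 auth.success user=amiller src=10.1.4.22
2008-10-01T09:15:00 auth.failure user=root src=198.51.100.9
2008-10-01T10:02:11 authz.denied user=amiller src=10.1.4.22 action=approve_trade limit=1000000 requested=2500000
2008-10-01T10:05:30 authz.override user=amiller src=10.1.4.22 action=approve_trade limit=1000000 requested=2500000 approver=self
2008-10-01T11:00:00 auth.success user=bkhan src=10.1.4.30
"""

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed risk budget per KRI: an alarm is raised when the count exceeds it.
THRESHOLDS = {
    "external_failed_logins": 3,        # a few typos are normal, more is not
    "external_successful_logins": 0,    # no interactive logins expected from outside
    "authorisation_limit_attempts": 5,  # requests above a trading limit that were refused
    "authorisation_breaches": 0,        # limit overrides approved by the requester
}


def is_external(ip_text: str) -> bool:
    """True when the source address lies outside the assumed internal networks."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_event(line: str) -> dict:
    """Split one log line into a dict of its timestamp, type and key=value fields."""
    ts, kind, *fields = line.split()
    event = {"ts": ts, "type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def security_kris(log_text: str) -> dict:
    """Count the security KRIs over every non-empty line of the log."""
    kris = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        external = is_external(ev["src"])
        if ev["type"] == "auth.failure" and external:
            kris["external_failed_logins"] += 1
        elif ev["type"] == "auth.success" and external:
            kris["external_successful_logins"] += 1
        elif ev["type"] == "authz.denied":
            # An attempt to exceed an authorisation level that the control stopped.
            kris["authorisation_limit_attempts"] += 1
        elif ev["type"] == "authz.override" and ev.get("approver") == "self":
            # A limit breach that went through because the requester approved it.
            kris["authorisation_breaches"] += 1
    return dict(kris)


def alarms(kris: dict, thresholds: dict = THRESHOLDS) -> list:
    """Names of the KRIs whose count exceeds its risk budget, in sorted order."""
    return sorted(name for name, limit in thresholds.items()
                  if kris.get(name, 0) > limit)


if __name__ == "__main__":
    counts = security_kris(SAMPLE_LOG)
    for name, value in sorted(counts.items()):
        print(f"{name:32s} {value}")
    print("alarms:", ", ".join(alarms(counts)) or "none")
```

The point of separating `security_kris` from `alarms` is that the counts are the reporting artefact (they feed the consolidated report at every organisational level), while the thresholds are the locally allocated risk budget; the same counts can be evaluated against a stricter budget for a trading desk than for a back-office team without recomputing anything. On the sample data the three failed attempts plus the root attempt from outside exceed the failed-login budget, the one external success and the self-approved override each exceed a zero budget, and the refused limit request stays within its budget.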

Conclusion

GRC is becoming increasingly challenging for the financial sector due to its complexity. It is however not always the best approach to throw a complex solution at a complex problem. For the financial industry it is crucial to get the fundamentals in place, and this means a proper IT infrastructure to ensure quality and timely data. If the foundation is not of appropriate quality, further sophistication will probably just exacerbate an already fragile information infrastructure. The extra information provided with the increased sophistication will therefore at best be of little or no value, and at worst be directly misleading and introduce further risks for the enterprise. When the data foundation is in place, sophistication can be increased over time as a controlled process, adding more and more value to the business. This journey must however be stated in the corporate governance policy, set out by the board of directors and executive management.

Kjell Johan Nordgard (MSc EE, BA Finance) is Senior Vice President and Head of Global Market Support at SimCorp. He has several years of experience with IT services to the financial sector, including consultancy and training services as well as delivery of strategic solutions for decision-making, reporting and risk management.