Devolution of risk management

Published 10 December 2008

In response to the savings and loan scandal of two decades ago, the United States has enhanced the regulatory and compliance regime (FDICIA, SOX); the problem is that compliance or regulation is necessarily historically based — it addresses the sins of the past and is not designed to anticipate the future.

Companies now operate in an environment in which risk management has been hopelessly confused with compliance. Bill Sharon writes that compliance or regulation is necessarily historically based — it addresses the sins of the past and is not designed to anticipate the future. The management of risk is supposed to be about the future, though. Clearly, he writes, given the continuing collapse of the financial system, risk management functions throughout the world have failed. How did we get here? “We narrowed the definition of risk and created staggering complexity at the same time,” he says.

One of the key elements in the devolution of risk management in the United States was the passage of FDICIA (Federal Deposit Insurance Improvement Act) in 1991. The law had unintended consequences. In response to the savings and loan scandal (remember Kenneth Keating?), the act resulted in a fundamental shift in the structure of regulation in the financial services industry. In the past, Sharon writes, regulators would announce their arrival, examine various parts of the operational and financial aspects of a bank’s organization, and issue a report. The savings and loan scandal demonstrated the futility of that process. In passing FDICIA the regulators essentially conceded that there were more ways to fiddle the system than they could police so they transferred the process of regulation to the banks themselves. The act basically states that financial institutions accepting deposits had to review their processes on a regular basis and disclose any “material weakness” to the FDIC.

The passage of Sarbanes-Oxley codified the regulatory reliance on self-assessment for all publicly held companies; “essentially we now have FDICIA for everyone,” Sharon writes. Once again, risk management organizations embraced this new function, and for several years there was a boom in SOX consulting. Unless something changes, we are likely in for another round of regulation and legislation that will again expand the number of risk managers dedicated to compliance functions.

The problem, says Sharon, is that compliance and reporting requirements are not the issue. “It is the taking of risk that needs management in our complex interconnected world. It is the taking of risk that cries out for the convergence of perception of those risks in the context of what an organization wants to achieve.”