Managing risk is more about culture than process
Sandy Weill, the former CEO of Citigroup, called last week for US banks that were “too big to fail” to be broken up. He joined a growing chorus of regulators, politicians, academics and even other bankers worldwide who see the industry’s future in two distinct categories: high-risk, high-reward investment banking and safer retail banking.
But neither ring-fencing, as proposed by the UK’s Independent Commission on Banking last year, nor full separation, which happened in the US in the 1930s under the Glass-Steagall Act, will meet their objectives unless risk management – and the cultural tone that enables it – is improved.
Attempts to improve risk management and internal control are evident. Since the financial crisis five years ago, the recruitment market for risk management and compliance staff has been relatively buoyant. But is it enough simply to create a bigger risk and control capability, or does the philosophy behind the management of risk need to be questioned?
The results of a recent survey reported in the Financial Times suggest that risk management in the largest banks and insurance firms is at least 20 years behind that of their peers in the aviation industry. Its conclusions are based on the reactions of those banks and insurers to scandals including Libor-fixing, money-laundering and IT failures. According to the study, their response was to install more “box-ticking” processes and ways to link staff bonuses to risk performance. While this is acknowledged to be a natural move, the survey’s authors contend that it is an immature response, which encourages non-reporting by managers. It means that assurance functions and, ultimately, boards and risk and audit committees, are unlikely to know much about what’s actually happening.
The message here is that how the process is managed is as important as the process itself. And the “how” reflects the prevailing culture.
The causes of most incidents making the front pages are fundamentally cultural. Internal auditors in the financial sector can help boards to become more proactive in creating the right risk management culture. In future, their role must enable them not only to evaluate the quality and scope of controls through their work with managers, but also to encourage continuous improvement in how risk is perceived and managed from the top down through their engagement with boards. They must also maintain the regulators’ confidence through an effective dialogue. Internal audit needs to strike the right balance in its relationships with this tripartite group of stakeholders in order to gain enough influence to ensure that risk is managed appropriately over the long term.
So, whatever partitions are put in place to recognise the very different appetites for risk in retail and investment banking, internal audit is key to their success in creating and maintaining the right attitude to risk and rebuilding trust in the industry.
Ian Peters, CEO at the IIA.
