Wells Fargo: What Should Have Happened

wells-fargo

When Wells Fargo fired 5,300 employees in September for inappropriate sales practices, then-CEO John Stumpf approached the scandal with an outdated playbook. In response to the $185 million in fines levied by regulators, he first denied any knowledge of the illegitimate accounts. Attempting to mitigate press fallout by distancing the company from a group of “bad eggs” acting independently is not the answer, however. Even if Stumpf had maintained this assertion of innocence, changes in the risk environment over the past few years demand a proactive approach.

Rather than simply deflecting responsibility in these situations, executives must be able to accomplish two things:

• Provide historical evidence of due diligence and risk management (if such a program was actually used)
• Demonstrate how the company is adjusting its policies and/or implementing new policies to ensure a similar incident doesn’t happen in the future

In 2010, the SEC’s Proxy Disclosure Enhancement (rule 33-9089) explicitly made boards of directors responsible for assessing and disclosing risk management effectiveness to shareholders. It mandates the use of risk monitoring systems to demonstrate that existing controls (mitigation activities) are effective. Under this rule, “not knowing” about an activity performed by employees is considered negligence. This is a crucial development; negligence carries the same penalty as fraud, but it does not require proof of intent. The Yates Memo (2015) gave the SEC ruling more “teeth” by requiring organizations to provide the Department of Justice with all the facts related to responsible individuals.

As a result, many companies have suffered significant penalties and frequently criminal charges, even though their executives were allegedly unaware of illicit activities. Consider the emissions scandal at Volkswagen and fines paid (to the SEC) by global health science company Nordion Inc. In both instances, deceptions were perpetrated by individuals below the executive level, but senior management’s inability to detect/prevent the incidents came back to bite them.

How to Prevent Risk Management Failures at Your Organization

John Stumpf’s approach should have started with an admission of Wells Fargo’s failure in risk management processes across the enterprise, followed by evidence that a more effective, formal enterprise risk management process is being implemented. For example, risk assessments must cascade from senior management down to the front lines and across all business silos. This ensures that the personnel most familiar with operational risks (and how to mitigate them) can keep the board informed.

In other words, instead of simply apologizing and attempting to provide restitution, Stumpf should have demonstrated that Wells Fargo is taking proactive risk management measures to protect its many stakeholders. It is the company’s duty to ensure that something like this never happens again.

The scandal is predictably following the same track as have previous failures in risk management: it starts with regulatory penalties, then leads to punitive damages, class action lawsuits, and finally, criminal charges and individual liability, depending on the particular case. The key to this pattern is the absence of adequate risk management, which means negligence under the new enterprise risk management laws, regulations and mandates passed since 2010.

The good news is that avoiding serious, long-term consequences is possible if proper actions are taken. For example, by providing a historical record of risk management practices, Morgan Stanley avoided regulatory penalties when an employee evaded existing internal controls. Other corporations that can provide evidence of an effective risk management program (risk assessments, internal controls that address risks, monitoring activities over these internal controls, and an electronic due-diligence trail) are largely exempt from punitive damages, class-action lawsuits, and possible jail time.

When implemented proactively, effective risk management systems have and will continue to prevent scandals, regulatory fines, litigation and imprisonment. For a more in-depth analysis of the Wells Fargo scandal, read the LogicManager blog post “The Walls Fargo Scandal is a Failure in Risk Management.”

Cultivating a Reporting Culture

While many organizations view whistleblowers as disgruntled employees looking for revenge and monetary rewards from the SEC, this is generally not the case, according to a recent study.

According to “Embracing Whistleblowers: Understand the Real Risk and Cultivate a Culture of Reporting,” by The Network, whistleblowers most often turn to the U.S. Securities and Exchange Commission only after they have tried reporting internally, or if they are concerned about retaliation by their company. In fact, only 20% ever reported to someone outside their company.

Organizations can do much to protect themselves, while also looking after employees. Since the majority of employees go to the company first with their concerns, organizations have an opportunity to address issues before regulatory involvement.

According to the report:

The fact that whistleblowers may prefer to keep things in the company doesn’t mean they won’t turn to the government or media if they think it necessary. Sixty-five percent of surveyed employees would be willing to report externally, “if my company didn’t do anything with my internal report.” An even higher percentage would report externally, “if keeping quiet would cause possible harm to people” or “if it was a big enough crime.”

How can companies manage this risk? By encouraging a strong “reporting culture,” they can learn about, and take care of potential problems through quality hotline reporting programs, The Network said.

Hotline programs have been around for years, but are more important than ever in today’s regulatory and business environment. Compliance teams should stop thinking of hotlines as purely telephonic; they’ve grown to include mobile and Web-based reporting solutions that give employees and others a safe and reliable way to raise their concerns internally via whichever method is most comfortable for them. They also give the compliance team important insight into what is going on inside the company.

 

RMORSA Part 4: Risk Monitoring, Control & Action Plans

The fourth step of ORSA implementation, risk monitoring, control, and action plans illustrates the importance of adhering to best practices when executing risk culture and governance, identification and prioritization, and risk appetite and tolerances.

With the necessary structure in place to track and collect risk intelligence, the next step involves orchestrating a plan for improvement. Why is a plan for improvement so critical? Besides limiting the risk exposure of your organization, consider that under the SEC Rule Proxy Disclosure Enhancements, boards of directors and executive leadership can be found negligent for having inadequate or ineffective ERM programs. Having a demonstrable plan for improvement, however, can greatly reduce or even exempt companies from penalties under the Federal Sentencing Guidelines.

The Right Way to Monitor Control Activities

Boards and CEOs are depending on risk managers to monitor key risk indicators at the business process level. This can be accomplished one of two ways: testing or business metrics.

Testing provides a high level overview of whether a control is occurring, usually in the form of a simple pass/fail. Testing does not, however, provide actionable steps to take in order to improve a mitigation activity. The result is that many organizations are only testing compliance with internal policies, which may or may not tie back to the specific risks that the policies were designed to mitigate.

Here’s an example: an insurance organization with an online customer service system is experiencing unacceptable downtimes, and the appropriate staff members never seem to be available to fix the problem. The organization implements what would appear to be a reasonable control activity, by insisting that every member of the support team be trained to refresh the system. The company tests internal compliance with this policy by tracking whether the online training has been completed. Unfortunately, even if everyone takes the training, the company has no idea whether this control is fulfilling its purpose.

In testing compliance to the policy, the organization has lost sight of the risk. If they had tracked a business metric, like system downtime, however, they would have realized that the controls in place made no difference to the impact or likelihood of system failure. Business metrics may have indicated that the system was going down during peak usage hours, like lunch, when staff was unavailable. With no business metric tracking, the organization continued with a Band-Aid approach when money might have been better spent upgrading system memory.

Developing the Action Plan

To avoid this common pitfall, your key business metrics need to be aligned not only with the control activities you’ve designed, but the risks they were designed for. Keeping track of these linkages can be impossible with two dimensional spreadsheets, but is critical to monitoring the risks you’ve identified so that your action plans and control activities are meaningful and measurable.

As a risk manager, approach process owners in need of assistance with mitigation plans geared toward their most severe risks. As you develop actionable plans for improvement, don’t lose sight of the end goal or fall into the trap of testing controls rather than monitoring risks.

Interested in the best way to monitor or audit your risk management program? Check out the RIMS Risk Maturity Model Audit Guide, also available through the RIMS Risk Maturity Model.

Officer Requirements When Blowing the Whistle on SEC Violations

Over at Risk Management, we have a new article on some of the considerations corporate officers must consider before blowing the whistle on their own companies. With the new SEC Whistleblower Program, there are some new nuances but the core advice remains the same as common sense would suggest: officers should first try to report the problem internally but if that isn’t possible (for example, because the violations are occurring at the very top or the officer fears retribution) then they should by all means inform the SEC.

Here is more from article authors Lawrence A. Hamermesh and Jordan A. Thomas.

It is when the internal reporting system breaks down that the most serious problem for officers arises: the officer reports misconduct through the appropriate channels, but the report is ignored or the response is otherwise inadequate. In that situation – and also when the officer has a reasonable belief that reporting internally will be inappropriate or futile — the officer must determine whether to report the matter to an outside party, such as the SEC or another law enforcement authority. It is here that the officer’s fiduciary duty of loyalty intersects with the potential for an SEC whistleblower award. Would the officer’s duty of loyalty prohibit him or her from reporting the misconduct to the SEC, where such reporting is at least partly motivated by the hope of receiving a monetary award?

For several reasons, the most likely answer is “no.”

The duty of loyalty does not prohibit self-interested conduct by officers; it simply prohibits such conduct if it unfairly affects the corporation. Yet, in at least some cases, external reporting will actually be in the best interest of the corporation: while a whistleblower submission could lead to an eventual enforcement action against the corporation, it might result in substantially smaller sanctions and related private settlements than if the officer remained silent and the illegal conduct was allowed to continue and grow larger.

Related to that, adverse effects on the corporation’s reputation might be minimized by limiting the reach of corporate misconduct.