Clean. Simple. 100% Finance.


Failure of risk governance in the Indian banking system

In Banking, Risk, Risk Management on July 2, 2018 at 9:47 am

 


In the Nirav Modi case, a single rogue employee’s actions have threatened to wipe out more than a quarter of Punjab National Bank (PNB) shareholders’ equity. This incident follows other similar international scandals in which Nick Leeson brought down Barings Bank, and Hamanaka caused significant losses to Sumitomo, both in 1995. This brings up the question whether such occurrences can be prevented or at least minimised with a long-term solution rather than simply a quick fix.

Enterprise Risk Management (ERM) is designed to minimise the likelihood of such occurrences. The state of the art is to use ERM for risk management and the three-lines-of-defence model for risk governance. Worldwide, financial institutions such as banks and insurance companies have implemented risk governance and are continuously improving their practice of it. India trails behind international best practices in risk governance by almost a decade.

Before ERM, companies relied on Traditional Risk Management (TRM) where each department or project head used to manage the risk in their own areas of operation. Organisations were unaware of their risks in a holistic manner. In 2004 the Committee of Sponsoring Organizations (COSO, a group of US-based academic and practitioners’ organisations concerned with financials and assurance) introduced an ERM framework. Under this framework, the board of directors plays a key role in setting and overseeing the risk governance infrastructure, ERM policy, and risk appetite statement, and management executes it. Risk appetite sets the amount and type of risk a company is willing to take to meet its strategic objectives. A set of risk-mitigation and reporting processes support the execution of the adopted policy.

The three-lines-of-defence model is a structure for risk governance in which front-line staff represent the first line, the board and risk professionals such as chief risk officers (CRO) are the second line, and auditors the third. The first line of defence is responsible for managing its activities within the bounds of the risk policies and frameworks set by the board, and for reporting risk events and emerging risks. The second line of defence oversees risk management. The CRO’s office ensures that risk limits are followed and reported. The board sets the risk policy by specifying the types and degree of risk that the company is willing to accept. It sets and enforces clear lines of responsibility and accountability. The third line of defence consists of auditors who provide independent assurance that risk governance is working as it should. Risk culture ties together the three lines and reflects their collective beliefs, values, and attitudes towards risk based on their shared understanding of the organisation’s ERM policy.

Indian regulations too require risk governance. Financial institutions such as banks and insurance companies are required to form risk management committees of their boards, and have a risk governance infrastructure such as an ERM policy and risk appetite statements. However, the P.J. Nayak Committee on banking reforms found that Indian bank boards spend hardly any time on strategic matters such as risk management. It quotes one example in which the board spent as much time on the taxi fare reimbursement policy as on NPA recovery. With a lack of leadership from the top, it is not surprising to find a poor risk culture and the occurrence of incidents such as Nirav Modi’s.

In our research on risk governance, we find that even in advanced countries a regulatory nudge is generally necessary for financial institutions to adopt risk governance seriously. It is common worldwide, especially on complicated issues like risk management that are difficult to do well, that companies comply in form rather than substance. Regulatory skills and expertise therefore determine whether companies comply in substance or merely in form.

After the global financial crisis of 2007-08, risk became a major issue for regulators worldwide. They attributed the crisis to excessive risk taking and a lack of risk disclosure, and levied heavy penalties. The year 2013 was the most disastrous year in terms of penalties for financial institutions. In the U.K., the Financial Services Authority (FSA) was split into the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). Regulators such as the FCA have moved from regulating just conduct to regulating culture as well. Culture cannot be measured, but with the right expertise it can be managed.

The FCA’s focus on culture required an increased focus on changing the systems and processes within companies to integrate new regulatory requirements. One large and mature British insurance company we studied already had all the elements of the risk governance infrastructure in place, and yet found that it was not meeting the FCA’s high expectations on risk culture. It took up the challenge of enhancing the risk culture and was able to do so by developing a cognitive risk culture, one where people across all three lines of defence understand risks well, and also their responsibilities in relation to those risks.

The change was accomplished by creating a cadre of first-line staff called risk champions who are not risk experts; rather they are front-line staff working partly with the risk function and given an extra role of creating risk awareness in the organisation. The risk champions helped improve communication between the first and second lines of defence. The company also developed IT tools to better communicate risks throughout the organisation. The improved communication resulted in the development of a cognitive risk culture.

The regulatory push therefore led to an improvement even in one of the largest and most respected companies. Our learning from this case is that regulators can make a difference even to well-managed companies. Company executives and boards can make a difference by adopting the spirit of continuous improvement.

Indian banks need to align risk culture with the three-lines-of-defence model not just in form but also in spirit, so that risk becomes a part of day-to-day decision-making rather than a year-end audit or compliance activity. To this end, India needs board members and senior executives of financial institutions to develop the skills and expertise that would put them on par with the best globally. To shape risk governance in banks, the Indian banking regulator, RBI, needs to act as a supervisor to guide, nurture and improve the current standard of risk governance. To do so, the RBI must develop expertise and keep up with global best practices. Sustaining economic growth requires nothing less.

(Views expressed are personal.)

Originally published in Fortune India: https://www.fortuneindia.com/amp/story/opinion%2Ffailure-of-risk-governance-in-the-indian-banking-system%2F102074


PSUs: A better half or worse

In Banking, corporate governance, Insurance, Legal, Risk on February 17, 2018 at 4:58 am


An Indian PSU such as Life Insurance Corporation (LIC) is no doubt a better half of the Indian insurance industry, with total assets of USD 340 billion. Following the leaders from China, Germany, and France (ranked 1st, 2nd and 3rd in the Forbes list of Global Insurers), LIC is ranked among the top 50 global insurance companies, though it is still not listed on a global stock exchange, where almost all large insurance companies are listed. On the other side, there are several worse halves in the Indian financial industry. Since the 2007-2008 crisis, bad NPAs in banking and insurance frauds have put pressure on the liquidity position of the Indian financial industry and raised debates over the inefficiency of PSUs. Almost half of the premium from general and health insurance business in India comes from four large Public Sector General Insurance Companies, and more than half from one single public sector life insurance company (LIC). The recent initiative of the government to merge the three worse halves (National Insurance Company, United India Insurance Company, and Oriental Insurance Company) to make one better half is one attempt at providing them with strategic direction. In this blog, I am going to discuss what went wrong with these PSUs, how they became the victims of resistance to change (Senge, 2014), and the way forward to becoming the better half.

Indian PSUs have lived for today at the expense of tomorrow and have not been able to adapt to global practices. For example, when a company is listed on NASDAQ, it has to comply with several rules, particularly the implementation of risk governance and risk management at the holistic level. Implementing Enterprise Risk Management (ERM) and risk governance takes years: the infrastructure has to be set up, an ecosystem for a good risk culture has to be created, and the risks have to be monitored. Indian PSUs, in general, face several challenges in following these global practices due to a lack of tone from the top.

Challenge 1: We don’t have time for this stuff

After decentralisation in 1997, PSUs had to work hard to retain their market share against aggressive private sector players. The cut-throat competition looks never-ending, and in it PSUs adopted a defensive approach. Some PSU senior executives were busy with the expansion or retention of market share, and others with managing business operations. Practically, the issue was: who has time for risk management in growth-oriented markets? In fact, if the government wants them to follow risk management, PSUs need time for reflection and practice.

Challenge 2: We have no help

Even if PSUs accept that implementing risk governance and risk management is important for maintaining their global position, and is part of the requirement for maintaining legitimacy in the international market, who will help them? In the last few years, PSUs attempted to execute ERM with the support of some market consultants but ran into issues of inadequate coaching, guidance, and support.

Challenge 3: This stuff is not relevant

PSUs are unaware of the benefits of these global practices due to a lack of exposure. Senior executives ask questions such as: what will I achieve if I implement risk governance in five years? They are also unaware of why new efforts and learning capabilities are relevant to their business goals. In fact, they face several challenges related to fear, anxiety, or concerns about exposure: what if the implementation of ERM does not deliver any value? This challenge is more related to the negative assessment of the problem.

Challenge 4: We have the right way/they don’t understand us

PSUs are facing the challenge of overwork. Before the decentralisation of 1997, employees used to work in comfort (10 am to 5 pm); after the entry of private players into the insurance industry, work pressure suddenly started percolating. Executives are working day and night with no great appreciation and are still called the worse half. New recruitment has been stopped, and with under-staffed and overworked departments, the executives are responsible not only for regaining the market position but also for competing in the global market. How is that possible? On top of that, there is now the new expectation of adopting ERM and risk governance. Who has time for this stuff? They have the right way but nobody understands them; they have given their whole lives to the development of the company and, instead of recognition, divestment is the worst idea.

Challenge 5: We keep reinventing the wheel

PSUs’ arguments are based on the premise that, if the world’s top 50 insurance companies are implementing ERM, then we should implement it too, so tell us how they have done it. Why do we keep reinventing the same wheel, which has already been discovered by so many organisations, while ignoring the current research? Research from Harvard says that there is no one way to implement risk management in an organisation; it depends on the context, so it would be different for every organisation. ‘One size does not fit all’ holds true in the case of ERM implementation (Mikes & Kaplan, 2015).

What may work for PSUs?

Certainly, PSUs need profound change to overcome the many challenges they face in adopting global practices. Can short-term training help PSUs overcome those challenges?

Daniel H. Kim, co-founder of the MIT Center for Organisational Learning, found a major limitation in the way traditional companies think. His findings revealed that companies like to name individual factors critical to success, and these remain in isolation rather than being seen as interrelated sets. For example, companies try to make a list of the top 10 risks, or of critical factors hampering the achievement of organisational objectives, without thinking about the key ways in which the risks are related to each other. The next issue is that companies want to set priorities. He found that a list-based approach has several problems, such as the ‘Divide and Conquer Strategy’, in which people do not consider important intersections among different factors. He believed that systems thinking and organisational learning can put in place a theory of how managerial action can resolve the problems. These learnings can be applied to PSUs in the current context.

To improve their current position, PSUs can form a group along with private insurance companies to learn risk management at the industry level. My previous two blogs on ‘do Indian Insurance Market need a Professional CRO forum’ and ‘role of CRO Forum’ explain the concept in detail.

See https://finguru.org/2016/01/18/do-indian-insurance-market-need-a-professional-cro-forum/

See https://finguru.org/2016/02/26/role-of-cro-forum-in-india/

The major questions PSUs need to ask before engaging in a learning approach:

Why is the change required? What went wrong?

Who wants change to happen? What results are expected?

How will the change happen and who will support it?

Who will be involved and what is our personal contribution and gain?

Peter Senge, Assistant Professor at MIT, believed that, to make these learning efforts sustainable, the efforts should be designed so that each could learn from the others. A lesson for PSUs from several kinds of literature is: “Don’t try to learn in silos, learn together, learn from others and share learning. Start small, create trust, set the example, understand interconnected issues, and then resolve critical issues. This way, PSUs can resolve many issues at one go.”