When a corporate scandal hits the headlines, news of a senior executive departure is never far behind. However, apportioning blame ex-post for failures of oversight has in the past been challenging.
Boards and regulators are increasingly looking to minimise ambiguity around who is responsible for shortfalls and to strengthen individual accountability. Individual senior managers are therefore under increasing pressure as stakeholders scrutinise their efforts to prevent control failures in their areas.
This shift has occurred across different industries and geographies. In the U.S., the Department of Justice issued the Yates Memorandum in 2015 (the same year the emissions scandal hit the automotive industry, amid a host of other high-profile corporate failings). The memorandum makes a company's cooperation credit in a misconduct investigation conditional on its identifying the individuals involved, reducing the protection previously enjoyed by executives who preside over corporate wrongdoing. Meanwhile, in the U.K., the 2016 introduction of the Senior Managers and Certification Regime ('SM&CR') by the Financial Conduct Authority ('FCA') and Prudential Regulation Authority ('PRA'), initially for banks and other deposit-takers, placed senior managers in financial services under a statutory 'duty of responsibility', or risk incurring the ire of regulators.
It is not just regulators and boards that senior managers must prove themselves to, though. Following the wave of corporate scandals which have recently hit the headlines, investors, employees and consumers are increasingly demanding reassurance that senior managers are taking appropriate measures to ensure that risks are properly controlled.
Whilst many senior managers accept the task of exercising increased oversight, demonstrating that they are doing so and that their efforts are effective is a different challenge altogether. SM&CR, for example, requires senior managers to take 'reasonable steps' to prevent regulatory breaches in their areas of responsibility, an open-ended requirement that leaves scope for different interpretations. So, how can individuals under the microscope demonstrate that they are discharging their responsibilities adequately? This article explores three interrelated ways of achieving this.
1. Concentrate on fixing bad behaviours
Failures of risk management almost always have one thing in common – poor corporate culture. Rewarding the right behaviours (and penalising the wrong ones) is central to embedding healthy attitudes towards risk, aligned to the strategy and objectives of the organisation. Evidencing improvements in corporate behaviour can be difficult, but by weaving cultural considerations into the performance management framework of their firms and teams, senior managers have a way of clearly demonstrating how good behaviour is promoted and evaluated in their areas.
Senior managers must satisfy themselves that the correct incentives and deterrents are in place to promote measured risk-taking among their staff, in line with organisational culture and strategic objectives. This requires the alignment of financial and non-financial rewards with the firm’s risk appetite and consistent application of robust performance and disciplinary procedures when standards are breached. Data relating to performance appraisals, policy breaches, whistleblowing and disciplinary procedures should be used to identify patterns of bad behaviour to be addressed via training and internal communications. Equally, senior managers must encourage honest feedback from staff to address behaviour which compromises the organisation. Various organisations including car manufacturers, banks, healthcare providers and charities have committed to promoting ‘speak-up cultures’ in response to their respective conduct scandals, resulting in the increased prevalence of 360-degree feedback and independent whistleblowing channels. Ultimately, senior managers require the engagement of all employees as risk partners in order to prevent control failures and their consequences.
2. Establish a robust policy framework
Policies, procedures and processes provide the blueprint for operations, governance and compliance. Establishing a hierarchy of unambiguous policies, detailed procedures and robust processes (and controls) is crucial in promoting common standards and providing reassurance to senior managers that controls are in place.
Writing a good document is not enough, though: maintaining and monitoring policies effectively is vital in ensuring that the business remains well controlled. There are numerous challenges involved in policy management, not least communicating policies effectively, making them easily accessible, tracking differing review dates and following up on outstanding attestations. Using policy management software can greatly reduce this burden and provide senior managers with the data they need to ensure that staff are properly engaging with business standards.
3. Make sure you are getting the right information
One might expect that senior managers often fail to spot issues in their business areas because they lack data. In reality, the opposite is often true. Senior managers are routinely inundated with management information ('MI'), but these reports frequently contain the wrong data in the wrong format, so the signal is lost in the volume.
It is incumbent upon senior managers to ensure that they receive the appropriate quality and quantity of information regarding the risks in their business areas to enable them to make decisions. Agreeing a set of Key Risk Indicators ('KRIs') which are reported on a regular basis and provide insight into how risk levels are changing is crucial, whether the indicators track key project milestones, customer satisfaction or financial performance.
Aside from improving decision-making oversight, implementing the regular reporting of well-designed MI allows senior managers to evidence to stakeholders that they are monitoring risks. For example, presenting a regulator with reports showing that compliance policy attestations were monitored over time demonstrates a commitment to maintaining a strong control environment.
The narrower focus on individual accountability has undoubtedly raised the stakes for senior managers. Leaders in dynamic organisations cannot involve themselves in all aspects of day-to-day operations, but they can take responsibility for embedding effective systems and controls which minimise the risk of control failures happening on their watch. Making sure these controls are adequately documented and tested not only provides clarity to staff, but also signposts to regulators or other scrutineers that appropriate action was taken to minimise risk if disaster does strike.
Joe Hill is a Senior Consultant within the Financial Services practice of FTI Consulting in London. He assists a wide range of financial services clients with matters arising from regulatory compliance and risk management issues. Having previously worked on major change programmes in both the public and private sectors, Joe has particular experience of delivering complex projects in the banking industry in the fields of governance, conduct and financial crime.