Risk management at Credit Suisse is in the spotlight after the twin Archegos and Greensill fiascos. But the fundamental reasons behind them could lie much deeper than the incidents themselves, given that the banking sector relies on questionable control practices.

It has been almost a year since Credit Suisse restructured its internal control framework. At the time, this mostly had an impact on its second line of defense, as the bank indicated.

Then chief risk officer Lara Warner took over the compliance function as the new Chief Risk & Compliance Officer (CRCO). Bank management under CEO Thomas Gottstein hoped that step would create a more effective control environment, but they also saw it as a way of eliminating duplication and, not least, saving on costs.

CRO Fired

Everything is again in flux now. Warner had to leave in April after the two debacles. Credit Suisse has again separated risk and compliance, with Joachim Oechslin heading risk and Thomas Grotzer compliance.

Besides that, the Swiss Financial Market Supervisory Authority (FINMA) started two investigations against Credit Suisse, both of which explicitly look at risk management. An internal investigation is also trying to figure out what happened. And Credit Suisse's new chairman, António Horta-Osório, has said that risk is a priority.

The external and internal investigations continue and many are eager to see what the conclusions will be. It is possible that further heads will roll. At the same time, it is much less likely that there will be any fundamental criticism of the way that Credit Suisse and other Swiss banks control their risks.

Standardized Paralysis

But such a discussion is relevant, important and overdue. The sector is relying on a model that goes back to the 1990s and that many experts say is completely unsuitable for the present day. This, at a time when detailed ISO norms pervade every corner of our daily lives, norms which even the banks themselves use.

Daniel Bühr, a lawyer, is one of those who has protested against the current state of affairs for years. A partner at Lalive, he has sacrificed countless hours and much effort to travel to places as far away as Australia to participate in risk management conferences. And he has not been shy about public criticism.

Roots in the 1990s

Bühr knows what he is talking about. He is a specialist in forensics and white-collar crime and he advises large companies on how to protect themselves from a variety of risks. He helped Thurgauer Kantonalbank resolve a tax dispute with the U.S. without having to pay a fine, while also assisting the bank in further developing its internal control framework. He is also honorary president of Ethics and Compliance Switzerland (ECS) and a member of the expert committee Governance und Compliance-Management at the International Organization for Standardization (ISO).

He is particularly critical of the three lines of defense, a control framework developed by the American Institute of Internal Auditors (IIA) in the 1990s.

Nobody Really Knows

A slightly more recent 2013 description of the IIA model is just seven pages long and describes the role of each of the three lines: the operational front line that manages the risks, the second line that supervises them, and internal audit as the third line providing assurance. It is an operational model that, because of its brevity, remains vague and can therefore be implemented in very different ways.

Bühr tells of industry conferences in which nobody can tell him exactly which functions and processes belong to any specific line of defense.

Case Study in Failure

The failure of the IIA model in banking is causing concern at the highest levels. The EU Commission, reviewing recent bank money laundering cases, said that the three lines of defense had failed in one or more areas, and it sprinkled its report liberally with case studies detailing how.

The Swiss banking sector, including Credit Suisse, broadly follows IIA guidance. This happens with the blessing of regulators. The Bank for International Settlements (BIS) Basel Committee on Banking Supervision uses the model as a reference and implicitly recommends it, Bühr said. Finma's banking sector corporate governance guidelines, which have been in force since 2017, also use it.

Confused Requirements

This is all mixed up with the ISO norms for management systems (ISO 31000 for risk management and ISO 37301 for compliance), which have been developed with an internationally supported methodology, although they are mainly focused on the independence of the various control functions.

This can lead to contradictions. The corporate governance guidelines demand that independent control functions supervise risks from a legal, regulatory and internal policy perspective. The compensation system for control functions shouldn't provide any incentives that could lead to conflicts of interest. The ISO norms say much the same, although they strongly segment and differentiate between risk management and compliance functions.

Front-line Controls Itself

Finma's corporate governance guidance, following the IIA model, treats the revenue-generating units as a control function (the first line of defense). Under ISO, however, and this is key, the front should never control itself. Systemically relevant banks have to appoint a head of risk who is a member of management and who can also head other control functions such as compliance.

But with that there is no independence. The head of risk would be part of the management compensation and incentive package, which goes against Finma guidance. Linking the independent control functions of risk control and compliance also makes the latter give up its independence, which likewise goes against the guidance, says Bühr.

Incentivizing More Risk

Finma has not responded to questions about the effectiveness of the guidance. Credit Suisse doesn't want to talk about its internal control framework. The assumption, then, is that it is currently evaluating whether it needs to change its corporate governance while, at the same time, it also needs to heed ISO.

Bühr also confirms that risk and compliance functions have inadequate corporate governance, on top of the fact that they lack a precise methodology for internal control systems.

Management and corporate culture are often at odds with risk capacity and tolerances, which usually incentivizes risk-taking without effective management or control.

A number of experts also maintain that control functions are not really independent of the front line and that they do not have the necessary competence, up to board of directors level, to fulfill their roles, duties or responsibilities.

Compliance Ignored

The case of the former Falcon Private Bank, related to Malaysia's 1MDB scandal, shows that these are not empty accusations. When FINMA sanctioned the bank in 2016, its report described in detail how compliance had been ignored.

But it is not generally the case that banks shy away from the ISO norms. IT departments, for example, have to follow strict standards. As finews has reported, the sector has paid more than half a billion dollars to implement the new SIC 4 payment system, ensuring compatibility with the EU's ISO 20022.

Massive Costs

Banks would have little to argue with if they tried to stop the implementation of modern systems that systematically capture banking and systemic risks. The opportunity costs of inadequate internal controls are real and horrific for the institutions and their shareholders.

You don't even have to look at the substantial Archegos loss. The Swiss National Bank recently calculated that the major domestic banks have to hold 7 percentage points more capital for operational risks than foreign competitors do. This is because they have been involved in so many incidents and legal cases in the past.

«No Alternative»

When you consider that UBS's and Credit Suisse's balance sheets are larger than Switzerland's annual GDP, you can figure out roughly what kind of numbers are being talked about, or could potentially come into discussion in future.

«There is no alternative», Bühr says. There are comprehensive international norms and acknowledged frameworks for risk management, compliance, IT security and anti-corruption. Many are technically precise and reflect international «best practice». For him, the matter is clear: if these frameworks and future corporate governance standards such as ISO 37000 are not followed, then a bank's internal controls will not be effective.

He warns: «Management will become increasingly liable for negligence.»