The continuous flow of scandals engulfing financial institutions has raised doubts about the effectiveness of their internal controls. «Systemic problems in compliance are usually a result of poor leadership,» risk management expert Daniel Bühr tells finews.com.

Johan Torgeby openly described the banks' fight against money laundering as ineffective. The industry is spending billions for very little result, the head of Swedish bank SEB said. This is incidentally a bank which has been sanctioned over money laundering scandals. What do you make of this?

Financial institutions are primarily responsible for compliance efficiency. Through effective governance and processes, they aim to ensure that anti-money laundering, for example, achieves its legal objectives efficiently. Long-standing, systemic problems in compliance effectiveness usually come down to poor governance, not poor regulation.

Torgeby is probably right to criticize that compliance spending is high, while at banks one scandal follows the next. Is the way institutions deal with risk dysfunctional?

In general, the way all organizations handle risk is dysfunctional. The situation with financial institutions worldwide is that they have not fundamentally modernized their control governance since the 1990s. These outdated governance concepts, a lack of clarity regarding the internal control system (ICS), as well as technically insufficient processes cause high costs with low effectiveness.

You worked as an expert on ISO standard 37000, a new standard for good corporate governance that integrally regulates the handling of risks. What are the chances that this standard will soon be used in banking?

The chances are high because the quality of the standard is good and because there is no alternative elsewhere in the world. The standard, one of the most important in the history of ISO, was developed by 77 countries and 24 organizations (including the OECD, the OAS, UNCTAD and the Institute of Internal Auditors). Thus, the standard is formally and de facto the global benchmark for good governance, including control governance (oversight). If financial regulators and institutions do not follow this standard, the general public will continue to bear the excessive costs of poor governance, as shareholders and taxpayers.

Is the slow change in thinking due to the fact that in the industry the costs are mostly borne by the shareholder, and only in exceptional cases is management held accountable?

I think that statement is too general. My impression is that managers still give too little weight to good governance and effective, systematic management. There is too much focus on short-term goals, with the result being that modern structures and effective instruments are not created under supervision and control. Control management then follows the principle of «too little, too late.» If regulators accept this, the overall system is sub-optimal, to put it politely.

What do you make of the credo that every banker must also be a risk manager? Can the customer managers monitor themselves?

This approach is a good one. I'll take the liberty of adding to it from a professional perspective: Every employee has the task of complying with the law within his/her sphere of influence and managing risks as a risk owner. In this sense, all employees at all levels manage their risks. The term risk manager, however, refers in a narrower sense to the specialist who, as a risk manager, is part of the internal control system (ICS) and assesses the risks of the business independently of the business, and reports on this to the highest authority in a timely, reliable and accurate manner.

The ISO 37000 standard also creates clear procedures for dealing with whistleblowers. In Switzerland, whistleblowers are regarded as «traitors» and the Swiss parliament recently softened their protection. What are the consequences of this hard Swiss line?

The consequence is a further erosion of Switzerland's reputation and influence in the world. We do not live on an island, not even in politics. If the global community and the EU create standards to protect whistleblowers, because they are the central element in uncovering violations, and we in Switzerland deny that this is an issue of good governance in all organizations, then we are once again turning away from a community of free, modern, open and democratic states.

Sensibly, Mark Branson has made dealing with whistleblowers a top priority at the German financial regulator Bafin. When Branson was director of Switzerland’s financial watchdog this was never an issue. Are other countries acting better in regard to this issue?

Whether other countries are smarter than Switzerland would require a more in-depth analysis. What is important to me is that Switzerland acts smartly. We all know exactly what constitutes good management (for example, that hierarchy doesn’t override control functions and if it does, it must assume responsibility).

Which risk does the Swiss financial center underestimate most?

The risk of not modernizing governance and settling for «too little, too late.»


Daniel Lucien Buehr is a partner at the Swiss commercial law firm Lalive. He specializes in regulatory and banking law as well as white-collar crime and compliance. Buehr is also a member of the International Bar Association, Swiss Management, the Swiss Association for Standardization and Honorary President of Ethics and Compliance Switzerland.