Regulatory revisions make corporate governance top priority

NEW YORK -- Corporate governance, as an operational risk subject, is rapidly increasing in importance thanks to both the revisions to the Basel Accords and the US Sarbanes-Oxley law. Going forward, senior executives and board members at financial institutions will have to sign off on their firm's accounts -- making sure they have the correct information at their disposal, and that they feel comfortable with those accounts is itself an operational issue. The penalty for mis-stating the accounts is not only regulatory wrath, but also substantial reputational damage and the possibility of legal action from shareholders.

In addition, shareholders will now be privy to increased amounts of risk management information, including op risk information, in public documents. The third pillar of the Basel Accord revisions specifically makes use of public disclosure, on top of regulatory disclosure, as both carrot and stick to ensure that firms strive to implement sound risk management practices. Banks must grapple with what risk management information to disclose to investors, and the best way to disclose it.

Bringing together all this data -- credit, market, and operational risk information -- will be a substantial challenge for many firms. And firms will not only have to comply with Sarbanes-Oxley and the Basel revisions, but internationally active firms will also face new corporate governance regulations from other jurisdictions. The European Commission, for example, issued a proposed directive in late March designed to increase investor protection and transparency. The proposal is the result of a two-year consultation process, and will impact companies that have securities traded in a regulated market, such as a stock exchange. Other jurisdictions in the process of enacting corporate governance legislation or promulgating new rules include France, the UK, Singapore and Canada. Even the Bank for International Settlements' Financial Stability Forum is weighing in on corporate governance. In a late-March statement, the group urged the OECD to revise its corporate governance principles to provide "more substantial guidance on applicability, implementation and enforcement in different economic and legal contexts."

So more corporate governance regulation is probably on the way. But for now, the combination of the Basel revisions and Sarbanes-Oxley is forcing "the banks to look at this from a much broader perspective than in the past," says Charles Herel, vice-president of marketing and business development at FRS, a reporting software company, based in Boston. For Basel II, banks will have to report risk information from their operations worldwide. Herel says, "that's a challenge because of the data requirements. It's a data problem."

Tackling the data challenge

Individual firms are tackling this challenge in different ways. For example, Credit Suisse First Boston (CSFB) has set up a variety of committees within the firm to collect and communicate information on operational risk. However, Wilson Ervin, New York-based managing director of strategic risk management, admits that deciding who should sit on each committee is not always that easy, in part because op risk issues often involve a variety of disciplines, such as audit, compliance, business units, systems experts, and so on. "There is a real challenge that we are facing when it comes to the corporate governance of operational risk, because the subset of people who need to address a particular issue will vary," he says. "It is something that we are trying to develop a more structured approach around."

Blackrock, the New York-based asset management company, has put in place a "sub-certification" system so that responsibility for Sarbanes-Oxley sign-off is distributed throughout the firm, according to managing director Charles Hallac. Each business unit has a series of questions tailored to its activities, which must be answered once each quarter, and then the results certified. CSFB has also put a similar framework in place. Says CSFB's Ervin, "I do think the original Sarbanes-Oxley, which asks people to put their hand up and say they are accountable for the quality of the financial statements, and the impact that's had on firms to push that down to get other people to raise their hands, I think that's helpful."

At Royal Bank of Scotland, Fred Bell, head of group operational risk, is using a risk mapping process to help create an internal corporate governance structure. "Mapping policies and processes against risk categories to ensure total coverage is key," says Bell. As part of this programme, a designated person within each business unit was assigned the task of rating a series of people, asset and systems risks on a scale of 1 to 5 at the end of 2002. This self-assessment programme is then compared with internal key risk indicators, and also real loss events that the firm has experienced. This framework provides the information needed for compliance with UK corporate governance rules, says Bell. He adds, "we have a framework, the framework has substance, and people understand what their requirements are within it."

Ellen Leander
