Non-executives need more risk oversight claims Moore at IRM
Many organisations need to make rapid changes to their culture, behaviour and balance and separation of power in the boardroom. They also need to introduce measures to ensure the provision of independent assurances about the management of risk, he said.
Mr. Moore told Commercial Risk Europe that regulators are making the correct noises on these issues for the financial sector at least. But he said that they need to go further.
The Walker report into corporate governance in the banking sector, published in late 2009, appears ‘rather woolly’. And the U.K.’s Financial Services Authority has ‘not bitten the bullet on formally taking into account and assessing culture in their supervision,’ he said.
hide
To address some of these concerns, people responsible for control functions, such as risk managers, internal auditors and compliance officers, should essentially report to the non-executive, rather than the executive officers, to ensure a balance and separation of power, said Mr. Moore. He also called for the creation of a new non-executive role within organisations for this purpose and the need for regulators to independently assess the culture within organisations.
Mr. Moore’s firm Moore, Carter & Associates carried out a recent survey entitled, The RiskMinds 2009 Risk Managers’ Survey: The causes and implications of the 2008 banking crisis – with Professor Andrew Kakabadse of Cranfield School of Management. Mr. Moore said that many respondents believed that the financial crisis had been caused by failures in culture and ethics, rather than technical or process failures in risk management.
The majority of risk professionals surveyed said that they saw the crisis coming in advance, but believed that the culture within organisations inhibited them from speaking up or that they were simply ignored by their executives, he added.
Speaking at the IRM’s annual conference held at Keele University, Staffordshire last week Mr. Moore repeated his assertion, first given in evidence to the U.K. Treasury Select Committee in 2009, that ‘you can have the best governance and risk processes in the world, but if they are carried out in a culture of greed, unethical behaviour and indisposition to challenge, they will fail.’
In his keynote speech Mr. Moore told IRM delegates that there are four key points that risk professionals, organisations and regulators must take on board in order to avoid future problems.
Firstly, that culture is far more important than process or structure in effective risk management.
Secondly, that culture is not created without people and so there is the need to increasingly professionalise the risk industry. “It is becoming as important a profession as the law and accountancy and so we need to professionalise who we are and what we do…and this is not just about technical skills,” he added.
Thirdly, Mr. Moore said that you cannot create the right culture unless you have a governance system that permits people to speak truth to power.
“Therefore you need to have a separation and balance [of power] in the boardroom that currently we do not have. The history of speaking truth to power is a long and ugly one. In a civilised world we need to find a way so that people who do things that we do, can say things sometimes to people who are very blinded by their own pride or group think, and can say it with protection,” he said.
Finally, Mr. Moore stressed that self-serving statements without corroboration bear no weight. When information that mitigates risk is of a material nature you cannot take it as read without checking that it is true, he advised.
We have very short memories and unless we deal with these four points, particularly the balance of power, “we will have another crisis it is as simple as that,” said Mr. Moore.
“We must make sure that these points get into the quality and the standard in both regulated and non-regulated industries,” he urged.
“The findings from our survey – which involved 563 risk professionals and was published in March –have corroborated my view that unless regulators seek to understand, assess and supervise the culture within regulated firms, despite any other measures that they take, they will fail in their role,” Mr. Moore told CRE.
“However, whilst a lot of things the FSA are doing are along the right lines and their latest consultative paper makes references on several occasions to the importance of culture it doesn’t take it any further and say what are we going to do to understand it,” he said.
Regulators tend to shy away from what they see as the intangible, but, it is perfectly possible to understand and assess culture and there are certain methodologies and tools that you can use, he argued.
“Regulators should sit down with some practitioners and with some research capability and actually work out what the best tools and methodologies are to assess this”, Mr. Moore said.
“You can take the temperature of culture more easily than you think and we as a group of professionals need to develop proper methodologies and norms that we can adopt and [use to] actually compare one organisation with another in a sort or grading,” he added.
“Then the review of culture should not be one that is permitted to be conducted internally. It has to be conducted externally and under the supervision of the regulator so that it is totally independent and people feel that they can speak up,” he explained.
Mr. Moore recommends that the regulator should then engage the right firm to do a proper and independent culture check at least every three years.
He said that his company’s recent survey also supported his view that the right culture cannot be created unless the issue of the separation of balance of power is dealt with, so that risk managers and other control functions can raise challenges without personal risk to themselves.
“Because if you discover that there is a cultural indisposition to challenge inside an organisation and people are not allowed to disagree with group thinking, without putting themselves at personal risk, it is probably the biggest risk that any organisation can have from a risk management perspective,” warned Mr. Moore.
The survey recommended that important control functions should essentially report to the non-executive and not the executive, to ensure that when they raise challenges they are protected, he said.
And it concluded that there should be a new non-executive director, who is accountable for oversight and assurances of risk management and internal audit and compliance and that these function should primarily report to that non-executive, added Mr. Moore.
Mr. Moore said that he was pleased to see that in their latest consultative paper on the Walker review and governance of risk management in financial sector firms, CP10/3 Effective corporate governance, the FSA have made it clear that chief risk officers should primarily report to the risk committee and its chairman and only to the executive for operational purposes.
He also welcomes the FSA’s stance that a chief risk officer cannot be removed without a full meeting of the board of directors.
“However we [in the survey] say that they should go further and that before the dismissal can take effect the regulator must authorise it,” he said.