News

Do you play Russian roulette with your Company’s integrity?

May 21, 2018

Considering Danish Bank’s money laundering case related to their Estonian branch, what are then the learnings that any company – big or small – should take notice of?

Let’s first look at what went wrong. The Danish Financial Supervisory Authority (“FSA”) have done their assessment in the decision of 3 May 2018.

FSA’s decision includes eight injunctions and eight appeals. The decision also reveals that the increase in compliance and reputations risks that have been detected, should be covered by an increased Pillar 2 capital of 5 billion DKK.

The decision is only considering the management and governance of the money laundering activities. The specific questions about lack of money laundering efforts in Estonia’s Estonian branch are addressed by the Estonian authorities.

These are the wrongdoing according to FSA;

Board of Directors, Executive Board and the Bank’s other decision-making processes have not been adequately documented in the form of sufficient written resolutions, minutes of led discussions and made decisions. Ratings of compliance risks have in addition, not been sufficiently considered or have been given sufficient significance in decision making.

The bank’s reporting procedures, decision-making processes and corporate culture have not been sufficient preventing risks from materializing.

The Bank’s management has not secured sufficient focus on the compliance area and transparency of the problems and ensuring timely and safe handling of possible problems with complying with the legislation. Management’s priorities and practices have damaged the credibility of the bank and reputation. Considering the bank’s systemic importance and international presence the reputation of the Danish banking sector may also be damaged. In summary, these are the three main questions and learnings that any company may take notice off;

1. Are our decision-making processes sufficiently linked to our risk management processes in order for you to answer, “what could go wrong (risks) in order to meet our objectives”, “how do we manage what could go wrong (our risks)” and “how do we know if we are effective in managing what could go wrong and thereby meet our objectives”.

The learning there off ought to be;

  • Make sure that your risk assessments are linked to your business objectives If you do have an Enterprise Risk Management framework in place, it should set the standard for the methodology of assessing any risk in your business (compliance, operations, market, liquidity etc.). If you do not have such, bring your risk managers together to discuss “how do we assess our risks and what can we learn from each other to align”

2. Do we know if we have a strong or weak risk culture? Most companies depend on people. People do drive earnings in many ways. However, sometimes people also act incorrectly    – some intent to do wrong, some fail to act on feedback, some neglect policies and procedures. The erroneous acts can cause fraud, safety breaches, operational errors, and overleveraging. Regardless, companies cannot assume that a healthy risk culture is a natural thing in an organization. Rather, leadership teams must manage risk culture just as thoroughly as any business problem, demanding evidence about the underlying attitudes that pervade day-to-day risk decisions.

So, the learnings should be;

  • Make sure you get insight of your risk culture. It can be measured in connection with employee satisfaction surveys, by Compliance, by Internal Audit or by an independent advisor. And it can be done in various ways, by tracking incidents and how they are rectified, having a whistleblower process, or by complete investigations with higher frequency.
  • Practice, practice, practice. Employee training that does not deter deterrence but calls for pointing out risks as part of improving the company’s market value is earning its cost.

3. What is our risk appetite and is it operational? Can employees be guided by your risk appetite or is it to overarching? Is risk tolerance, limits, profiles defined on each level of the organization? And are roles & responsibilities defined according to the risk appetite?

So, the learnings should be;

  • Quantify, on your risks. When you have assessed, what could go wrong estimate the potential loss. This also includes your compliance and reputational risk. If one risk occurs several places in the organization, make sure to align and review the estimations in agreement with your co-risk managers. Also make sure staff understands their responsibilities according to the risks – what is acceptable and what may call for escalation. Performance is also about managing what could go wrong to meet business objectives.

Read more about the author: Heidi Gliese Hylleborg

Related news