FINAL SAY
It's Time To Revisit Internal Control
by Press Southworth and Mritunjay Singh
Why does the banking industry continue to stumble from one crisis to the next? In the Seventies, it was sovereign lending to developing countries. Then came real estate, money laundering and junk bonds in the Eighties, and in the Nineties, of course, came derivatives.
These crises usually left in their wake a string of bank failures, massive losses and criminal prosecution of bank officers and directors. Even worse, they created a perception of an industry that just can't seem to get it right.
Often, legislative and regulatory actions followed, creating a slew of new rules and more stringent supervision. The unintended but foreseeable effect was to incrementally micro-legislate how banks were to be controlled in an era when the industry badly needed flexibility.
Viewed broadly, these problems resulted from a lack of a comprehensive and integrated framework for assessing and controlling risks across all business lines. Traditional control mechanisms, focused as they were on procedures manuals and accounting controls far removed from the CEO's office, were simply ill-equipped to adapt to a rapidly changing banking environment.
Some Progress
Even though somewhat reactive and piecemeal, both banks and their regulators have made some progress in moving to more robust risk management frameworks. Thus, while FDICIA focuses on effective internal controls needed to ensure proper financial reporting, the Federal Sentencing Guidelines for Organizations focuses on internal controls needed to prevent and detect criminal activities. The Basel Committee and various organizations around the world (including the Office of the Comptroller of the Currency, through its Banking Circular 277) have focused on risk management systems and internal controls for trading activities, specifically derivatives.
While BC 277 is a reaction to well-publicized problems with financial derivatives, it offers a far more comprehensive framework for risk assessment and control than any previous regulatory initiative. What is needed-indeed, what the circular itself suggests-is to expand this framework beyond trading to other banking activities.
In fact, such a comprehensive framework already exists. It was fashioned over three years by a group of leading professional organizations called the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Called "Internal Control-Integrated Framework," it went through numerous drafts and public hearings before being officially issued in 1992.
The COSO Report presents a broad view of control, encompassing effectiveness and efficiency of operations, reliability of financial reporting and compliance. An entity begins by clearly articulating and linking business objectives at all organizational levels. Then a process is established for assessing the attendant risks. Based on risk prioritization, the entity's appetite for risktaking/avoidance and its "control environment," appropriate control procedures are developed.
Information and communication processes to support dynamic decisionmaking are then designed and implemented. And finally, all internal control processes are monitored and revised to maintain their effectiveness over time.
Unfortunately, in spite of the publicity and regulatory endorsement the COSO report has gained (there are COSO-based initiatives in the U.K., Canada, France, South Africa, Australia, etc.), few banks have embraced it comprehensively. It seems that bank management has been unable to shake its traditional view of controls as necessary evils.
COSO espouses a radically new concept-shifting responsibility for internal control from the traditional backoffice and support functions to the board and the CEO. Its top-down approach specifies line management's duty to implement effective internal control for achieving profitability goals and mission objectives, while minimizing surprises.
It is time that the industry heeded the siren call. Boards and CEOs must make time to study and understand COSO's concept of integrated internal control and apply it comprehensively across their organizations.
Click here to return to the Index
|