Monday, February 19, 2018

Tip of the iceberg?

The headlines are screaming about the 11000 crore loss of public funds and honest taxpayers' money, and understandably so. There is no doubt that this is one of the single largest cases of fraud that has come to light, I must add. We don't know how many more are hidden in the closets, or should we say bank lockers.
But I am surprised that no one is talking about the 7+ lakh crores of NPAs (doubtful debts) of public sector banks. Isn't that loot of public funds too? The 11000 crores in question is only a fraction of this bounty. Why aren't the honest taxpayers questioning this? The RBI has recently rolled out new NPA rules for banks, but is it too late? How did it allow the problem to grow to such huge numbers? I have serious doubts about how much of these NPAs is recoverable. If properly investigated, many of these NPAs could turn out to be frauds similar to the case in hand.
Is this a failure of governance and risk management systems in banks or something more sinister?
Coming back to the case in the spotlight and assuming it’s a case of controls failure, let’s see what could have gone wrong:
People
- There was no role rotation for the employee for years on end
- There was collusion between the manager and the clerk, and possibly a few others in the hierarchy as well
- Bank employees shared passwords for bank systems with bank clients
Technology
- No integration between SWIFT and core banking. There could be other peripheral systems used in banks which have no integration with the core banking platform
- Poor identity and access management systems
Process
- No or ineffective reconciliation between the core banking and SWIFT systems
- No collateral was taken against the LoUs
Assurance & Governance
- Risk Management, Vigilance and Internal Audit did not detect or report any discrepancies in controls
- The HR appraisal system did not detect the discrepancy in job rotation
- Regulatory and external audits also did not find any discrepancies
- The whistleblower system was not effective: suspicions had been reported but no action was taken
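
As an added illustration (not part of the original post), the reconciliation control missing under Process and the maker/checker point under People can be made concrete in a short daily check: match every outgoing SWIFT LoU message against the contingent-liability record in core banking on a shared reference, and flag anything that appears in only one system, disagrees on amount, carries less than the required margin, or was entered and authorised by the same user. The schema, field names, margin threshold and sample records are constructed assumptions, not any bank's data or systems.

```python
"""Daily reconciliation of outgoing SWIFT LoU messages against the core
banking system (CBS). Added illustration; the field names, thresholds and
sample records below are constructed assumptions, not any bank's schema."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SwiftMsg:
    """One outgoing SWIFT message as logged by the SWIFT interface."""
    ref: str            # transaction reference quoted in the message
    amount: Decimal
    currency: str
    released_by: str    # operator who released the message


@dataclass(frozen=True)
class CbsEntry:
    """The matching contingent-liability record in core banking."""
    ref: str
    amount: Decimal
    currency: str
    margin: Decimal     # cash margin / collateral held against the LoU
    maker: str          # user who entered the record
    checker: str        # user who authorised it


@dataclass
class ReconReport:
    unrecorded: List[SwiftMsg] = field(default_factory=list)   # sent via SWIFT, absent from CBS
    unsent: List[CbsEntry] = field(default_factory=list)       # in CBS, never sent via SWIFT
    mismatched: List[Tuple[SwiftMsg, CbsEntry]] = field(default_factory=list)
    uncollateralised: List[CbsEntry] = field(default_factory=list)
    sod_breach: List[CbsEntry] = field(default_factory=list)   # maker == checker

    def unrecorded_exposure(self) -> Dict[str, Decimal]:
        """Liability the bank carries off its books, per currency."""
        totals: Dict[str, Decimal] = {}
        for m in self.unrecorded:
            totals[m.currency] = totals.get(m.currency, Decimal(0)) + m.amount
        return totals

    def is_clean(self) -> bool:
        return not (self.unrecorded or self.unsent or self.mismatched
                    or self.uncollateralised or self.sod_breach)


def reconcile(swift: List[SwiftMsg], cbs: List[CbsEntry],
              min_margin_ratio: Decimal = Decimal("0.10")) -> ReconReport:
    """Match both systems on the transaction reference and flag every break."""
    report = ReconReport()
    cbs_by_ref = {e.ref: e for e in cbs}
    swift_refs = {m.ref for m in swift}

    for m in swift:
        e = cbs_by_ref.get(m.ref)
        if e is None:
            report.unrecorded.append(m)          # the break the post describes
        elif (e.amount, e.currency) != (m.amount, m.currency):
            report.mismatched.append((m, e))

    for e in cbs:
        if e.ref not in swift_refs:
            report.unsent.append(e)
        if e.margin < e.amount * min_margin_ratio:
            report.uncollateralised.append(e)
        if e.maker == e.checker:
            report.sod_breach.append(e)
    return report


def run_demo() -> ReconReport:
    """Constructed sample: one unrecorded LoU, one amount mismatch, one
    unsent liability, one under-margined and self-authorised record."""
    D = Decimal
    swift = [
        SwiftMsg("LOU-0001", D("1000000"), "USD", "clerk_a"),
        SwiftMsg("LOU-0002", D("2500000"), "USD", "clerk_a"),   # no CBS record
        SwiftMsg("LOU-0003", D("750000"), "USD", "clerk_a"),    # CBS shows 75000
    ]
    cbs = [
        CbsEntry("LOU-0001", D("1000000"), "USD", D("150000"), "clerk_a", "mgr_b"),
        CbsEntry("LOU-0003", D("75000"), "USD", D("0"), "clerk_a", "clerk_a"),
        CbsEntry("LOU-0004", D("500000"), "EUR", D("100000"), "clerk_c", "mgr_b"),
    ]
    return reconcile(swift, cbs)


if __name__ == "__main__":
    r = run_demo()
    for m in r.unrecorded:
        print(f"UNRECORDED {m.ref} {m.amount} {m.currency} released by {m.released_by}")
    for m, e in r.mismatched:
        print(f"MISMATCH   {m.ref} SWIFT={m.amount} {m.currency} CBS={e.amount} {e.currency}")
    for e in r.unsent:
        print(f"UNSENT     {e.ref} {e.amount} {e.currency}")
    for e in r.uncollateralised:
        print(f"NO MARGIN  {e.ref} margin={e.margin} on {e.amount}")
    for e in r.sod_breach:
        print(f"SOD BREACH {e.ref} maker and checker both {e.maker}")
    print("off-book exposure:", r.unrecorded_exposure())
```

The point of the check is that it runs on data owned by two different systems and two different teams: a clerk who can release a SWIFT message but cannot also suppress the reconciliation report has nowhere to hide an unrecorded LoU, which is exactly the gap an integrated SWIFT/core-banking setup and an independent reconciliation are meant to close.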

There could be more control failures which may emerge during the course of the investigation. If so many controls were either not implemented or ineffective, or even worse, discrepancies were detected and suppressed, then it is more a systemic risk than just an operational risk. If it is a systemic issue, then merely reinforcing controls will not help mitigate this risk; it needs a complete redesign. If we try to retrofit a modern facade onto archaic architecture, there will always be gaps.

Sunday, January 28, 2018

"Chanakyaneeti*" for Risk Managers

The person who stifles innovation, the control freak, the person who restricts adoption of new and cutting-edge technology, the person who says "NO" to a new business proposition, to Facebook in the office, to BYOD, to downloading and installing freeware… who would that be? Ask anyone and the answer would be: the CISO or CRO or someone in a similar role!

While this probably is the feeling amongst general employees, what do your boss and the senior management feel? A knight in shining armor, defender, guardian, superhero..? Nice dreams… Now wake up to reality.

When someone proposes a new but potentially risky solution, which is endorsed by the Senior Management, how does the CISO/CRO convince them to take the right decision?
Ideally, the CRO / CISO should provide a solution to implement the idea in a way such that the risk is minimized to an acceptable level. However, if the risk cannot be mitigated or minimized, then the CRO needs to put his/her foot down… So what could be the best way to say “NO” and convince the management?

I prefer "Chanakyaneeti", the diplomatic method mentioned in Indian scriptures such as the Mahabharata and made famous by the Indian philosopher Chanakya. The method suggests four steps to be used progressively, and I have tried to apply them to the present scenario:

Sāma: (Reason) Explain the reasoning with logic. It is important to make the organization aware of the potential risk and impact if the solution were to be implemented.

Dāma: (Price) Assess and present the financial impact in terms of business losses: the top-line and bottom-line impact to which the organization may be exposed, the price the organization may have to pay.

Danda: (Penalty) Present the potential regulatory impact in terms of potential sanctions and fines.

Bheda: (Discrimination) The damage to reputation is the hardest-hitting: if customers, partners and employees were to know the risk, would they still want to be associated with you? The probability of customers turning their back on your organization would hopefully dissuade the management from going ahead with a solution that brings unacceptable risks.

If none of the above works, then we always have the Risk Acceptance Form!