Have we really learned anything?
Risk culture, conduct risk, operational risk, these topics have been at the forefront of the RiskMinds International 2017 agenda this week. We’ve been privy to a lot of advice about how to handle all of these risks, including best practice in risk management and how technology can help us do our jobs better.
But it’s not often that we get to hear from someone who has caused those risks to become a catastrophic reality. Someone whose very name evokes the biggest scandal of an era; like Nick Leeson and the collapse of Barings Bank.
“I bet you don’t know whether you should clap or boo,” began Nick as he took to the stage.
Nick’s isn’t a tale of greed or of deliberate obfuscation, at least, it didn’t start that way. It’s a story of poor risk mismanagement and personal flaws, which contributed to series of events that spiralled out of control and ultimately leading to the collapse of a 233-year-old bank.
The Barings scandal was supposed to be a wake-up call that no one would forget, yet over the last 22 years there have been a number of other financial scandals. It seems we still have plenty to learn. In particular, the fact that understanding how to manage risk is just as important now as it was when Nick was a trader.
“I was someone who didn’t understand or manage risk at the time,” admitted Nick. “I didn’t manage my personal risks – I never expected to be in prison – and the bank didn’t manage theirs either.”
Nick had expected risk controls to be in place. After every trade executed to cover his tracks he expected a knock on the door. Yet day after day, month after month, even year after year, those knocks didn’t come. Or if they did, he skillfully batted them away, assuming all the while that he could sort the mess out.
Partly, the collapse of the bank was was down to his own personal flaws. Having built a reputation as a high-flyer, he didn’t want his wife, his family or his bosses to find out the extent of his deception. What drove him was the continued belief that he could fix it, along with a healthy dose of bravado and sense of inflated ego – he was only 23 at the time.
“I was head-hunted for Barings, I was their best employee. I was highly accurate, extremely diligent, worked really long hours and progressed rapidly through the organisation.
I wanted to climb the ladder, to be the one making the important decisions. For a period, I was very successful.
“Then I arrived in Singapore and made some very bad decisions, and then froze and didn’t deal with them.
“I’ve been accused of deliberately defrauding the bank but the truth is I was surviving day by day.
“From the first time I put a loss in the five 8s account I expected someone to knock on the door and ask me a sensible question. For three years no one did, not settlements, not the risk office, not the internal auditor; nobody felt that they had the power to challenge me because I was the star trader. They didn’t feel empowered enough to ask the difficult questions.
“The first thought process I had was that I had another day to correct this, that day turned into weeks and into months, and over time, without it being deliberate, I started to feel a certain amount of contempt for the people that were in charge of those controls. To me that meant I had longer and longer to turn things around. The longer it went on the harder it became. I couldn’t put my hand up and tell anyone what was going on.”
But partly the Barings collapse was thanks to a culture that was, at best, lackadaisical about risk, argues Nick.
Among the characters caught up in the scandal was a manager who had made himself utterly unapproachable to his staff. No one referred any concerns to him, because they were too afraid to. There was also a significant lack of understanding of the derivatives business.
“Three main things went wrong,” explains Nick. “Disparate technology – systems that didn’t talk to each other; exceptionally poor communication and everyone operating in silos; and a management system that didn’t understand how the business fitted together.
“I knew what I was doing and I am fully responsible and accountable for what happened. But there are similarities in all financial scandals; poor systems, poor quality of controls, poor people in charge. If people are doing their jobs these events shouldn’t occur.”
Are risk managers doing their jobs properly now? Have they learnt from the past? Several CROs gathered at a panel session immediately following Nick’s talk to outline their approach to reputational risk.
Bruce MacLaren, Chief Risk Officer Europe at RBC, explained how the bank had set up a reputation oversight committee, precisely to avoid headline risks. “These oversight committees – and most institutions have them in some form now – take the decision-making away from the transactors. Those who are profiting from the risks they are taking, as per Nick Leeson, have clouded judgement. You have to get transactions up to a higher level,” he explained.
In addition, he said, there had to be a certain “tone from the top”, so that these things are identified, because “it won’t come from those who are profiting from it.”
Paul Berry, Chief Risk Officer at Mizuho International described how they had also added new layers of governance with regard to reputational risk, as well as new policies and procedures. They had a “zero risk appetite for reputational risk,” he added.
Coping with reputational risk means doing the right thing with shareholders and regulators but also the client base. A fact made more complicated by the advent of social media.
Jacques Beyssade, Deputy Chief Executive Officer In Charge Of Risk, Compliance & Permanent Control at BPCE felt that the ultimate stakeholder was the customer base. They have 30 million customers, half of whom “are really engaged with bank” and 9 million of whom “own shares in the bank”.
Alexander Vedyakhin, Senior Vice-President, Chief Risk Officer at Sberbank agreed, adding that what might previously have taken a week to travel round their 130 million customers could now be done in half an hour and as a result of a single tweet. As a consequence they now had a reputational risk committee that can come together at a moment’s notice in order to respond.
The role of compliance versus the role of risk
With all this frenetic activity on the part of the risk function, where did that leave compliance?
Bruce argued that compliance was just as important but that companies shouldn’t rely on them as the sole guardian of reputational risk; “It has to be embedded in the first line,” he said.
Alexander said that risk and compliance had to work more closely together despite being strange bedfellows: “They usually come from different backgrounds, half of risk come from business and the other half have strong mathematical skills, and compliance guys come from a legal background.”
Training was key, he added, as well as, according to Jacques, making an example of bad behaviour: “When you have identified it, deal with it and don’t tolerate it,” he said.
Ultimately, the reputational risk isn’t going to disappear.
Leeson’s fall from grace has since been eclipsed by the likes of Madoff and Jerome Kerviel of Société Général. “I didn’t know how catastrophic my actions would be, or how small their capital base was,” says Nick. “It is the most embarrassing period of my life and I’ll never get away from it.”
“If you find yourself in a situation where you can’t cope, do one simple thing, for me, – ask for help.”