Rogue Trading and GRC

"When you have supervisors who rely on computer software rather than human contact, there is a false sense of security."
Stephen Brown, Professor of Finance at New York University's Stern School of Business (2011)

"You haven't heard of financial scandals where a rogue trader has earned $2 billion extra for the company"
Barry Staw, Professor of Leadership and Communication at the University of California (2011)

"Compliance monitoring is still regarded in most organizations as a second-class operation."
Stewart Hamilton, Professor of Accounting at Switzerland's IMD (2011)

"The current volatile market circumstances significantly heighten the chances that inappropriate trading practices could quickly lead to record losses, so early discovery and remedial action are even more important than in 'normal' times."
UK's Financial Services Authority (2008)

Rogue trading risks stem from fraud, undetected errors (e.g. typing an extra zero) or hedging strategies that exceed trader limits. Rogue traders usually deal in high-risk investments, expecting to create large unreported gains or to win large bonuses. However, high-risk investments can also create huge losses. A trader is, after all, a professional trained to place large bets in a competitive environment. Worse, trading losses tend to accumulate over time.

In the case of UBS, rogue trading risks were not properly managed at a bank that had been bailed out with $5 billion from Swiss taxpayers. According to the bank's own explanation, a junior trader exploited a loophole in contentious synthetic ETFs that caused a $2.3 billion loss on fake over-the-counter positions built up over the previous three years. In Europe, these transactions did not require a confirmation from the bank on the other side of the trade. The trader allegedly evaded detection by booking fake hedging trades to hide the magnitude of his losses. Because only proprietary trading was involved, client accounts were not affected by the losses.

Rogue trading is generally prevented by controls including:
a) back-office verification of confirmations from the counterparty or broker,
b) segregating front, middle and back offices (traders should not have access to middle and back office systems, and order entry should be segregated from adjustments),
c) monitoring the number of cancelled and suspicious trades,
d) requiring traders to take consecutive (block) leave, so that their positions are run by someone else,
e) implementing business-intelligence (BI) controls (real-time transaction monitoring, alerts on higher-than-normal profits and on extended settlements),
f) management review of trading activity (reconciliation of settlement positions),
g) hiring practices that support a strong GRC culture,
h) a conservative remuneration structure, and
i) independent internal audits.
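The controls above are usually described in policy terms; the following is an added example (not code from the original post, nor any bank's system) of how four of them, (a) confirmation checks, (b) segregation of duties, (c) cancellation-rate monitoring and (e) extended-settlement alerts, can be expressed as detection rules run over a trade ledger. The ledger, the role assignments, the field names and the thresholds are all constructed assumptions for illustration.

```python
# Added example (not from the original post): toy checks for four of the
# rogue-trading controls listed above, run over a constructed trade ledger.
# Field names, roles and thresholds are assumptions for illustration only.
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set

# Constructed sample ledger (not real trades). One dict per booked trade.
TRADES: List[Dict] = [
    dict(id="T1", trader="alice", booked=date(2011, 9, 1), settles=date(2011, 9, 3),
         confirmed=True, status="open", entered_by="alice", adjusted_by=None),
    dict(id="T2", trader="bob", booked=date(2011, 8, 1), settles=date(2011, 11, 30),
         confirmed=False, status="open", entered_by="bob", adjusted_by=None),
    dict(id="T3", trader="bob", booked=date(2011, 9, 10), settles=date(2011, 9, 12),
         confirmed=False, status="open", entered_by="bob", adjusted_by=None),
    dict(id="T4", trader="bob", booked=date(2011, 9, 5), settles=date(2011, 9, 7),
         confirmed=True, status="cancelled", entered_by="bob", adjusted_by="carol"),
    dict(id="T5", trader="bob", booked=date(2011, 9, 6), settles=date(2011, 9, 8),
         confirmed=True, status="cancelled", entered_by="bob", adjusted_by="carol"),
    dict(id="T6", trader="bob", booked=date(2011, 9, 7), settles=date(2011, 9, 9),
         confirmed=True, status="cancelled", entered_by="bob", adjusted_by="carol"),
    dict(id="T7", trader="alice", booked=date(2011, 9, 8), settles=date(2011, 9, 10),
         confirmed=True, status="cancelled", entered_by="alice", adjusted_by="carol"),
    dict(id="T8", trader="dave", booked=date(2011, 9, 9), settles=date(2011, 9, 11),
         confirmed=True, status="open", entered_by="dave", adjusted_by="dave"),
    dict(id="T9", trader="alice", booked=date(2011, 9, 12), settles=date(2011, 9, 14),
         confirmed=True, status="open", entered_by="alice", adjusted_by="carol"),
]

# Assumed role assignments: "front" = trading desk, "back" = settlements/confirmations.
ROLES: Dict[str, Set[str]] = {
    "alice": {"front"}, "bob": {"front"}, "carol": {"back"}, "dave": {"front", "back"},
}
AS_OF = date(2011, 9, 14)

# Illustrative thresholds (assumptions, not regulatory values).
MAX_UNCONFIRMED_DAYS = 5   # (a) back office must hold a counterparty confirmation
MAX_SETTLEMENT_DAYS = 30   # (e) extended settlements defer the cash hit of a bad trade
CANCEL_RATE_LIMIT = 0.5    # (c) share of cancelled trades that warrants review
CANCEL_MIN_TRADES = 3      # ignore traders with too few trades to judge a rate


def run_controls(trades, roles, as_of):
    """Return a list of findings; each names the control, the subject
    (a trade id or a user) and a human-readable detail."""
    findings = []
    by_trader = defaultdict(list)

    # (b) role-level segregation: nobody may hold both front- and back-office roles.
    for user, user_roles in roles.items():
        if {"front", "back"} <= user_roles:
            findings.append(dict(control="role_conflict", subject=user,
                                 detail="holds both front- and back-office roles"))

    for t in trades:
        by_trader[t["trader"]].append(t)

        # (a) confirmation check: an unconfirmed trade older than the grace period.
        age = (as_of - t["booked"]).days
        if not t["confirmed"] and age > MAX_UNCONFIRMED_DAYS:
            findings.append(dict(control="unconfirmed", subject=t["id"],
                                 detail=f"no counterparty confirmation after {age} days"))

        # (e) extended settlement: cash changes hands long after booking.
        horizon = (t["settles"] - t["booked"]).days
        if horizon > MAX_SETTLEMENT_DAYS:
            findings.append(dict(control="extended_settlement", subject=t["id"],
                                 detail=f"settles {horizon} days after booking"))

        # (b) trade-level segregation: the adjuster must differ from the person
        # who entered the trade and must sit in the back office.
        adj = t["adjusted_by"]
        if adj is not None and (adj == t["entered_by"] or "back" not in roles.get(adj, set())):
            findings.append(dict(control="segregation", subject=t["id"],
                                 detail=f"entered by {t['entered_by']}, adjusted by {adj}"))

    # (c) cancellation rate per trader.
    for trader, ts in by_trader.items():
        if len(ts) < CANCEL_MIN_TRADES:
            continue
        cancelled = sum(1 for t in ts if t["status"] == "cancelled")
        if cancelled / len(ts) >= CANCEL_RATE_LIMIT:
            findings.append(dict(control="cancellation_rate", subject=trader,
                                 detail=f"{cancelled}/{len(ts)} trades cancelled"))
    return findings


if __name__ == "__main__":
    for f in run_controls(TRADES, ROLES, AS_OF):
        print(f"[{f['control']}] {f['subject']}: {f['detail']}")
```

On the constructed ledger the rules flag T2 (unconfirmed for 44 days and settling 121 days out), bob (3 of 5 trades cancelled), T8 (entered and adjusted by the same person) and dave (a user holding both front- and back-office roles); T3 is unconfirmed but still inside the grace period, so it is not flagged. The point of the role-level check is that segregation is an access-control property, not just a procedure: a user who can both book and adjust can also cover a fake hedge.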

Until the investigations conclude, it is not clear whether these controls would have prevented the UBS case. Rogue traders can create complex structures and exploit control loopholes.

In response, some banks have shrunk their trading units and Delta One desks; others have split off their investment banking business from their core wealth management business to shield private clients. Policymakers are also reacting by proposing new regulations intended to limit banks' high-risk transactions.

PS: The last Facebook update on the accused rogue trader's account was "Need a miracle".

What events do not need to be included in ERM?

Risk is defined as the effect of uncertainty on objectives (ISO 31000 § 2.1). This effect is a deviation from the expected, either positive or negative. Although statistics provides well-grounded notions of risk, non-quantitative variables affect their use in business environments. In this post, I would like to establish criteria for which events cannot be treated by ERM.

Risk needs both a probable frequency and a probable impact. This implies that statements of absolute fact are not within the scope of risk management. When the frequency and the impact are both known, we are dealing with business facts, not business risks. For instance, a contract containing a penalty clause is not fulfilled because it is no longer profitable. At the time of the contract breach, there is no risk involved, since the company already knows its indemnity costs and when it has to pay them.

Uncertainties are a deficiency of information about an event. They are intrinsic to risk (and unavoidable in most business decisions). Unlike risks, uncertainties cannot be valued, so it is not possible to calculate an average loss associated with the event. For instance, goods that failed the quality tests are delivered anyway to meet a contract deadline. For this contract there is no risk of non-compliance: the company knows for certain that the quality is not acceptable under the contract terms. What remains uncertain is how this will affect the client relationship, and that effect cannot be valued.

Risks should be identified with a future point in time in mind, at which the problems and opportunities will be treated. Immediate problems and opportunities are not within the scope of risk management. It is usually said that rain is not a risk when it is already raining. Risks left untreated eventually become issues requiring urgent attention. When a risk materializes, risk management becomes crisis management, and the contingency plan becomes simply the plan.

Risk is not a single-point view. Events can have an impact in the financial, operational, legal and compliance, or environmental categories, and they may have a different impact and frequency in each category. Uncertainty may affect the information about one or more of these categories while the others are certain. Where the certain categories carry the material effect, it is safe to treat the whole event as certain and to handle it outside ERM.

In summary, so that issues are treated in the right framework, risk management does not cover:
- events with all the information to foresee their outcome and moment to occur
- events which are not volatile
- immediate issues

Risk in New Business Ventures

The most critical opportunity to perform a risk analysis is during the development of a business plan. Investors do not expect business plans without risk, but entrepreneurs often fail to include a solid risk analysis in their business plans. Business plans need to anticipate risk in order to build in the flexibility to react by creating alternatives. In this post, I would like to discuss how risks need to be analyzed when planning new business ventures.

Traditional ERM approaches are not tailored to startups (or proposals, or new projects) (1); however, risk is the source of their competitive advantage. The skill of the entrepreneurs in strategically managing risk determines the success of their endeavor. Potential losses need to be assessed in order to prioritize the venture's vulnerabilities.

A business idea involves particular decision-making needs, so risk categories for startups may differ from those for well-established companies. The most relevant risk categories for startups may include:

Product development risk can be defined as the likelihood of failing to transform a prototype or a business idea into a marketable product. This risk can be mitigated by extensive R&D and customer research.

Market risk can be defined as the likelihood of reaching a smaller target market than expected (for a given period). This risk can be mitigated by identifying secondary niches or segments (for instance, a market for by-products) and by performing a reliable competitive analysis. A good strategy for reaching early adopters (for instance, discounts on first purchases) could mitigate this risk too.

Managerial risk can be defined as the likelihood of losing key members or of failing to attract the right employees. The ability of management to adjust and thrive is affected by this risk. Because managerial incompetence shows up as higher costs, cost control can be a very effective way to monitor and treat this risk.

Cash generation risk can be defined as the chance of becoming unable to raise liquid funds. Balanced scorecards and projected cash flows can play a key role in monitoring this risk. To mitigate it, budget assumptions should be validated, potential funding sources should be lined up, and capital requirements should be calculated adequately.

There are also several tools to identify risks and create strategies. For instance, Monte Carlo simulation can be an effective method for identifying the variables with the highest impact on profitability. Some of these tools are included in traditional ERM systems.
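As an added example of the Monte Carlo technique mentioned above (this is not code from the original post), the block below samples the inputs of a simple business-plan profit model, ranks them by how strongly each one drives profit (the same information a tornado chart shows), and estimates the probability of a loss. The profit model, the uniform input ranges and the run count are assumptions chosen for illustration.

```python
# Added example (not from the original post): Monte Carlo sensitivity analysis
# of a simple profit model. The model and the input ranges are assumptions.
import random
from math import sqrt
from typing import Dict, List, Tuple

# Assumed uniform ranges for the business-plan inputs (constructed values).
INPUT_RANGES: Dict[str, Tuple[float, float]] = {
    "units": (800.0, 1200.0),        # units sold in the period
    "price": (40.0, 60.0),           # selling price per unit
    "unit_cost": (28.0, 32.0),       # variable cost per unit
    "fixed_cost": (9000.0, 11000.0), # fixed cost for the period
}


def profit(x: Dict[str, float]) -> float:
    """Assumed profit model: contribution margin minus fixed cost."""
    return x["units"] * (x["price"] - x["unit_cost"]) - x["fixed_cost"]


def pearson(a: List[float], b: List[float]) -> float:
    """Pearson correlation of two equally long samples (0.0 if either is constant)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((ai - ma) * (bi - mb) for ai, bi in zip(a, b))
    va = sum((ai - ma) ** 2 for ai in a)
    vb = sum((bi - mb) ** 2 for bi in b)
    return cov / sqrt(va * vb) if va and vb else 0.0


def simulate(n_runs: int = 5000, seed: int = 1):
    """Draw every input independently from its range n_runs times and
    return the input samples and the resulting profits."""
    rng = random.Random(seed)  # fixed seed so the ranking is reproducible
    samples = {k: [] for k in INPUT_RANGES}
    profits = []
    for _ in range(n_runs):
        x = {k: rng.uniform(lo, hi) for k, (lo, hi) in INPUT_RANGES.items()}
        for k, v in x.items():
            samples[k].append(v)
        profits.append(profit(x))
    return samples, profits


def sensitivity(n_runs: int = 5000, seed: int = 1) -> List[Tuple[str, float]]:
    """Rank the inputs by |correlation with profit|, largest first.
    A high absolute value means that variable dominates the profit variance."""
    samples, profits = simulate(n_runs, seed)
    corr = [(k, pearson(v, profits)) for k, v in samples.items()]
    corr.sort(key=lambda kv: abs(kv[1]), reverse=True)
    return corr


def loss_probability(n_runs: int = 5000, seed: int = 1) -> float:
    """Share of simulated periods that end in a loss."""
    _, profits = simulate(n_runs, seed)
    return sum(1 for p in profits if p < 0) / len(profits)


if __name__ == "__main__":
    for name, c in sensitivity():
        print(f"{name:<11} correlation with profit: {c:+.2f}")
    print(f"probability of a loss: {loss_probability():.1%}")
```

With these ranges the selling price dominates (the margin swing of 20 per unit times roughly 1000 units dwarfs the other terms), the fixed cost matters least, and the two cost inputs correlate negatively with profit as expected. The value of the exercise for a business plan is the ranking, not the exact numbers: it tells the entrepreneur which assumption deserves the most validation effort before the plan is presented.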

A comprehensive risk analysis adds a reality check to business ideas.

(1) For instance, there are no references to startups in ISO 31000.

Opportunity-based Audit

Business risks are increasingly the prime focus of Internal Audit (1). Risk-based Audit (RBA) is the methodology that provides assurance that risks are being managed to a level the board considers acceptable. This methodology covers the enterprise risk management (ERM) framework (2). Risk-based auditing is widening its coverage to support management decisions in achieving more objectives. Adding opportunity management to this process will improve decision-making. In this post, I would like to take a first step towards a definition of Opportunity-based Auditing.

Effective since 2006, SASs No. 104-111 require auditors to evaluate the design and implementation of internal control on all audits in order to properly identify and assess risks. The assessed risks must be linked to the nature, timing and extent of the audit procedures performed in response to them. These standards significantly altered the methodology under which audits had been performed for the previous three decades. Risk-based audits focus on the areas of highest risk to the business. They start from business objectives rather than from controls, and their recommendations are then risk-evaluated to ensure the highest benefit (3).

Auditors have the chance to look right across their companies and identify not only best practices but also business opportunities, so directors should see internal auditors as business partners. Directors (as well as investors) don't like unexpected risks, but they are attracted by the chance to profit from unexpected opportunities. They need systems that promptly identify both business risks and opportunities.

An ERM system aligns the risk involved in a process with the accepted risk appetite. The risk appetite depends on the profitability of the business: a business needs more profit to undertake greater risks. In order to adjust the risk level of a business, new opportunities should be identified. An ERM/EOM system should link the targeted profitability with its risks and opportunities.

An Opportunity-based Audit (OBA) refers to an examination of processes, based on a prior assessment, to identify the most promising opportunities to increase profits for a given risk appetite. Its goal is to recommend a strategy for changing existing processes to make them more efficient.

Traditional Auditing + Enterprise Risk Management = Risk-Based Auditing

Performance Auditing + Opportunity Risk Management = Opportunity-Based Auditing

The traditional role of internal audit was to review the internal controls over financial reporting. RBA modified this role to reviewing the ERM system that reduces risks to an acceptable level. OBA adds a review of the opportunity management (EOM) system in order to recommend business strategies. The areas it audits are Corporate Planning, IT Planning, Marketing, HR, Public Relations and Project Management.


(1) According to PwC surveys of CEOs, the role of internal audit gradually shifted from a focus on finance and operations (2000) to a focus on risks (2007).
(2) ISO 31000 defines risk as a deviation from the expected, both positive and negative (2.1, Note 1). However, the risk treatment options it describes (avoid, transfer, mitigate) are only appropriate for dealing with threats, not opportunities. When risk is defined as a threat, managing risk means managing controls.
At the time of publishing this post (August 2011), there are no references to a framework for "opportunity-based auditing". The process of identifying and managing opportunities is generally overlooked by auditing.
(3) ISO 31000 includes a clause on risk monitoring and review (5.6). It encompasses assurance that controls are effective and efficient, but it does not look in more detail at how to audit these controls when they deal with opportunities. Controls that deal with opportunities are operated, for instance, by marketing, corporate planning and HR.

Enterprise Opportunity Management and ERM

The word risk can be traced back to Classical Antiquity, where it referred to a hazard to be avoided at sea (such as an exposed rock or a reef). Deriving from the Greek rhiza and the Latin risicum, we inherited the English words cliff and risk, the Spanish risco and riesgo, and the French récif and risque. It seems that the West defined risk with a meaning of danger and chance, usually with a negative outcome. However, the word rizq in the Arabic world means the blessing given by God from which to make a profit. In this post, I would like to use the Arabic meaning of rizq in ERM.

Research cited by Robert Cialdini concluded that most people would rather avoid a loss than receive a benefit. I think this tendency explains why ERM approaches uncertainties that might have a negative impact rather than a positive one. From this perspective, risk management is a defensive tactic.

The same system that ERM uses to identify, treat and report risks can be used to collect business insights about opportunities. This assessment process should not be limited to threats with a negative impact. In the end, changing business environments create both risks and opportunities to innovate, and the real value of the process is to anticipate opportunities. Opportunities identified by top management should be communicated, validated and treated by all employees across the organization (top-down), and employees should be able to communicate their ideas for innovation to top management (bottom-up). Employees should be able to see market opportunities and transform them into realistic ideas, just as they see risks and develop a specific mitigation strategy in a traditional ERM approach. Companies need to expose their employees to entrepreneurship and to the commercial dimension of new ideas.

The Enterprise Opportunity Management (EOM) approach may cover the following opportunities categories (as complement to risk categories):

1- Opportunities to create a new process or product.
2- Opportunities to improve existing processes or products.
3- Opportunities to broaden the range of products or services (geography, target).
4- Opportunities to use excess resources.
5- Opportunities generated from declined customer orders and requests.
6- Opportunities to cut costs.
7- Opportunities to improve the corporate image and reputation.
8- Opportunities to improve the HS&E standards.
9- Opportunities to build alliances.

Several of these categories can be related to a risk category (e.g. reputational risk is linked to opportunities to improve the corporate image). However, they are not limited to negative impacts. As in ERM, both historical and projected data may be used to detect patterns and trends.

An EOM matrix can be used to prioritize all the opportunities collected from the assessments. This matrix can be additional guidance in strategic decision-making (alongside the ERM matrix). Although the assessment can be made more detailed, a simple opportunity score can be calculated by multiplying the expected gain by the likelihood of success (both on a given scale). High-reward opportunities with a high chance of success (in other words, low risk) rank highest.

An EOM matrix would be displayed as follows (as a "cold map"):

In EOM, we can talk of an opportunity appetite (complementing the risk appetite), as well as a culture of innovation and entrepreneurship (complementing the risk culture).

An opportunity is the opposite of a threat, so risk is a balance between the benefits and harms of an event and the probability of those benefits and harms. Both ERM and EOM should be part of a business model that ensures the enjoyment of creating something that does not yet exist outweighs the fear of failure.

Defining a GRC culture

The GRC culture influences the decisions of management and employees, sometimes even at an unconscious level. C-level executives should ensure that a "whatever it takes" attitude to getting results does not harm stakeholders' interests. Employees should understand that GRC rules apply to everyone in the company as they pursue their business goals. In other words, all levels of a company need to understand the boundaries within which they can operate. In this post, I articulate my ideas about the three aspects of a GRC culture.

Risk Culture: It can be defined as the system of values and behaviors (the culture) that affects risk decisions. In practical terms, employees need to understand the company's risk exposures. The risk culture is created by risk management training, risk assessment and guidance on decision-making. It involves organizational risk policies, as well as risk statements and procedures. A strong risk culture is part of good ERM practice. For instance, banks with a healthy risk culture weathered the 2008 credit crisis better than average.

Compliance Culture: It can be defined as the overall environment that affects how compliance issues are handled. In a strong compliance culture, employees follow the right processes and perform the right controls even without oversight. In practical terms, it refers to how effective a company is at meeting compliance regulations and at deterring and detecting compliance problems. It covers how proactive employees are in averting compliance issues, interpreting the meaning and intent of rules, and securing examination resources. Compliance culture involves strategic planning, effective control points, careful audit traceability and documentation, proper disclosure and well-known company procedures.

Governance culture: It can be defined as the attitudes and actions that build a strong, competitive company and enhance shareholder value. It involves the strategic direction of a company and how that strategy is embedded into business practices and leadership capabilities at every level. A healthy governance culture creates a reputational advantage with investors. The governance culture involves beliefs about how business should be done and the ethical principles of management and employees in general.

The boundaries between the three aspects of the GRC culture are hard to establish; in the end, the general term culture is itself hard to delineate. These aspects are linked together to create a company culture.

Building a GRC culture is a long, consistent process based on effective communication about ethics and practices and on rewarding actions that comply with the GRC strategy. It is not enough to have good intentions. It is not enough to have an internal audit department. It requires leadership, accountability and infrastructure to create an environment conducive to ethical behavior, and it is part of the company's business model. There is an overwhelming amount of research showing that an ethical culture is part of a company's success.