Corporate compliance and stock volatility in top 35 Spanish companies

Compliance is a major ethical consideration that has an impact on business strategy: it improves financial performance and limits the risk of failure to a tolerable level. Compliance risks are today a mainstream issue in Spain after increased exposure to new criminal liabilities and to globalization. Spanish companies from all sectors revised their codes of conduct and whistleblowing policies to adapt them to the new business landscape, but the relationship with sustainability risks was not explored.


To study the correlation between risk management and compliance, I generated 700 data sets and weighted them by relative market capitalization for the 35 public companies that make up Spain's benchmark IBEX 35 index. Compliance maturity was scored by analyzing the code of ethics and other publicly available ethics and corporate governance documents for these factors:

  • corruption, business conduct & gifts,
  • antitrust and market abuse,
  • workers' protection, discrimination and harassment,
  • environmental and urban planning protection,
  • copyright and intellectual property protection,
  • IT data protection,
  • tax compliance,
  • money laundering,
  • occupational fraud, and
  • whistleblowing policy, available channels and management (30% of total score).
 
When the code of ethics and related governance policies set standard controls to mitigate the high-level compliance risks, a complete score was assigned to the factor. Other cases were assessed individually according to the mitigating controls in place.
 
The risk level was defined as the volatility of the historical 250-day stock return, or beta. This indicator captures the risk arising from exposure to general market movements as opposed to idiosyncratic factors.

The market capitalization was taken from the last statistics update published by the Madrid Stock Exchange. The sector classification also followed the Madrid Stock Exchange criteria.

The data analysis revealed a weak negative linear correlation (r = -0.18) between compliance maturity and stock volatility risk. The compliance/risk correlation, which does not imply causation, is stronger in the retail and telecommunications sectors.




On balance, companies with strong and transparent ethics and compliance policies have better risk management in creating stakeholder value.

There are two types of outliers in the analysis:
  • Santander Bank, Repsol, OHL and Acciona have a mature compliance model according to the information in this study, but the stock value was highly volatile in the last 250 trading days, and
  • AENA, Endesa, Gas Natural, Dia and Iberdrola have low market value volatility, but opportunities to strengthen their compliance programs.



The supporting data is available at these links:

MS Access Datasets 
Summary of dataset
Supporting Code of Ethics and Documents

I will do further research to expand the conclusions of this study by:
- using the OECD Guidelines for Multinational Enterprises to set the compliance factors to assess
- expanding the study to other public, non-IBEX 35 companies
- monitoring the evolution over time
- including the effective reporting of compliance and risk information

Do you have any suggestions for improving the study methodology or scope?

For more GRC news on Twitter

The 100 most critical and common segregation of duties conflicts in SAP

The most visited post in my blog covers the 20 most critical conflicts that you may find in SAP auditing, SOX testing and user security controls. After several years of fine-tuning the user conflict matrix, and with SAP HANA now released, I expand this post by listing the 100 most critical and frequent segregation of duties incompatibilities. This list helps simplify user reviews by internal auditors, functional roles and access security professionals while explaining the risk, which may result in operational fraud.


This is the list, which you are welcome to download as an MS Excel file:

VA01 Create Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
F.80 Mass reversal of documents and F-60 Maintain Table: Posting Periods are incompatible since the user may open accounting periods previously closed and make postings after month end.
VA01 Create Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
F.80 Mass reversal of documents and OB52 C FI Maintain Table T001B are incompatible since the user may open accounting periods previously closed and make postings after month end.
VL02N Change outbound delivery and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
XK01 Create Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VL01N Create outbound delivery with order ref and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
VA01 Create sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK01 Create Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD02 Change customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
MIGO Goods Movement and MM01 Create Material are incompatible since the user could create or change a fictitious receipt and create/change a material document to hide the deception.
XD01 Create customer (centrally) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
XD01 Create customer (centrally) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VA01 Create sales order and VL01N Create outbound delivery with order ref are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
FK01 Create Vendor (FI) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VA02 Change Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-26 Incoming payments fast entry are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VA02 Change Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
XD01 Create customer (centrally) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
XD02 Change customer (centrally) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
XK01 Create Vendor (Centrally) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. Th.
XD02 Change customer (centrally) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
FK02 Change Vendor (FI) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XK01 Create Vendor (Centrally) and VD02 Change Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
XK01 Create Vendor (Centrally) and FD02 Change Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD02 Change customer (sales) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
FD02 Change customer (accounting) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
MK01 Create Vendor (MM) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
FK01 Create Vendor (FI) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA02 Change sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XD02 Change customer (centrally) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
ME21N Access to Create Purchase Order and ABAA Unplanned Depreciation are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated.  Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
MK02 Change Vendor (MM) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VF01 Create Billing Document and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
XD02 Change customer (centrally) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.
XK01 Create Vendor (Centrally) and FD01 Create Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
VA01 Create sales order and F-51 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK02 Change Vendor (FI) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XK02 Change Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
F.80 Mass reversal of documents and SCMA Schedule Manager: Scheduler are incompatible since the user may open accounting periods previously closed and make postings after month end.
XD02 Change customer (centrally) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
FD01 Create customer (accounting) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VF02 Change Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VD02 Change customer (sales) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
MK01 Create Vendor (MM) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD01 Create customer (sales) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
FD02 Change customer (accounting) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
ME21N Access to Create Purchase Order and ABZU Write-up are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated.  Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
XD01 Create customer (centrally) and F-51 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD02 Change customer (sales) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
MK02 Change Vendor (MM) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
FD02 Change customer (accounting) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
FK01 Create Vendor (FI) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-39 Clear customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. Th.
VA01 Create sales order and FBCJ Cash journal are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK02 Change Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
ME21N Access to Create Purchase Order and ABMA Manual Depreciation are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated.  Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
VA02 Change sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK01 Create Vendor (FI) and VD02 Change Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD01 Create customer (sales) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VF02 Change Billing Document and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-52 Post incoming payments are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK01 Create Vendor (FI) and FD02 Change Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
FD01 Create customer (accounting) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VA01 Create sales order and FF/4 Interface for check deposit data entered externally are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VD02 Change customer (sales) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VA01 Create sales order and F-04 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VD01 Create customer (sales) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. Th.
FD02 Change customer (accounting) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VA01 Create sales order and FB05 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VA01 Create sales order and FF/5 Post check deposit data entered externally are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK02 Change Vendor (FI) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
VL02N Change outbound delivery and F-30 Post with clearing are incompatible since the user may create a fictitious/incorrect delivery and enter payments against it, potentially misappropriating goods.
FD01 Create customer (accounting) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
XD01 Create customer (centrally) and FBCJ Cash journal are incompatible since the user may create a customer and then post payments against the customer.
XD02 Change customer (centrally) and F-51 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD02 Change customer (sales) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.



What factors define a good risk and compliance culture?



The promotion of a sustainable risk and compliance culture across the enterprise is a responsibility of the board and the executive-level leaders, particularly the chief compliance and risk officers. Their tone at the top filters the elements of a “good culture” down through the layers of management and risk takers. Where the culture is favorable, behaviors are more desirable in terms of policy compliance, risk prevention, whistleblowing and accountability.

Regulators and authorities have cited a “poor culture” in enforcement cases to extend liabilities to governance areas. For instance, in Spain the State Prosecutor recently indicated that compliance programs should build a true compliance culture in a company rather than be an instrument to avoid criminal liability. An inadequate culture, led by performance complacency, tolerance of improper behaviors or the justification of compliance breaches, diverts resources from strategic objectives.

We need to understand the internal and external factors of the risk and compliance culture in order to change them for the better. Perceptions of governance structures such as remuneration incentives and performance measurement are critical to adjusting risk behaviors. The compliance program should specify these desired expectations to align practices in all parts of the company with the business's ethical values and shared risk tolerance.

Research evidence suggests that culture is strongest in business units that:
  • are smaller (up to 5 members) and less diverse (Colquitt et al. 2002),
  • have higher staff well-being, engagement and tenure (Huhtala et al. 2015, Beus et al. 2010),
  • have high social interaction and leaders who provide clear guidance (González-Romá et al. 2002),
  • have a denser communication network (Zohar & Tenne-Gazit 2008),
  • are focused on customer needs (Bedarkar et al. 2015),
  • are more interdependent and have higher group identification (Roberson 2006), and
  • are more cohesive, with leaders who are transformational, share a clear strategic vision for the work and behave consistently (Luria 2008).

The ISO 31.000 standard on risk management states that the organization's culture should be assessed as part of the internal context in order to adjust and improve the risk policy. The strong culture factors suggested by research can be promoted by:
  • setting a risk tolerance policy to consistently manage holistic risks, including the compliance, operational, financial and strategic functions,
  • focusing cost saving and performance programs on investigating accidents and losses, including those covered by insurance and fraud,
  • adjusting the remuneration scheme to the risks taken and to internal control reviews,
  • setting HR policies to avoid mutual accountability and to promote open-door communication, issue escalation and whistleblowing reporting,
  • developing a comprehensive training program to build skills that support behaviors such as detecting fraud red flags, team management and objective setting, workplace incident response, and regulatory compliance,
  • building risk and compliance reporting channels for governance oversight, to aggregate risk management information and indicators and to decide on risk reduction plans, the development of the compliance program, and internal control effectiveness,
  • articulating a value-based compliance system with policies and procedures that enhance personal accountability, and
  • involving suppliers, investors, clients and regulators in creating and developing action plans to support a transparent culture and to anticipate risks.

What lessons have you learned to create a strong ethical culture? Expand this article with your comments.
More GRC news: Twitter Hernan Huwyler

Why is compliance such a hot topic in Spain?





The Spanish Criminal Code was amended in 2010, and subsequently reformed in 2013, to introduce the concept of criminal liability of legal persons. Many domestic legal entities are now criminally responsible for offenses committed in their name or for their benefit by those empowered to manage and control the business, and by their employees or contractors where adequate controls are lacking. The liability of a legal person does not exclude criminal proceedings against a natural person, such as the perpetrator of the offense, but it significantly increases compliance risks and affects corporate sustainability. The first prosecuted case was recently confirmed by the Supreme Court, which ratified a €776M penalty imposed on a machinery rental company for drug trafficking from Venezuela to Spain.

This law responded to local business crime trends and focused on assigning moral culpability for the commission of serious offenses to corporate entities lacking effective compliance surveillance and ethical measures. Companies are exempted from criminal liability if they provide evidence of effective supervision policies over their administrators and staff. The law provides a detailed description of an appropriate compliance management system, domestically known as "corporate compliance", "corporate defense", "compliance program" or "crime prevention plan".

Over the past five years, the scope of compliance evolved from criminal offenses to business ethics in general and from external to internal compliance, and it moved from the legal departments to the internal and external auditors, boards, shareholders, risk managers, consultants, and information technology and security areas. The offenses expressly mentioned by the Criminal Code are general key compliance risks, such as bribery, tax evasion, market abuse, fraud, environmental crime, personal data breaches, money laundering, and intellectual property infringement. They can all be treated with accepted international standards, including ISO 19.600 guiding compliance systems, ISO 37.001 for anti-bribery controls, ISO 31.000 to identify compliance risks, best practices to manage whistleblowing reports, or just having a comprehensive code of ethics.

The wide scope of compliance and the greater reputational and financial risks increased the need for professionals managing the implementation of compliance programs, the chief compliance officers, in all kinds of businesses and organizations whatever their size or activity sector, including multinationals, domestic subsidiaries, political parties, unions, and even soccer clubs. The compliance officers created a new association called CUMPLEN to share practices for implementing accepted international frameworks.

Spanish companies are moving from "makeup compliance" to effective compliance programs in order to ensure business sustainability and to improve overall corporate governance. These new ethical objectives require many more professionals, with a new profile: able to translate legal requirements into comprehensive ethical behavior while designing and building risk-based, cost-effective preventive controls. This is the real challenge for Spain.
More GRC news: Twitter Hernan Huwyler

Rogue Trading and GRC

"When you have supervisors who rely on computer software rather than human contact, there is a false sense of security."
Stephen Brown, Professor of Finance at New York University's Stern School of Business (2011)

"You haven't heard of financial scandals where a rogue trader has earned $2 billion extra for the company"
Barry Staw, Professor of Leadership and Communication at the University of California (2011)

"Compliance monitoring is still regarded in most organizations as a second-class operation."
Stewart Hamilton, Professor of Accounting at Switzerland's IMD (2011)

"The current volatile market circumstances significantly heighten the chances that inappropriate trading practices could quickly lead to record losses, so early discovery and remedial action are even more important than in 'normal' times,"
UK's Financial Services Authority (2008)

Rogue trading risks are related to fraud, undetected errors (e.g. typing an extra zero) or hedging strategies outside trader limits. Rogue traders usually deal in high-risk investments expecting to create large unreported gains or win large bonuses. However, high-risk investments may also create huge losses. A trader is, in the end, a professional trained to place large bets in a competitive environment. Worse, trading losses usually accumulate over time.

In the case of the Union Bank of Switzerland, rogue trading risks were not properly managed at a bank bailed out with $5 billion from Swiss taxpayers. According to the bank's explanation, a junior trader exploited a loophole in contentious synthetic ETFs that caused a $2.3 billion loss on fake over-the-counter positions over the past three years. In Europe, these transactions did not require a confirmation from the bank on the other side of the trade. The trader allegedly evaded detection by booking fake hedging trades to cover the magnitude of his losses. Only proprietary trading was involved, and the losses do not affect client accounts.

Rogue trading is generally prevented by controls including:
a) checking for confirmation from the counterparty or broker by back office,
b) segregating back, middle and front offices (traders should not have access to middle and back office systems; order entries and adjustments should be segregated),
c) monitoring the number of cancelled and suspicious trades,
d) requiring traders to take consecutive holidays,
e) implementing BI controls (real-time transaction monitoring, higher than normal profits, extended settlements),
f) reviewing trading activity by managers (settlement position reconciliations),
g) hiring practices for a strong GRC culture,
h) conservative remuneration structure, and
i) independent internal audits.

Without the conclusions of the investigations at this moment, it is not clear whether all these controls could have prevented the UBS case. Rogue traders can create complex structures and exploit control loopholes.

In response, some banks shrank their trading units and delta one desks, while others split off their investment banking business from core wealth management to shield private clients. Policymakers are also reacting by proposing new regulations intended to limit high-risk transactions by banks.

PS: The last Facebook update on the accused rogue trader's account was “Need a miracle”.


What events do not need to be included in ERM?

Risk is defined as the effect of uncertainty on objectives (ISO 31000 § 2.1). This effect is a deviation from the expected, either positive or negative. Even though statistical science provides well-grounded notions of risk, non-quantitative variables affect their use in business environments. In this post, I would like to establish criteria for which events cannot be treated by ERM.

Risk needs both a probable frequency and a probable impact. This implies that statements of absolute fact are not within the scope of risk management. When the frequency or the impact is known, we are dealing with business facts and not business risks. For instance, a contract containing a penalty clause is not fulfilled because it is no longer profitable. At the time of the contract breach there is no risk involved, since the company already knows its indemnity costs and when to pay them.

Uncertainty is a deficiency of information about an event. It is intrinsic to risk (as well as unavoidable in most business decisions). Unlike risks, uncertainties cannot be valued; therefore it is not possible to calculate an average loss associated with the event. For instance, goods that fail the quality tests are delivered to comply with a contract. For this contract there is no risk of non-compliance: the company knows for sure that the quality is not acceptable under the contract terms and that it will somehow affect the client relationship.

Risk should be identified with a view to a future point in time when problems and opportunities will be treated. Immediate problems and opportunities are not within the scope of risk management. It is usually said that rain is not a risk when it is already raining. Risks left untreated in time become issues requiring urgent attention. When the risk becomes reality, crisis management replaces risk management, and the contingency plan becomes just the plan.

Risk is not a single-point view. Events can have an impact in the financial, operational, legal & compliance or environmental categories, and they may have a different impact and frequency for each category. Uncertainty may partially affect the information about one or more of these aspects while others are certain. In this case, it is safe to consider the whole effect as certain and to treat it outside ERM.

In summary, to treat issues in the right framework, risk management does not cover:
- events with all the information to foresee their outcome and moment to occur
- events which are not volatile
- immediate issues