Another critical priority for central banks deals with enhancing the governance of risk management in DFI (Development Finance Institutions) and FIs (commercial and investment banks, NBFIs [non-bank finance institutions], MFIs [microfinance institutions), FINTECH companies etc) across economies worldwide. This aspect of risk management is very crucial in the context of the current COVID-19 crisis.
What then is the key lesson from a risk management perspective for all central banks, financial services regulators, and DFI/FIs from the present COVID-19 catastrophe?
The key lesson is that our risk management process must not be focusing only on the high probability and often lower impact risks, but it should also wake up to the low probability, high impact (strategic) risks like the present COVID-19 event. Remember, the frequent and less impactful risks can be easily dealt with. Infrequent low probability strategic risks that can have huge impact (like the occurrence of COVID-19) are the ones that put the world in danger and these need to be anticipated and tackled well in advance.
So, all concerned central banks, financial services regulators, and DFIs/FIs must factor in this crucial aspect and start continuously scanning for the low probability, high impact strategic risks that can devastate their environment, country, and the whole world (as part of their normal risk management and decision-making process). This will help these organizations strategize better and prepare well in advance to counter such low probability, high impact (strategic) risks.
That said, getting back to the risk management function in DFIs/FIs, let us remember that lack of sound corporate governance leads to poor risk management at DFIs/FIs. Sound corporate governance is critical as it can enhance the quality of risk management, including processes adopted for the same.
As governance involves many stakeholders, each with specific assigned responsibilities, they need to ensure that the system as a whole is geared to support the overall strategy of the DFI/FI and ensure the effectiveness of various internal control mechanisms. Further, while the board is not expected to understand every nuance of the business or to oversee every activity/transaction, they need to ensure that senior management does that using an organized hierarchy of responsibilities with clear authority.
The board, however, has the responsibility to set the tone regarding their own DFIs’/FIs’ risk taking (preferences) and to oversee the internal control strategy to ensure their directives are actually followed on the ground, during implementation. They also have the responsibility to hire staff who, in their opinion, have the integrity, judgment, and competence to help achieve the same.
This did not happen with either the DFIs/FIs at the center of the U.S. subprime crisis (2007/8) or the MFIs at the heart of the 2010 Indian microfinance crisis in Andhra Pradesh (AP). The case of the Indian banking crisis (2018) clearly shows that this did not happen at the concerned FI (i.e., Punjab National Bank [PNB]) or DFI as well (Infrastructure Leasing & Financial Services [IL&FS]).
The IL&FS case (2018) also illustrates the fact that prudent risk management principles were not followed at this systemically important financial institution, resulting in many problems caused by excessive dependence on short-term borrowings and abnormally high leverage.
The biggest failure at IL&FS was the fact that the risk management committee (RMC) of the board met just once over a period of three years since July 22, 2015. This is not acceptable by any standards and can be faulted in large measure to many of the issues that have cropped up at IL&FS in 2018.
Let us understand this better.
The RMC of the board is an important committee—this is especially so in a non-bank finance company (NBFC) with a focus on high-risk infrastructure finance and development, where inherent asset-liability mismatches could exist. This was more critical because IL&FS also acted as a DFI. In this context, the mandate of the RMC was to regularly and periodically look at several core functions including asset liability management (ALM), credit, liquidity as well as market risk (CLMR), capital adequacy, and regulatory compliance with norms of extant laws.
Strangely, according to data given in the various annual reports, this most vital and crucial committee of the board met just once since 2014-15—the specific date of the meeting being July 22, 2015. That in the last three financial years {preceding the year in which the IL&FS crisis erupted (2018)}, the RMC held just a single meeting and that too, way back in July 2015, is cause for concern.
What is even more horrific is the fact that IL&FS was registered with India’s central bank, the RBI as a “Systemically Important Non-Deposit Accepting Core Investment Company”. Even more special was the fact that the five-star board of IL&FS consisted of nominee directors, from prominent financial institutions, who well understood the importance and need for the RMC to have met regularly and periodically to perform its fiduciary and strategic responsibility—yet, none of these nominee board members insisted and got the RMC to meet after July 22, 2015.
More shocking still is the fact that all this information was available in the public domain and despite this, the credit rating agencies were liberal in giving a good rating to IL&FS (and its financial instruments), especially when the public domain contained information regarding the IL&FS board and its RMC’s abject neglect of risk management. I simply have no words to explain what happened at IL&FS (in September 2018 and years preceding that), especially given the responsibilities of the RMC.
Thus, as illustrated above, in my opinion, one of the most important fallouts of the past crisis situations has been the apparent lack of and/or failure of risk management at many DFIs/FIs. I have several generic and specific observations regarding this—for central banks and other financial service regulators and supervisors (worldwide) who are at the forefront of ensuring a stable and secure financial ecosystem in their respective economies during the present economic crisis caused by COVID-19—and they are listed below:
- Internal controls for financial reporting versus risk management: In many DFIs/FIs, the (sole) focus on internal controls was mainly for the purpose of financial reporting. This resulted in risk management deviating from strategy and its implementation. Also, in several DFIs/FIs, the basic tenets of internal control, particularly those pertaining to operating risks, were not followed.
- Risk handled in a piecemeal manner: In a few cases, the enterprise (or DFI/FI) as a whole was not considered and risk was handled in a piecemeal manner—so much so that even the boards were completely out of touch with the (risk management) systems in place. Thus, a holistic and comprehensive perspective on risk was lacking.
- Risk management mistaken for risk elimination: In many DFIs/FIs, effective risk management was seen as eliminating risk taking and that is perhaps an inappropriate view of things. DFIs/FIs and other stakeholders must understand that risk is a fundamental driving force in any activity, including financial services. Therefore, risk elimination is perhaps not strictly possible. The aim must be to ensure that the risks are understood, managed, and, where appropriate, communicated throughout the organization, so that the DFI/FI as a whole can be ready for these, as and when they become significant.
- Inability to seriously anticipate and properly manage political, regulatory, and other risks: In several DFIs/FIs, the political risk (as in the Indian microfinance crisis in AP in 2010) was neither (seriously) anticipated nor managed on an institution-wide basis. Those (initially) looking at this risk were perhaps either far too junior or lacked the requisite contextual experience; often, there seemed to be no serious guidance from the senior management/board. Importantly, the boards were, in a number of cases, ignorant of the key (political and important) risks facing their DFIs/FIs, and most came into the picture later than required.
- Lack of board involvement in establishing/overseeing risk management structure: Without question, the effective implementation of risk management requires involving the board in both establishing and overseeing the risk management structure. This did not happen, and in many DFIs/FIs, the board neither reviewed nor provided guidance about the alignment of overall strategy with risk appetite and the internal risk management structure.
- Lack of independence of risk management and control functions: To assist the board in its work, risk management and control functions need to be independent, reporting directly to the board. However, this was seldom the case, and as a result, risk perceptions often got altered (or even misreported) by the line management and other staff. In reality, such risk perceptions were perhaps not fair representations of the true risk confronting the DFI/FI (a situation akin to not wanting any bad news, often without realizing that timely news about things going wrong affords a greater chance to undertake appropriate on-course corrections). Thus, a true picture of the risks perhaps never reached the board, which was left high and dry when the same affected the DFI/FI.
Having made these key observations, in the second part of this ‘governance of risk management’ series, we will look at how then can the governance of risk management be improved in DFIs/FIs and especially in a situation like the present one (where COVID continues to rage), when huge delinquencies are staring many DFIs/FIs in the face?
[1] RAMESH SRIVATSAVA ARUNACHALAM is a board member of the Financial Inclusion Advocacy Centre (FIAC), Ghana and UK. He is also a partner in ASCENSION ADVISORY (India), under incorporation. He is the author of 14 critically acclaimed books. Ramesh also provides strategic advice on a wide variety of Financial Sector, Financial Inclusion and Economic Development issues. He has worked in over 314 assignments with multi-laterals, governments, private sector, Banks, NBFCs, DFIs, regulators, supervisors, MFIs and other stakeholders in 31 countries across 5 continents and 680 districts of India during the last 31 years. He can be contacted at [email protected] and +919962815615.