Enhancing the governance of risk management in DFIs/FIs in the COVID-era (II)


While the earlier article in this series set the strategic context for governance of risk management in the COVID era, this article looks at how to improve the governance of risk management in development finance institutions (DFIs) and financial institutions (FIs) like commercial and investment banks, non-bank finance institutions (NBFIs), microfinance institutions (MFIs), and FinTech companies—especially in a situation like the present, when huge delinquencies are staring many DFIs/FIs in the face. But before getting into the recommendations, let us ask a relevant question here: why have these risk management failures occurred and what are the important lessons in this regard that (especially) central banks can take away?

The answer is simple. DFIs/FIs that have faced burgeoning growth in the past few years have not had commensurate capacity—including internal control and other systems—required for managing their turbocharged growth. Furthermore, as a result of their burgeoning growth, many of these DFIs/FIs are increasingly vulnerable to fraud and control failures (especially when their growth shears and stresses their systems). This aspect is especially crucial in the present time when governments, central banks, and DFIs/FIs are trying to jump-start their economies with increased lending. While increased lending is necessary, it must not become predatory or aggressive lending. We need to learn from the internal control lapses mentioned in part I of this series, and central banks must use these lessons for creating better risk management systems at DFIs/FIs. That is a COVID-19 imperative.

Lesson # 1: Lack of sound corporate governance leads to poor risk management at the DFIs/FIs. Sound corporate governance is critical as it can enhance the quality of risk management, including the processes adopted for the same at a DFI/FI. As governance involves many stakeholders, each with specific assigned responsibilities, they need to ensure that the system as a whole is geared to support the overall strategy of the DFI/FI and ensure the effectiveness of various internal control mechanisms.

Furthermore, while the board is not expected to understand every nuance of the financial service business and/or to oversee every activity/transaction, it needs to ensure that senior management does that using an organized hierarchy of responsibilities with clear authority. The board, however, has the responsibility of setting the tone regarding its own DFI’s/FI’s risk taking (preferences) and of overseeing the internal control strategy to ensure that its directives are followed on the ground, during implementation. It also has the responsibility to hire staff who, in its opinion, have the integrity, judgment, and competence to help achieve the same. This, unfortunately, did not happen with the DFIs/FIs at the heart of the past crisis situations—be it the U.S. subprime (2007/8), the Indian microfinance crisis in Andhra Pradesh (AP) 2010, or the Indian financial sector crisis [the Punjab National Bank (PNB) scam of 2018 or the Infrastructure Leasing & Financial Services (IL&FS) crisis of 2018]. This happened despite many of these institutions having what we call a five-star board governing them. Accountability on the above aspects must be demanded from DFI/FI boards by central banks who (as regulators and supervisors) have several means to ensure that policies not only exist at DFIs/FIs regarding the above but are also implemented in real time on the ground. That there is no disconnect between stated policies and actual implementation is an aspect that the central bank can ensure through effective online (off-site) supervisory roles.

Lesson # 2: Disregard for internal controls by many line managers. Internal controls are the responsibility of line management at DFIs/FIs. Line managers must determine the level of risks they need to accept to run their businesses and to assure that the combination of earnings, capital, and internal controls is sufficient to compensate for the risk exposures. It is clear from past crisis situations that the basic tenets of “internal control”, particularly those pertaining to operating and related risks, were not followed. In fact, as the analysis of many fraud[2] and errant[3] cases demonstrates, it is apparent that the line managers in several fast growing DFIs/FIs had utter disregard for even the most basic controls, such as the segregation of duties, and so on. This again needs to be focussed on by central banks through an effective off-site online supervision[4] function.

Lesson # 3: Enhanced people risks also causing failure of internal controls. Internal controls and sound governance become more important when the DFI’s/FI’s operations move into higher risk areas—such as the kind of growth that many of the DFIs/FIs experienced prior to the 2007/8 (U.S. subprime) or 2010 (Indian microfinance in Andhra Pradesh [AP]) crisis. The case of IL&FS (2018) is also a relevant example here. When changes are taking place, as they were during these high growth periods, there is no doubt that control failures will increase significantly, as has been reported. Thus, rapid growth, the introduction of new products, processes and projects, and changes in delivery channels and institutional arrangements are examples of situations that stress the control environment in DFIs/FIs. When these types of changes occur, “people risks”—i.e., risks related to training employees in new products, processes, projects, and institutional mechanisms—escalate. Employees who join will undoubtedly need to learn about the culture and control environment at the DFI/FI.

Likewise, employees unfamiliar with their new responsibilities, including the systems they use, their changing client profile, the services they provide customers, the degree of attention expected by their own supervisors (and members of the internal control department), are more likely to create control breaks. As a result, DFIs/FIs need to be wary of and manage people risks appropriately and in a timely manner, through a good (interactive) human resources function. This again has been and continues to be very weak at most DFIs/FIs—especially those pushing the frontiers of the financial services industry. Central banks, as regulators and supervisors, need to look at human resource (HR) policies, associated functions, and compensation mechanisms for various positions at DFIs/FIs to determine if the structure of jobs and roles is encouraging the quick deal. This is an important task for them, both as regulators and supervisors, and they need to constantly monitor these aspects, both from an HR policy formulation as well as implementation perspective at DFIs/FIs. The final objective is to prevent DFIs/FIs from rewarding the quick deal that, as we have seen, often perpetrates reckless risk taking on the ground and results in a financial crisis.

Lesson # 4: Drive for efficiency causing omission of key controls. Rapid growth and change also modify the relative risks for a DFI/FI. For example, the pressure to beat a competitor in the market with new/same products (as was the case in the U.S. or in AP during the years preceding the various crisis situations) may cut short the design review process and omit an important aspect of control. This has happened consistently and the drive for efficiency and use of more standardized processes also led to very little time being invested in building client-level relationships, which incidentally was the key and hallmark feature in the early success of many DFIs/FIs (especially, MFIs). Central banks, as supervisors, must ensure that DFIs/FIs do not omit an important control—this is something that they need to look at as part of their effective RegTech backed off-site (online) supervision. 

Lesson # 5: Entrepreneurial drive and non-transparent governance result in lack of control infrastructure. Many of the DFIs/FIs at the center of the U.S. subprime (2007/8) or the Indian microfinance crisis in AP (2010) came under the microscope for their governance failures and they demonstrated similar characteristics. This is also true of the IL&FS case, which had at its helm, for several long years, an extremely dominant (founder) CEO with a penchant for aggressive growth.

What is interesting to note is that in all these cases, it is the hard-charging entrepreneurs/CEOs—with their unique ability to think outside the box—who pioneered the stupendous growth and innovation. But the personalities of these individuals, in many cases, led to a single-minded focus on unmanageable growth, higher profits, increased equity investments, share valuations at a premium, higher returns, and larger “wealth creation” for shareholders. This perhaps resulted in very little time being spent on building the control infrastructure so vital for the delivery of financial services, far less than the amount required in such an environment. The consequences are there for all to see. Again, this is an aspect that central banks need to look at as part of their supervision function. Ensuring that good governance practices get implemented in real time and that there is no disconnect between intended and implemented strategy is an aspect that can be handled only by proper supervision on the part of the central bank.

Lesson # 6: Irrational expectations and internal frauds. Another form of risk is internal fraud. When the expectations of the market, supervisors, and colleagues, or pressures of professional/personal life become overwhelming, key DFI/FI staff may overstep ethical and legal boundaries and cover up errors or deliberately commit a fraud. This is what has happened in many DFIs/FIs (in these past crisis situations) that turbocharged themselves to grow at any cost. There is enough reason to believe that this may have been the case with several of the staff at these DFIs/FIs who were found to be involved in frauds (before and during the crisis situations). Again, the human resources function must take the driver’s seat and reduce (or, if possible, eliminate) unrealistic expectations and ease work time pressures, so that the DFI/FI staff are not forced to cross the line with regard to ethical behavior on the job. An important aspect is to ensure that there is no disconnect between strategy and risk management on the one hand, and incentives on the other. Incentives do not just mean remuneration, but also other aspects such as promotion, stock options, and so on. That would help in reducing “people risks”. Central banks, in their supervisory role, must also look at what DFIs/FIs are actually doing to mitigate “people risks”—this has implications for both the HR function and the job descriptions in terms of whether DFIs/FIs are pushing people to deliver quick results by ignoring key controls as well as using other fraudulent means. Clearly, central banks as supervisors must do more about the HR function, given its implications for a DFI’s/FI’s operations.

Lesson # 7: Weakened internal audit function in many DFIs/FIs. Boards of directors at DFIs/FIs are responsible for ensuring that their DFIs/FIs have an effective audit process and that internal controls are adequate for the nature and scope of their businesses. The reporting lines of the internal audit function should be such that the information the board receives is impartial and not unduly influenced by management. Internal audit is a key element of the overall responsibility to validate the strength of internal controls. This is not to be underestimated. This sadly did not happen in many DFIs/FIs and, especially, in the larger FIs. The same weakness can be found in many large and fast growing DFIs/FIs. This is a critical area of focus for central banks, both as regulators and supervisors of DFIs/FIs. They must, in policy terms, ensure that internal audits at DFIs/FIs are designed to be independent of the areas being audited, and that internal audit teams report to an independent board or audit committee at the DFI/FI. As supervisors, central banks must ensure that this happens on the ground in real time during implementation.  

Lesson # 8: Greater focus on quantitative versus qualitative risks. Although risk management has become more quantitative, considerable management judgment must be applied to the process, and this is what DFIs/FIs need to get their boards to facilitate. Frequent and small losses can generally be absorbed in the operating margin of the product or service, and DFIs/FIs have tended to focus more on such risks and problems.

It is the low-probability, large losses that provide the greatest challenge. It is just such risks—the ones that can severely damage, if not kill, an organization—that too many DFIs/FIs have not formally taken into consideration. And that, in many ways, has resulted in many problems on the ground in these past crisis situations. Why, today’s COVID-19 crisis is a perfect example of a low probability, very high impact risk which has devastated economies worldwide and impacted DFIs/FIs, corporations, and MSMEs around the world.

That apart, I would like to mention that as the financial services industry moves forward, risk assessment and risk-based auditing[5] at systemically important and large DFIs/FIs become necessary. I do hope that all DFIs/FIs—including fast growing, large, and new age (FinTech) ones—adopt this and the regulatory framework makes it necessary for them to do so. This alone can help prevent the kind of institutional lapses that led to the U.S. subprime (2007/8), the Indian microfinance crises in AP (2010) and the 2018 financial sector crisis in India—all of which contributed in significant measure to eroding the stability, inclusiveness, and accountability of the financial ecosystem. This aspect is very important now because economies and financial systems worldwide are very fragile and susceptible to systemic failure, especially because of the devastation that COVID-19 is still causing across the globe.

I sincerely hope that globally, all central banks look at these and other issues related to risk management arising from the past crisis situations. That is one area, among many others, where rebuilding (in the COVID-19 era) can and must start as soon as possible. Only this can put the financial services industry on a firm footing and get it to implement—through sound prudent risk management—the great-sounding ideas that DFIs/FIs always wanted to implement to ensure stable, inclusive, and accountable financial sectors that can kick-start the respective economies and help them grow in double digits, especially in the COVID-19 era.

[1] RAMESH SRIVATSAVA ARUNACHALAM is a board member of the Financial Inclusion Advocacy Centre (FIAC), Ghana and UK. He is also a partner in ASCENSION ADVISORY (India), under incorporation. He is the author of 14 critically acclaimed books. Ramesh also provides strategic advice on a wide variety of Financial Sector, Financial Inclusion and Economic Development issues. He has worked in over 314 assignments with multi-laterals, governments, private sector, Banks, NBFCs, DFIs, regulators, supervisors, MFIs and other stakeholders in 31 countries across 5 continents and 680 districts of India during the last 31 years. He can be contacted at [email protected] and +919962815615.

[2] The PNB scam is a classic example here.

[3] The IL&FS case is an appropriate example here.

[4] COVID-19 has rendered onsite supervision almost impossible and, going forward, central banks would have to rely on online (off-site) supervision backed by innovative “SMART” RegTech tools to ensure effective, efficient, and adaptive supervision on the ground in real time.

[5] In simple terms, risk assessment is a process by which an auditor identifies and evaluates the quantity of the DFI’s/FI’s risks and the quality of its controls over those risks. Through risk-based auditing, the board and auditors will use the results of the risk assessments to focus on the areas of greatest risk and to set priorities for audit work. That, however, does not mean that the audit department can lose sight of or ignore areas that are rated low risk. An effective risk-based auditing program will ensure adequate audit coverage for all of a DFI’s/FI’s auditable activities. The frequency and depth of each area’s audit should vary according to the auditor’s risk assessment.
