Monday, March 30, 2009


The call for more regulation and rules has already started and is part of the Treasury Secretary's plan to overhaul the financial markets. This occurs after every crisis, when there is much political grandstanding.

Does everyone remember the post-Enron scandal legislation? Sarbanes-Oxley, or SOX, was introduced as the most sweeping set of changes since the Great Depression. Sound familiar? Did it stop or even lessen this crisis?

SOX was introduced to address the following problems:
- auditor conflicts of interest
- boardroom failures
- security analysts' conflicts of interest
- inadequate SEC funding
- banking practices: making loans that were too risky
- executive compensation excesses

Well, how well do you think it worked?

It did drive a great revenue stream for the accounting and consulting firms as they helped companies comply with the regulations. So one benefit of new regulation could be job creation in these industries. Now, there were benefits from the SOX legislation. The question is the follow-through.

It seems we should make sure there is follow-through and action taken on the current rules on the books before we jump to adding more legislation and, God forbid, more government agencies. There is a good article in the WSJ regarding the Risk Management group at AIG. Two things really caught my eye.

In January 2008, PWC, the auditors of AIG, reported to the board that access into the financial products unit by the risk group may require strengthening. Two months later, the Federal Office of Thrift Supervision reported that the financial products unit was allowed to limit access of the key risk control groups.

Why bother to have risk groups if they can be denied access and if their reports are not acted upon by the board? Why are the oversight groups, in this case PWC and the Feds, allowed to write reports with vague wording such as "may require strengthening"?

But most importantly, nothing was done! If we have rules and regulation, they need follow-through and "teeth". If not, let's not waste the time on legislation.

Questions for all of you:
1) Do you know your company's risk management policies and procedures?
2) Do you know if the policies and procedures are targeted to your company's biggest risks? Mike and I use a technique in our leadership development sessions in which we ask people to list the three biggest risks in their company or group and what they are doing to monitor, mitigate, and manage those risks.
3) How do you know if the controls are being circumvented, such as denying access?
4) What is the process? This is one of Mike's favorite the process.

Until next time,
