Taking corporate responsibility is hard - sometimes it’s much easier to pin difficulties on a scapegoat. Simply get rid of them and all will be well again. But, how often do problems in a major institution stem from just one bad guy or girl?
Risk managers need to ensure boards are willing to work together, a united effort is essential to rooting out problems early. There must be clear lines of communication across a business and endemic problems must be faced up to.
But, the scapegoat solution can be easier to deal with – think rogue trader Nick Leeson and Barings as a prime example. Certainly he will have been culpable, but cultural problems will also have played a key role. And if there are serious governance failings, it is unlikely that one individual will be alone in wreaking havoc.
So an unauthorised accounts scandal in the US may well make some interesting reading for risk managers in the UK.
Wells Fargo is a household name in retail banking and notably avoided getting into difficulties during the financial crisis. Yet, it seems staff had been opening unauthorised accounts to hit their sales targets. This messy business has resulted in some 5,300 staff being sacked for opening more than two million unauthorised accounts and the bank agreeing a $185 million settlement with regulators last September.
Anecdotal reports have also said the bank had a ruthless sales culture, with staff being bullied for not meeting targets.
Once the problems emerged, an investigation by the board said the causes were a high-pressure sales environment and in particular blamed the behaviour of former division head, Carrie Tolstedt.
Board chairman Stephen Sanger issued a report to the media saying Ms Tolstedt had not tackled poor sales practices and had allegedly obstructed former board efforts to investigate.
Ms Tolstedt was dismissed and is now represented by lawyers who issued the following statement: “We strongly disagree with the report and its attempt to lay blame with Ms Tolstedt. A full and fair examination of the facts will produce a different conclusion."
It was reported Wells Fargo has cancelled approximately $47 million worth of stock options held by her. The bank said it would also claw back some $28 million from former chief executive John Stumpf, who also apparently failed to act when warned about problems.
He retired last October with the scandal in full swing – critics said he was a supporter of Ms Tolstedt and that he failed to see how damaging sales practices were.
Meanwhile, Sanger has been a board member since 2003 and he has also faced criticism, along with other board members. But, he has defended his role; saying the board acted correctly with the information it was given and changes have been made.
These include ending sales targets, changing pay incentives for branch staff and separating the role of chairman and CEO. New directors have also been recruited to bring in fresh thinking.
It was noted that decentralisation and poor communication was in part to blame – branches were supposedly able to bat away inquiries from head office.
Yet it seems sales practices were identified as a risk to the board back in 2014, but no real action was taken. Further, Ms Tolstedt was said to have presented to the risk committee in May 2015, but the inference was that any problems were small scale and were being fixed.
This is a useful case study of what can go wrong when risk functions are not centralised and when boards are insufficiently thorough in their early investigations.
The fire may have been extinguished now, but the Wells Fargo share price has been negatively impacted and apparently, customer numbers are dropping off. The company has lost its status as America's most valuable bank by market value.
If ever there was a case for having proper controls and an effective enterprise risk management system to record incidents in place, then this is it.
Four key competences or ‘Ts’ that can help CRO’s gain influence.
Cathy Hampson, author of “An Introduction to Behavioural Risk” provides an insight as to why people behave in the way they do and some considerations for any operational risk managers