One of the foundational pillars of modern day capitalism is the sanctity of stock exch­anges and credibility of information traversing through the­m. Countries have made conscious efforts to empower market regulators with legal and financial powers to control deviant behaviour. Post 9/11 and collapse of Enron, regulators across the world have become wary of cooked books, misleading information, and terror mo­ney. Besides personal certifications by CEOs and CFOs about completeness, accuracy and reliability of financial data, companies are required to establish internal controls and file mandatory disclosures to the shareholders and excha­nges. Checks and balances ha­ve been enforced and firewalls created to distance the auditors from the operators, and companies are encouraged to implement mechanisms su­ch as whistle-blower policy.

However, fresh scandals in recent months involving established corporate giants such as MF Global in USA, Societe Ge­nerale in France and Olympus in Japan have once again shaken the faith of investors and general public alike. They wonder if it is at all possible to control greed and cheats.

Olympus is accused of de­cades-long cover-up of more th­an $1 billion in losses and illegal payments to unknown persons. Olympus bought Gy­rus for which it allegedly paid an advisory fee of $687 million to a firm incorporated in the Cayman Islands and whose ow­ners are unknown. The company now faces threat of delisting at Tokyo Stock Exchange despite resubmitting five years’ financial statements. That wou­ld mean complete erosion of sh­areholders wealth in the absence of ability to trade the st­ock, once delisted.

MF Global took positions worth $6.3 billion on European sovereign debt, a trade large enough to wipe out the firm. The decline was rapid. In October this year, the ratings agencies downgraded the firm and investors fled, leading to bankruptcy by the end of the month. About $1.2 billion of customers’ money is reported mi­ssing. In this case, it is alleged that the top management deliberately set up weak audit and risk controls, including stripping of vital powers of its top risk officer in charge of controlling and identifying risk.

Both the companies were using well-known risk capital management frameworks — then what went wrong?

The starting point of establishing robust controls is the boardroom. Strategic intenti­ons and corporate persp­ect­ives on controls are established in those hallowed rooms. The­se are the people entrusted wi­th the fiduciary responsibility of safeguarding the interests of the shareholders and the company. In making appointments of independent directors, it is essential that they have the professional competence and credibility, and not have any conflicts of interest.

The tone from the top sets up a culture that encourages open and transparent discussions, provides avenues for asking questions and admitting mistakes, recognises experts and expertise, and respects the ‘four eyes principle’ of review. The culture of openness has to be ideally supported by training programmes, hiring people with the right background, providing formalised policies and procedure manuals for accounting and internal controls, creating a confidential and non-punitive avenue for complaints, and establishing reasonable targets.

It is not sufficient to know the risks, but what the company is doing about it. The governance str­ucture and reporting systems should be independently supported by audit, compliance and independent review functions.

Additional controls within the management reporting pr­o­cesses can ensure that estimates (including the tools used for arriving at them) and key assumptions are adequately analyzed. These should be validated by independent external reviewers. The management reporting processes that underpin the risk capital framework should be well controlled, consistent and prudently applied. Major financial risks should be covered with a solid capital base for providing high level of security to the customers, employees, investors and the company itself. In a changing economic order, this is indispensable for the success of any company.

Large businesses are not only bundles of resources and knowledge but are also full of assumptions, estimations and expectations. This necessarily creates inherent risks that need to be managed. It is important that all the internal risk management processes are constantly reviewed for factoring changes in regulatory requirements and new uncertainties surrounding the business. It means constantly balancing the need for consistency with commensurate reliability of the risk management system.

For example, Allianz Group — one of the largest insurance and asset management companies in the world (revenues in excess of Euro 100 billion in 2010) — uses a top-down, risk-based approach to establish the system of internal controls. At the local subsidiary levels, the system is decentralised. Operating entities identify processes and risk scenarios for the significant accounts defined by the group.

In sum, risks are inseparable with entrepreneurial acti­ons. Excellent companies not only create risk management frameworks but also simultaneously establish robust controls to prevent malfeasan­ce or corruption possibilities! Ti­mely identification and cont­r­ol of risks with safegu­ards and cou­nter-measures in pla­ce in case situations go out of laid-down boundaries are the cornerstones for them for mo­ving forward.

(The writer is a professor of strategy and corporate

governance, IIM-Lucknow)