In our latest ‘From the Archives’ piece, Mike Finlay, CEO of RiskBusiness takes us through the risk classification process for a governance failure. This piece was originally published in issue 31 of The Risk Universe magazine, in July 2014.
Every operational risk professional, and every business person who has ever had to try to classify items of operational risk data consistently, fully comprehends the enormity of the challenge, usually made harder by the absence of an unambiguous, comprehensive and business-relevant classification taxonomy. Continuing our regular feature on data classification issues and guidelines, RiskBusiness’ Mike Finlay takes a look at what is unfortunately a very prevalent issue in many firms today, yet one which is seldom actually used in classifying specific events.
Definitions and suggested good practices around corporate governance abound, yet the almost continuous revelation of more and more poor governance and governance failings suggests that the concept often only receives superficial attention in many firms.
Penalties, fines, sanctions or warnings associated with violations of corporate governance requirements or direct financial losses due to direct corporate governance failings, arising from inadequate monitoring, mismanagement, inadequate direct and indirect oversight, weak or inappropriate strategic direction, disclosure and reporting failures, inappropriate business practices, unsuitable firm culture, etc.
Element type: Risk category
Risk type: Operational risk
Classification level: Level 4
Clients, Products and Business Practices
➤ Improper Governance, Compliance and Regulatory Disclosure
➤ Governance, SOX and Internal Compliance Violations
➤ Governance Failings
Industry applicability: Industry generic
➤ Penalties, fines, sanctions or warnings associated with violations of corporate governance requirements and rules established by self-regulatory bodies, exchanges, government and/or regulators and supervisors.
➤ Direct financial losses arising from direct corporate governance failings, due to inadequate monitoring, mismanagement, inadequate direct and/or indirect oversight, weak or inappropriate strategic direction, disclosure and reporting failures, inappropriate business practices, unsuitable firm culture, etc.
➤ Fraudulent activities by executive and senior management, even where the alleged fraud was facilitated by weak or poor governance.
➤ Breaches of regulations focused more on financial control, such as the US Sarbanes-Oxley Act, financial reporting or accounting and investor reporting, as opposed to direct corporate governance itself.
➤ Poor judgement, poor decision making or the selection of what, in hindsight, proves to be an unsuitable corporate strategy, where appropriate due diligence, consideration of available factors and information and suitable governance principles have been followed.
Common classification pitfalls
➤ Breaches in financial and accounting requirements, rules and regulations, including those related to Sarbanes-Oxley, are not per se corporate governance failings and should be classified elsewhere.
➤ Acts involving bad judgement, management errors and mistakes which are neither intentional nor contrary to information provided to management do not constitute corporate governance failings.
➤ Fraudulent acts by management, including bribery and corruption, should be viewed as fraud.
➤ An inappropriate strategy or business decision where there are no operational risk-related failings should be deemed to be either strategic risk or business risk, not operational risk.
Key identifying tags
AGM; annual general meeting; audit committee; beneficial owner; beneficial ownership; board; board audit committee; board committee; board compensation committee; board director; board nominations committee; board of directors; board policy; board remuneration committee; board risk committee; CEO; C.E.O.; chair; chairman; chairperson; chairwoman; checks and balances; chief executive; chief executive officer; code of conduct; code of ethics; company secretary; compensation; compensation committee; conduct; controlling interest; controlling share; controlling shareholder; corporate culture; corporate governance; corporate governance failing; corporate governance failure; corporate governance system; corporate responsibility; corporate social responsibility; CSR; C-suite; culture; delegated authority; delegated responsibility; delegation; delegation of authority; delegation of responsibility; deputy president; director; directorship; ethical; ethics; EGM; ExCo; executive; executive chairman; executive committee; executive director; executive management; external director; extraordinary general meeting; governance; governance failing; governance failure; governance shortcoming; governance, risk and compliance; GRC; holding company; improper governance; inadequate governance; inappropriate governance; inadequate oversight; inappropriate behaviour; inappropriate decision; inappropriate strategy; incentive; independent director; independent oversight; investor relations; investors; lack of oversight; leadership; limit of authority; limit on responsibility; limits on authority; limits on responsibility; management; management control; management oversight; management structure; management style; mismanage; mismanagement; mission; mission statement; NED; nominations committee; non-executive director; objective judgement; officer; opaque structure; outside director; oversight; parent company; president; profit motive; remuneration committee; responsibility; risk committee; 
risk governance; scandal; scrutiny; senior executive; senior management; SGM; shareholder; special general meeting; stakeholder; strategic plan; strategy; supervision; sustainability; terms of reference; terms-of-reference; tone at the top; tone-at-the-top; ToR; transparency; undesirable behaviour; unethical behaviour; unsupervised; vice chair; vice chairman; vice chairperson; vice chairwoman; vice-chair; vice-chairman; vice-chairperson; vice-chairwoman; weak culture.