Corporate Fraud: Revenue vs. Risk...

It's been over five years now since the "Black Monday" at Enron. Volatility in the markets over the sub-prime mortgage industry has investors a little nervous. Operational Risk Executives are hoping that this is not a deja vu moment.

Though the main Enron characters have received their prison sentences, there's no closure for corporate fraud. Sherron Watkins, Enron's sentinel, describes the debacle's details and warns that it could happen again.

Dec. 3, 2001. Black Monday. The day that Enron declared bankruptcy. CEO Ken Lay had left a voice mail on the phones of all Enron employees asking they come into the office regardless. Nearly 5,000 were called to a massive meeting and told that the paychecks that they had recently received would be their last. Three weeks before Christmas.

In August of that year, Sherron Watkins, an Enron vice president, had sent an anonymous memo to Lay that read, "I am incredibly nervous that we will implode in a wave of accounting scandals."

Of course, that's exactly what happened. After the company's demise, the investigating U.S. Congress discovered Watkins' memos to Lay and other top executives. (After sending the memos, she had met with Lay with no results.) Watkins was soon lauded as an "internal whistle-blower," brought before Congressional and Senate hearings to testify against her former bosses, and heralded by TIME magazine as a "Person of the Year," with WorldCom's Cynthia Cooper and the FBI's Coleen Rowley.

With the chaos going on in sub-prime lending in the United States, the concern is that suddenly the liquidity that fueled this past boom is about to "Go South". Will there be any issues that surface about the fraud imposed upon consumers over the terms and conditions of the loans they signed to become part of the American Dream? Are there any "Sherron Watkins" sitting there in their offices today wondering how they can become the next "Whistleblower" to make it to the cover of Time Magazine?

Only time will tell whether any of the volatility in these companies has a ripple effect in markets for the long term. Yet the culture that exists today inside those organizations must be tense and certainly there are a handful who wish there was a way they could make it all go away. So what advice would Sherron have for anyone feeling this way at their institution in a role of Operational Risk Management?

If you ever were to go back to a corporate executive position, what kinds of things would you ensure would be set in place before you took the job?

In addition to the zero tolerance policy I've already mentioned for ethically challenged employees, I'd be sure that the company had a mechanism for bad news to get to the top and had effective policies and procedures for dealing with that bad news. I would also verify that the company's control and risk personnel had autonomy and equal power with top revenue executives. I would want to see that top management values the control and risk management function. I would want to make sure they recognize that control and risk personnel will not be the most popular and that the problems the company avoids as a result of the work of these groups will never be quantified.

Think about what she is saying here. Control and risk personnel need to have equal power with the executives who are bringing in the revenue. This means that the powerbase of the sales and marketing team would need to be on par with the Internal Audit and Risk Management executives. This culture shift is harder to achieve than one would think. The ego's aside, the people who make it their job to worry about losses and to mitigate risks day in and day out are just not used to waving the big black flag of doom. Everybody loves to hear that the business has been won, the competition defeated and the company just closed the biggest "Deal" in it's history. Let the spin doctors in Marcom get the Press Releases flying!

It has been said before, the tone starts at the top. The CEO and Board of Directors who are cognizant of the neccesity for effective risk management objectives must also create a balanced powerbase at the top to balance the "revenue generators" with the "loss mitigators." So who are some of these people who deserve a greater exposure to this new born culture shift:

• Director of Information Security promoted to CISO. (Chief Information Security Officer)
• Director of Corporate Facilities to CSO. (Chief Security Officer)
• Director of Regulatory Affairs to CCO. (Chief Compliance Officer)
• Director of Privacy to CPO. (Chief Privacy Officer)
• Director of Human Resources to CHO. (Chief Humanity Officer)
  

If the CEO thinks that this is too many chiefs in the "C" Suite, then what about the idea of creating the Executive Office of Operational Risk Management (ORM). This would be on par with the Chief Financial Officer and might even include the Chief Information Officer. The top ORM officer would be on par with the EVP of Sales or Marketing and unlike the Chief Operations Officer (COO) would be focused on the effectiveness of risk controls and not so much on the efficiency or uptime of corporate processes. What does Sherron think the moral is?

You've been asked this one numerous times, I'm sure, but what's the moral of the story?

Being an ethical person is more than knowing right from wrong. It is having the fortitude to do right even when there is much at stake.

operational risk