Europe is now engaged in an experiment unprecedented in world history: can independent nations – even if linked by significant legal, economic, and social ties – merge their financial systems into a true banking union? Policymakers are working diligently to achieve that goal. Spurred by the financial turmoil of 2007-2009 and its aftermath, Europe has created a network of powerful regulatory institutions including the Single Supervisory Mechanism, the European Systemic Risk Board, the European Banking Authority, the Single Resolution Mechanism, and the European Stability Mechanism. Acting individually and in concert, these bodies are working to enhance the integration of financial markets in the euro area.
Important as these institutions are, they are not the only factors at work in what appears to be an irreversible trend towards harmonization. More general trends are at work – changes in best practices in the management of banking institutions. Although promoted in important ways by regulatory authorities, these trends trace their roots to broader developments: a movement that emphasizes risk and compliance as key elements in the governance of banking enterprises. These changes are even more international in scope than the move towards European banking integration. The trend, moreover, is not only broad in scope; it is also characterized by an astonishing degree of convergence. Arguably the treatment of risk and compliance at financial firms is one of the most successful international frameworks for regulation — even though the applicable rules are not embodied in any single statute, code, or regulatory action.
While the causes of a phenomenon this extensive can never be fully identified, the following have played a role. First, finance economists have invented powerful and sophisticated techniques for modeling risk within firms. These models have been thoroughly integrated into the day-to-day management of banks through computerized models and reporting and control systems.
Second, it would be hard to overstress the importance of the Basel Committee on Banking Supervision, which through its risk-based capital regulations has directed attention to the systematic analysis and management of risk. The Basel framework was a breakthrough insofar as it highlighted the importance of risk — first the risk in a bank’s portfolio and off-balance sheet activities and, later, market and operational risk. The emphasis on risk contained in the Basel capital adequacy rules had a large impact on the thinking of banks, bank regulators and financial market participants generally.
The corporate frauds uncovered during the late 1990s and early 2000s raised public concerns about the processes of internal control which seemed to have broken down so badly. How was it that so many large companies, which appeared on the surface to have maintained the requisite procedures and safeguards, were capable of engaging in massive fraud and illegality? Many concluded that internal controls were inadequate and that, to prevent such frauds in the future, it was desirable to upgrade the control environment. The Sarbanes-Oxley Act responded to these concerns. It requires corporate officers to certify that they are “responsible for establishing and maintaining internal controls;” and requires management and the external auditor to report on the adequacy of the company’s internal control on financial reporting. This statute gave central importance to the concept of internal controls as mechanisms for managing the risk of misstatements in financial reporting.
The financial crisis of 2007-2009 convinced many that risk at banks had been poorly controlled in the years that led up to the turmoil. The light of hindsight revealed that many financial institutions invested too much of their assets in subprime mortgage-backed securities and other assets whose value was tied to the U.S. housing bubble. But it was not only financial institutions that misjudged these risks; rating agencies and regulators were at least as far off in their estimates. In retrospect, it appeared that had risk assessment and risk management been better conducted in all these institutions, the crisis could have been mitigated or avoided. The current emphasis on risk management reflects that assessment and seeks to ensure that the disaster of 2007-2009 does not recur.
A variety of influential committees and quasi-governmental bodies have offered advice about the advantages of risk management, especially through the implementation of effective internal controls. Important among these is the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which formulates best-practice standards that have been widely adopted in the financial world. One pillar of the COSO framework for internal control is “risk assessment”: the process by which the organization identifies and evaluates material risks to its operations.
These and other events and developments have contributed to the greatly enhanced emphasis on risk and risk management in the structure of systems of internal and external control at financial institutions. Scholars of corporate compliance face the interesting challenge of making sense of these developments.
The preceding post comes to us from Geoffrey P. Miller, Professor of Law at the New York University School of Law. It is based on his recent article, Risk-Management and Compliance in European Banking Integration, NYU Law and Economics Research Paper No. 14-34, available here.