Manage Tomorrow's Surprises Today

Steven Minsky

The Wells Fargo Scandal is a Failure in Risk Management

user-pic
Vote 0 Votes
Thumbnail image for Wells Fargo Scandal.jpg

Wells Fargo recently paid $185 million in penalties - the highest fine levied by the Consumer Financial Protection Bureau (CFPB) since it began operations in 2011 - for inappropriate sales practices. Millions of accounts were set up without customer consent, in many instances generating overdraft charges and other fees. The CFPB referred to the Wells Fargo activities as "widespread," and 5,300 employees have been fired.

The Wells Fargo scandal is on the level of those at VolkswagenWendy'sChipotle, and Plains All American Pipeline. Wells Fargo CEO John Stumpf has been asked to testify in Washington to account for his company's practices, this after he "defended the firm and the efforts it had taken to stop the behavior" and claimed he had no knowledge of employee activities.

Stumpf's comments indicate a failure in risk management for a few reasons:

  • - As the CEO of Wells Fargo, he is responsible for the risk management processes in place. How could activities on this scale go unnoticed to management for 5 years? "Not knowing" isn't a valid excuse. It's negligence.
  • - Employees were incentivized by unrealistic sales quotas. Why was there no compensation oversight for these practices?
  • - Where were the risk assessments on these processes? What about internal audits of both the risk management process and governance oversight?


News broke yesterday that the chief risk officer, Claudia Russ Anderson, has been replaced. It is a warning to all risk executives: they will also be held accountable for risk management negligence, as it is their fiduciary duty to get the board the information it needs through adequate risk management systems and processes. Even though Claudia Russ Anderson did not directly propagate the activities, she is being held accountable because they occurred on her watch.


Wells Fargo Scandal: A Direct Result of Risk Management Negligence

 

Starting in 2010, the SEC's Proxy Disclosure Enhancements, by establishing an ERM mandate for corporations, made boards responsible for disclosing various risk management requirements. Notable obligations include:

  • - The disclosure of risk management effectiveness and systems used to manage risk
  • - The board's role in risk oversight and knowledge of the company's material risks down to the front line
  • - Analysis of its compensation policies for all employees. Simply put, corporations cannot put employees in the risk/reward tradeoff position, which forces them to choose between customer well-being and their own careers.

When Wells Fargo designed its sales incentive program, why didn't risk assessments reveal how unrealistic those sales goals were? Were there mitigation activities to protect against customer account manipulation? If so, where were the risk monitoring activities that would have picked up on the appearance of two million accounts over a five-year period?


ERM Enforcement: The Wells Fargo Scandal Will Follow the Same the Same Trajectory as Risk Management Failures Since 2010

 

We have all seen ERM enforcements before, whether we realize it or not. Wells Fargo is but the most recent iteration of the same trend: risk management failures lead to a crisis event, which leads to penalties, which lead to class-action lawsuits, which recently resulted in criminal charges and jail time.

The Yates Memo (2015) by the Department of Justice (DOJ) clearly spells out consequences for failed risk management: Americans should never assume that negligence or fraud will go unpunished simply because they were committed on behalf of a corporation rather than an individual.

Consider the parallel of the risk management failures at Volkswagen:

  1. 1. Regulatory penalties
  2. 2. Punitive damages
  3. 3. Class action lawsuits (risk management negligence - management and the board)
  4. 4. Criminal charges & individual liability

In both cases, the CEOs (and other executives) made similar claims: I'm not responsible for this incident because I didn't have direct oversight; it's not my fault. This is the basis for negligence; they are directly accountable for their risk management processes and systems. Both Wells Fargo and Volkswagen (not to mention Wendy'sPlains All American, and Dwolla) were found negligent in risk management and are suffering the consequences accordingly.

We're currently witnessing Wells Fargo in the beginning stages of this process; it's already been slapped with penalties, and the "I didn't know" excuse - this time in the form of "it's the employees' fault, not management's" - will to provide no shelter against coming accusations.

The lesson: boards and senior management are absolutely responsible for the risk management effectiveness of their companies. It is their obligation, as outlined in SEC rule 33-9089, to ensure that robust risk management programs and software systems are in place so that scandals like these are avoided.

The good news is that it doesn't have to be this way. Corporations that can provide evidence of an effective risk management program are largely exempt from punitive damages, class-action lawsuits, and DOJ jail time for management. Many organizations have been successful in similar situations; ERM systems prevent scandals and associated costs, litigation, and jail time.

 

To learn what makes strong risk management programs effective - and capable of preventing issues like those that led to the Wells Fargo debacle - download our free eBook, 5 Characteristics of the Best ERM Programs.


Leave a comment

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.

Recently Commented On

Monthly Archives

Blogs

ADVERTISEMENT