Outsourcing risk and Madoff

-
One of the key issues of the financial crisis was banks not knowing the value of their assets. This lack of insight has numerous reasons, but to me the main ones are: too much focus on short term profit, not being able to understand your own financial products anymore and inadequate control over your back-end business partners. In this post I want to put some of my thoughts on this last topic: the importance of monitoring the ‘health’ of the other financial institutions the bank does business with. Banks got hit by Madoff and Leman Brothers because they did not appreciate the risk they ‘imported’ by extending their value chain beyond their own borders.

This issue was broad to my attention again in n a recent interview of Z24 (Dutch internet news channel) with the Chief Risk Officer of Fortis Bank Netherlands (3 billion revenue 2008, 184 billion in assets. In this interview the risk management practises of the bank were discussed and the CRO stated that the board is closely involved with all new product introductions, and determines how new products fit into the risk profile of the bank.

If so much attention goes into risk analysis, even at board level, how can it be that Madoff and Lehman Brothers were not detected earlier? As said in the beginning of this post play a lack of insight in de risk profile of the whole value chain and an underestimation of the ‘risk dynamics’ an important role. And looking at the value chain also means outsourcing as the times are long gone that banks ‘produced’ all their financial products and services themselves.

The term ‘outsourcing’ is however typically used for situations were internal employees and assets are transferred/sold to an external party. This means that outsourcing is not the perfect term in this situation, but looking from a risk management perspective is it not that relevant whether your relationship with the business partner is based on acquiring, purchasing or outsourcing. In all cases does the bank ‘import’ risk by dealing with an external vendor.

The point I want to make is that banks pay a fair amount of attention to new product introductions and selecting a new business partner to outsource internal activities to or buy services & products from. This means that most banks will have done some kind of due diligence before signing contracts with Madoff and Lehman Brothers. What many banks failed to do is to monitor these partners adequately and adjust their risk profile and control strategy accordingly (and in case of Madoff do a proper due diligence at all as it was a Ponzi scheme from the start). Financial institutions have been outsourcing various back office activities and buying complex products and services from others and lost in many cases the overview of the risks within their value chain.

Even though some financial institutions have business relationships with hundreds of partners is the control strategy of most banks still very much oriented towards the internal activities. This despite that in some cases more risk is ‘imported’ than produced by the financial institution itself. This immaturity is reflected in the control strategy for external partners. Most organisations do not get much further than a ‘right to audit’ and (miss-)using SAS70 statements to get some insight in the control maturity of its partners (more on SAS70 here and here). To make matters worse are the education curriculum’s for risk managers and auditors also paying inadequate attention to the ‘financial supply chain’. Risk and audit managers learn how to control the internal organisation and learning how to exercise control over external partners is dealt with in maybe 10-15% of the course time.

I expect this to change soon however as financial institutions and their clients are not waiting for a Madoff 2.0.

Comments

  1. vanitiesOctober 2, 2009 at 9:53 AM

    well i think history repeat itself..and will continue if the banks will not scrutinize all their clients especially those that have deposited a questionable large sum of money..

    ReplyDelete
  2. Deirdre McCabeOctober 17, 2009 at 10:24 AM

    Indeed, all actors involved in the finance supply chain need to be scrutinised,taking into account the cross jurisdiction aspects, different local rules and regulatory requirements. We are seeing more and more examples of financial products, distributed in one country, with underlying assets pooled in another jurisdiction and held in trust in a third jurisdiction. The end result is often financial loss for investors and lack of clarity re custodian rules, even Ponzi schemes. A reflection I have had, with most banks having disposed of their trust business latterly in the EU to "outsource" their risk, has this not had an adverse impact. Might it not have been better if trust business remained in control within banks? True due diligence is often done by all parties, but only taking into account direct risks involved in the immediate role:duty of obligation involved.

    ReplyDelete

Post a Comment

Popular posts from this blog

Beyond Two-Speed IT – Part 3

-
Summary This blog is about shifting gears and the ability to offer cars in other colors than T-Ford-black. It is the third and last part of a blog focusing on the importance of translating market and business context into the value proposition offered by IT. You can find the first part   here   and the second part   here .   FedEx and UPS dominate their markets,   again   using slightly different value propositions. Compared to UPS, FedEx offers its customer more flexibility at a slightly higher price point. More price sensitive customers opt for UPS and the more standardized value proposition that comes with it. More pronounced is the difference between Walmart and Amazon. The first has its roots in physical retail outlets while the second started as a native digital business model. Differentiation can also be observed at an operational level. Marketeers want to try new things on a daily basis, while the controllers and bookkeepers of the finance and administration (F&
Read more

Beyond Two-Speed IT – Part 2

-
Summary Markets move at different speeds and in different directions, constantly reshaping the technology-related capabilities required by the business. In the second part, the difference between Customer Intimacy strategy and Operational Excellence strategy is used demonstrate that ‘differentiation’ is more than choosing Agile over Waterfall development. The first part of this blog dedicated to market and business context is  here .   Dell was founded in 1984 and was added to the Fortune 500 in 1992. Its key to success was building direct relationships with the customer via the internet. At the time, most competitors targeting consumers via analogue sales channels, such as brick and mortar shops. Selling directly to the customer also enabled Dell to build-to-order instead of the traditional build-to-stock model. It kept waste to a minimum and allowed the customer to choose from a wide selection of configuration options. Dell’s pursued a customer intimacy strategy, cont
Read more

Beyond Two-Speed IT – Part 1

-
Summary Markets move at different speeds and in different directions, constantly reshaping the technology-related capabilities required by the business. This blog is the first in a series covering the third principle of the Digital Manifesto.   When in New York, searching for a restaurant on your mobile yields those nearest to your current location. If your search history indicates you like Chinese food, the results will highlight those. To create this kind of personalized experience, Google Now, Cortana and Siri combine several data sources, such as location and past usage patterns, to deliver a personalized experience. The capability to show the restaurants in New York instead of Moscow reduces the ‘search stress’ faced by customers and the saved time is a source of customer benefits. The business has a similar expectation. When requesting a new IT solution, the context, such as stable versus emerging market, or having little or intense competition, is at least as rel
Read more