Caught in a Web - Risk Management Crises in our financial institutions
My interesting job as a Risk, Compliance and Internal Audit Expert has taken me to various banks, microfinances and government institutions in the country and abroad. One thing which is very certain is that most banks in Ghana don’t care about risk management (Enterprise Risk) because there is this strong drive for deposit mobilisation. Credit departments are being headed by relatives and cronies of board members who micro manage them; hence, have lost their independence and objectivity.
Advertisement
Over 80 per cent of loans granted in such banks are on the basis of ‘’name lending,’’ which usually goes bad within six months. Why? Because loans go bad basically on two reasons: poor Credit Process and poor Credit Culture in the financial institution.
I’m currently reviewing the corporate governance structure of a particular bank. One person on the board chairs five out of the seven committees and is a member of the other two committees. This man has no clue on risk management. His background is in foreign trade but unfortunately he is the chair of both the Risk Management, Audit and Compliance sub-committee of the board a clear indication of poor corporate governance.
Who is the Head/ Director of Enterprise Risk in your bank, and what is his locus? Traditionally, the structure of Enterprise Risk Department in many of the indigenous banks in Ghana looks very frightening. Usually the Head of Enterprise risk is not an EXCO (Executive Committee) member but is there only to satisfy BoG requirements. Funny enough the Head of Enterprise Risk rather reports to the Head of Credit because an inexperienced/unmotivated person has been made the Head of Enterprise Risk. If the risk maturity of the Bank is at the foundation level and the unmotivated /inexperience Head of Enterprise Risk has the task of putting up the enterprise risk framework of the bank, setting the risk appetite framework and risk appetite statement(subject to Board approval) of the bank and implementing them, then definitely customers’ funds will suffer. Most banks still see Risk and Audit departments as where non-performing staff must be pushed to and truly these are also the banks with high levels of non-performing loans.
Show me a very good bank and I will show you a very strong Risk, Audit and Compliance Unit. How come the Head of Audit reports functionally to the MD in your bank? The Head of Compliance reports to the Director of Finance and the Head of Enterprise Risk report to the Head of Credit because no value is placed on these sensitive positions in the bank .In an ideal bank, the Head of Audit reports to board Audit Sub Committee, Compliance reports to Board and Enterprise Risk report to the Board Risk Committee (Good Corporate Governance). I have reviewed the Corporate Governance structure of a bank where the Head of Enterprise Risk is on manager grade, the Head of Operational Risk is an officer and the Head of Market Risk is a national service person who has no assess to the bank’s software. Meanwhile, in the same bank the Head of Internal Communication is on director grade.
It’s even murkier when we come to Risk Based Internal Auditing. Banks are all over the place with reporting styles and risk methodologies. How come the Head of Audit was asked to prepare the risk register of the bank? IIA (Institute of Internal Auditors) have specifically stated this as some of the don’ts of internal auditors. The risk register of a bank must be prepared by the enterprise risk department, not by internal auditors, to avoid conflict of interest. The role of internal auditors in risk management is to ascertain whether proper structures have been put in place by the risk department to identify, measure, monitor and control risk. These structures include the risk register.I have seen a bank which has no risk register in place but has started reporting its audit findings in a risk base manner. Where are the risk experts on the board? What is this new function /concept of control (Branch Control) or monitoring units in some banks? The concept of residence internal controls came to Ghana from Nigeria in 2007. Apart from the fact that it is costly, its main functions are the same as operational risk management and internal audit. The originators have stopped this and rather strengthened their enterprise risk management functions. Risk is about event, impact and cost. Its management starts from the process owners, to be proactively managed by risk and compliance unit and finally by the internal auditors as the last stop.
Enterprise Risk, Compliance and Internal Audit departments must be made mandatory for all registered microfinances, with the option of outsourcing them. Risk management must be the baby of all stakeholders, from the cleaner to the board chair, and must be accorded the needed attention just as the finance department.
The writer is a Chartered Accountant by profession and a leading expert in Internal Audit, Compliance and Enterprise Risk Management. Can be contacted on raatgloaudit@rocketmail.com
