There is a saying in Holland that you catch more flies with honey than with vinegar. Indeed, if we look at the causes of the financial crisis, in a number of cases the drive to achieve the incredible bonuses that are customary in the financial sector seems to have outweighed the sanctions the enterprise risk department might or might not have imposed for excessively risky behaviour.

First of all, this shows an underlying feeling regarding enterprise risk and control: enterprise risk and control limit the possibilities of "the fast and the furious" to reach for the sky. This feeling that enterprise risk and control only limit the organization's possibilities to maximize growth and profit potential is surprisingly common, even among people who should know better. Some time ago I had a conversation with an account manager of the management consulting firm I was working for at the time. The customer we were discussing was a supplier of high-tech production tools for the computer industry with a world-wide customer base.

The company is a world-wide market leader in its field of business. We were discussing whether they might be interested in my particular expertise (IT Governance, Risk, Security and Compliance). I will not soon forget one of the statements my discussion partner made: "This is a fast moving company with a young, entrepreneurial, can-do culture. They have no interest in the control resulting from IT GRSC since it would limit their possibilities to maximise growth and profit." Not his exact words, by the way, but close enough. Such convictions, however, are astonishing coming from an account manager of a management consulting firm.

What made it worse was that he was also the company director overseeing the consulting business for customers in the production sector. In response I have a question: Why does a Formula 1 race car need brakes? Answer: To be able to drive faster. Explanation: No Formula 1 driver in his right mind will drive his car at full speed unless he is convinced he will be able to slow down in time to make the next corner!

These days we look at the causes of the financial crisis and the actions to be taken to ensure it does not happen again. There seems to be consensus that Governance and Risk mechanisms have failed in the financial sector. Regarding the solutions, the discussion often turns towards the (according to some, excessively) high bonuses customary in the financial sector and the need to limit these. It is interesting to note that the amounts of employee remuneration are not a primary focus point of any of the Governance and Risk models and regulations I checked (amongst others COSO ERM, OECD Principles of Corporate Governance, Basel II, ISO 38500).

The Cadbury report does address the issue but comes with the following statement: "The Committee has received proposals for giving shareholders the opportunity to determine matters such as directors' pay at general meetings, but does not see how these suggestions could be made workable."

A blind spot?

Do the models and regulations have a blind spot on the issue? One could argue that (IT) Governance and Risk models and regulations do target organizational objectives, and since bonuses (in general) are connected to achieving objectives, there is a causal connection between the two. However, this would not explain why the discussion only focuses on the height of the bonuses. One would expect the discussion to focus on the circumstances under which bonuses are awarded, not primarily on the amounts.

It is understandable that the high financial bonuses are at the core of the public discussion, since they speak to the imagination of the public and are sure to create public outrage: "Make so much money for yourself and lose so much money for the rest of the world".

Focusing exclusively on the amounts keeps it simple and understandable for the general public. For opportunistic politicians and press the opportunity is just too good to pass up. Though I do not want to defend the bad apples, we should not forget that it was the financial sector that made the economic boom of the last decades possible by creating new financial products that made more investment capital available to a wider audience. It is the CDOs that made mortgages more widely available and made home-ownership possible for a bigger percentage of the population.

These and other financial instruments that were eventually misused, and are partially the cause of the disaster, initially did very good things. As long as the financial sector supported and fuelled the economic boom, nobody seemed to care that they made a "good living" for their effort.

There is one reason to discuss the height of the bonuses, and this is a basic law of security and control: the higher the possible benefits, the bigger the temptation to break the rules to achieve them. As a result, a bank is normally better protected against robbery than, let's say, a poor man's home. One response is to try to limit the possible benefits of misbehaviour (lower the bonuses).

But it is a fact that the financial whiz kids who earn these incredible bonuses make even more money for their employers, and they are in short supply. So unless you want to rethink the fundamental concept of capitalism, any solution that might get implemented will go directly against the basic supply-and-demand law of economics (high demand for items in short supply will drive the price up).

There is, however, another approach. As we noted in the beginning, risk management is currently seen as a limiting factor on maximising growth and profit. The basic attitude seems to be: don't do it because it is too risky. An alternative approach would be to correct targets based on inherent risk. We all know this attitude:

The better your financial situation and past history, the better the terms you are offered on new credit (getting a loan or a new credit card is much more expensive for a person who went bankrupt in the past). In the stock market we expect a better return on investment from venture capital than from an investment in a blue-chip fund.

As the Greek government learned the hard way in recent days, a triple-A rated government bond does not have to offer as much interest as a bond of a less reputable (and thus lower rated) government to attract investors.

Could we use that principle elsewhere? If we look at the investment portfolio for (IT-enabled) organizational investments, for instance, we could consider introducing a risk-rating system for each of the proposed investments.

The (financial) goals, for instance the expected return on investment, could be adjusted based on the project risk rating. If we came up with a rating system that factored in the past performance of the key project personnel, such as project and program managers, we could use that as the basis to steer the risk-aware behaviour of these people. Risk-aware attitudes would translate into better (financial) goals and targets. Since these targets in general form the basis for the bonuses earned, this would mean bonuses are inherently connected to risk attitude.

This is just one example. A risk-aware culture that better aligns benefit and sanction, instead of perceiving these two as separate worlds, can be achieved in multiple ways.

Too often I encounter organisations with, on the one side, a focus on performance management, goal setting, monitoring, etc., which includes the remuneration for good performance. On the other side (in complete isolation) there is the governance, risk and compliance (GRC) function.

They are trying to limit the risk exposure and ensure organisational compliance. Operating in isolation from performance management, they do not have the "weapon" of remuneration (and bonuses) to stimulate desired behaviour. All GRC is left with is sanctions to stop unwanted risky behaviour. If these sanctions are perceived to stand in the way of achieving the bonus benefits, one can clearly recognise the basis for a possible future disaster.

Bottom line: there is so much to align, in this case performance management and risk management.

