Bonuses, sanctions and enterprise risk control

When incentives outweigh sanctions in a bonus-driven organisation, problems will inevitably ensue. Getting the correct balance between risk and reward poses a challenge to governance and compliance professionals.


There is a saying in Holland that you catch more flies with honey than with vinegar. Indeed, if we look at the causes of the financial crisis, in a number of cases the drive to achieve the incredible bonuses that are customary in the financial sector seems to have outweighed the sanctions the enterprise risk department might or might not have imposed for excessively risky behaviour.

First of all, this shows an underlying feeling regarding enterprise risk and control: enterprise risk and control limit the possibilities of "the fast and the furious" to reach for the sky. This feeling that enterprise risk and control only limit the organization's ability to maximize its growth and profit potential is surprisingly common, even among people who should know better. Some time ago I had a conversation with an account manager of the management consulting firm I was working for at the time. The customer we were discussing was a supplier of high-tech production tools for the computer industry with a world-wide customer base.

The company is a world-wide market leader in its field of business. We were discussing whether they might be interested in my particular expertise (IT Governance, Risk, Security and Compliance). I will not soon forget one of the statements my discussion partner made: "This is a fast moving company with a young, entrepreneurial, can-do culture. They have no interest in the control resulting from IT GRSC since it would limit their possibilities to maximise growth and profit." Not his exact words, by the way, but close enough. Such convictions, however, are amazing for an account manager of a management consulting firm.

What made it worse was that he was also the company director overseeing the consulting business for customers in the production sector. In response I have a question: Why does a Formula 1 race car need brakes? Answer: To be able to drive faster. Explanation: No Formula 1 driver in his right mind will drive his car at full speed unless he is convinced he will be able to slow down in time to make the next corner!

These days we look at the causes of the financial crisis and the actions to be taken to ensure it does not happen again. There seems to be consensus that Governance and Risk mechanisms have failed in the financial sector. Regarding the solutions, the discussion often turns towards the (according to some, excessively) high bonuses customary in the financial sector and the need to limit these. It is interesting to note that the amounts of employee remuneration are not a primary focus point of any of the Governance and Risk models and regulations I checked (amongst others COSO ERM, OECD Principles of Corporate Governance, Basel II, ISO 38500).

The Cadbury report does address the issue but comes with the following statement: "The Committee has received proposals for giving shareholders the opportunity to determine matters such as directors' pay at general meetings, but does not see how these suggestions could be made workable."

A blind spot?

Do the models and regulations have a blind spot on the issue? One could argue that (IT) Governance and Risk models and regulations do target organizational objectives, and since bonuses (in general) are connected to achieving objectives, there is a causal connection between the two. However, this would not explain why the discussion only focuses on the size of the bonuses. One would expect the discussion to focus on the circumstances under which bonuses are awarded, not primarily on their amounts.

It is understandable that the high financial bonuses are at the core of the public discussion, since they capture the imagination of the public and are sure to create public outrage: "Make so much money for yourself and lose so much money for the rest of the world".

Focusing exclusively on the amounts keeps it simple and understandable for the general public. For opportunistic politicians and press, the opportunity is just too good to pass up. Though I do not want to defend the bad apples, we should not forget that it was the financial sector that made the economic boom of the last decades possible by creating new financial products that made more investment capital available to a wider audience. It is the CDOs that made mortgages more widely available and made home-ownership possible for a bigger percentage of the population.

These and other financial instruments, which were eventually misused and are partially the cause of the disaster, initially did very good things. As long as the financial sector supported and fuelled the economic boom, nobody seemed to care that they made a "good living" for their effort.
