Mba560_Week_6_Corporate_Compliance_Report_Citigroup

2013-11-13 Source: Category: More sample essays

Corporate Compliance Report – Citigroup Inc.
Brooke Hall
June 22, 2009
MBA560
University of Phoenix

Citibank N.A. or Citigroup, formerly known as Citicorp, is today’s pre-eminent financial services company, with some 200 million customer accounts in more than 100 countries. Citigroup was actually founded almost 200 years ago on June 16, 1812 under the name City Bank of New York in New York City with $2 million of capital. Throughout the last two centuries, numerous banks have merged with Citibank or been taken over by Citibank. In 1968, First National City Corporation (later renamed Citicorp), a bank holding company, became the parent of Citibank. In 1998, all Citicorp divisions merged with all divisions of Travelers Group to form Citigroup Inc. Through many different leaders and economic environments over the course of its rich history, Citibank continues to grow and prosper and remains a strong brand under the Citigroup umbrella (Citi’s History, 2009).

Despite the strength of this financial institution, there remains much to be desired in its risk management practices. In an article, Lynn Turner, former chief accountant at the Securities & Exchange Commission, offered his view of Citigroup: “If you’re an entity of this size, if you don’t have controls, if you don’t have the right culture and you don’t have people accountable for the risks that they are taking, you’re Citigroup.” This report is focused on setting up an improved risk mitigation plan for Citibank, focusing on integrating ERM and corporate governance.

“Corporate scandals and diminished confidence in financial reporting among investors and creditors have renewed corporate governance as a top priority for boards of directors, management, auditors, and stakeholders. At the same time, the number of companies trying to manage risk across the entire enterprise is rising sharply” (Management Accounting Quarterly, 2004).
So, it is important to find the best way to integrate enterprise risk management (ERM) effectively with corporate governance. Due to the recent credit crisis, many financial institutions are in need of improved risk management and are paying closer attention to corporate governance.

When evaluating enterprise risk management and corporate governance, an internal control system must be established for auditor independence under the Securities Act of 1933 and the Securities Exchange Act of 1934, ensuring compliance with preventive controls, detective controls, and corrective controls. The Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004) identified one purpose of an internal control system as providing reasonable assurance that an entity complies with “applicable laws and regulations.” Preventive controls relate to measures taken by a firm to deter noncompliance with policies and procedures. Detective controls are aimed at uncovering problems after they have occurred. Random checks of compliance could be performed by a firm as a detective control. Finally, when violations of independence are identified, some corrective action is required (The CPA Journal, 2003).

A report from the Institute of Internal Auditors (IIA) captures the essence of ERM: “The goal of ERM is to create, protect, and enhance shareholder value by managing the uncertainties surrounding the achievement of the organization’s objective.” The professional literature indicates that ERM is relatively well understood, especially by the companies striving to implement it. A significant indicator of a company that is effectively implementing ERM is that it has a Chief Risk Officer or a position that manages enterprise risk. Because ERM is a fairly new management discipline, what constitutes best practices in ERM is yet to be defined. Many believe effective ERM can be achieved simply by expanding their SOX-related reporting and controls efforts, which is not the case.

Corporate governance is a process a board carries out to provide direction, authority, and oversight of management for the company’s stakeholders. Unfortunately, directors, management, internal and external auditors, and risk managers do not understand corporate governance well. The board of directors is not directly responsible for risk management; that is management’s job. The board should, however, assume ultimate responsibility for corporate governance. A report from the Business Roundtable calls for a separate corporate governance committee to address governance issues and provide governance leadership (Management Accounting Quarterly, 2004).

According to an article in The ERM Current written by Wheelhouse Advisors, great strides are being made in strengthening corporate governance compliance, but the supporting risk management infrastructure at many institutions continues to be a work in progress. The following are some significant findings from a survey of 111 financial institutions around the world:

• Seventy-three percent of the institutions surveyed had a Chief Risk Officer (CRO) or equivalent position. As an indicator of the role’s importance, the CRO reported to the board of directors and/or the CEO at roughly three quarters of these institutions.
• Only 36 percent of the institutions had an enterprise risk management (ERM) program, although another 23 percent were in the process of creating one.
• Roughly three quarters of the institutions had fully completed or substantially completed the work required to identify operational risk types, and to standardize the documentation of processes and controls for operational risk.
• Many institutions may have significant work to do to upgrade their IT risk management infrastructure. Roughly half of the executives were extremely or very satisfied with the capabilities of their risk systems to provide the information needed to manage market and credit risk. In other areas, such as systems for liquidity risk and operational risk, 40 percent or fewer provided ratings this high.

According to Bailey Jordan, Business Advisory Services partner for Grant Thornton, ERM, with its holistic approach, has been viewed as the gold standard of risk management methodologies, helping organizations identify, analyze, manage and monitor risk comprehensively. ERM focuses on the strategic analysis of risk throughout an organization, cutting across business units and departments, and considering end-to-end processes. This comprehensive approach to risk oversight enables an organization to align its risk appetite with its overall business strategy, deciding how much uncertainty is acceptable and how much could actually add value. When building an ERM process, an organization should:

• Understand the company’s strategic objectives, operations, control environment and inherent risk.
• Define the risk universe and risk language, e.g., risk appetite, risk tolerance and risk response (accept, avoid, share, mitigate).
• Develop questions to gauge the current state of risk awareness (i.e., significance, likelihood and impact) through interviews, common risk attributes and industry knowledge.
• Distribute and analyze a questionnaire to establish preliminary risk categories.
• Conduct facilitated sessions to define the risk appetite, finalize the risk categories and rank the top 15 risks.
• Assign risk owners and create an action plan.

Looking at ERM less holistically and more methodically: while the board of directors should not assume direct responsibility for risk management, its governance activities contribute significantly to effective ERM, and boards must actively participate in risk management to add value.
According to Management Accounting Quarterly (2004), directors on the board should follow these suggestions:

• Contribute expertise, judgment, and professional skepticism to the strategic planning process
• Define and communicate risk tolerance thresholds to senior management to guide management’s decisions
• Assign authority to senior management to manage risks within the specified tolerance levels
• Oversee the implementation of the company’s risk management process, and monitor the process to ensure that it continuously operates effectively in the best interests of the company’s stakeholders
• Ensure that management’s mix of performance indicators associated with key risks is aligned properly with the company’s strategy and linked appropriately to shareholder value

The board should also evaluate senior executives’ performance and ensure that their performance targets and compensation are aligned with the company’s strategy and linked to shareholder value. It also should evaluate senior management’s succession planning process to ensure that appropriately qualified people are ready to step in and carry on corporate executive duties when members of the senior management team turn over (Management Accounting Quarterly, 2004).

In contrast to the board of directors, which owns the corporate governance process, management owns the ERM process. Typically, senior management is responsible for designing and implementing a structured and disciplined approach to managing risks. Under senior management’s supervision, risk owners develop, implement, perform, and monitor risk management capabilities and activities.
Overall, risk management is most effective when (1) the chief executive officer is truly committed to the process, (2) other officers such as the chief financial officer and chief legal officer manage the risks under their jurisdiction, and (3) business unit executives and managers assume everyday responsibility for managing the risks under their control (Management Accounting Quarterly, 2004). As I mentioned before, some companies have benefited greatly by having a chief risk officer (CRO) as the company’s primary risk owner who oversees and coordinates the entire ERM process.

Senior management also plays an important role in corporate governance. Corporate executives who serve on their company’s board of directors are perfectly positioned to facilitate the two-way communication that must occur between the board and the entire management team for effective governance to occur. An executive ERM committee can contribute to effective governance by directing and overseeing the ERM process on a day-to-day basis and monitoring a company’s risk management decisions and activities (Management Accounting Quarterly, 2004).

Finally, professional auditing standards, particularly those from the IIA and the American Institute of Certified Public Accountants (AICPA), preclude auditors from assuming management responsibilities such as making ERM decisions. Auditors may not, for example, dictate how key risks should be managed. They may, however, involve themselves in the ERM process by educating management about risk and controls, facilitating risk and control self-assessment sessions, serving on information system and other steering committees, recommending ERM process improvements, and performing other services of a consulting nature.
The role of auditors in the corporate governance process is to provide independent, objective assurance to senior management and the board of directors about the effectiveness of risk management, control, and governance processes (Management Accounting Quarterly, 2004).

Focusing directly on Citigroup: due to its lack of effective ERM and corporate governance compliance, there was an announcement in April 2009 by a prominent proxy advisory firm that recommended the removal of directors at Citigroup. Here is a summary of their case against the directors as reported in The ERM Current.

“Proxy-advisory firm Egan-Jones is recommending that Citigroup Inc. shareholders withhold votes for six incumbent directors at the annual meeting April 21, saying the current or former members of the board’s audit and risk management committee failed to fulfill their risk-management responsibilities. Egan-Jones said the directors in question — Michael Armstrong, Alain Belda, John Deutch, Andrew Liveris, Anne Mulcahy and Judith Rodin — ‘failed to protect shareholders from excessive exposure to credit, market, liquidity and operational risk.’ The firm added that Citi’s board failed to effectively manage risks, ‘helping cause the company’s current instability and increasing volatility in the global financial markets.’ Egan-Jones cited as examples of that failure an increase in Citi’s exposure to mortgage-related assets from $28 billion in 2005 to $234 billion in 2006, as well as an 85% increase in the number of subprime mortgages originated. Citi’s 2008 losses ‘are a clear indication that the committee failed to properly assess and control risks,’ Egan-Jones said.”

Directors at other companies should take heed of this action and ensure their corporate governance and enterprise risk management are solid. Remember that ERM is an ongoing process; it is not a project with an end date. Don’t overcommit and underdeliver – implement ERM in manageable increments.
Also, establish an executive risk oversight group that regularly reports key risk management information to the board of directors. It is hard for business leaders to argue against being more risk aware; however, many are intimidated to begin. The key is to start and to keep it simple, allowing it to evolve over time.

References

Board of Directors under Attack. (April 14, 2009). The ERM Current. Retrieved June 21, 2009 from http://wheelhouseadvisors.wordpress.com/2009/04/14/board-directors-under-attack

ERM Case in Point. (November 26, 2008). The ERM Current. Retrieved June 21, 2009 from http://wheelhouseadvisors.wordpress.com/2008/11/26/erm-case-in-point/

Jordan, Bailey. (2009). “Enterprise risk management: avoid history repeating.” Retrieved June 21, 2009 from http://www.grantthornton.com/

Lousteau, Carolyn L. & Reid, Mark E. (2006). “Internal Controls Systems for Auditor Independence.” The CPA Journal. Retrieved June 21, 2009 from http://www.nysscpa.org/cpajournal/2003/0103/features/f013603.htm

Reding, Kurt F. & Sobel, Paul J. (2004). “Aligning corporate governance with enterprise risk management: melding enterprise risk management with governance means directors, senior management, internal and external auditors, and risk owners must work interdependently.” Management Accounting Quarterly. Retrieved June 21, 2009 from http://findarticles.com/p/articles/mi_m0OOL/is_2_5/ai_n6118711/

Quinn, Lawrence R. (2008). “The Evolution of Enterprise Risk Management.” Retrieved June 21, 2009 from http://www.investopedia.com/articles/fundamental-analysis/08/enterprise-risk-management/