John Gubert on the conflict between competences and communication

Friday, 30 March, 2012

We are just completing a review of our risk policies in UniCredit GSS. The challenge we faced, as indeed I have faced in similar exercises in my previous organisation or as Chairman of the Euroclear Risk Committee a few years back, is the conflict between a need for completeness and a need for communication.

Completeness drives one into a document that could rival the Dodd Frank Act in its length. Completeness requires detail. Although principles of risk management are usually generic across borders, details are not. In the detail, we come across process divergences from day counts, valuation rules and record dates through to different treatment of fiduciary risk, diverse approaches to the bare custodian’s duty of care, alternative interpretation of the role of a nominee or even the definition of the rights of legal and beneficial owners. And all that is before one tries to cover the challenges of anti-money laundering policies, European law versus local regulation, issues of extraterritoriality in the law of the country of domicile of the investor or the need to understand the legal framework in the jurisdiction of the country under whose laws contracts may be governed. Who said custody was simple?

When contemplating such issues, I am reminded of the lawyer who seriously suggested that any custodian signing up to doing business in today’s environment needed a legal agreement that was not only monstrous in its detail but had to be live to allow for changes in law, especially from the G20-driven initiatives in flow at the moment. This recommendation had a happy side, for indeed it ensured a sizeable annuity for the lawyer in question as well as an initial fee that would have absorbed any likely annual profit from a large custody contract. The challenge, facing the lawyer and indeed any risk manager, is the fluid state of the legal and regulatory environment. Regulators have still to create a workable solution for much of Dodd Frank or the European Markets Infrastructure Regulations. The target date for the migration of a substantial number of OTC derivatives to trading platforms and central clearing has definitely slipped.

More worrying is the lack of clarity on the complex rules which will accompany such initiatives. There is confusion around short selling rules. The mooted financial transaction tax is likely to be an administrative nightmare even if it is adopted in only a few locations. And US tax rules, where establishing fiscal residency has become an art rather than a science, appear to be appreciated by some European officials enticed by the revenue potential of a wider tax net.

All of this implies that the risk manual should be even longer and more complicated than Dodd Frank; and, let us be honest, few have managed to even read that! That brings me back to the core issue. Should one focus on completeness when preparing an organisational risk manual or on its effectiveness as a communication and behavioural tool? The reality is that the two options are not mutually exclusive. But the measure of the effectiveness of the policy is its ability to create a sound risk management ethos and ethical conduct across an organisation.

A short, sharp, focused tool is the best method I have experienced to achieve that. The key is to identify the big-picture risk features of the business. Let them be understood by all key executives and ensure that those executives are accountable for compliance, both in respect of the letter and the intent of the rules in their business area. The centre creates the policy and the business managers their rule books and work flows.

We have decided we need to agree on a series of key questions and statements and that each local business head has to formally confirm their business area’s compliance. Where they have an issue with doing this, then a senior risk manager has to review their processes in the impacted area more closely. It may be that a control is manual rather than automated (and scale of business could justify that). It may be an issue of local rules creating a two-track approach depending on whether the client is domestic or cross border. Or it may be one of those special cases that occur (ever more frequently) from time to time.

But fundamental to risk management is a team that does not look to tick boxes, does not get lost in the minutiae or delegate responsibility for compliance to a risk department. It is a team of professionals who understand the right way to do business and meet the highest possible ethical and business standards (as defined - but only in part - by law and regulation) in fulfilling their critical duty of care and compliance to their customers.

John Gubert, Chairman, Global Securities Services Executive Committee, UniCredit