Wells Fargo recently paid $185 million in penalties – the highest fine levied by the Consumer Financial Protection Bureau (CFPB) since it began operations in 2011 – for inappropriate sales practices. Millions of accounts were set up without customer consent, in many instances generating overdraft charges and other fees. The CFPB referred to the Wells Fargo activities as “widespread,” and 5,300 employees have been fired.
The Wells Fargo scandal is on the level of those at Volkswagen, Wendy’s, Chipotle, and Plains All American Pipeline. Wells Fargo CEO John Stumpf has been asked to testify in Washington to account for his company’s practices, this after he “defended the firm and the efforts it had taken to stop the behavior” and claimed he had no knowledge of employee activities.
Stumpf’s comments indicate a failure in risk management for a few reasons:
News broke yesterday that the chief risk officer, Claudia Russ Anderson, has been replaced. It is a warning to all risk executives: they will also be held accountable for risk management negligence, as it is their fiduciary duty to get the board the information it needs through adequate risk management systems and processes. Even though Claudia Russ Anderson did not directly propagate the activities, she is being held accountable because they occurred on her watch.
Starting in 2010, the SEC’s Proxy Disclosure Enhancements, by establishing an ERM mandate for corporations, made boards responsible for disclosing various risk management requirements. Notable obligations include:
When Wells Fargo designed its sales incentive program, why didn’t risk assessments reveal how unrealistic those sales goals were? Were there mitigation activities to protect against customer account manipulation? If so, where were the risk monitoring activities that would have picked up on the appearance of two million accounts over a five-year period?
We have all seen ERM enforcements before, whether we realize it or not. Wells Fargo is but the most recent iteration of the same trend: risk management failures lead to a crisis event, which leads to penalties, which lead to class-action lawsuits, which recently resulted in criminal charges and jail time.
The Yates Memo (2015) by the Department of Justice (DOJ) clearly spells out consequences for failed risk management: Americans should never assume that negligence or fraud will go unpunished simply because they were committed on behalf of a corporation rather than an individual.
Consider the parallel of the risk management failures at Volkswagen:
In both cases, the CEOs (and other executives) made similar claims: I’m not responsible for this incident because I didn’t have direct oversight; it’s not my fault. This is the basis for negligence; they are directly accountable for their risk management processes and systems. Both Wells Fargo and Volkswagen (not to mention Wendy’s, Plains All American, and Dwolla) were found negligent in risk management and are suffering the consequences accordingly.
We’re currently witnessing Wells Fargo in the beginning stages of this process; it’s already been slapped with penalties, and the “I didn’t know” excuse – this time in the form of “it’s the employees’ fault, not management’s” – will provide no shelter against coming accusations.
The lesson: boards and senior management are absolutely responsible for the risk management effectiveness of their companies. It is their obligation, as outlined in SEC rule 33-9089, to ensure that robust risk management programs and software systems are in place so that scandals like these are avoided.
The good news is that it doesn’t have to be this way. Corporations that can provide evidence of an effective risk management program are largely exempt from punitive damages, class-action lawsuits, and DOJ jail t.... Many organizations have been successful in similar situations; ERM systems prevent scandals and associated costs, litigation, and jail time.
To learn what makes strong risk management programs effective – and capable of preventing issues like those that led to the Wells Fargo debacle – download our free eBook, 5 Characteristics of the Best ERM Programs.