Wells Fargo recently paid $185 million in penalties – the highest fine levied by the Consumer Financial Protection Bureau (CFPB) since it began operations in 2011 – for inappropriate sales practices. Millions of accounts were set up without customer consent, in many instances generating overdraft charges and other fees. The CFPB referred to the Wells Fargo activities as “widespread,” and 5,300 employees have been fired.

The Wells Fargo scandal is on the level of those at Volkswagen, Wendy’s, Chipotle, and Plains All American Pipeline. Wells Fargo CEO John Stumpf has been asked to testify in Washington to account for his company’s practices, this after he “defended the firm and the efforts it had taken to stop the behavior” and claimed he had no knowledge of employee activities.

Stumpf’s comments indicate a failure in risk management for a few reasons:

  • As the CEO of Wells Fargo, he is responsible for the risk management processes in place. How could activities on this scale go unnoticed by management for 5 years? “Not knowing” isn’t a valid excuse. It’s negligence.
  • Employees were incentivized by unrealistic sales quotas. Why was there no compensation oversight for these practices?
  • Where were the risk assessments on these processes? What about internal audits of both the risk management process and governance oversight?

News broke yesterday that the chief risk officer, Claudia Russ Anderson, has been replaced. It is a warning to all risk executives: they will also be held accountable for risk management negligence, as it is their fiduciary duty to get the board the information it needs through adequate risk management systems and processes. Even though Claudia Russ Anderson did not directly propagate the activities, she is being held accountable because they occurred on her watch.


Wells Fargo Scandal: A Direct Result of Risk Management Negligence


Starting in 2010, the SEC’s Proxy Disclosure Enhancements, by establishing an ERM mandate for corporations, made boards responsible for disclosing various risk management requirements. Notable obligations include:

  • The disclosure of risk management effectiveness and systems used to manage risk
  • The board’s role in risk oversight and knowledge of the company’s material risks down to the front line
  • Analysis of its compensation policies for all employees. Simply put, corporations cannot put employees in the risk/reward tradeoff position, which forces them to choose between customer wellbeing and their own careers.

When Wells Fargo designed its sales incentive program, why didn’t risk assessments reveal how unrealistic those sales goals were? Were there mitigation activities to protect against customer account manipulation? If so, where were the risk monitoring activities that would have picked up on the appearance of two million accounts over a five-year period?


ERM Enforcement: The Wells Fargo Scandal Will Follow the Same Trajectory as Risk Management Failures Since 2010


We have all seen ERM enforcements before, whether we realize it or not. Wells Fargo is but the most recent iteration of the same trend: risk management failures lead to a crisis event, which leads to penalties, which lead to class-action lawsuits, which recently resulted in criminal charges and jail time.

The Yates Memo (2015) by the Department of Justice (DOJ) clearly spells out consequences for failed risk management: Americans should never assume that negligence or fraud will go unpunished simply because they were committed on behalf of a corporation rather than an individual.

Consider the parallel of the risk management failures at Volkswagen:

  1. Regulatory penalties
  2. Punitive damages
  3. Class action lawsuits (risk management negligence – management and the board)
  4. Criminal charges & individual liability

In both cases, the CEOs (and other executives) made similar claims: I’m not responsible for this incident because I didn’t have direct oversight; it’s not my fault. This is the basis for negligence; they are directly accountable for their risk management processes and systems. Both Wells Fargo and Volkswagen (not to mention Wendy’s, Plains All American, and Dwolla) were found negligent in risk management and are suffering the consequences accordingly.

We’re currently witnessing Wells Fargo in the beginning stages of this process; it’s already been slapped with penalties, and the “I didn’t know” excuse – this time in the form of “it’s the employees’ fault, not management’s” – will provide no shelter against coming accusations.

The lesson: boards and senior management are absolutely responsible for the risk management effectiveness of their companies. It is their obligation, as outlined in SEC rule 33-9089, to ensure that robust risk management programs and software systems are in place so that scandals like these are avoided.

The good news is that it doesn’t have to be this way. Corporations that can provide evidence of an effective risk management program are largely exempt from punitive damages, class-action lawsuits, and DOJ jail time for management. Many organizations have been successful in similar situations; ERM systems prevent scandals and associated costs, litigation, and jail time.


To learn what makes strong risk management programs effective – and capable of preventing issues like those that led to the Wells Fargo debacle – download our free eBook, 5 Characteristics of the Best ERM Programs.


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient abilities to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
