Compliance controls, like any core business strategy, emanate from the top. The
board of directors oversees the control culture and corporate personality of a firm.
The board should promulgate a mission statement that highlights the importance of
compliance and evidences the board’s full support for compliance efforts. The head
of compliance should likely report to the head of the law department or the CFO. As
regards derivatives, the board has several key responsibilities including:
• Understanding the broad risks of derivatives
• Setting clear objectives
• Making informed decisions
• Identifying specifically who can authorize risk taking
• Ensuring adequate controls are in place
• Ensuring that senior management hires qualified personnel
• Complying with external regulations and with the company’s stated compliance and
investment policies
• Overseeing public disclosures
The board must understand the fundamental risks of derivatives. They must be
conversant with concepts ranging from liquidity, volatility and market share to option
fundamentals. Risk measurements such as the broad outlines of Value-at-Risk must
be a familiar subject.
The board must set clear objectives as to risk appetite, permitted instruments, and
maturity limits that are measurable and enforceable. Notional amounts often are too
crude a measure since they do not adequately account for leverage and embedded
options. A credit equivalent exposure may be more appropriate.
The board must review proposed transactions/programs and ratify completed
transactions, ensuring full disclosure of risks and volatility of returns. Where
information is inadequate, the board must be sufficiently knowledgeable to know the
proper questions to ask.
The control of which individuals can take risk is perhaps the most significant
preventative measure that a board retains, and the board should ensure this oversight
is strictly enforced. The board should be especially alert to those who have actual authority as
well as those with apparent authority. A periodic update sent to counterparty dealers
indicating changes in authorized employees is a useful control.
The board must put in place a structure that will ensure controls adequate to the
proposed uses of derivatives. Compliance risk is a key consideration in managing
the business risks of a firm. A compliance officer should be linked to each major
business stream. Many compliance losses result generally from a pattern of conduct
as opposed to a single event. Having compliance personnel ‘rubbing elbows’ with the
business side is an essential safeguard.
Compliance officers should exercise independence from the line of business; otherwise
there is a fundamental flaw in the compliance structure itself. A common mistake is
that the compliance process is designed around employees rather than job functions.
Another potential flaw is when turnover of staff allows business employees to ‘drift
into’ compliance-related functions. This frequently happens when the compliance
staff lacks a thorough understanding of the business processes.
Senior management must ensure that qualified personnel staff the critical compliance
functions. The staff should be experienced, sufficiently trained, and provided
with sufficient resources and tools to remain current. This means adequate technology
support, seminars, publications and access to internal/external counsel. There
is no implication that the board of directors follow every nuance in derivatives
activity. Rather they can and do rely on the representations of senior managers and
audit professionals. They must review derivatives reports and information and activity
for consistency, accuracy, and conformity to company goals and delegated authority.
Not only must there be a sufficient control environment, but the board must also actively
verify the effectiveness of these controls.
Senior managers often view exposures in economic terms and do not focus on legal
or disclosure requirements. Management may lose sight of the fact that legal liabilities
related to compliance errors often dwarf business risks. Products need to be sold,
customers need to be served, and profits need to be made. The full impact of which
legal entity is used for booking a non-standard deal is often an afterthought. The
deal may run foul of compliance and legal requirements despite the best of intentions.
The demands of immediate economic performance should not be a rationalization
for sloppy controls.
A companion concern is when a company has so many large businesses that the
ramifications of a smaller segment of a business seem unimportant. Management
focus is often on dollar volume or profit margins and less focus is given to products
having lower profiles. Another issue is that given the increased complexity of the
business, compliance and audit staffs may be understaffed or insufficiently trained.
Control activities are most effective when they are viewed by management and other
personnel as an integral part of, rather than an addition to, the daily operations of the
company [bank] (Basel Committee on Banking Supervision, 1998).
Public disclosures are generally the responsibility of the controller’s unit and it is
often the audit committee of the board, with some help from the law department,
that oversees these activities. Problems in this area tend to occur infrequently but
often have major impact. There has been increasing SEC focus on this area and
inadequate or inaccurate disclosure has enabled the SEC to pursue an enforcement
action that might otherwise have been doubtful. In the Gibson Greetings case, the
deliberate misvaluations of derivatives provided by the counterparty bank led to
Gibson releasing inaccurate financial statements. This led to SEC charges against
the bank as well as against officers of Gibson Greetings itself.