Enterprise Risk Management (Preview)

Chapter 1 – Risk Management Awareness

audit committee must have financial expertise, or an explanation needs to be provided for why the audit committee does not include such a member.[15] The audit committee is responsible for the appointment, compensation and oversight of the financial statement auditors of the company. Companies must also have an internal audit function, and the audit committee needs to exercise oversight of that function.[16]

• Complaint procedures and whistleblower protection – Audit committees must establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal controls or auditing matters. The procedures need to allow these complaints to be made confidentially or anonymously. The procedures must also protect the complainants (referred to as whistleblowers), and any other persons providing information, from retaliation by management or other employees.[17]

The Sarbanes-Oxley Act includes harsh penalties for the falsification of documents, misleading certifications, or fraud against shareholders. These penalties include fines of up to $5 million and imprisonment of up to 25 years depending on the type of offense.[18]

Although Sarbanes-Oxley does not include specific provisions relating to risk management, the obligations imposed on senior executives, board members and auditors have a profound effect. For example, risk-based approaches and methodologies have been developed by organizations to ensure that compliance and control activities are focused and cost-effective. The Sarbanes-Oxley Act created a culture shift by strengthening the accountabilities of executives regarding matters of governance, control and reporting.

Financial Crisis of 2007-08

The financial crisis of 2007-08 led to major consolidations and regulatory reforms affecting the financial services industry, and served as a wake-up call for risk management.
Most large banks and insurance companies in the United States and Europe received financial assistance and loan guarantees during the crisis. Some filed for bankruptcy, namely Lehman Brothers and Washington Mutual. Others such as Bear Stearns and Merrill Lynch were forced to merge with financial services organizations considered more viable. In other cases, federal governments took over banking assets and operations until solutions could be implemented. Such a scenario occurred with Citigroup, the American International Group (AIG), the Royal Bank of Scotland, and the Anglo Irish Bank.

These interventions were led by central banks such as the Federal Reserve of the United States, the Bank of England, and the European Central Bank. They were aimed at providing liquidity, restoring trust and maintaining the integrity of the financial system. The massive scale of these interventions was unprecedented and overwhelming.

The financial crisis was caused by aggressive mortgage lending practices. It was also caused by the failure of many financial services organizations to properly assess the risks associated with the mortgage securities that they bought or guaranteed. Some lenders became overly aggressive in approving mortgages for individuals who did not have good credit. Such loans are called subprime mortgages because of the greater credit risks associated with them. They were offered at attractive initial interest rates, but the rates increased over the duration of the mortgages. The mortgage lenders collected fees and interest for a short period of time, and then transferred the credit risks to other investors. Separate negotiable securities derived from the mortgages were created to enable the
