What do JPMorgan Chase and HSBC have in common? Internal controls that failed, spectacularly, by turning a blind eye to trading activities of the “the London Whale” in Bruno Iksil at J.P. Morgan Chase & Co., and to the transport of $7 billion in currency from HSBC Mexico to HSBC US.
What is the result? From Congress and every regulatory and enforcement quarter, there is a renewed focus on effective internal controls. Former federal judge Louis Freeh’s “lessons learned” from the Penn State scandal apply to every institution. Good corporate governance, including clear internal controls, subject to independent audit, will now be a focus of every regulatory examination in the financial institutions sector and should be the focus of every board.
The message of the JPMorgan Chase & Co., HSBC and Penn State episodes is clear: No “player”—regardless of the “game”—should be immune from implemented and audited internal controls. The issue is how to carry this message into action. Three major, common sense steps accomplish this:
1. Leadership starts at the top. The board should direct an independent review of its own internal control policies and those of its organization. The board should let the organization know of the review and that it will subscribe to the results. It should make compliance part of its every meeting.
My firm represents a company in a dangerous business. Every company meeting, even with outside counsel, begins with a safety minute. The result? Incidents are down at the company and operational time is up.
2. Train to the controls. The board should set the example by ensuring that its structure, procedures and actions reinforce the board’s and the company’s internal controls.
Good training leads to good habits. As the saying goes: Train like you fight, fight like you train. A good set of internal controls does no good if it just sits on the shelf.
3. Audit to the controls. A regular audit cycle should focus on compliance with internal controls and effectiveness of the controls.
This combination of reviews ensures that the controls are being used and that non-effective controls are identified and changed. These reports should be reviewed by the compliance officer and reported on directly to the board by that officer. Regular updating shows that the board and senior management are actively monitoring and supporting the controls. Every instance of board support is worth its weight in gold in terms of getting rank and file employees buy-in to effective internal controls. Every demonstration that the board and senior management support sound internal controls helps keep your company from being the next scandal.