The Wells Fargo Scandal is a Failure in Risk Management
Steven Minsky | Sep. 20, 2016
Wells Fargo recently paid $185 million in penalties – the highest fine levied by the Consumer Financial Protection Bureau (CFPB) since it began operations in 2011 – for inappropriate sales practices. Millions of accounts were set up without customer consent, in many instances generating overdraft charges and other fees. The CFPB referred to the Wells Fargo activities as “widespread,” and 5,300 employees have been fired.
The Wells Fargo scandal is on the level of those at Volkswagen, Wendy’s, Chipotle, and Plains All American Pipeline. Wells Fargo CEO John Stumpf has been asked to testify in Washington to account for his company’s practices, this after he “defended the firm and the efforts it had taken to stop the behavior” and claimed he had no knowledge of employee activities.
Stumpf’s comments indicate a failure in risk management for a few reasons:
- As the CEO of Wells Fargo, he is responsible for the risk management processes in place. How could activities on this scale go unnoticed to management for 5 years? “Not knowing” isn’t a valid excuse. It’s negligence.
- Employees were incentivized by unrealistic sales quotas. Why was there no compensation oversight for these practices?
- Where were the risk assessments on these processes? What about internal audits of both the risk management process and governance oversight?
News broke yesterday that the chief risk officer, Claudia Russ Anderson, has been replaced. It is a warning to all risk executives: they will also be held accountable for risk management negligence, as it is their fiduciary duty to get the board the information it needs through adequate risk management systems and processes. Even though Claudia Russ Anderson did not directly propagate the activities, she is being held accountable because they occurred on her watch.
Wells Fargo Scandal: A Direct Result of Risk Management Negligence
Starting in 2010, the SEC’s Proxy Disclosure Enhancements (rule 33-9089), by establishing an ERM mandate for corporations, made boards responsible for disclosing various risk management requirements. Notable obligations include:
- The disclosure of risk management effectiveness and systems used to manage risk
- The board’s role in risk oversight and knowledge of the company’s material risks down to the front line
- Analysis of its compensation policies for all employees. Simply put, corporations cannot put employees in the risk/reward tradeoff position, which forces them to choose between customer wellbeing and their own careers.
When Wells Fargo designed its sales incentive program, why didn’t risk assessments reveal how unrealistic those sales goals were? Were there mitigation activities to protect against customer account manipulation? If so, where were the risk monitoring activities that would have picked up on the appearance of two million accounts over a five-year period?
ERM Enforcement: The Wells Fargo Scandal Will Follow the Same Trajectory as Risk Management Failures Since 2010
We have all seen ERM enforcements before, whether we realize it or not. Wells Fargo is but the most recent iteration of the same trend: risk management failures lead to a crisis event, which leads to penalties, which lead to class-action lawsuits, which recently resulted in criminal charges and jail time.
The Yates Memo (2015) by the Department of Justice (DOJ) clearly spells out consequences for failed risk management: Americans should never assume that negligence or fraud will go unpunished simply because they were committed on behalf of a corporation rather than an individual.
Consider the parallel of the risk management failures at Volkswagen:
- Regulatory penalties
- Punitive damages
- Class action lawsuits (risk management negligence – management and the board)
- Criminal charges & individual liability
In both cases, the CEOs (and other executives) made similar claims: I’m not responsible for this incident because I didn’t have direct oversight; it’s not my fault. This is the basis for negligence; they are directly accountable for their risk management processes and systems. Both Wells Fargo and Volkswagen (not to mention Wendy’s, Plains All American, and Dwolla) were found negligent in risk management and are suffering the consequences accordingly.
We’re currently witnessing Wells Fargo in the beginning stages of this process; it’s already been slapped with penalties, and the “I didn’t know” excuse – this time in the form of “it’s the employees’ fault, not management’s” – will to provide no shelter against coming accusations.
The lesson: boards and senior management are absolutely responsible for the risk management effectiveness of their companies. It is their obligation, as outlined in SEC rule 33-9089, to ensure that robust risk management programs and software systems are in place so that scandals like these are avoided.
The good news is that it doesn’t have to be this way. Corporations that can provide evidence of an effective risk management program are largely exempt from punitive damages, class-action lawsuits, and DOJ jail time for management. Many organizations have been successful in similar situations; ERM systems prevent scandals and associated costs, litigation, and jail time.