Corporate Risk Management and Compliance
Would a stricter regulatory approach avoid current financial crises?

Mateusz Korus

July 17, 2009

This is a Bucerius/WHU MLB thesis, 14.591 words (excluding footnotes)

Supervisor 1: Dr. Stefan Kröll
Supervisor 2: Dr. Carsten Jungmann


Table of contents

I. Introduction (p. 6)
II. Economic concept of corporate risk management and compliance (p. 8)
  1. Economic concept of corporate risk management function (p. 8)
    a) Concept of risk (p. 8)
    b) Risk management (p. 11)
    c) General principles regarding risk management process (p. 13)
  2. Economic concept of corporate compliance function (p. 15)
  3. Interplay between risk management and compliance (p. 18)
III. Regulatory approach (p. 19)
  1. Regulations on risk management and compliance under German law (p. 19)
    a) Risk management (p. 19)
      aa) Special provisions on risk management for financial services industry (p. 23)
      bb) The reform of risk management provisions under German law (p. 25)
    b) Compliance (p. 26)
  2. Regulations on risk management and compliance in international perspective (p. 28)
    a) Risk management (p. 28)
      aa) U.S.A. (p. 28)
      bb) European Union (p. 30)
      cc) National corporate governance code (p. 33)
      dd) Basel II and Solvency II (p. 34)
    b) Compliance (p. 36)
IV. Current financial crises and economic losses due to a non-compliant behaviour. Comparing legal risk management and compliance framework (p. 38)
  1. Sub-prime crunch (p. 38)
    a) General overview (p. 38)
    b) Risk management failures (p. 40)
    c) Compliance failures (p. 41)
  2. Global credit crunch and financial crises (p. 42)
    a) General overview (p. 42)
    b) Risk management failures (p. 45)
    c) Compliance failures (p. 47)
  3. Economic recession (p. 49)
    a) General overview (p. 49)
    b) Risk management failures (p. 49)
    c) Economic losses due to non-compliant behaviour (p. 50)
V. Would a stricter regulatory approach avoid current financial crises? Considerations de lege ferenda (p. 52)
  1. Specifying general corporate risk management requirement (p. 52)
  2. Risk assessment and credit ratings (p. 53)
  3. Auditing (p. 54)
  4. Accounting standards (p. 56)
VI. Conclusions (p. 58)
Bibliography (p. 60)

Abbreviations

ABS – Asset-backed securities
AktG – Aktiengesetz
ARM – Adjustable-rate mortgages
Art. – Article
BaFin – Bundesanstalt für Finanzdienstleistungsaufsicht
BB – Betriebs Berater
BCFS – Basel Committee for Financial Supervision
BCGC – Belgian Corporate Governance Code
BGBl – Bundes Gesetzblatt
BilMoG – Bilanzrechtsmodernisierungsgesetz
CDS – Credit default swap
COSO – Committee of Sponsoring Organizations of Treadway Commission
DCGC – Dutch Corporate Governance Code
e.g. – example
Ed. – Editor
ERM – Enterprise risk management
et seq. – et sequens
EU – European Union
FASB – Financial Accounting Standards Board
fn. – footnote
GCGC – German Corporate Governance Code
GDP – Gross domestic product
Harvard Int'l L. J. – Harvard International Law Journal
HGB – Handelsgesetzbuch
i.a. – inter alia
Ibid. – ibidem
ICS – Internal Control System
IDW PS 340 – IDW Auditing Standard: The Audit for Risk Early Recognition System Pursuant to § 317 (4) HGB
IDW – Institut der Wirtschaftsprüfer in Deutschland e.V.
IRB – Internal rating approach
KonTraG – Gesetz zur Kontrolle und Transparenz im Unternehmensbereich
KWG – Kreditwesengesetz
MBCA – Model Business Corporation Act
NZG – Neue Zeitschrift für Gesellschaftsrecht
OTC – Over-the-counter securities
p. – page
pp. – pages
PR – Public relations
RM – Risk management
RMS – Risk management system
SOX – Sarbanes-Oxley Act
U.S. – United States
UK – United Kingdom
VAG – Versicherungsaufsichtsgesetz
ZRP – Zeitschrift für Rechtspolitik

All electronic sources have been last visited on 15.07.2009

I. Introduction

Corporate risk management and compliance have become increasingly important in recent years. This has been the case in particular because of new legislative initiatives at the international and national level. The enactment of risk management provisions under national jurisdiction, extending the duty programme of management with elements of professional risk management, as well as the implementation of industry-related (especially financial services) requirements, opened a wide discussion on the rationale and shape of a prospective legal risk management framework. Corporate compliance has also been the subject of several theoretical and practical discussions due to the many changes in law during the last decades. The enactment of the U.S. Sarbanes-Oxley Act (SOX) and a general trend of amending national corporate governance frameworks with the obligation for a professional compliance approach brought new perspectives and requirements regarding the organizational structure of corporations.

Connecting risk management and compliance with the title question is not a coincidence. Even though both areas are regulated separately, corporate risk management and compliance operate on the basis of the same principles. Both can be considered part of corporate internal control systems. Developed in a responsible way, they both share the same risk-based approach. As a result, both functions aim to control current management processes and provide a suitable approach that helps to reduce inappropriate, damaging events to the organization. For this reason, corporate risk management and compliance can be seen as complementary functions.

There have been several critical voices blaming the current, weak as many say, risk management and compliance frameworks for the current financial crises and worldwide economic recession, one that has not been seen since the Great Recession in the early 30s of the XX century. This paper deals with the general principles and concepts, trends and mechanisms of risk management and compliance frameworks. The aim is to analyse the legal environment with a strong economic emphasis in order to find, at the end, additional answers to the question whether different risk management and compliance approaches would have been able to prevent the current crises from happening. The paper itself is divided into four parts: the first part shows the general economic (practical) mechanics of risk management and compliance; the second part draws a picture of the national and international legal environment; the third gives a general overview of the main stages which brought about the international crises, linking the events to risk management and compliance failures; and the fourth part includes the title analysis and opens a window for future developments.

II. Economic concept of corporate risk management and compliance

1. Economic concept of corporate risk management function

a) Concept of risk

Dealing with risks makes up an extremely important part of management life.1 All business activities, such as decisions or engagements, bear a certain level of unpredictability (uncertainty).2 This unpredictability is related to potential chances and risks.3 In simple terms, a chance means a potential economic profit and a risk means a potential economic loss. Any business activity, especially every business decision, can be described as acting under risk.4 That is the reason why the managerial handling of risks has become an important part of business practice.5 Risk itself, as a factor, represents an essential part of modern business decision-making theory.6

Risk in the business sense can be described as a condition involving exposure to events that would have a negative effect on the company's objectives.7 A company can face several types of risks. The risk exposure may have an impact on the income structure of a company, its investments, reputation, technology capabilities and other positions.8 The events may also lie outside the organization, e.g. in the political, economic or legal environment.9 For a bank, risk is linked to the possibility that a customer is not willing to pay its credit back. For an automobile producer, whether it will be able to sell all produced cars represents a risk factor. From the economic perspective, risks themselves can be described by two basic criteria: the probability of occurrence and the quantification of the potential financial impact (such as the extent of losses). This requires a standardized approach within the organization. Risks are then reduced to single risk positions.

1 P. Montana, B. Charnov, Management (2000), pp. 73-74.
2 P. Drucker, Management (2007), p. 125.
3 R. Kalwait, R. Meyer, R. Erben, Fr. Romeike, O. Schellenberger, Risikomanagement in der Unternehmensführung (2008), p. 51.
4 L. Johanning, Risikomanagement in: W. Ballwieser [ed.], W. Grewe [ed.], Wirtschaftsprüfung im Wandel (2008), p. 259.
5 Ibid.
6 A very interesting analysis of the issue: A. McLucas, Decision making (2003), pp. 185 et seq.
7 A. Bowden, M. Lane, J. Martin, Triple bottom line risk management (2001), p. 3.
8 D. Olson, D. Wu, Enterprise Risk Management (2007), pp. 5-6; R. Bowden, M. Lane, J. Martin, Triple bottom line risk management (2001), p. 3.
9 Ibid.

As Illustration 1 shows, enterprise risks can generally be divided into two groups: financial and non-financial risks.

Illustration 1 – Risk types within a financial institution (based on UBS, UniCredit Group and Deutsche Bank AG)

Financial risks are directly related to monetary losses when a certain event occurs. Following the examples of UniCredit Group and Deutsche Bank AG, those risks can be divided into:

• Credit risk (counterparty risk)10 – the risk that a change in the credit quality of a counterparty will affect the value of an organization's position. Default is the extreme case, where a counterparty is unwilling or unable to fulfil its contractual obligation.11
• Market risk12 – the risk of changes in financial market prices and rates which reduce the value of the organization's financial position. Market risk is generally associated with interest rates, exchange rates, stock prices and commodity prices.13
• Liquidity risk14 – the risk that the organization will not be able to meet its current and future payment obligations in full or on time.15

Non-financial risks can be understood as events that, at the time they occur, do not directly change the financial positions of an organization (such as wrong assumptions in strategy, court proceedings, negative PR in the press, etc.). Still, those categories may also bring financial consequences such as expenses or losses. An example distinction:

• Operational risk16 – the risk of losses arising from failed or inadequate processes, from human errors, technical failures or from external events, including:
  ◦ Operative risk – failures and errors inside an organization17
  ◦ Systemic risk – events in the macro environment18
• Strategic risk – the risk of losses due to wrong decisions at the strategic, long-term level (e.g. assumptions on client preferences) or changes in the market environment (government policy changes),19 including:
  ◦ Legal risk20 – the risk of legal liability in case legal or contractual obligations are breached (crossing point with corporate compliance)21
  ◦ Reputation risk22 – negative image and PR due to a future event23
  ◦ Business risk24 – risks related to wrong business decisions or non-financial events, such as a drop in sales, causing monetary losses25
  ◦ Political and social risk26 – risk related to changes in the political and social environment27

10 Practical example: Risk management program, UniCredit Group, available at: http://www.unicreditgroup.eu/ucg-static/downloads/credit_risk_ENG.pdf.
11 M. Ammann, Credit risk valuation (2001); C. Bluhm, L. Overbeck, Ch. Wagner, An introduction to credit risk modeling (2002).
12 Practical example: Risk management program, UniCredit Group, available at: http://www.unicreditgroup.eu/ucg-static/downloads/market_risk_ENG.pdf.
13 R. Gallati, Risk management and capital adequacy (2003), pp. 34-37.
14 Practical example: Legal, Risk & Capital function at Deutsche Bank AG, available at: http://www.db.com/de/content/company/legal_risk_capital.htm?dbiquery=null%3Arisk+management.
15 P. Jorion, Value at Risk (2000), pp. 340 et seq.
16 Practical example: Risk management program, UniCredit Group, available at: http://www.unicreditgroup.eu/ucg-static/downloads/operational_risk_ENG.pdf.
17 Ibid.
18 R. Effros, Current legal issues affecting central banks (1998), pp. 111-112.
19 G. van den Brink, F. Romeike, Corporate Governance und Risikomanagement im Finanzdienstleistungsbereich (2004), p. 90.
20 Practical example: Legal, Risk & Capital function at Deutsche Bank AG, available at: http://www.db.com/de/content/company/legal_risk_capital.htm?dbiquery=null%3Arisk+management.
21 P. Jorion, Value at Risk (2000), pp. 20 et seq.
22 Well developed within the Risk management program, UniCredit Group, available at: http://www.unicreditgroup.eu/ucg-static/downloads/reputational_risk_ENG.pdf.
23 M. Power, The Risk Management of Everything (2004), pp. 35 et seq.
24 Practical example: Legal, Risk & Capital function at Deutsche Bank AG, available at: http://www.db.com/de/content/company/legal_risk_capital.htm?dbiquery=null%3Arisk+management. Here, managing business risk is included in the scope of the Treasury function's tasks.
25 H. Scott, Capital adequacy beyond Basel (2005), p. 263.
26 Practical example: Risk Management Handbook, UBS, available at: http://www.ubs.com/1/ShowMedia/investors/annual_reporting2005/handbook/0027?contentId=96467&name=hb0506_e_FINAL_web.pdf.
27 R. Daft, R. Allen, E. Sandburg, Management (2008), pp. 110-111.

b) Risk management

In order to deal effectively with risks in an organization, a systematic process approach is needed. The process itself is described as risk management (RM) and is realized with the organizational support of a risk management system (RMS)28 providing the necessary resources. A widely accepted definition of RM has been proposed by the U.S. Committee of Sponsoring Organizations of the Treadway Commission (COSO), where risk management means:

"A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."29

According to another definition, risk management is a process in which an organisation methodically addresses the risks attaching to its activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.30 Risk management itself can be seen as a wide, cross-divisional business support function inside an organization.31 All functions of a company, such as corporate finance, strategy, sales, logistics, etc., face several risks within the management process. Using a risk management system can help to limit losses or failures due to risk exposure and strengthen the chance of achieving a competitive advantage.32 Effective risk management has to include all risks related to all corporate functions within one risk map, also known as the company's risk portfolio.33

The importance of risk management has grown rapidly during the last 20 years.34 This has been the case as the business environment became more complex and sophisticated and the development of technology brought the possibility of using new techniques to develop standardized mathematical models of risks.

28 In the U.S. called "enterprise risk management" (ERM), e.g. the terminology of COSO Enterprise risk management – integrated network.
29 COSO Enterprise risk management – integrated network, available at: http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf.
30 F. Romeike, Lexikon Risiko-Management (2004), p. 151.
31 P. Witt in P. Hommelhoff, K. Hopt, A. v. Werder, Handbuch Corporate Governance (2003), p. 249; more about integrating risk management with other corporate functions: Ch. Culp, The risk management process (2001), pp. 216 et seq.
32 T. Merna, F. Al-Thani, Corporate Risk Management (2008), pp. 153, 187, 224, 350.
33 F. Romeike, Lexikon Risiko-Management (2004), p. 151.
34 D. Chew, Corporate Risk Management (2008), p. 323.

It is important to define the distinction between risk management (RM) and internal control systems (ICS). Internal controls can be described as special measurement instruments (checks) that help to assess whether the financial and non-financial goals of an organization are achieved.35 The theory has not developed one view on the relation between RM and ICS. In one opinion, risk management is seen as a part of internal controls; in the other, ICS is defined as part of RM.36 But following either opinion, the effectiveness of both systems will be based on a standardized monitoring function which focuses on the "limitation of financial losses and operational failures".37 Risk management uses a risk-based approach, whereas internal controls focus on a broader, multidisciplinary scope of measurement points. Both systems can be seen as complementary and integrable.38 Illustration 2 shows how complex a corporate risk management organization integrated within an ICS can be.

Illustration 2 – Organization of risk management at UBS (source: http://www.ubs.com/1/ShowMedia/investors/annual_reporting2005/handbook/0027?contentId=96467&name=hb0506_e_FINAL_web.pdf)

35 A. Trenerry, Principles of Internal Control (1999), pp. 6 et seq.
36 M. Leitch, Intelligent Internal Control and Risk Management (2008), p. 20.
37 D. Chorafas, Implementing and auditing the internal control system (2001), p. 30.
38 A. Friedman and S. Miles, Stakeholders: Theory and practise (2006), p. 256.

c) General principles regarding risk management process

Risk management is broadly seen as a central part of a corporation's strategic management.39 This means that the essential basis for the whole system shall be included in the company's strategy. The corporate strategy includes the main mid-term and long-term strategic objectives and goals that the organization wants to achieve. Those aims can be seen as chances for the company to achieve a competitive advantage in the market. All chances, due to uncertainty, bear a certain scope of risks. The best approach is to relate the governance of the organization's risks to encouraging the chances to be achieved. That is why the company's strategy shall include both chances and risks.40 The risks shall be categorized in one organization-wide document, the risk portfolio or map. This portfolio includes only the categories in which an exposure to certain types of risks exists. At the strategy level, risks are only localized and defined, but not quantified.41 The strategy shall also include a general approach on how certain risks will be dealt with when they occur: the objective setting.42 There are four possible approaches toward risks:

• Risk acceptance – This means accepting losses or failures in case an event occurs. In the case of financial losses, the company should have prepared reserves (credit lines or cash). The loss itself will then be consolidated within the company's accounts.43
• Risk avoidance – The company wants to avoid or not engage in any situation linked to risks (e.g. not to invest in an unstable country). Gaining economic profit is always related to risks; there is no profit without bearing risk. Accordingly, the higher the risk, the higher the potential profit, but also the higher the risk of losses or failures.44
• Risk reduction – Under this approach, the risks are not avoided, so possible losses or failures may occur. The organization, from its side, tries to implement certain steps in order to reduce the risks (e.g. hedging the currency risk of a transaction).45
• Risk transfer – The risks are shifted to third parties (e.g. to insurance companies). Even though the company does not bear the risk, this approach still generates costs, as the counterparty requires a risk fee (the price for bearing the risk, e.g. an insurance premium). So, the higher the risk, the higher the price for transferring it.46

As shown in Illustration 3, risk management can be seen as a permanent, ongoing process. This process can be divided into five main stages: risk identification at the strategic and operative levels, risk assessment, risk treatment, risk communication and risk monitoring.

Illustration 3 – Corporate risk management framework as process cycle (based on: F. Romeike, R. Finke, Erfolgsfaktor Risikomanagement: Chance für Industrie und Handel, Lessons learned, Methoden, Checklisten und Implementierung (2000), p. 153)

• Risk identification – has two levels. First, as described above, the management prepares a company's risk portfolio within the corporate strategy. At this level, the risks to which the company is exposed (general risks and categories of risks, as event identification) have to be detected and categorized. Second, once the risk portfolio is developed, it is the duty of management to identify the single risks in the daily business conduct and take over the risk positions.47
• Risk assessment – once a risk is identified, it needs to be estimated and transformed into mathematical terms. The risk assessment includes estimating the probability that a risk-related event may occur and the scope of its impact (quantification of losses).48
• Risk treatment (response) – means the factual dealing with risks. It includes all actions or activities that serve as an answer to the risk position. The process of selecting and implementing measures shall result in a modification of the risk position. The measures comprise risk acceptance, risk avoidance, risk reduction or risk transfer.49
• Risk monitoring (control) – includes monitoring of identified, assessed and treated risk positions. It may serve to evaluate the effectiveness of risk treatment. It can also be used to monitor the effectiveness of the whole RMS (e.g. the existence of appropriate RM controls or monitoring the implementation of RM procedures by the employees).50
• Risk communication – The results of risk identification, assessment and treatment need to be communicated. They can be communicated internally within the company (e.g. to a higher business unit or to the senior management) or externally (e.g. to shareholders or other stakeholders). External reporting at listed companies is typically required under the law (requirement of risk reporting).51

How the system shall be structured in detail depends on the company itself and the business sector. In the financial industry it is much easier and more important to establish a sophisticated RMS, as money is the primary "product" and risk assessment, communication and treatment can, to a higher extent, be automated. In a production industry the RMS will focus on different categories. The system itself will not need as many resources, and a benefit can sometimes already be achieved by implementing a corporate "risk culture".

39 e.g. Risk Management Standard of The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector, p. 2, available at: http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf.
40 P. Drucker, Management (2007), pp. 125 et seq.
41 Ibid.
42 Ibid.
43 R. Moeller, COSO Enterprise Risk Management (2007), p. 78.
44 Ibid.
45 Ibid., p. 77.
46 D. Chew, Corporate Risk Management (2008), pp. 210-212.

2. Economic concept of corporate compliance function

Compliance generally means adherence to the provisions of law and to internal regulations.52 In principle, everyone is obliged to behave compliantly. At the corporate level this requirement can be fulfilled with the support of a separate organizational structure equipped with its own resources. Several functions are associated with corporate compliance.

47 Ch. Culp, The risk management process (2001), p. 210. 48 Ibid., p. 211. 49 A. Bowden, M. Lane, J. Martin, Triple bottom line risk management (2001), p. 93. 50 COSO Enterprise risk management – executive summary, p. 2, available at: http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf. 51 Ch. Culp, The risk management process (2001), pp. 211-212. 52 Legal definition - 4.1.3 German Corporate Governance Code. See infra fn. 91.

The main function of corporate compliance is to reduce the risk of legal liability of the company, its management and its employees.53 This can be seen as a protection function, and it can only be achieved with a risk-based compliance approach. The compliance organization should also support employees by providing internal standards of proper conduct, and it should be fully committed to setting internal standards and processes. The internal rules can form a framework of conduct provisions of different types and at different levels (see the example of Daimler AG in Illustration 4).54 At the same time, the compliance structure must ensure that compliance-relevant information reaches its addressees (information and communication function).55 This can be ensured in particular by offering dedicated training or other forms of education, and by offering consultation and advice on compliance issues (advisory function).56 Establishing a compliance framework with its own resources, internal rules and processes may also strengthen governance processes, as clearly assigned responsibilities and defined processes bring more clarity and a better overview of the governance structures of the organization.57 As seen at the UniCredit Group, corporate compliance can serve as a value creation function as well.58 This is especially the case when the output of a compliance program takes the form of a better reputation for the firm, stakeholder confidence and better prospects for sustainability.59 The way an organization presents its compliance program outside the company can also bring advantages: within the marketing function, the organization can use its compliance program as a positive message in its PR, which can enhance the firm's image.

Compliance can also have a preventive function. By setting and communicating a clear network of rules it can reduce the number of cases of improper conduct, and regular monitoring and auditing of business activities can help to ensure that compliance is actually being adopted.60 Dealing with compliance risks should also protect the organization from reputational damage such as corruption scandals. A well-designed compliance network should in particular aim to minimize situations involving a conflict of interest between the company, its employees and the external environment.

Illustration 4 – System of internal (compliance) regulations at Daimler AG (source: http://ar2008.daimler.com/reports/daimler/annual/2008/gb/English/602010/our-understanding-of-compliance-and-our-principles.html)

53 F. Banks, Corporate Legal Compliance Handbook (2002), pp. 135, 169; B. Youngberg, The Risk manager's desk reference (1998), pp. 112-113. 54 T. Lösler, Das moderne Verständnis von Compliance im Finanzmarktrecht, NZG 2005, p. 105. Practical example: Compliance program of Daimler AG, available at: http://ar2008.daimler.com/reports/daimler/annual/2008/gb/English/602010/our-understanding-of-compliance-and-our-principles.html. 55 Practical example: METRO Group, METRO Group Compliance Program, available at: http://www.metrogroup.de/servlet/PB/menu/1138270_l2/index.html. 56 T. Lösler, Das moderne Verständnis von Compliance im Finanzmarktrecht, NZG 2005, p. 105. Practical example: Merck & Co., Inc. Comprehensive Compliance Program, available at: http://www.merck.com/about/compliance/ccp.html.

As with the RMS, the structure of corporate compliance will also depend on the specifics of the company and its industry. For example, the areas most commonly covered by German corporations are corruption61 and anti-competitive conduct62.63 But a corporate compliance program, as in the case of the BASF Group, may also cover further topics such as:

• Industrial and plant safety

• Protection of health and environment

• Antitrust regulations

• Insider knowledge

• Ban on exploiting knowledge of internal processes for personal purposes

• Embargo and trade control regulations

• Handling company property and the property of our business partners

• Money laundering

• Dealing with business partners and representatives of government bodies.64

57 E.g. see the objectives of the ING Group Compliance Risk Management Charter and Framework, available at: http://www.ing.com/group/showdoc.jsp?docid=139868_EN&menopt=cog|coc|gpo. 58 Practical example: Compliance function at UniCredit Group, available at: http://www.unicreditgroup.eu/en/Governance/compliance.html. Effective compliance ensuring good corporate governance can be seen as an important pillar of corporate value creation, T. Clarke, International corporate governance (2007), pp. 45 et seq. 59 J. Doorley, H. Garcia, J. Osborn, Reputation Management (2006), p. 52. Practical example: GlaxoSmithKline Compliance Programme, available at: http://www.gsk.com/about/corp-gov-ethics.htm; Compliance function at UniCredit Group, see supra fn. 58. 60 Practical example: Coca-Cola Company Ethics & Compliance, available at: http://www.thecoca-colacompany.com/citizenship/governance_ethics.html. 61 J. Campos Nave, S. Bonenberger, Korruptionsaffären, Corporate Compliance und Sofortmaßnahmen für den Krisenfall, BB 2008, p. 734. 62 G. Pampel, Die Bedeutung von Compliance-Programmen im Kartellordnungswidrigkeitenrecht, BB 2007, p. 1636. 63 R. Lothert, J. Greve in: Ch. Hauschka [ed.], Corporate Compliance (2007), § 17 para 17 and § 24 para 62 et seq.; Ch. Hauschka, Von Compliance zu Best Practice, ZRP 2006, pp. 258-260; Ch. Hauschka, Der Compliance-Beauftragte im Kartellrecht, BB 2004, p. 1178.

Corporate compliance can be seen as a function supporting internal controls, defined within the UniCredit Group as a "second-level internal control system".65 Within this scope, compliance will also incorporate a set of controls and checks (e.g. in the form of KPIs66) measuring the quality and effectiveness of the compliance program. Compliance can therefore also be understood as part of the organization's ICS.

3. Interplay between risk management and compliance

Corporate compliance and risk management are very often regarded as parts of one corporate platform, GRC (Governance, Risk Management, Compliance). Combining both governance structures in an organization under a risk-based approach can create an effective protection system.67 As the example of the ING Group shows, combining risk management with compliance can bring synergies and more transparency.68

64 Practical example: Compliance Program of the BASF Group, source: http://www.basf.com/group/corporate/en/about-basf/vision-values-principles/code-of-conduct/index. 65 Practical example: Compliance function at UniCredit Group, see supra fn. 58. 66 Key Performance Indicators – a set of measures focusing on organizational performance that is critical for the future success of a company (or function, project, etc.), D. Parmenter, Key performance indicators (2007), pp. 3 et seq. 67 P. Purpura, Security and Loss Prevention (2007), pp. 260 et seq.; L. Geishecker, R. Weston, Risk! (2007), pp. 125 et seq.; N. Pal, From Strategy to Execution (2008), pp. 168 et seq. 68 ING Group Compliance Risk Management Charter and Framework, see supra fn. 57.

III. Regulatory approach

1. Regulations on risk management and compliance under German law

a) Risk management

The first step toward sanctioning a legal requirement of risk management under German law was made in 1998 with the Corporate Control and Transparency Act (KonTraG).69 The Act was intended as a legal reaction to the corporate "negative developments" in Germany of the preceding years and established minimum requirements for companies that would help to avoid corporate collapses.70 The KonTraG formed part of a broader corporate law reform.71

With the new § 91(2) AktG, the German legislator imposed on the management board of a stock corporation the obligation to establish a "monitoring system" so that the "early detection of any risks endangering the continued existence of the company"72 is ensured.73 Under the new § 317(4) HGB, this early monitoring system was placed under the audit of the certified auditors.74 There are several difficulties in fulfilling the requirement of § 91(2) AktG. First of all, the legislator uses very general language, combining the expressions "monitoring system" and "early detection" without using the terms risk management or risk controlling. Nevertheless, German doctrine75 has established a consistent interpretation of § 91(2) AktG, and it is commonly understood that the "early monitoring system" stands for a requirement of a risk detection system forming part of the economic notion of risk management.76 As there are no indications of how this system has to be structured, German doctrine makes its organization dependent on the size and business segment characteristics of the company.77 This means that the board has wide discretion in fulfilling this requirement.78 There is no doubt in the literature that the scope of § 91(2) AktG also covers the German partnership limited by shares (KGaA) and the mutual insurance company (VVaG); its applicability to the limited liability company (GmbH) is disputed.79

69 K. Wolf, B. Runzheimer, Risikomanagement und KonTraG, Edition 4 (2003), p. 21. 70 T. Martin, T. Bär, Grundzüge des Risikomanagements nach KonTraG (2002), p. 37 – the authors point especially to the corporate collapses of Metallgesellschaft, Schneider, Balsam and Sachsenmilch. 71 K. Wolf, B. Runzheimer, Risikomanagement und KonTraG (2003), p. 21; S. Lingemann, D. Wasmann, Mehr Kontrolle und Transparenz im Aktienrecht: Das KonTraG tritt in Kraft, BB 1998, pp. 853-862. 72 Can also be linked to the Business Judgment Rule and the prudent businessman requirement. 73 Technically this was not seen as an essential improvement, as even before the KonTraG the board was obliged under §§ 76 and 93 AktG to provide an appropriate organization within the corporation and to detect imperilling developments, Begr. RegE BT-Drucks. 13/9712 p. 15; G. Spindler in H. Fleischer, Handbuch des Vorstandsrechts (2006), § 19 para 6. 74 G. Spindler in: Münchener Kommentar zum Aktiengesetz (2008), § 91 para 1. 75 M. Kort in: K. Hopt, H. Wiedemann [ed.], Aktiengesetz Großkommentar (2008), § 91 para 30 et seq.; G. Krieger, V. Sailer in: K. Schmidt, M. Lutter [ed.], Aktiengesetz Kommentar (2008), § 91 para 6 et seq. 76 This is also because the legislator itself, in the explanatory memorandum to the KonTraG, stated that risk management is part of the duty of care of a prudent businessman, Begr. RegE BT-Drucks. 13/9712, p. 15.

The existence of the "early monitoring system" has been included in the program of the mandatory annual audit under § 317(4) HGB.80 Given the general clauses of § 91(2) AktG, there are only few indications as to the scope of this audit. It is commonly understood that the assessment is not to evaluate whether a company is equipped with a full risk management system including the treatment of risks (i.e. whether the risks have been properly treated by the management board).81 The audit should rather focus on whether the risk detection, analysis, assessment and communication and the linked monitoring system cover all risks and business areas, and whether the system fits the structure of the company.82 So the audit does not assess the processes operating in the company, but checks the systematic arrangement and its "operability".83

The German legislator gave hardly any indication of the content of the monitoring system. This gap has been filled by the Institute of Public Auditors in Germany84 (IDW), which introduced IDW Auditing Standard 340 (IDW PS 340).85 This standard was designed specifically as a set of recommendations for auditors who have to assess the requirements set in § 91(2) AktG in connection with § 317(4) HGB. IDW PS 340 defines the scope86 of the audit and how the audit plan87 should be prepared. It also recommends how the audit88 should be conducted and how the results should be reported.89 More interesting, however, is the fact that IDW PS 340 also gives the management board a roadmap for creating an "early monitoring system" under § 317(4) HGB. The following measures can be distinguished:

77 M. Kort in: K. Hopt, H. Wiedemann, Aktiengesetz Großkommentar (2008), § 91 para 69. 78 Ibid. 79 An adequate application of § 91(2) AktG to a GmbH that is part of a group of companies, where the parent entity is required to fulfil the requirement of an early monitoring system, is considered appropriate, G. Spindler in H. Fleischer, Handbuch des Vorstandsrechts (2006), § 19 para 4. 80 This provision sanctions the obligation of § 91(2) AktG and serves for its enforcement, but is limited to companies listed on the stock exchange, W. Ebke in: Münchener Kommentar zum Handelsgesetzbuch, 2nd edition (2008), § 317 para 79. 81 F. Wall, Kompatibilität des betriebswirtschaftlichen Risikomanagements mit den gesetzlichen Anforderungen?, WPg 56/2003, pp. 457, 471. 82 W. Ebke in: Münchener Kommentar zum Handelsgesetzbuch (2008), § 317 para 82. 83 S. Fiege, Risikomanagement- und Überwachungssystem nach KonTraG: Prozess, Instrumente, Träger (2006); G. Krieger, V. Sailer, in: K. Schmidt, M. Lutter [ed.], Aktiengesetz Kommentar (2008), § 91 para 16. 84 Institut der Wirtschaftsprüfer in Deutschland e.V., a privately run registered association whose members comprise 86.68% of all German public auditors. 85 Full title: "IDW Auditing Standard: The Audit of the Risk Early Recognition System Pursuant to § 317(4) HGB". 86 IDW PS 340.19. 87 IDW PS 340.20-23. 88 IDW PS 340.24-31.

• Determination of risk areas that may lead to developments endangering the going concern (IDW PS 340.7-8),

• Rules for the recognition and analysis of risks (IDW PS 340.9-10),

• Risk communication inside the company (IDW PS 340.11-12),

• Assignment of responsibilities and duties within the structure and for employees of the

company (IDW PS 340.13-14),

• Establishment of a monitoring system (IDW PS 340.15-16),

• Documentation requirements concerning the “early monitoring system” (IDW PS

340.17-18).

As can be seen in Illustration 5, the standard also provides guidance on risk treatment mechanisms, in particular in the risk absorption and risk acceptance functions. Even though IDW PS 340 gives a broad map of how to develop a risk recognition system within a company, the standard is not legally binding: it was developed only as guidance for certified public auditors. But as the IDW has more than 85% of German public auditors as members, and as annual audits have an important impact on companies themselves, the auditing standards released by the IDW are commonly implemented in Germany.

89 IDW PS 340.32-33.

Illustration 5 – Risk management under IDW Auditing Standard 340 (source: G. van den Brink, F. Romeike, Corporate Governance und Risikomanagement im Finanzdienstleistungsbereich (2004), p. 90)

Parallel to this, the provision of § 91(2) AktG has an equivalent in the German Corporate Governance Code (GCGC).90 Under 4.1.4 GCGC, there is a requirement for appropriate risk management and risk controlling. Risk management is to be understood here as full-function risk management, including risk identification, assessment, treatment, monitoring and communication,91 while risk controlling can be understood as a risk early monitoring system.92 What is notable is that, according to the introduction of the GCGC, the part containing provision 4.1.4 contains no recommendations but a restatement of the law. Even though the legislator does not use the terminology of 4.1.4, the provision itself is to be linked to § 91(2) AktG.93 At the same time, the German Corporate Governance Code sets some other interesting accents. First, under 4.1.4 GCGC, the Code stresses that the management board and the supervisory board are required to cooperate on questions of risk management.94 Second, in accordance with 3.4 GCGC, the management board has to supply the supervisory board continuously with all relevant risk information. Third, under 5.2 GCGC, the chairman of the supervisory board has a special advisory function toward the management board on risk management questions. It has to be stressed that the GCGC applies only to capital corporations listed on German stock exchanges.95 This makes the applicability of 4.1.4 GCGC more limited than that of § 91(2) AktG.

90 The Government Commission on the German Corporate Governance Code, German Corporate Governance Code of 2008, http://www.corporate-governance-code.de/eng/download/E_Kodex%202008_final.pdf. 91 R. Ringleb in: R. Ringleb, T. Kremer, M. Lutter, A. v. Werder, Kommentar zum Deutschen Corporate Governance Kodex (2005), para 657. 92 Ibid., para 643. 93 Ibid., para 640.

aa) Special provisions on risk management for financial services industry

Credit institutions96 and financial services institutions97 are subject to special regulation of risk management in Germany.98 The German Banking Act (KWG) requires in § 25a(1) that these two groups of institutions have appropriate and effective risk management within their business organisation. The institutions are obliged to implement a proper strategy and internal control procedures (including an internal control system (ICS) and internal audit (IA))99 in order to determine and secure their risk-bearing capacity.100 A special obligation concerns the internal control system, which has to include procedures for risk detection, assessment, treatment, monitoring and communication.101 The ICS has to be organized so that internal procedures are designed with a clear separation of responsibilities.102

Risk management needs to be equipped with "adequate human and organizational resources" and a well-prepared "contingency plan".103 The main distinction from corporate law is that German banking law requires a fully operating risk management function. So it is not only important whether the early detection of risks is working, but also whether the detected risks are treated and monitored, so that the institution's risk-bearing capacity is not endangered. Still, the German legislator has again left room for discretion. Under § 25a(1) KWG the criterion is that risk management is appropriate, so the way the system is designed may depend on the "type, scope, complexity and risk level of the institute's business activity".104 It thus depends on the bank's profile: whether the institution offers simple products, like a consumer bank, or a larger portfolio of complex and sophisticated products, like a wholesale or investment bank.105 The provision of § 25a(1) KWG itself looks more like a specification of § 91(2) AktG for the financial industry. There are still doubts in the literature as to whether § 25a(1) KWG is to serve as an industry-specific substitute for § 91(2) AktG.106 The case law, by contrast, affirms the link between § 91(2) AktG and § 25a(1) KWG.107

94 R. Hilz-Ward, O. Everling and N. Löhndorf, Risk Performance Management (2009), p. 19. 95 Ibid. 96 German "Kreditinstitute". 97 German "Finanzdienstleistungsinstitute". 98 U. Braun in: K. Boos, R. Fischer, H. Schulte-Mattler, Kreditwesengesetz (2008), § 25a para 1 et seq. 99 G. Hellstern in: G. Luz, W. Neus, P. Scharpf, P. Schneider, M. Weber [ed.], Kreditwesengesetz (KWG) (2009), pp. 754-755. 100 § 25a (1) para 1 KWG. 101 § 25a (1) para 1 (b) KWG. 102 § 25a (1) para 1 (a) KWG. 103 § 25a (1) para 2 and 3 KWG.

As the rules set in § 25a(1) KWG are very general, the Federal Financial Supervisory Authority (BaFin) released the "Minimum Requirements for Risk Management" (MaRisk) in order to provide an explanatory framework for them and to incorporate the Basel II requirements into the German regulatory framework.108 MaRisk takes the form of a "norm-interpreting regulation"109, i.e. BaFin's binding interpretation of how risk management is to be structured in German financial institutions.110 There are currently two versions of MaRisk: one relating to German credit institutions (MaRisk BA)111 and the other binding on German insurance undertakings (MaRisk VA)112. MaRisk BA and MaRisk VA are very similar. The main difference is that MaRisk VA implements the Solvency II113 rules for German insurance undertakings,114 while MaRisk BA implements a large part of the Basel II requirements.115

104 U. Braun in: K. Boos, R. Fischer, H. Schulte-Mattler, Kreditwesengesetz (2008), § 25a para. 77. 105 Ibid. 106 U. Hüffer, Die leitungsbezogene Verantwortung des Aufsichtsrates, NZG 2007, pp. 47-49. 107 Decision of VG Frankfurt a.M. from 8 July 2004, 1 E 7363/03 (I), WM 2004, pp. 2157, 2160. 108 G. Hellstern in: G. Luz, W. Neus, P. Scharpf, P. Schneider, M. Weber [ed.], Kreditwesengesetz (KWG) (2009), pp. 755 et seq. 109 German "norminterpretierende Vorschrift". 110 C. Kraft, Die Mindestanforderungen an das Risikomanagement (2008), p. 11. 111 Circular 05/2007, Banking supervision minimum requirements for risk management (Rundschreiben 05/2007, Bankenaufsicht Mindestanforderungen an das Risikomanagement), available at: http://www.bafin.de/cln_006/nn_721290/SharedDocs/Veroeffentlichungen/DE/Service/Rundschreiben/2007/rs__0705__ba.html?__nnn=true. 112 Circular 3/2009, Minimum requirements for insurers' risk management (Rundschreiben 3/2009, Mindestanforderungen an das Risikomanagement für Versicherer), available at: http://www.bafin.de/cln_109/nn_721290/SharedDocs/Veroeffentlichungen/DE/Service/Rundschreiben/2009/rs__0903__marisk__va.html?__nnn=true. 113 European Parliament legislative resolution of 22 April 2009 on the amended proposal for a directive of the European Parliament and of the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (COM(2008)0119 – C6-0231/2007 – 2007/0143(COD)), available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2009-0251+0+DOC+XML+V0//EN. 114 S. Fus, Business Continuity Management bei Finanzdienstleistern (2008), pp. 24-25; V. Altenähr, T. Nguyen and F. Romeike, Risikomanagement kompakt (2004), p. 43. 115 U. Braun in: K. Boos, R. Fischer, H. Schulte-Mattler, Kreditwesengesetz (2008), § 25a para 7 et seq.


MaRisk itself is not a very detailed act. It is intended rather to set common standards for risk management in the financial industry.116 Under AT 2.2 MaRisk, four categories of risk are to be distinguished:

• Counterparty (credit) risks117

• Market price risks

• Liquidity risks

• Operational risks.

At the same time, MaRisk includes further provisions specifying the measures required to deal with those risks.118 The body of the standard consists of provisions specifying the requirements mentioned in § 25a(1) KWG:

• Risk-bearing capacity and strategy (AT 4.1-2),

• Internal control system (AT 4.3),

• Internal audit (AT 4.4),

• Organisational guidelines (AT 5),

• Documentation requirements (AT 6),

• Resources (AT 7).

It is also important that MaRisk has been used to implement provisions of European law on the "requirements for ensuring adequate internal capital to cover all material risks"119, as well as European standards on financial instruments120.121

bb) The reform of risk management provisions under German law

With the enactment of the BilMoG (Act to Modernise Accounting Law)122, the German legislator intended to push the development of German accounting law forward and to implement the rules of European law under Directive 2006/43/EC (audit) and the amending Directive 2006/46/EC (accounting).123 This modernization will also have a significant impact on German corporate and business law, especially on the requirements concerning risk management. The core of the new act in relation to this issue lies in the new provisions of § 107 AktG and § 289a HGB.

116 Ibid., para 78. 117 Including country risks. 118 BTR 1-4 MaRisk. 119 Articles 22 and 123 of Directive 2006/48/EC (Capital Requirements Directive (CRD)). 120 Art. 5, 7, 8 and 13 of Directive 2004/39/EC (Markets in Financial Instruments Directive) and Art. 13 and 14 of Directive 2006/73/EC (Implementing Directive for the Markets in Financial Instruments Directive). 121 MaRisk AT 1.1-3; for more see: G. Hellstern in: G. Luz, W. Neus, P. Scharpf, P. Schneider, M. Weber [ed.], Kreditwesengesetz (KWG) (2009), pp. 759 et seq. 122 Gesetz zur Modernisierung des Bilanzrechts vom 25. Mai 2009, BGBl. I 2009, 1102. 123 A. Müssig, Bilanzielle Risikovorsorge und außerbilanzielle Risikoberichterstattung (2006), p. 181; V. Basin, Die Modernisierung der 8. EU Richtlinie unter Einfluss des Sarbanes-Oxley Acts (2009), p. 58.

With the reform, under the new § 107(3) sentence 2 AktG-E,124 the supervisory board's monitoring responsibility is extended to monitoring the effectiveness of the company-wide internal control system (ICS) and the internal risk management system (RMS).125 This provision has far-reaching implications. Even though the German legislator has not introduced a general duty to establish a full-function RMS, the supervisory board will be faced with assessing not only the existence of an RMS but also its effectiveness.126

The second part of the "risk management reform" concerns disclosure requirements. Under § 289(5) HGB-E, the management board has to describe the main characteristics of the accounting-related internal control and risk management system in the management report.127 As the management board will be required to provide relevant information on an effective internal RMS to the supervisory board and for external disclosure purposes, a functioning corporate RMS will de facto become an obligation. This will happen without any legislative help in the form of a legal description of the elementary features of an RMS, which will probably increase the importance of IDW PS 340 as the only explanation of, and roadmap for, establishing a risk management system that fits German requirements.

Incentives for more conscious risk-related decision-making can also be found in the German Management Compensation Bill.128

b) Compliance

The definition of corporate compliance can be found in the German Corporate Governance Code. Under provision 4.1.3 GCGC, compliance is defined as the management board's responsibility to ensure that "all provisions of law and the enterprise's internal policies are abided". Even though the GCGC is not a binding act, the applicability of this provision to German publicly listed capital corporations is commonly accepted.129

124 The scope of the new provisions brought in with the BilMoG is of significant importance, as the rules apply not only to stock corporations (AG) but to all capital-market-oriented corporations (including the Societas Europaea (SE), partnerships limited by shares (KGaA), private limited companies (GmbH) as well as cooperatives, mutual benefit societies and commercial partnerships present on the capital market), C. Meyer, Gesetz zur Modernisierung des Bilanzrechts (Bilanzrechtsmodernisierungsgesetz - BilMoG) - die wesentlichen Änderungen, DStR 2009, p. 765. 125 D. Mattheus, P. Hommelhoff, Risikomanagementsystem im Entwurf des BilMoG als Funktionselement der Corporate Governance, BB 2007, pp. 2787 et seq. This responsibility can be delegated to one of the members of the supervisory board. 126 K. Wolf, Zur Anforderung eines internen Kontroll- und Risikomanagementsystems im Hinblick auf den (Konzern-) Rechnungslegungsprozess gemäß BilMoG, DStR 2009, pp. 921 et seq. 127 G. Burwitz, Das Bilanzrechtsmodernisierungsgesetz - Eine Analyse des Regierungsentwurfs und der Änderungsvorschläge des Bundesrats, NZG 2008, p. 699. 128 Entwurf eines Gesetzes zur Angemessenheit der Vorstandsvergütung (VorstAG) from 17 March 2009, BT-Drucksache 16/12278, available at: http://dip21.bundestag.de/dip21/btd/16/122/1612278.pdf.

The German Corporate Governance Code does not contain any further explanation of how to achieve "compliance" within the company.130 An understanding of how to fulfil the requirement can therefore be reached only by way of legal interpretation. Provision 4.1.3 GCGC has been included in the part of the Code describing the management board's responsibilities and tasks in a company. This means that compliance has to play a prominent role among the management board's duties. The requirement itself can be divided into two levels. Compliance is to be understood as a broad requirement of legality for all of the company's activities,131 as well as an organizational duty to establish a compliance system.132 In other words, the compliance system has to promote the establishment and fulfilment of conduct standards within the company by means of organizational arrangements.133 The conduct standards are laid down by the law itself as well as by internal regulations134 issued only for the employees of the company. The internal regulations in particular play an extremely important role, as they can be used for the purpose of risk avoidance by pointing out and communicating135 concrete risks to employees and providing ready-made rules of conduct that can be applied in those risk-bearing situations.136 In order to promote this approach, companies appoint a corporate chief compliance officer who (supported by a lean compliance organization) deals only with compliance matters.137 Another question is how the scope of corporate compliance should be defined. As there are no legal provisions on the structure of a compliance system, the management board, in shaping a compliance structure that fits the corporation, should follow the Business Judgement Rule138 as well as take the characteristics of the company and its industry139 into account. At the same time, the requirement of compliance

129 For more, see M. Kort, Verhaltensstandardisierung durch Corporate Compliance, NZG 2008, pp. 83-86.
130 R. Ringleb in R. Ringleb, T. Kremer, M. Lutter, A. v. Werder, Kommentar zum Deutschen Corporate Governance Kodex (2005), para 617.
131 M. Peltzer, Deutsche Corporate Governance, Ein Leitfaden (2004), p. 48.
132 J. Bürkle, Corporate Compliance – Pflicht oder Kür für den Vorstand der AG, BB 2007, pp. 1797, 1798.
133 M. Kort, Verhaltensstandardisierung durch Corporate Compliance, NZG 2008, p. 83.
134 E.g. integrity codes, codes of ethics, codes of conduct, internal guidelines and policies, but also articles of association, employment contracts and others.
135 Using e.g. the channel of the corporate "internal communication" function.
136 R. Lothert, in: Ch. Hauschka [ed.], Corporate Compliance (2007), § 17 para. 2; G. Wecker, H. v. Laak, Compliance in der Unternehmerpraxis, pp. 136, 169; J. Bürkle, Corporate Compliance – Pflicht oder Kür für den Vorstand der AG, BB 2007, pp. 1797, 1798.
137 J. Berwanger, S. Kullmann, Interne Revision (2007), p. 82.
138 O. Sieg, S. Zeidler, in: Ch. Hauschka [ed.], Corporate Compliance (2007), § 3 para. 1 et seq.
139 J. Bürkle, Corporate Compliance – Pflicht oder Kür für den Vorstand der AG, BB 2007, pp. 1797, 1798.


has to be applied within the entire group of companies (Konzern).140 Under 3.4 GCGC, the management board has to inform the supervisory board "regularly, without delay and comprehensively" on all compliance-related issues. In addition, the supervisory board has to establish an audit committee which will, inter alia, deal with compliance matters as well (5.3.2 GCGC).

Beside the GCGC, provisions on compliance have been included in legislative acts as well. This applies especially to the financial services industry. The most prominent examples exist under the German Banking Act (KWG) and the Insurance Supervision Act (VAG). With almost identical provisions,141 the management board of a credit institution (or financial services institution) or an insurance undertaking has the duty to create a corporate organization that enables compliance with legal provisions. Further requirements can be found in the German Securities Trading Act142 and in German competition law143.

2. Regulations on risk management and compliance in international perspective

a) Risk management

aa) U.S.A.

The regulation that most influences the environment for risk management in the U.S. is the Sarbanes-Oxley Act of 2002144. This law was enacted as a reaction to a series of corporate scandals in the U.S. (especially the cases of Enron145 and WorldCom146) and was meant to restore the trust of shareholders in investing in U.S. corporate stocks.147 Being a corporate governance regulation, SOX does not use the expression "risk management" anywhere. Its provisions mainly create a new framework for mandatory annual

140 Provision 4.1.3, German Corporate Governance Code 2008.
141 § 25a KWG and § 64a VAG.
142 Under § 33 I WpHG (being a transposition of the MiFID Directive provisions), all investment firms ("Wertpapierdienstleistungsunternehmen") have to ensure that the company itself, as well as its employees, follow (i.e. are compliant with) the provisions of German securities trading law.
143 The requirement of corporate compliance has not been defined expressis verbis, but failure to establish a compliance system may, under some circumstances, entail negative legal consequences (§ 130 (1) OWiG), K. Rogall, in: L. Senge [ed.], Karlsruher Kommentar zum OWiG (2006), para 1-116; Ch. Hauschka, Der Compliance-Beauftragte im Kartellrecht, BB 2004, p. 1178.
144 Sarbanes-Oxley Act of 2002, H. R. 3763.
145 Report of Investigation by the Special Investigative Committee of the Board of Directors of Enron Corp. of 1 February 2002, available at: http://news.findlaw.com/hdocs/docs/enron/sicreport/index.html.
146 Report of Investigation by the Special Investigative Committee of the Board of Directors of WorldCom, Inc. of 31 March 2003, available at: http://www.edgar-online.com/bin/irsec/finSys_main.asp?dcn=0000931763-03001862&x=118&y=17.
147 L. Johanning in: W. Ballwieser, W. Grewe [ed.], Wirtschaftsprüfung im Wandel (2008), p. 280.


audits and financial reporting tools. Still, the introduction of SOX had a quite strong impact on shaping the environment for risk management.148 The most important parts affecting RMS are Sections 302 and 404 SOX. Sec. 404 SOX requires the establishment of an adequate internal control system, whose effectiveness for financial reporting purposes has to be assessed; under Section 302 SOX, management has to disclose this assessment in the annual or quarterly report. At the same time, auditors have the duty to review and attest to management's effectiveness reports.149 Under Sec. 409 SOX there is a strict obligation to have a monitoring system that, on a "rapid and current basis", detects and provides "such additional information concerning material changes in the financial condition or operations". Still, all of those provisions remain more in the sphere of financial reporting and internal controls than in that of risk management mechanics. Concerning the fulfilment of Sec. 404 SOX, the SEC and the Public Company Accounting Oversight Board (PCAOB) developed as guidance Auditing Standard (AS) No. 2, which contains a "top-down risk assessment".150 The advantage of this guidance is that it enables the company to develop tools useful for the effective and early detection of significant risks to the company.151 Another guide for a risk management system is the COSO Enterprise Risk Management – Integrated Framework.152

Even though a direct general requirement to establish a risk management system (or part of one) can hardly be found in any U.S. act, an important provision on this issue can be found in the U.S. Model Business Corporation Act of 2005153. Under Sec. 8.01 (c) MBCA, the corporation's board has to pay "attention to major risks to which the corporation is or may be exposed" and to the "effectiveness of the corporation's internal controls". But "administration of risk management is not a board function coming within the ambit of directors' duties".154 In addition, under Regulation S-K, companies admitted to a stock exchange have to fulfil very detailed requirements on disclosing their risk positions within financial reporting.155

148 R. Moeller, COSO Enterprise Risk Management (2007), p. 182.
149 H. Williams, Federal banking law and regulations (2007), pp. 245-246.
150 W. Fletcher, T. Plette, The Sarbanes-Oxley Act (2008), pp. 44-45.
151 M. Ramos, How to comply with Sarbanes-Oxley section 404 (2006), pp. 19-20.
152 D. Olson, D. Wu, Enterprise Risk Management (2007), pp. 35-36.
153 Available at: http://www.abanet.org/buslaw/committees/CL270000pub/nosearch/mbca/assembled/20051201000001.pdf.
154 Committee on Corporate Laws of the American Bar Association, Model business corporation act annotated: official text with official comments and statutory cross-references, 2005, para 8-52.
155 Item 101, 303, 305 and 503c, Standard Instructions for Filing Forms under the Securities Act of 1933, Securities Exchange Act of 1934, and Energy Policy and Conservation Act of 1975 – Regulation S-K, available at: http://www.law.uc.edu/CCL/regS-K.html; A. Gutterman, The legal considerations in business financing (1994),


When it comes to risk management within the financial services sector, the situation is very complicated. In the U.S. there are three banking supervisors:

• Federal Reserve (Fed)
• Office of the Comptroller of the Currency (OCC)
• Office of Thrift Supervision (OTS),

four supervisors for non-banking financial institutions:

• National Credit Union Administration (NCUA)
• Financial Industry Regulatory Authority (FINRA)
• Federal Deposit Insurance Corporation (FDIC)
• Commodity Futures Trading Commission (CFTC)

and two securities regulators:

• Securities and Exchange Commission (SEC)
• Financial Industry Regulatory Authority (FINRA)

All of those authorities use very different approaches to overseeing risk management practices, and because of the high fragmentation and general overlap in responsibilities and activities, regulators may have only a limited view of an institution's risk management.156 This hurts the effectiveness of U.S. financial supervision, including the making of risk management rules.

Another weak point in the U.S. system is the application of the Basel II recommendations. The U.S. only recently started adopting those standards.157 Still, the extent of application is not clear: the implementation generally concerns the supervisory review of capital adequacy, and the Basel II advanced approaches apply only to very narrowly defined banking institutions.158

bb) European Union

In Europe, the issue of risk management has typically been regulated under national corporate governance codes. It is very common that this regulation has been closely related to the

pp. 71-72; R. Gallati, Risk management and capital adequacy (2003), p. 117; C. Rogers, Financial reporting of environmental liabilities and risks after Sarbanes-Oxley (2005), pp. 296-297.
156 United States Government Accountability Office (GAO), Financial Regulation – Review of Regulators' Oversight of Risk Management Systems at a Limited Number of Large, Complex Financial Institutions (2009), p. 2, available at: http://www.gao.gov/new.items/d09499t.pdf.
157 According to the U.S. Federal Reserve (Fed) guidance, available at: http://www.federalreserve.gov/GeneralInfo/basel2/USImplementation.htm#Current.
158 Ibid.


requirements of corporate internal controls.159 Still, as the EU has gained greater influence in the field of corporate and business law,160 the area of risk management has also been added to the agenda during the last five years. The main general provisions touching this issue have been included in the following directives: Directive 2004/109/EC (Transparency Directive)161, Directive 2003/71/EC (Prospectus Directive)162, Directive 2006/46/EC (amending the Accounting Directives)163 and Directive 2006/43/EC (Audit Directive)164.

A direct requirement to establish a corporate risk management system has not been included in any of them. Still, under Art. 4 Sec. 2(c) of the Transparency Directive 2004/109/EC the management of a company is obliged to include in the company's annual report a "description of the principal risks and uncertainties" that the company is facing. The scope of this provision covers companies whose "securities have been admitted to trading on a regulated market situated or operating within an EU member state".165 In addition to Art. 4 Sec. 2(c), Directive 2004/109/EC also requires the management to disclose the "principal risks and uncertainties for the remaining six months of the financial year" in the half-yearly interim management report (being part of the half-yearly financial report).166 A somewhat different requirement on disclosing risk information has been included in the Prospectus Directive 2003/71/EC. Here, under Art. 5 Sec. 2, before an initial public offering (IPO) a company has to disclose in its prospectus, "in a brief manner and in non-technical language", "the essential characteristics and risks associated with the issuer".167 Still, in both cases the European law on financial reporting requires only the disclosure of information on risk. To

159 Ch. Van der Elst, M. van Daelen, Risk Management in European and American Corporate Law (2009), p. 27.
160 C. Timmermans, Company Law as Ius Commune?: First Walter van Gerven Lecture (2002), available at: http://www.law.kuleuven.ac.be/ccle/pdf/wvg1.pdf.
161 Directive 2004/109/EC of the European Parliament and the Council of 15 December 2004 on the harmonisation of transparency requirements with regard to information about issuers whose securities are admitted to trading on a regulated market, OJ L 390/38.
162 Directive 2003/71/EC of the European Parliament and the Council of 4 November 2003 on the prospectus to be published when securities are offered to the public or admitted to trading and amending Directive 2001/34/EC, OJ L 345/64.
163 Directive 2006/46/EC of 14 June 2006 of the European Parliament and of the Council amending Council Directives 78/660/EEC on the annual accounts of certain types of companies, 83/349/EEC on consolidated accounts, 86/635/EEC on the annual accounts and consolidated accounts of banks and other financial institutions and 91/674/EEC on the annual accounts and consolidated accounts of insurance undertakings, OJ L 224/1.
164 Directive 2006/43/EC of the European Parliament and the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC, OJ L 157/87.
165 Art. 1 para 1, Directive 2004/109/EC.
166 Art. 5 para 4, Directive 2004/109/EC.
167 This provision has been specified by Commission Regulation (EC) No 809/2004 of 29 April 2004 implementing Directive 2003/71/EC of the European Parliament and of the Council as regards information contained in prospectuses as well as the format, incorporation by reference and publication of such prospectuses and dissemination of advertisements, OJ L 149/1. Under ANNEX I para 4 and ANNEX III para 2, the risk factors associated with the issuer cover those "specific to the issuer or its industry" or "material to the securities being offered and/or admitted to trading in order to assess the market risk associated with these securities".


fulfil these requirements the companies do not have to establish a sophisticated risk management system. A simple system for identifying and monitoring risks and uncertainties will be sufficient.

Under EU law there are also requirements on the effectiveness of risk management and a duty to monitor it. With the Audit Directive 2006/43/EC, the audit committee168 not only has the task to "monitor the financial reporting process", it also has the duty to "monitor the effectiveness of the company's internal control (...) and risk management system".169 At the same time, the statutory auditor will report to the audit committee on any weaknesses in the internal control system (in Germany to be implemented with the BilMoG, § 171 (1) sent. 2 AktG-E).170 Due to the latest amendments, companies listed on stock exchanges are covered by the requirement to disclose the main features of any existing risk management systems and internal controls in relation to the financial reporting process in the annual corporate governance statement.171 So, the requirements related to risk management have been defined indirectly, within financial reporting and auditing duties.

There are also some stricter, specific provisions on risk management in regard to the financial sector within EU law. With the introduction of the MiFID Directive 2004/39/EC172, the first effort to integrate European financial markets and establish a "risk-sensitive"173 regulatory framework was made. Under Art. 13 investment firms shall "have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for information processing systems".

Under Art. 39 (b) MiFID, Member States shall require the regulated market to be adequately equipped to manage the risks to which it is exposed, to implement appropriate arrangements and systems to identify all significant risks to its operation, and to put in place effective measures to mitigate those risks. This serves as a general framework. Specification can be

168 Under EU law it is a general obligation for every public-interest entity to have an audit committee. It may be composed of "non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders" of the company, Art. 41 Sec. 1, Directive 2006/43/EC.
169 Art. 41 para 2 (b), Directive 2006/43/EC.
170 Art. 41 para 4, ibid.
171 This "in relation to the financial reporting process" and "in relation to the process for preparing consolidated accounts" – Art. 1, para 7 and Art. 2, para 2, Directive 2006/46/EC.
172 Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC, OJ L 145/1.
173 Recital 5, Directive 2004/39/EC.


found in other directives regulating financial markets. Directive 2002/87/EC,174 which has a much wider scope of applicability (covering not only investment firms, but also credit institutions and insurance undertakings), introduces in Art. 9 (2) a requirement of adequate risk management. This act also deals with risk concentration175 issues and capital adequacy requirements176 (implementing the Basel II framework).

A detailed requirement to establish risk management for investment firms has been set up under Art. 7 of Directive 2006/73/EC.177 This provision not only provides for the obligation to have a risk identification and communication system, but requires a fully functioning risk management system including risk assessment, treatment and monitoring. This is realised with a more decentralized approach within the investment firm's structure: it is senior management (i.e. the persons who direct the business) that has been made responsible for fulfilling this requirement178.

cc) National corporate governance code

Provisions on risk management can also be found in other national regulations. Typically this takes place in the national corporate governance code. In the UK, the main focus is on corporate internal controls. The general management obligation to establish "a sound system of internal control" has been defined under principle C.2 of the Combined Code on Corporate Governance (CCCG) of 2008.179 Under provision C.2.1, risk management has been defined as a material part of the internal control system. The provisions of the Dutch Corporate Governance Code (DCGC)180 require that companies shall have an internal risk management and control system that is suitable for the company (provision II.1.3 DCGC). The management board directly bears the duty of managing the risks associated with the company's activities and shall discuss questions of risk management with the supervisory board

174 Directive 2002/87/EC of the European Parliament and of the Council of 16 December 2002 on the supplementary supervision of credit institutions, insurance undertakings and investment firms in a financial conglomerate and amending Council Directives 73/239/EEC, 79/267/EEC, 92/49/EEC, 92/96/EEC, 93/6/EEC and 93/22/EEC, and Directives 98/78/EC and 2000/12/EC of the European Parliament and of the Council, OJ L 35/1.
175 Recital 29, Directive 2002/87/EC.
176 Art. 6 and 7, Directive 2002/87/EC.
177 Commission Directive 2006/73/EC of 10 August 2006 implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organizational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive, OJ L 241/26.
178 Art. 7 para 1 (c) (ii), Directive 2006/73/EC.
179 Financial Reporting Council (FRC), The Combined Code on Corporate Governance (2008), available at: http://www.frc.org.uk/documents/pagemanager/frc/Combined%20code%202006%20OCTOBER.pdf.
180 Monitoring Commission on Corporate Governance Code, The Dutch Corporate Governance Code - Principles of Good Corporate Governance and Best Practice Provisions, December 2008, available at: http://www.corpgov.nl/page/downloads/CODE%20DEF%20ENGELS%20COMPLEET%20III.pdf.


and its audit committee.181 A quite interesting and modern construction has been established under the recently amended Belgian Code on Corporate Governance (BCGC).182 Under guideline 1.1 BCGC, within the requirement of adopting a clear corporate governance structure, the management board's duty is to enable risks to be assessed and managed. This has been defined as a critical point in pursuing the long-term success of the company, where the definition of the company's risk profile has been placed on the same level as defining strategy and core values.183 At the same time, the role of the supervisory board has been extended to that of a body approving the "framework184 of internal control and risk management"185 designed by the management.

All of those regulations have the same character, as they are not directly binding on the companies. Requirements on risk management are mostly applicable on a "comply or explain" basis.186

dd) Basel II and Solvency II

A prominent position in the regulation of the international financial system has been reserved for the so-called "Basel Accords": international financial standards formulated by the Basel Committee on Banking Supervision (BCBS), having no direct legally binding effect187 and not being part of international law.188 From the perspective of risk management, the most important part of that framework is the second Accord (Basel II)189.

Basel II is intended to provide an overall system of risk-based supervision and risk management for banks.190 The accord describes rules for handling five types of risk:

• Credit risk
• Market risk
• Operational risk
• Liquidity risk
• Legal risk

181 Principle II.1, Dutch Corporate Governance Code 2008, see supra.
182 Belgian Corporate Governance Committee, The 2009 Belgian Code on Corporate Governance, March 2009, available at: http://www.corporategovernancecommittee.be/library/documents/final%20code/CorporateGov%20UK%202009%205.pdf.
183 Principle 1.2, Belgian Code on Corporate Governance 2009.
184 The framework has to "describe the main features of the company's internal control and risk management systems" and has to be "disclosed in the Corporate Governance Statement". See below.
185 Principle 1.3, Belgian Code on Corporate Governance 2009.
186 The "comply or explain" rule in corporate law means that companies are required to disclose whether they follow the recommendations of corporate governance codes and, if not, to state their reasons for non-compliance, C. Mallin, Corporate Governance (2007), p. 169.
187 As they are neither part of customary international law nor international treaties, A. Powell, Basel II and developing countries (2004), p. 4; D. Kaltofen, S. Paul, S. Stein, Retail Loans & Basel II: Using Portfolio Segmentation to Reduce Capital Requirements (2005), p. 3.
188 K. Alexander, R. Dhumale, J. Eatwell, Global governance of financial systems (2006), p. 136.
189 Available at: http://www.bis.org/publ/bcbs128.htm.
190 D. Arner, Financial stability, economic growth, and the role of law (2007), p. 212; M. Kort in: K. Hopt, H. Wiedemann [ed.], Aktiengesetz Großkommentar (2008), § 91 para 114.

In its structure, Basel II is divided into three main thematic blocks, the "Pillars".

Pillar I addresses minimum capital requirements. Under the Basel Accords banks are required to hold a certain level of own capital guaranteeing their solvency. The minimum capital requirement is expressed as the ratio of (total) capital to risk-weighted assets. Banks can choose among three methods to calculate the risk-weighted assets:

• Standardized approach – the bank's risk is assessed on the basis of external rating assessments (e.g. using ratings by rating agencies like Standard & Poor's, Moody's or Fitch); this is the most commonly used approach in the financial industry191
• Foundation internal ratings-based (IRB) approach – allows banks to use their own system for measuring risk, but built on standards provided by the national supervisors192
• Advanced IRB approach – more sophisticated and more risk-sensitive than the previous one. Banks can use this approach only subject to approval from their local regulators.193

No matter which approach the banks apply, they are obliged to maintain a minimum ratio of capital equal to at least 8% of risk-weighted assets.

Pillar II addresses supervisory review. The national supervisory bodies have to ensure that the banks have adequate capital and appropriate systems in place for measuring, managing and monitoring risks.194 Supervisors have been given stronger instruments in order to monitor and enforce the standards on minimum capital and risk management.195

Pillar III, disclosure requirements, is also called market discipline196. Within Pillar III, there are several rules concerning the disclosure of information on the risk management process. Its aim is to create more transparency in the financial market, so that all stakeholders (creditors,
191 M. Crouhy, D. Galai, R. Mark, The essentials of risk management (2006), p. 72.
192 D. Tarullo, Banking on Basel (2008), p. 124.
193 M. Crouhy, D. Galai, R. Mark, The essentials of risk management (2006), p. 72.
194 A. Griffiths, S. Wall, Applied economics (2007), p. 429.
195 J. Barth, G. Caprio, R. Levine, Rethinking bank regulation (2006), p. 3.
196 I. Akkizidis, V. Bouchereau, Guide to optimal operational risk & Basel II (2006), p. 103.


shareholders) can assess whether the bank has correctly measured and managed its risks.197 This is intended to work as a supplement to the banking supervision system, as professional investors and financial analysts are seen as a powerful instrument enhancing the implementation of the Basel II standards by banks.198

The Solvency II199 framework serves the insurance industry as the equivalent of Basel II.200 Both have been developed on the same principles, with a three-pillar structure covering capital adequacy, supervision and risk management issues.

b) Compliance

The most prominent regulation on corporate compliance is the Sarbanes-Oxley Act. This act established a general framework of requirements for corporate governance standards in the U.S. The process of implementing and monitoring adherence to the SOX standards can be considered the basis of the organizational approach to corporate compliance. At its core, SOX deals with requirements on internal controls (Sec. 302), assessment of internal control and auditing (Sec. 404), as well as criminal penalties for violations of SOX (Sec. 802 and 1107). Those provisions are supplemented by the general requirement of the MBCA. Under Sec. 8.01 (c) (4) MBCA, "the board's oversight responsibilities include attention to policies and practices to foster the corporation's compliance with law and ethical conduct". The importance of corporate compliance programs has also been underlined in U.S. case law, in the 1996 Caremark landmark decision201 and the 2006 decision in Stone v. Ritter202. It has to be stressed that SOX is very costly to comply with and is generally blamed for the current low interest of international corporations in the U.S. capital market.203 Even so, some
197 D. Chorafas, Stress testing for risk control under Basel II (2007), pp. 314 et seq.
198 I. Akkizidis, V. Bouchereau, Guide to optimal operational risk & Basel II (2006), p. 103.
199 European Parliament legislative resolution of 22 April 2009 on the amended proposal for a directive of the European Parliament and of the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (recast) (COM(2008)0119 – C6-0231/2007 – 2007/0143(COD)).
200 A. Adam, Handbook of Asset and Liability Management (2008), p. 378.
201 Much of the current standard of directors' duty of care in the oversight and monitoring context derives from the 1996 Caremark decision, B. Banks, Corporate Legal Compliance Handbook (2002), pp. 74 et seq.; D. Burke, D. Guy, K. Tatum, Audit Committees (2008), para 12.01 et seq.
202 The Delaware Supreme Court affirmed the Caremark standard for directors' duty with respect to corporate compliance programs in its decision in Stone v. Ritter of 6 November 2006; Ch. Van der Elst and M. van Daelen, Risk Management in European and American Corporate Law (2009), p. 23, available at: http://ssrn.com/abstract=1399647; M. Biegelman, Building a World-Class Compliance Program (2008), p. 77.
203 S. Bainbridge, The complete guide to Sarbanes-Oxley (2007), pp. 242, 247.


countries took the SOX as a model when implementing their own corporate governance regulations, such as Japan204, Canada205 or Australia206.207

It is also very common for a general requirement of compliance with the law and with internal corporate regulations to be included in national corporate governance codes, as in the UK208, Belgium209, the Netherlands210 or Italy211. The EU, on the other hand, has started to provide industry-specific compliance standards for the energy212, chemical213 and food production214 sectors.

204 The Act for the Amendment of the Securities and Exchange Act, etc. (Act No. 65 of 2006) and the Act for the Development, etc. of Relevant Acts for Enforcement of the Act for the Amendment of the Securities and Exchange Act, etc. (2006 Act No. 66), available at: http://www.fsa.go.jp/common/diet/164/index.html.

205 i.a. Certification of disclosure in issuers’ annual and interim filings (MI-52-109).

206 Corporate Law Economic Program – Audit reform and corporate disclosure (CLERP-9), available at: http://scaleplus.law.gov.au/pasteact/3/3673/top.htm.

207 I. Bizmanualz, Finance & Treasury Procedures for Compliance and Performance (2008), p. 438; A. Tarantino, Manager's guide to compliance (2006), pp. 82-83.

208 C.2.1.1, The Combined Code on Corporate Governance 2008, see supra fn. 179.

209 Principle 5.2./14, The 2009 Belgian Code on Corporate Governance, see supra fn. 182.

210 Principle II.1, The Dutch corporate governance code, see supra fn. 180.

211 Article 8 Principle 2, Italian Corporate Governance Code, available at: http://www.borsaitaliana.it/chi-siamo/ufficio-stampa/comunicatistampa/2006/codiceautodisciplina.en_pdf.htm.

212 Proposal for a directive of the European Parliament and of the Council amending Directive 2003/54/EC concerning common rules for the internal market in electricity, COM (2007) 528 Final.

213 So-called REACH Regulation – Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), establishing a European Chemicals Agency, amending Directive 1999/45/EC and repealing Council Regulation (EEC) No 793/93 and Commission Regulation (EC) No 1488/94 as well as Council Directive 76/769/EEC and Commission Directives 91/155/EEC, 93/67/EEC, 93/105/EC and 2000/21/EC, OJ L 396/1.

214 Food safety laid down in: Regulation (EC) No. 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety, OJ L 031/1.


IV. Current financial crises and economic losses due to non-compliant behaviour. Comparing the legal risk management and compliance framework

The current financial crises can be described by three main elements: the mortgage crunch caused by the crisis in the sub-prime market, the financial crisis, and the economic recession. All three occurred one after another and can be seen as stages in how the current economic situation arose. This chapter is divided into three parts describing the main stages in which the current economic situation developed. Each stage includes a closer look at the risk management and compliance mechanisms that influenced the current crisis at the corporate and market level.

1. Sub-prime crunch

a) General overview

It has been widely recognized that the current economic turbulence has its origins in the U.S. mortgage market. Between 2002 and 2007, the U.S. real estate market experienced a rapid investment boom. This was especially due to the government policy of “a house for every household”. Under this policy, each household in the U.S. should be offered the opportunity to own a house. Private individuals, especially those of middle and lower-middle income, received access to cheap credit for financing new houses. The U.S. government saw this as a valuable opportunity for further long-term economic development based on a fast-growing construction sector. The policy could be considered a full success. Demand for new houses grew steadily as U.S. citizens started to buy more and more houses (quite often several). The construction segment started to boom and, due to excess demand, real estate prices started to grow fast as well. The boom trend remained stable for five years. This was possible especially thanks to very borrower-friendly mortgage-secured credit instruments like the ARM (adjustable-rate mortgage). Under an ARM, households obtained cheap credit that sometimes exceeded the price of the mortgaged property. The only security was the mortgage established on the purchased real estate. Quite often, during an initial period of up to 3 years, borrowers needed to pay only interest. Those conditions were possible because real estate prices were


rising rapidly, so in theory, if the credit defaulted, the loan could be repaid from the mortgage, as the value of the house would after a short time exceed the secured sum. In parallel, the international financial market was very interested in supplying capital in order to profit from the real estate boom.215 The trust in future development made it possible for American institutions to combine several ARMs into one instrument called a mortgage-backed security. Those securities had excellent ratings, so investors were not inclined to examine their “ingredients” and to assess the related risks. As capital was flowing in broadly, and in order to perpetuate the real estate boom, U.S. institutions started to grant credit to more and more risky borrowers.

Illustration 6 – traditional model of mortgage lending vs. mortgage-backed securities (Source: BBC, http://news.bbc.co.uk/2/hi/business/7073131.stm)

This could only work as long as real estate prices kept appreciating. In 2007, the real estate market was oversupplied, prices went down and a sharp rise in U.S. mortgage default rates occurred.216 Houses covered by defaulted mortgages could not be sold. A historical depth of

215 The booming real estate market was the reason that between 2001 and 2006 the United States was able to attract $ 3,573 billion (the “lion’s share”) of world capital outflows (International Monetary Fund data), M. Fratianni, Financial crises, safety nets and regulation (2008), available at: http://ssrn.com/abstract=1286903.

216 S. Schwarcz, Understanding the subprime crises, South Carolina Law Review (Vol. 60/2009), pp. 550-552; The downturn in facts and figures, BBC NEWS 21.11.2007, available at: http://news.bbc.co.uk/2/hi/business/7073131.stm.


the fall in housing prices was the biggest impact.217 Mortgage specialists like Freddie Mac and Fannie Mae were also on the way to insolvency.218 The sub-prime crunch had begun.

b) Risk management failures

Wrong and negligent risk management systems within the institutions active in the U.S. mortgage market can be seen as the main reason for the sub-prime crunch. First of all, banks active in the U.S. real estate financing market, due to the regulatory framework as well as the easy access to capital, disregarded the importance of proper risk assessment.219 On one side, they had numerous customers wanting to take a loan and booming real estate prices that were increasingly boosting the value of mortgages. On the other side, mortgage banks enjoyed an extremely high interest of international financial institutions in supporting U.S. real estate lending by buying mortgage-based financial instruments (asset-backed securities). Very smartly, several single mortgages were securitized, according to risk classes, within one financial instrument, which was later acquired by financial institutions on the international market. Those backed securities were seen as a very attractive financial product, so demand for them was high. U.S. banks faced a situation where the high demand for mortgage loans could be easily matched. This was an incentive to make access to mortgage loans easier in order to achieve further profit from the market. Due to a mid-term assumption of constantly rising real estate prices and a constant credit default rate, banking institutions overlooked potential risks.

U.S. financial institutions were not interested in the quality of the mortgage loans, as the suppliers of additional capital, when assessing the risks related to U.S. mortgage-based securities, relied primarily on the ratings granted by rating agencies. Those ratings were excellent,220 as the U.S. real estate market was booming, the banks’ financial situation was sound and the safety of the mortgages was seen as adequate. But the rating agencies assessing those backed instruments did not assess the quality of the underlying mortgages either. The result was that the quality of the mortgage institutions’ loan portfolios declined dramatically.221 The assessment

217 G. Gorton, The Panic of 2007, Nat’l Bureau of Econ. Research, Working Paper No. 14358 (2008), pp. 49-50, available at: http://www.nber.org/papers/w14358.

218 D. Bogoslaw, Fannie Mae and Freddie Mac: A Damage Report, BusinessWeek 29.08.2008, available at: http://www.businessweek.com/investor/content/aug2008/pi20080828_330540.htm.

219 A. Murphy, An Analysis of the Financial Crisis of 2008: Causes and Solutions (2008), p. 5, available at: http://ssrn.com/abstract=1295344.

220 R. Whalen, The Subprime Crisis -- Cause, Effect and Consequences, Indiana University, Networks Financial Institute Policy Brief 2008-PB-04, p. 12.

221 The downturn in facts and figures, BBC NEWS 21.11.2007, available at: http://news.bbc.co.uk/2/hi/business/7073131.stm.


of the borrowers’ financial situation was not carried out. The simplified credit-granting procedure required only an appraiser’s assessment of the property value to approve a credit, so the borrower’s financial situation lost its importance. The quality of the loan portfolio declined also because banks very commonly hired third parties, mortgage brokers, who focused only on bringing in new borrowers. Those brokers very often abused the agency relationship in order to acquire new customers.222 Banks themselves lost control over the granted loans and, as the events of 2007 showed, only a rapid rise in the loan default rate, reinforced by a macroeconomic slowdown, was needed to bring about a financial earthquake.

c) Compliance failures

The structure of sub-prime mortgage loans also shows a high degree of compliance negligence. From the macro perspective, the U.S. regulatory framework did not provide sufficient brakes to slow down the increasingly wild mortgage market boom and subject it to safety requirements.223 On the contrary, as strengthening the real estate market was a national policy, regulation of the mortgage market was kept very liberal.224 It has to be stressed that the stricter risk management requirements of the Basel II framework had not been adopted in the U.S. at all at this time.

At the corporate level, the negligence was even greater. Institutions engaged in mortgages had not adopted a proper protective compliance structure for their loan business activities. The lack of appropriate internal rules and effective procedures made it possible to lose control over their sub-prime activities. When the crisis occurred in 2007, U.S. banking institutions were not equipped with adequate internal control, risk management and compliance systems that would have provided them with a quality system and an early risk detection framework. Effective systems of this kind would have helped to soften the impact or even to prevent the crisis from happening. Monitoring the quality of the loan portfolio can be seen as a very important management duty. The broader compliance problems of U.S. mortgage institutions can be seen very well in the cases of Fannie Mae and Freddie Mac. Both institutions worked as mortgage specialists, buying mortgages from approved mortgage sellers. They were also active as intermediaries, securitizing the mortgages they owned into mortgage-backed securities and selling

222 Ibid.

223 C. Reinhart, K. Rogoff, Is the 2007 U.S. Sub-Prime Financial Crisis So Different? An International Historical Comparison, Harvard University Working Paper 5.02.2009, pp. 10-11, available at: http://www.economics.harvard.edu/faculty/rogoff/files/Is_The_US_Subprime_Crisis_So_Different.pdf.

224 S. Schwarcz, Understanding the subprime crises, South Carolina Law Review (Vol. 60/2009), pp. 566 et seq.


them to investors in the secondary mortgage market. Fannie Mae faced an accounting scandal in 2004 involving inappropriate accounting and internal control systems (total cost of restatement $6.3 billion),225 and in 2006 Freddie Mac was fined $3.8 million by the Federal Election Commission for illegal fund-raising for members of the House Financial Services Committee, a regulator that supervises mortgage-based financial institutions in the U.S.226 Both companies became part of the U.S. government’s bailout program227 and are seen as co-responsible for the sub-prime crunch.

2. Global credit crunch and financial crises

a) General overview

The falling house prices in the U.S. and the construction of mortgage-backed securities spread the impact of the sub-prime crisis very fast to other sectors of financial services, not only in the U.S. but also worldwide.228 Falling sub-prime securitization prices undermined the financial position of several banks in 2008. The first victim was the U.S. bank Bear Stearns; due to problems with its engagement in the sub-prime market, it could only be saved from insolvency by merging with J.P. Morgan, supported by the U.S. state in the form of public funds and guarantees.229 At the same time, the biggest underwriter of mortgage-backed securities, the U.S. investment bank Lehman Brothers, had to make enormous write-downs because of its troubled mortgage portfolio.230 The problem of Lehman Brothers was that it held too large positions in sub-prime and other mortgage-backed securities.231 In September 2008 Lehman had to file for bankruptcy in order to find protection from its creditors. The negative developments in asset-backed securities (including mortgage-based

225 Fannie Mae, Annual Report on Form 10-K, pp. 39 et seq., available at: http://www.fanniemae.com/ir/pdf/sec/2006/form10k_120606.pdf.

226 Z. Goldfarb, D. Cho, B. Appelbaum, Treasury to Rescue Fannie and Freddie: Regulators Seek to Keep Firms' Troubles From Setting Off Wave of Bank Failures, Washington Post, p. A01, available at: http://www.washingtonpost.com/wp-dyn/content/article/2008/09/06/AR2008090602540.html?hpid=topnews.

227 C. Barr, Fannie, Freddie: The biggest losers, CNNMoney.Com, 7.09.2008, available at: http://money.cnn.com/2008/09/07/news/economy/shareholder_wipeout.fortune/index.htm.

228 J. Garfinkel, J. Sa-Aadu, A Decade of Living Dangerously: The Causes and Consequences of the Mortgage and Financial Crises (2008), pp. 23 et seq., available at: http://ssrn.com/abstract=1331294.

229 F. Allen, A. Babus, E. Carletti, Financial Crises: Theory and Evidence (2009), p. 2.

230 $2,8 billion only in the second quarter of 2008, source: J. Anderson, E. Dash, Struggling Lehman Plans to Lay Off 1,500, The New York Times from 29.08.2208, available at: http://www.nytimes.com/2008/08/29/business/29wall.html?em.

231 J. Anderson, E. Dash, Struggling Lehman Plans to Lay Off 1,500, The New York Times from 29.08.2208, available at: http://www.nytimes.com/2008/08/29/business/29wall.html?em.


portfolios) also disrupted other big U.S. financial institutions like Citigroup,232 Merrill Lynch233 or AIG234. Very quickly, the sub-prime crunch also hit non-U.S. institutions. The U.K. mortgage-specialized bank Northern Rock faced deep liquidity problems between 2007 and 2008. It would have had to file for insolvency had it not been nationalized.235 The Swiss bank UBS wrote off a total of $37 billion on U.S. mortgage-related loans, and its survival could not be assured without raising additional capital from investors.236 U.S. mortgage-backed securities were also part of the security portfolios of several German banks. Hypo Real Estate had to be nationalized, and several institutions like Commerzbank or the state-owned Landesbanken had to make record write-downs and seek survival under the umbrella of the national bail-out program.

But it is not only the sub-prime market that can be held responsible for the financial crisis. The U.S. sub-prime crunch hurt not only mortgage-based instruments but also all other structured asset-backed securities (ABS).237 Like a domino effect, the instability of fixed-income instruments also negatively influenced other instrument markets.238 The fall of the U.S. financial system, including the insolvency of Lehman Brothers, had an unexpected impact on the worldwide financial market. The market for credit default swaps (CDS)239 can be seen as a perfect example. The collapse of Bear Stearns, followed by the insolvency of two AIG hedge funds and later the insolvency of Lehman Brothers, disrupted this market deeply. Due to their insolvency, those institutions defaulted as parties to contracts, so millions of CDS ceased to exist. This was a huge hit to the hedging strategies of the remaining parties. They had to replace those instruments, but at a much higher price.

The sub-prime crunch and the fall of big international financial institutions brought destabilization of the interbank markets. Interbank markets play a key role in financial

232 Singing the blues, The Economist 27.11.2008, available at: http://www.economist.com/businessfinance/displayStory.cfm?story_id=12689930.

233 B. Miller, C. Kong Ho, Merrill Lynch Cut to ‘Sell' at Goldman on Writedowns, Bloomberg, 5.09.2008, available at: http://www.bloomberg.com/apps/news?pid=20601087&sid=aDWTPYeHBS8g&refer=home.

234 A lifeline for AIG, The Economist 17.08.2008, available at: http://www.economist.com/businessfinance/displayStory.cfm?story_id=12244993.

235 L. Lauren, Northern Rock Nationalized, Forbes.Com, 17.02.2008, available at: http://www.forbes.com/2008/02/17/northern-nationalize-bank-markets-cx_ll_0217northernrock.html.

236 R. Boyd, Another Swiss miss at UBS, CNNMoney.Com, 1.04.2008, available at: http://money.cnn.com/2008/04/01/news/companies/boyd_ubs.fortune/.

237 G. Krohn, W. Gruver, The Complexities of the Financial Turmoil of 2007 and 2008 (2008), pp. 11 et seq., available at: http://ssrn.com/abstract=1282250.

238 J. Garfinkel, J. Sa-Aadu, A Decade of Living Dangerously: The Causes and Consequences of the Mortgage and Financial Crises (2008), pp. 23 et seq., available at: http://ssrn.com/abstract=1331294.

239 A CDS is a swap contract where the buyer makes a series of payments to the seller and, in exchange, receives a pay-off if a credit instrument (e.g. bond or loan) goes into default (fails to pay). This instrument has been used very often in hedging strategies, M. Simkovic, Secret Liens and the Financial Crisis of 2008 (2009), American Bankruptcy Law Journal, Vol. 83 (2009), p. 271.


systems,240 serving as a platform supplying banks with the capital needed for their business operations. How far the interbank markets were destabilized can be seen in Illustration 7, which shows the change in Libor (London Interbank Offered Rate) during a very sensitive period in 2008. The crisis on the interbank markets caused a worldwide credit crunch, as banks had neither the resources for further loan operations nor enough trust to borrow them on the interbank markets.

Illustration 7 – changes in Libor rates in the middle of the financial crises (Source: http://www.economist.com/businessfinance/displayStory.cfm?story_id=12381995)

Generally speaking, the mortgage crunch disturbed bond markets, futures, swaps and many more. Financial institutions holding complex mortgage instruments in their portfolios had to account for huge value losses. This had an impact on the financial balance within those organizations. Hedging strategies, which very often used mortgage-backed securities that were low-risk in theory, were endangered. This had been the reason why those instruments were included in the portfolios of several institutions around the world. Mortgage market instability and the fall of the U.S. financial sector were bound to unbalance those portfolios. This was a step towards a total crisis. As the rating agencies for the first time evaluated the backed securities themselves and not only the financial situation of the issuing institutions, the ratings had to be corrected and dramatically lowered. Accounting for huge value losses in their books, and in order to fulfil minimum capital requirements, banks had to limit their lending business. The liquidity ratio of banks began to deteriorate rapidly.241 Some of them, overleveraged, went insolvent; most suffered deep problems. But the biggest impact was the crisis of trust. Banking institutions did not trust each

240 F. Allen, A. Babus and E. Carletti, Financial Crises: Theory and Evidence (2009), p. 10.

241 G. Krohn, W. Gruver, The Complexities of the Financial Turmoil of 2007 and 2008 (2008), pp. 24 et seq., available at: http://ssrn.com/abstract=1282250.


other and were not enthusiastic about keeping high capital flows (mutual borrowings, financing and refinancing) within the banking system. This was a heavy blow to the worldwide financial system.

b) Risk management failures

The failure of risk management causing the current financial crisis can be analysed at two levels: micro (corporate) and macro (systemic).

At the corporate level, institutions engaged in U.S. mortgage loans did not ensure the quality of their credit portfolios. Those mortgages, unhappily, were securitized by intermediaries and afterwards distributed to the international capital market. In securitizing, a superficial and automatic approach to assessing risk brought negative consequences. Asset-backed instruments were securitized relying only on very general risk classes of single mortgages provided by the mortgage-lending institutions themselves. “Backing” institutions did not assess the quality of the mortgage portfolio and assumed that the constantly growing real estate market would provide sufficient security. The next problem concerns investors who, when acquiring ABS on the financial market, evaluated securities only by the credit risk criterion, depending on the credit rating of those instruments given by rating agencies like Standard & Poor’s or Moody’s.242 Those ABS had excellent ratings, typically “AAA”.243 Asset-backed securities, being in fact bonds, had always been assumed to be “safe” instruments, so investors had no incentive to look “inside” those papers. Relying only on external credit ratings, they had no overview of what those instruments, especially in terms of quality, really contained. So, in reality, the process of securitizing and later acquiring ABS ran out of control. The very cursory risk management approach made early detection of several serious risks impossible.244 This created a financial pyramid in which, if one of the basic pillars defaulted, like the real estate market in the U.S., the whole system would collapse through the mortgage-backed securities. A similar situation could be observed on other markets, like the CDS market. Credit default swaps were widely used for hedging ABS portfolios.245 A CDS is, in fact, a credit risk transfer instrument. It serves as insurance in case a loan goes into

242 A. Murphy, An Analysis of the Financial Crisis of 2008: Causes and Solutions (2008), pp. 4-5, available at: http://ssrn.com/abstract=1295344.

243 R. Whalen, The Subprime Crisis -- Cause, Effect and Consequences, Indiana University, Networks Financial Institute Policy Brief 2008-PB-04, p. 12.

244 F. Ostrup, L. Oxelheim, C. Wihlborg, Origins and Resolution of Financial Crises; Lessons from the Current and Northern European Crises (2009), p. 11, available at: http://ssrn.com/abstract=1407613.

245 G. Krohn, W. Gruver, The Complexities of the Financial Turmoil of 2007 and 2008 (2008), p. 12, available at: http://ssrn.com/abstract=1282250.


default. The dissolution of CDS, due to the bankruptcies of big players (e.g. Lehman), and the realization of those contracts, due to the unexpected rise in mortgage loan defaults, were an additional element undermining the condition of international finance. Many critical voices blame the CDS market for its low transparency and general deregulation.246 The lack of transparency in some over-the-counter (OTC) derivative (including swap and future) markets has also caused difficulties and uncertainty about the risk of some counterparties.247

The current financial crisis shows two negative approaches within the risk management systems of financial institutions. The first concerns the assessment of credit and counterparty risks. Financial institutions, entering business with a party or acquiring a certain financial instrument, based their risk assessment on ratings given by international rating agencies. Financial institutions fully relied on and trusted those ratings, even though they had been prepared by private, non-regulated institutions, which means that the rating criteria and procedures were not disclosed. Failures in risk management systems are related to the fact that risk assessment was based on the assumption that those ratings would be correct. When the market situation changed and ABS instruments were dramatically devalued, financial institutions had to face not only huge write-downs but also holes in their portfolios. This also undermined the situation on the financial market, as no one was sure whether the present indicators were correct. The second negative approach was related to the complexity of financial products. Financial institutions lost control over the products they were offering and purchasing. In fact, they did not understand many of them. Without true understanding, an effective and adequate risk management system cannot be developed. For example, the Lehman Brothers bankruptcy in September 2008 forced markets to re-assess risk.248 The underestimation of counterparty risk exposure, especially cross-border exposure, needed to be controlled. As the IMF identifies:

246 F. Ostrup, L. Oxelheim, C. Wihlborg, Origins and Resolution of Financial Crises; Lessons from the Current and Northern European Crises (2009), p. 4, available at: http://ssrn.com/abstract=1407613.

247 International Monetary Fund, Lessons of the Financial Crisis for Future Regulation of Financial Institutions and Markets and for Liquidity Management (2009), p. 15, available at: http://www.imf.org/external/np/pp/eng/2009/020409.pdf.

248 F. Allen, A. Babus, E. Carletti, Financial Crises: Theory and Evidence (2009), p. 3.


“The crisis revealed surprisingly large exposures of non-U.S. banks to the U.S. sub-prime market and to Lehman Brothers, suggesting that the underlying vulnerabilities were under-appreciated by both bank risk managers and supervisors.”249

The underestimation of the interdependence of the international market can be demonstrated by taking a look at the credit default swap (CDS) market.

At the macro level, the current financial crisis serves as proof of the integration and interdependence of the global financial system. This was not matched by a common and unified legal framework or by international coordination. Exposure to systemic risk, where the event is related to disruption of the financial system as a whole, should not only be considered at the corporate level. Companies can prepare themselves with insurance, but real help and prevention can only be provided by central banks, national and international financial supervisors and other authorities.250 The current situation showed that there was no early cross-border detection system which would signal negative developments to come. Nor was there sufficient cross-border cooperation in neutralizing the impacts of the current financial crisis. There is a lot of room for closer coordination of international market supervision.

c) Compliance failures

The nature of the risk management failures of U.S. financial institutions shows that the compliance approach within the financial industry has not been a strong one. Even though the U.S. enjoys one of the strictest corporate compliance regulations worldwide, especially with the SOX, the strict regulatory approach to financial services is not as strong there as in many other countries. This is especially so as the Basel II accord had not been adopted in the U.S. at all before or during the crisis, and even now the planned implementation is to cover only the biggest financial institutions. Likewise, a large part of the institutions offering financial services, but classified as NBFIs (non-bank financial institutions),251 have been excluded from the stricter risk management and compliance requirements which U.S. banks have to fulfil. This liberal approach also concerns several financial instruments. For example, futures and other OTC

249 International Monetary Fund, Lessons of the Financial Crisis for Future Regulation of Financial Institutions and Markets and for Liquidity Management (2009), p. 16, available at: http://www.imf.org/external/np/pp/eng/2009/020409.pdf.

250 International Monetary Fund, Initial Lessons of the Crisis (2009), pp. 6-11, available at: http://www.imf.org/external/np/pp/eng/2009/020609.pdf.

251 Non-bank financial institutions – financial institutions that do not have a full banking license or are not supervised by a national or international banking regulatory agency, J. Carmichael, M. Pomerleano, Development and Regulation of Non-Bank Financial Institutions (2002), p. 12.


instruments have not been combined with securities regulations what creates a highly

deregulated environment in the U.S.252

The impact of this laissez-faire environment can be seen in the corporate crises of several U.S. financial institutions like Bear Stearns, Lehman Brothers or Merrill Lynch. Those institutions failed to create an effective internal control system that would include a standardized cross-divisional risk management and controlling system. As there was no obligation to fulfil regulatory requirements, and as the institutions themselves were not motivated to assign responsibility for it, no internal rules were developed enabling a complex, organization-wide understanding of and dealing with risks. As the example of Lehman shows, there was an understanding of risk, but “there was too much faith in complex, abstract mathematical models on risks. Due to the lack of Basel II implementation in the U.S., risks had not been identified and quantified within standardized categories. Risk management itself was a too decentralized process, and risk reporting within the corporation was processed individually and not collectively. The existing risk management itself had a low documentation and monitoring approach, and the level of leverage was extremely high. A group-wide risk portfolio did not exist, and several risks were overlooked.”253

The outcome of these deficiencies was that the company’s exposure to risks related to mortgage-backed securities became unprotected within its investment portfolio, which had negative consequences later on. Even though there were no regulatory compliance requirements, all of the named shortcomings could have been avoided by adopting best practice rules, like the COSO risk management framework.

But even a stricter regulatory approach could not have prevented the financial crisis from coming to Europe. An excellent example is the German Hypo Real Estate (HRE). This bank faced a deep corporate crisis in early 2008. Without help from the German bail-out program and later nationalization it would probably have become insolvent. As a report from the German Bundesbank states, HRE's “compliance with key banking regulations on managing liquidity and other market risks must be seen as nonexistent”.254 This occurred not least because the German financial-markets regulator BaFin was unable to enforce HRE's compliance, as German law does not allow BaFin to regulate holding companies. In addition, HRE was exposed, through its Irish subsidiary Depfa, to a very high extent to the U.S. mortgage-backed securities crunch. So even strict regulation implementing the Basel II framework was not able to ensure a serious and conscious corporate risk management and compliance approach. It has to be stressed that German banks lost between €200 billion and €300 billion on account of the financial crisis (it is estimated that only €100 billion has been written down).255

252 M. Simkovic, Secret Liens and the Financial Crisis of 2008, American Bankruptcy Law Journal, Vol. 83 (2009), p. 288.
253 Based on an interview with Alex Davidson, former head of compliance and regulation at Lehman Brothers. Source: Complinet, Compliance has greater role than before crisis, says ex-Lehman head of compliance, http://www.complinet.com/connected/news-and-events/webcasts/great-crash/share/great-crash-articleA.pdf.
254 D. Crawford, M. Walker, German Regulator Warned of Hypo Bank Problems Before Bailout, WSJ from 28.05.09, p. A6, available at: http://209.85.135.132/search?q=cache:J5KpI11AKOAJ:online.wsj.com/article/SB124346085723259931.html.

3. Economic recession

a) General overview

As a result of the credit crunch on the market, access to capital in the form of credit has been diminished for corporations and private persons. The crisis of trust among financial market players has spread to other industries as well.256 Lower access to capital, especially credit, lower capital transfers and a lack of trust in further development pushed institutional and private investors, as well as ordinary households, to lower their spending altogether.257 This brought the international economy to a situation where overall demand began to fall dramatically. Lower demand brought excess supply and problems in selling produced goods. Companies have been left with finished products and huge stocks of inventory. Lower production, investment and household spending produced the macroeconomic impact of falling GDP rates, rising unemployment and an unpredictable economic environment.258

b) Risk management failures

It is not only the financial crisis itself that can be blamed for the enormous economic losses across corporations of all industries. In past years, several corporations from non-financial industries started to offer financial products as well. Excellent examples are the in-house banks of the main automotive corporations, helping to push car sales by offering cheap car loans or leasing services. At the same time, several industrial corporations gained importance in complex financial product markets. This extended the global exposure to the problems creating the current financial crisis. Likewise, some unfortunate risk management approaches and decisions undermined the financial positions of several corporations. Examples include:

• Porsche SE – where not lower sales but a multi-billion euro engagement in OTC transactions undermined the financial situation of the car producer.259
• British Airways Plc – where losses due to a wrong fuel-purchase hedging strategy exceeded the losses generated by lower sales.260
• GMAC (the financial-services arm of the automotive corporation GM) – where a subsidized loan and lease strategy, as well as exposure to mortgage operations, turned into a big threat for the entire group.261
• Polish coal industry – where big profits due to participation in currency hedging on the OTC market undermined financial performance after the market situation changed.262

255 D. Crawford, M. Walker, German Regulator Warned of Hypo Bank Problems Before Bailout, WSJ from 28.05.09, p. A6, available at: http://209.85.135.132/search?q=cache:J5KpI11AKOAJ:online.wsj.com/article/SB124346085723259931.html.
256 U. Osili, A. Paulson, Bank Crises and Investor Confidence, Federal Reserve Bank of Chicago Working Paper No. 2008-172, pp. 2 et seq.
257 Ibid.
258 U. Osili, A. Paulson, Bank Crises and Investor Confidence, Federal Reserve Bank of Chicago Working Paper No. 2008-172, p. 2.

c) Economic losses due to non-compliant behaviour

It is often stressed that non-compliance or inadequate compliance with risk management rules has been a cause of the current crisis: the inadequate risk assessment and management approaches at financial institutions like Fannie Mae, Freddie Mac, Lehman Brothers, Hypo Real Estate and others. But also the compliance scandals of recent years, like the cases of:

• Siemens – bribery scandal263
• ThyssenKrupp – anti-competitive behaviour264
• Société Générale – mismanagement of an employee and internal control failure265

brought economic losses due to enormous fines from public authorities or ineffective compliance and internal control systems.

259 T. Katzensteiner, A. Riedl, M. Boschen, Die Akte Porsche, WirtschaftsWoche from 8.06.2009, pp. 101 et seq.
260 Short-sellers target M&B and British Airways, Reuters on 3.06.2009, available at: http://www.reuters.com/article/hedgeFundsNews/idUSLNE56200U20090703.
261 J. Stempel, GMAC mortgage lender teeters toward bankruptcy, The New York Times from 6.10.2008, available at: http://www.nytimes.com/2008/11/06/business/worldbusiness/06iht-deal07.1.17579017.html.
262 T. Głogowski, Pawlak wyrzuca prezesów za opcje, Gazeta Wyborcza from 22.06.2009, available at: http://gospodarka.gazeta.pl/Gielda/1,85951,6746110,Pawlak_wyrzuca_prezesow_za_opcje.html.
263 A. Höpner, Siemens zahlt 800 Millionen Dollar, WirtschaftsWoche on 15.12.2008, available at: http://www.wiwo.de/unternehmer-maerkte/siemens-zahlt-800-millionen-dollar-381406/.
264 EU Court: ThyssenKrupp Must Pay EUR3 Million Cartel Fine, DowJones Deutschland on 01.07.2009, available at: http://www.dowjones.de/site/2009/07/eu-court-thyssenkrupp-must-pay-eur3-million-cartel-fine.html.
265 SocGen postmortem, Financial Times on 25.01.2008, available at: http://www.ft.com/.


V. Would a stricter regulatory approach avoid current financial crises? Considerations de lege ferenda

The financial services industry is perhaps the most regulated in the world. However, regulations seem to have done little to prevent the current crisis.266 There are some areas where a stricter or sometimes more harmonised legal framework could have prevented some of the negative developments causing the current crisis. With improvements concerning the legal framework for corporate risk management and compliance, the extent of the current financial crisis could surely be reduced and the impacts on the economy would be smoother.

1. Specifying general corporate risk management requirement

A general corporate requirement for dealing with risks can be found under several jurisdictions. The biggest problem concerns the uncertainty of the provisions related to risk management. Under some jurisdictions, like the U.S. or Germany, a requirement for a fully functioning corporate risk management has not been regulated expressis verbis. It can generally be inferred from the duties of management or from the supervisory responsibilities of the corporate organs. The situation is a bit easier when it comes to compliance. A general requirement for corporate compliance has been included under most jurisdictions as a management responsibility. But in both cases, the legislator typically provides no further guidelines on how to implement and operate risk management and compliance systems at the corporate level. Non-binding best practice frameworks created by certified auditors' associations and other forums can serve as support. They provide more specific guidelines on how to structure those functions within a corporation. But those provisions serve only as non-binding recommendations. For greater transparency and legal certainty, the state should take a bigger role in the form of supervising, influencing and sanctioning provisions concerning risk management and compliance systems.267 A good example is the formulation of national corporate governance codes, where state power generally has a greater influence on private codification practice. Another important task is the further unification of standards in the international arena. As the current financial crisis showed, errors in one deregulated state can have negative consequences in states having a relatively stricter framework.268 At present, the interconnection of markets should lead to the creation of equal standards that everyone has to comply with; otherwise the mechanisms of the current financial crisis will repeat quickly.

266 F. Allen, A. Babus and E. Carletti, Financial Crises: Theory and Evidence (2009), pp. 29-30.
267 Generally speaking, the current legislator is introducing risk management and compliance requirements without bearing the responsibility for universal transparency, equality and unity in the organizational fulfilment of legal duties.

2. Risk assessment and credit ratings

The current legal framework enabled not only financial institutions but also all other corporations to use a certain automation of risk management while acting in the international financial market. Companies were typically assessing the risks of certain financial instruments like bonds or asset-backed securities by relying on credit ratings prepared by rating agencies. The rating agencies themselves are private entities providing ratings commercially. At the same time, they do not generally disclose the rules and criteria for their ratings. Generally, rating agencies do not act as state agents, as the legislator itself has not directly influenced or supervised the rating process. So, in the international market, participants rely on external assessments done by organizations that do not provide transparency about their activity. A high level of trust is given by the market participants. Financial institutions rely on external measurements, typically having no possibility to estimate whether the ratings are correct and reliable. This approach was bound to have a negative impact in the current crisis.

It is undisputed that the “big three” rating agencies Standard & Poor’s, Moody’s and Fitch played starring roles in the current failure of finance.269 Those agencies enjoyed a high level of trust. Their ratings have been the main - and sometimes even the only - part of the credit risk assessment by institutions active in the financial market. Those ratings served as a recommendation for investing in or avoiding certain financial products. The same applied to the creditworthiness of business partners as well. The ratings themselves had and still have the power to influence the price of capital for market participants.270 In former times, only the bigger banks were using internal criteria (e.g. the Basel II IRB approach) as an alternative or substitute for external ratings. But, as the sub-prime and later the financial crisis show, those ratings have not been reliable measures. Before the crisis happened, rating agencies were following certain market trends in evaluating credit risks. But, due to weak regulation, their rules had a lot of gaps (e.g. regarding systemic risk exposure).271 Assessing this in detail is not possible, as the rules for giving ratings are not public.

268 International Monetary Fund, Initial Lessons of the Crisis (2009), pp. 2-5, 10-11, available at: http://www.imf.org/external/np/pp/eng/2009/020609.pdf.
269 Rating agencies – The wages of sin, The Economist 23.04.2009, available at: http://www.economist.com/businessfinance/displaystory.cfm?story_id=13527929; A. Sy, The Systemic Regulation of Credit Rating Agencies and Rated Markets, IMF Working Paper 09/129, p. 3, available at: http://ssrn.com/abstract=1422699.
270 A. Sy, The Systemic Regulation of Credit Rating Agencies and Rated Markets, IMF Working Paper 09/129, p. 9, available at: http://ssrn.com/abstract=1422699.

Participants of the financial market fully trusted the accuracy of the external rating system, failing to rely more on their own knowledge, business judgement and resources. The assumption of the stability and correctness of external ratings made it easy to develop instruments of previously unseen complexity. Organizations relying on that “external knowledge” related to these highly sophisticated mathematical models did not exactly know what the products they were offering or buying were about, and also had a low understanding of the instruments of the market they approached. Without this basic understanding, the development of a proper risk management system that would support decision making was not possible. This was one of the main reasons for the current crisis.

Some reforms are being considered in relation to credit risk assessment. On the one hand, it seems promising to encourage financial market participants to rely more on their own risk assessment resources. Clearly, the credit ratings of rating agencies are also a subject of consideration. In the U.S., the main focus is on extending competition between rating agencies.272 But, more importantly, greater transparency in the rating market is needed. A very smart initiative is the EU proposal obliging rating agencies to disclose their rating criteria and procedures, so that everyone could evaluate on what conditions a certain rating has been given.273 This would help to improve conditions and create more understanding and discussion on corporate risk culture.

3. Auditing

Under the current regulatory framework, the external audit plays a very important role in assessing the implementation of risk management and compliance provisions by corporate entities. It is generally the annual auditor who verifies whether a corporate risk management or compliance system has been adopted and assesses its functionality, adequacy or effectiveness.

271 E. Wymeersch, Corporate Governance and Financial Stability, Ghent University, Financial Law Institute Working Paper No. WP 2008-11, p. 5.
272 R. Chang, Entry barriers stifle U.S. credit ratings competition, Reuters on 24.06.2009, available at: http://www.reuters.com/article/ousiv/idUSTRE55N4VU20090624.
273 EU Commission consultation on (i) a draft Directive / Regulation with respect to the authorisation, operation and supervision of credit rating agencies (CRAs) and (ii) on policy options to address the problem of excessive reliance on credit ratings, available at: http://www.ec.europa.eu/internal_market/consultations/2008/securities_agencies_en.htm.

Every larger corporate scandal274 renews the question of the effectiveness and independence of annual audits. The same issue arose after the analysis of the corporate crunches of Fannie Mae, Freddie Mac, Bear Stearns, Lehman Brothers, Hypo Real Estate (HRE) and further examples from the current crisis.

The existence and further assessment of risk management and compliance systems has, under several jurisdictions, been placed in the hands of certified auditors. The regulator gave them a special guaranteeing function which has to ensure that a corporation fulfils its legal requirements concerning, inter alia, accounting, financial reporting and internal control standards. Coming to the company as external and independent assessors, they have the task of undertaking a deep, cross-functional analysis of those issues. The result is the certification or non-certification of corporate reports, which are of great importance for the capital market.

There are several critical voices concerning this system. Many argue that the independence of certified auditors is getting weaker.275 This is especially because companies choose their annual auditors on their own and also pay for their assessments themselves. There is a high risk that the auditors will not be able to overcome the temptation of acting in favour of the assessed company (and without sufficient scrutiny) in order to keep the client satisfied. Another problem concerns the structure of the international auditing market. It has been dominated by a few major players who have started to take an important part in consulting services.276 Their deep linkage (through several business relations with assessed companies) also undermines their independence. As the examples of HRE or Lehman Brothers show, those companies passed the annual audit tests even though their situation was rather critical and poor. Perhaps a more independent system, where auditors would be designated by financial supervisors, would set a higher safety level. And, for example, the services of certified auditors could then be paid from a centralized fund, to which each assessed firm would have to contribute. The greater independence and scrutiny of annual auditors could serve as a good mechanism for reducing systemic risk and enhancing better standards for corporate risk management and compliance in the financial industry.

274 Like Enron, Worldcom or Parmalat.
275 M. Jennings, The seven signs of ethical collapse (2006), pp. 184 et seq.
276 Ibid.

4. Accounting standards

As the correctness of the credit ratings offered by rating agencies has been undermined by the crisis, companies may look for other sources of information that can be used while assessing credit or counterparty risks related to a potential business partner. One source of information could be the financial data that banks, due to market transparency regulation, have to publicise within their financial reporting. But even this channel cannot be taken as sufficient. Due to the very flexible application of international accounting standards (IFRS), the information disclosed by different banks within financial reporting is incomparable.277 Corporations of all other industries face the same problems.

A comparative study of the annual financial reports of the 16 biggest European banks was recently prepared by the international audit and consulting company KPMG. The research showed that, even though the annual reports disclose a massive amount of data,278 the banks’ discretion in interpreting and applying accounting standards makes comparing data between institutions very difficult. One problem concerns the disclosure of judgements in applying accounting policies and of sources of estimation uncertainty, where, generally speaking, the information given is not sufficient for understanding a bank’s accounting approach.279 The second uncertainty concerns the applicability of IAS 39 – fair value measurement. In accounting, fair value is used as an estimation method to calculate the market value of an asset or liability for which a market price cannot be determined.280 Within the annual financial reports of the 16 biggest European banks it can be observed that the scope and methods of application of fair value complicate a comparison of positions on financial assets and financial liabilities among them.281 Another very sensitive area is the disclosure of risk management information. The main differences affect:

• Disclosure of credit risk – where “significant variability in respect of the spread of individual vs. collective impairment” is stated
• Disclosure of market risk – banks used different assumptions and parameters in calculating their market risk exposure
• Disclosure of liquidity risk – not all banks show their liquidity ratio, and different methods are used for liquidity management and measurement; only some banks used the Basel Committee recommendations for quantitative and qualitative disclosures on their liquidity risk.282

277 Banks and accounting standards – Messenger shot, The Economist 8.04.09, available at: http://www.economist.com/opinion/displaystory.cfm?story_id=13446745; KPMG-Studie: Abschlussberichte von Banken schwer vergleichbar, FAZ 9.07.2009, p. 19.
278 Including up to 300-400 pages.
279 KPMG, Focus on transparency – Trends in the presentation of financial statements and disclosure of information by European banks (2009), pp. 14-16.
280 International Valuation Standards Committee, Exposure Draft of Proposed Revised International Valuation Standard 2, para. 6.4, available at: http://www.ivsc.org/pubs/exp_drafts/ivs2.pdf.
281 KPMG, Focus on transparency – Trends in the presentation of financial statements and disclosure of information by European banks (2009), p. 17.

Being able to compare the financial performance of business partners is an important value for stable and transparent markets. Stricter accounting rules, preventing such wide discretion and flexibility in application as now, would bring more transparency and trust into the financial world.283 This is a postulate that, for years, could not find implementation. Some reform movements can be seen, like the EU and FASB initiatives toward stricter regulation of the fair value method.284 A stricter regulation of accounting standards could probably not have avoided the current financial crisis, but would help to create a healthier environment for the financial services market.

282 KPMG, Focus on transparency – Trends in the presentation of financial statements and disclosure of information by European banks (2009), pp. 26, 34, 36 et seq.
283 C. Johnson, A. Mosich, W. Meigs, Financial Accounting (2003), para 1.14-1.15.
284 EU executive to ease fair value on banks – document, Reuters 10.10.2008, available at: http://www.reuters.com/article/governmentFilingsNews/idUSLA68354320081010; Financial Accounting Standards Board, Determining the Fair Value of a Financial Asset When the Market for That Asset Is Not Active, FASB Staff Position No. 157-3 (2008).

VI. Conclusions

There is no clear answer whether a stricter risk management and compliance framework would help to avoid the current financial crisis. It has to be considered that every business decision bears a certain level of hazard and that very often making brave decisions is essential for business success.285 Also the cyclicality of economies, where after a period of growth a crisis has to come in order to prepare another period of growth, has always been an important part of markets throughout history.286 According to this theory, a stricter regulatory approach to corporate risk management and compliance would probably not prevent the current crisis from occurring, but would definitely deeply change its form and extent.

There are some areas where a stricter regulatory framework would change a lot. This concerns the regulation of several financial instruments like credit default swaps, over-the-counter instruments or asset-backed securities. Also a different approach to risk assessment and clearer rules creating a regulated environment for credit rating agencies could encourage preventive measures as well. At the same time, stricter and more detailed rules for the arrangement of corporate risk management and compliance systems, enforced by a different certified audit model, would bring more harmonization and enhance corporate risk culture, especially in the financial services industry. This would probably help to create more effective early risk detection systems at the corporate level. Parallel to this, a different positioning of national and international financial supervision could coordinate and deal more consciously with the exposure of the entire economy to systemic risks. Especially, greater international cooperation would be very promising.

Note that the need for corporate risk management and compliance will grow further. As the economic environment constantly becomes more complex, sophisticated and internationalized, both functions can bring new positions and approaches to corporations at an essential, cross-corporate level. The main postulate for the legislator in creating a prospective legal framework is to enhance wider international coordination and harmonization on risk management and compliance issues, so that a minimum set of standards would be required worldwide.

285 P. Drucker, Management (2007), p. 125.
286 M. Wolfson, Financial Crises (1994), pp. 143 et seq.

The current crisis should be used as an incentive and chance for reforms. As M. Wolf argues, “the man is getting well, but without handling, the illness can come back very quickly”.287

287 M. Wolf, After the storm comes a hard climb, Financial Times from 15.07.2009, available at: http://www.ft.com/cms/s/0/1f7ab9d4-70aa-11de-9717-00144feabdc0.html.

Bibliography

Books and commentaries

Adam A., Handbook of Asset and Liability Management (John Wiley and Sons 2008).

Akkizidis I., V. Bouchereau, Guide to optimal operational risk & Basel II (Auerbach Publications 2006).

Alexander K., R. Dhumale, J. Eatwell, Global governance of financial systems (Oxford University Press, USA 2006).

Altenähr V., T. Nguyen and F. Romeike, Risikomanagement kompakt (Verlag Versicherungswirtschaft GmbH 2008).

Ammann M., Credit risk valuation (2. Edition, Springer 2001).

Arner D., Financial stability, economic growth, and the role of law (Cambridge University Press 2007).

Bainbridge S., The complete guide to Sarbanes-Oxley (Adams Media 2007).

Ballwieser W. [ed.], W. Grewe [ed.], Wirtschaftsprüfung im Wandel (C.H. Beck 2008).

Banks F., Corporate Legal Compliance Handbook (Aspen Publisher 2002).

Barth J., G. Caprio, R. Levine, Rethinking bank regulation (Cambridge University Press 2006).

Basin V., Die Modernisierung der 8. EU Richtlinie unter Einfluss des Sarbanes-Oxley Acts (Grin Verlag 2009).

Berwanger J., S. Kullmann, Interne Revision (Gabler Verlag 2007).

Biegelman M., Building a World-Class Compliance Program (John Wiley and Sons 2008).

Bizmanualz I., Finance & Treasury Procedures for Compliance and Performance (Bizmanualz, Inc. 2008).

Bluhm C., L. Overbeck, Ch. Wagner, An introduction to credit risk modeling (Chapman & Hall/CRC 2002).


Boos K., R. Fischer, H. Schulte-Mattler, Kreditwesengesetz (4. Edition, C.H. Beck 2008).

Bowden A., M. Lane, J. Martin, Triple bottom line risk management (John Wiley and Sons 2001).

Brink G. van den, F. Romeike, Corporate Governance und Risikomanagement im Finanzdienstleistungsbereich. Grundlagen, Methoden, Gestaltungsmöglichkeiten (Schäffer-Poeschel 2004).

Burke, D., Guy, K. Tatum, Audit Committees, A Guide for Directors, Management, and Consultants (5. Edition, CCH, Inc. 2008).

Carmichael J., M. Pomerleano, Development and Regulation of Non-Bank Financial Institutions (World Bank Publications, 2002).

Chew D., Corporate Risk Management (Columbia University Press 2008).

Chorafas D., Implementing and auditing the internal control system (Palgrave Macmillan, 2001).

Chorafas D., Stress testing for risk control under Basel II (Butterworth-Heinemann 2007).

Clarke T., International corporate governance: A Comparative Perspective (Routledge 2007).

Crouhy M., D. Galai, R. Mark, The essentials of risk management (McGraw-Hill 2006).

Culp Ch., The risk management process: Business Strategy and Tactics (John Wiley and Sons 2001).

Daft R., R. Allen, E. Sandburg, Management (8. Edition, South-Western College Pub 2008).

Doorley J., H. Garcia, J. Osborn, Reputation Management (2. Edition, Routledge 2006).

Drucker P., Management (HarperBusiness 2007).

Effros R., Current legal issues affecting central banks (Volume 4, International Monetary Fund 1998).

Fiege S., Risikomanagement- und Überwachungssystem nach KonTraG Prozess, Instrumente Instrumente, Träger (Gabler 2006).

Fischer R., H. Schulte-Mattler, Kreditwesengesetz. Kommentar zu KWG und Ausführungsvorschriften (C.H. Beck 2008).

Page 62: Korus M. Corporate Risk Management and …Corporate Risk Management and Compliance Would a stricter regulatory approach avoid current financial crises? Mateusz Korus July 17, 2009

62

Fleischer H., Handbuch des Vorstandsrechts, (C.H. Beck 2006).

Fletcher W., T. Plette, The Sarbanes-Oxley Act: Implementation, Significance, and Impact (Nova Science Publishers 2008).

Friedman A. and S. Miles, Stakeholders: theory and practise (Oxford University Press, USA 2006).

Fus S., Business Continuity Management bei Finanzdienstleistern (Grin Verlag 2008).

Gallati R., Risk management and capital adequacy (McGraw-Hill 2003).

Geishecker L., R. Weston, Risk! (AMR Research 2007).

Griffiths A., S. Wall, Applied economics (Pearsons Publications 2007).

Gutterman A., The legal considerations in business financing (Quorum Books 1994).

Hauschka Ch. [ed.], Corporate Compliance (C.H. Beck 2007).

Hilz-Ward R., O. Everling and N. Löhndorf, Risk Performance Management (Gabler 2009).

Hommelhoff P., K. Hopt, A. v. Werder, Handbuch Corporate Governance (Verlag Otto Schmidt 2003).

Hopt K., H. Wiedemann [ed.], Aktiengesetz Großkommentar (7. Edition, Walter de Gruyter 2008).

Jennings M., The seven signs of ethical collapse (St. Martin's Press 2006).

Johnson C., A. Mosich, W. Meigs, Financial Accounting (John Wiley and Sons 2003).

Jorion P., Value at Risk (2. Edition, McGraw-Hill 2000).

Kaltofen D., S. Paul, S. Stein, Retail Loans & Basel II: Using Portfolio Segmentation to Reduce Capital Requirements (CEPS 2005).

Kalwait R., R. Meyer, R. Erben, Fr. Romeike, O. Schellenberger, Risikomanagement in Der Unternehmensfuhrung (Wiley VCH 2008).

Kraft C., Die Mindestanforderungen an das Risikomanagement (Grin Verlag2008).

Luz G., W. Neus, P. Scharpf, P. Schneider, M. Weber [ed.], Kreditwesengesetz (KWG) (9. Edition, Schäffer-Poeschel 2009).

Page 63: Korus M. Corporate Risk Management and …Corporate Risk Management and Compliance Would a stricter regulatory approach avoid current financial crises? Mateusz Korus July 17, 2009

63

Leitch M., Intelligent Internal Control and Risk Management (Ashgate 2008).

Mallin C., Corporate Governance (2. Edition, Oxford University Press, 2007)

Martin T., T. Bär, Grundzüge des Risikomanagements nach KonTraG (Oldenbourg Verlag 2002).

Merna T., F. Al-Thani, Corporate Risk Management (2. Edition, John Wiley and Sons 2008).

Moeller R., COSO Enterprise Risk Management (John Wiley and Sons 2007).

Montana P., B. Charnov, Management (Barron's Educational Series 2000).

Müssig A., Bilanzielle Risikovorsorge und außerbilanzielle Risikoberichterstattung (Gabler 2006).

Olson D., D. Wu, Enterprise Risk Management (World Scientific Publishing Company 2007).

Pal N., From Strategy to Execution: Turning Accelerated Global Change into Opportunity (Springer 2008).

Parmenter D., Key performance indicators: Developing, Implementing,and Using Winning KPIs (John Wiley and Sons 2007).

Peltzer M., Deutsche Coprorate Governance , Ein Leitfaden (2. Edition, C.H. Beck 2004).

Powell A., Basel II and developing countries (World Bank, Financial sector operations and policy department 2004).

Power M., The Risk Management of Everything: Rethinking the Politics of Uncertainty (Demos 2004).

Ramos M., How to comply with Sarbanes-Oxley section 404 (John Wiley and Sons 2006).

Ringleb R., T. Kremer, M. Lutter, A. v. Werder, Kommentar zum Deutschen Corporate Governance Kodex (2. Edition, C.H. Beck 2005).

Rogers C., Financial reporting of environmental liabilities and risks after Sarbanes-Oxley (John Wiley and Sons 2005).

Romeike F., Lexikon Risiko-Management (Bank Verlag Köln 2004).

Schmidt K., M. Lutter [ed.], Aktiengesetz Kommentar (2. Edition, Verlag Otto Schmidt 2008).

Page 64: Korus M. Corporate Risk Management and …Corporate Risk Management and Compliance Would a stricter regulatory approach avoid current financial crises? Mateusz Korus July 17, 2009

64

Scott H., Capital adequacy beyond Basel: Banking, Securities, and Insurance (Oxford University Press, USA 2005).

Senge L. [ed.], Karlsruher Kommentar zum OWiG (2. Edition, C.H. Beck 2006).

Tarantino A., Manager's guide to compliance (John Wiley and Sons 2006).

Tarullo D., Banking on Basel (Peterson Institute 2008).

Trenerry A., Principles of Internal Control (New South Wales University Publishing Limited 1999).

Williams H., Federal banking law and regulations (American Bar Association 2007).

Wolf K., B. Runzheimer, Risikomanagement und KonTraG, (4. Edition, Gabler 2003).

Youngberg B., The Risk manager's desk reference (2. Edition, Jones & Bartlett Publishers 1998).

Reports, research papers & professional standards

Begründung zum Regierungsentwurf eines Gesetzes zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG), Begr RegE BT-Drucks 13/9712.

Committee on Corporate Laws of the American Bar Association, Model business corporation act annotated: official text with official comments and statutory cross-references (2005).

Financial Accounting Standards Board, Determining the Fair Value of a Financial Asset When the Market for That Asset Is Not Active, FASB Staff Position No. 157-3 (2008).

Gorton G., The Panic of 2007, National Bureau of Economic Research, Working Paper No. 14358 (2008).

Institut der Wirtschaftsprüfer in Deutschland (IDW), Prüfungsstandard 340: Die Prüfung des Risikofrüherkennungssystems nach §317 Abs. 4 HGB, Die Wirtschaftsprüfung 1999 (WPg 1999), pp. 658 – 662.

International Monetary Fund, Initial Lessons of the Crisis (2009), http://www.imf.org/ external/np/pp/eng/2009/020609.pdf.

International Monetary Fund, Lessons of the Financial Crisis for Future Regulation of Financial Institutions and Markets and for Liquidity Management (2009), http://www.imf.org/external/np/ pp/eng/2009/ 020409.pdf <last visit: 15.07.2009>.

International Valuation Standards Committee, Exposure Draft of Proposed Revised International Valuation Standard 2, http://www.ivsc.org/pubs/exp_drafts/ivs2.pdf <last visit: 15.07.2009>.

Page 65: Korus M. Corporate Risk Management and …Corporate Risk Management and Compliance Would a stricter regulatory approach avoid current financial crises? Mateusz Korus July 17, 2009

65

KPMG, Focus on transparency – Trends in the presentation of financial statements and disclosure of information by European banks (2009),

Osili U., A. Paulson, Bank Crises and Investor Confidence, Federal Reserve Bank (FRB) of Chicago Working Paper No. 2008-172.

Reinhart C., K. Rogof, Is the 2007 U.S. Sub-Prime Financial Crisis So Different? An International Historical Comparison, Harvard University, Institute of Economics Working Paper 5.02.2009.

Sy A., The Systemic Regulation of Credit Rating Agencies and Rated Markets, International Monetary Fund, IMF Working Paper 09/129 (2009).

The Institute of Risk Management (IRM),The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector, Risk Management Standard, http://www.theirm.org/publications/documents/Risk_Management_ Standard_030820.pdf <last visit: 15.07.2009>.

United States Government Accountability Office (GOA), Financial Regulation – Review of Regulators’ Oversight of Risk Management Systems at a Limited Number of Large, Complex Financial Institutions (2009), http://www.gao.gov/new.items/d09499t.pdf <last visit: 15.07. 2009>.

Whalen R., The Subprime Crisis -- Cause, Effect and Consequences, Indiana University, Networks Financial Institute, Policy Brief 2008-PB-04.

Wymeersch E., Corporate Governance and Financial Stability, Ghent University, Financial Law Institute Working Paper No. WP 2008-11.

Elst Ch. Van der, M. van Daelen, Risk Management in European and American Corporate Law, European Corporate Governance Institute, Law Working Paper No. 122/2009 TILEC Discussion Paper No. 2009-023.

U.S. Committee of Sponsoring Organizations of Treadway Commission, COSO Enterprise risk management – integrated network, available at: http://www.coso.org/Publications/ ERM/COSO_ERM_ExecutiveSummary.pdf <last visit: 15.07. 2009>.

Corporate sources

BASF Group, Compliance Program of the BASF Group, http://www.basf.com/group/ corporate/en/about-basf/vision-values-principles/code-ofconduct/index <last visit: 15.07.2009>.

Coca-Cola Company, Coca-Cola Company Ethics & Compliance, http://www.thecoca-colacompany.com/citizenship/ governance_ethics.html <last visit: 15.07.2009>.

Deutsche Bank AG, Legal, Risk & Capital, http://www.db.com/de/content/company/ legal_risk_capital.htm?dbiquery=null%3Arisk+management <last visit: 15.07.2009>.

Fannie Mae, Annual Report on Form 10-K, http://www.fanniemae.com/ir/pdf/sec/2006/ form10k_120606.pdf <last visit: 15.07.2009>.

GlaxoSmithKline, GlaxoSmithKline Compliance Programme, http://www.gsk.com/about/ corp-gov-ethics.htm <last visit: 15.07.2009>.

Page 66: Korus M. Corporate Risk Management and …Corporate Risk Management and Compliance Would a stricter regulatory approach avoid current financial crises? Mateusz Korus July 17, 2009

66

ING Group, ING Group Compliance Risk Management Charter and Framework, http://www.ing.com/group/showdoc.jsp?docid=139868_EN&menopt=cog|coc|gpo <last visit:

15.07.2009>.

Merck & Co., Inc. Comprehensive Compliance Program, http://www.merck.com/about/ compliance/ ccp.html <last visit: 15.07.2009>.

METRO Group, METRO Group Compliance Program, http://www.metrogroup.de/servlet/ PB/menu/1138270_l2/ index.html <last visit: 15.07.2009>.

UniCredit Group, Compliance function, http://www.unicreditgroup.eu/en/Governance/ compliance.html <last visit: 15.07.2009>.

UniCredit Group, Risk management program, http://www.unicreditgroup.eu/ucg-static/ downloads/credit_risk_ENG.pdf <last visit: 15.07.2009>.

Report of Investigation by the Special Investigative Committee of the Board of Directors of Enron Corp. v. 1. 2. 2002, availbale at: http://news.findlaw.com/hdocs/docs/enron/sicreport/ index.html.

Report of Investigation by the Special Investigative Committee of the Board of Directors of Worldcom, Inc. v. 31. 3. 2003, availbale at: http://www.edgar-online.com/bin/irsec/finSys_ main.asp?dcn=0000931763-0300186 2&x=118&y =17.

Articles

Bürkle J., Corporate Compliance – Pflicht oder Kür für den Vorstand der AG, Betriebs Berater 2005 (BB 2007), pp. 565-570.

Burwitz G., Das Bilanzrechtsmodernisierungsgesetz - Eine Analyse des Regierungsentwurfs und der Änderungsvorschläge des Bundesrats, Neue Zeitschrift für Gesellschaftsrecht 2008 (NZG 2008), pp. 694-700.

Campos Nave J., S. Bonenberger, Korruptionsaffären, Corporate Compliance und Sofortmaßnahmen für den Krisenfall, Betriebs Berater 2008 (BB 2008), pp. 734-740.

Fratianni M., Financial crises, safety nets and regulation (2008), http://ssrn.com/abstract =1286903 <last visit: 15.07.2009>.

Garfinkel J., J. Sa-Aadu, A Decade of Living Dangerously: The Causes and Consequences of the Mortgage and Financial Crises (2008), http://ssrn.com/abstract=1331294 <last visit: 15.07.2009>.

Garfinkel J., J. Sa-Aadu, A Decade of Living Dangerously: The Causes and Consequences of the Mortgage and Financial Crises (2008), http://ssrn.com/abstract=1331294 <last visit: 15.07.2009>.

Hauschka Ch., Der Compliance-Beauftragte im Kartellrecht, Betriebs Berater 2004 (BB 2004), pp. 1178-1182.

Hauschka Ch., Von Compliance zu Best Practice, Zeitschrift für Rechtspolitik 2006 (ZRP 2006), pp. 258-261.

Hüffer U., Die leitungsbezogene Verantwortung des Aufsichtsrates, Neue Zeitschrift für Gesellschaftsrecht 2007 (NZG 2007), pp. 47-54.

Page 67: Korus M. Corporate Risk Management and …Corporate Risk Management and Compliance Would a stricter regulatory approach avoid current financial crises? Mateusz Korus July 17, 2009

67

Kort M., Verhaltensstandardisierung durch Corporate Compliance, Neue Zeitschrift für Gesellschaftsrecht 2008 (NZG 2008), pp. 81-86.

Krohn G., W. Gruver, The Complexities of the Financial Turmoil of 2007 and 2008 (2008), http://ssrn.com/abstract=1282250 <last visit: 15.07.2009>.

Lingemann S., D. Wasmann, Mehr Kontrolle und Transparenz im Aktienrecht: Das KonTraG tritt in Kraft, Betriebs Berater 1998 (BB 1998), pp. 853-862.

Lösler T., Das moderne Verständnis von Compliance im Finanzmarktrecht, Neue Zeitschrift für Gesellschaftsrecht 2005 (NZG 2005), pp. 104-108.

Mattheus D., P. Hommelhoff, Risikomanagementsystem im Entwurf des BilMoG als Funktionselement der Corporate Governance, Betriebs Berater 2007 (BB 2007), pp. 2787-2790.

Meyer C., Gesetz zur Modernisierung des Bilanzrechts (Bilanzrechtsmodernisierungsgesetz - BilMoG) - die wesentlichen Änderungen, Deutsches Steuerrecht 2009 (DStR 2009), pp. 762-768.

Murphy A., An Analysis of the Financial Crisis of 2008: Causes and Solutions (2008), http://ssrn.com/abstract=1295344 <last visit: 15.07.2009>.

Ostrup F., L. Oxelheim, C. Wihlborg, Origins and Resolution of Financial Crises; Lessons from the Current and Northern European Crises (2009), http://ssrn.com/abstract=1407613 <last visit: 15.07.2009>.

Pampel G., Die Bedeutung von Compliance-Programmen im Kartellordnungswidrigkeiten-recht, Betriebs Berater 2007 (BB 2007), pp. 1636-1639.

Schwarcz S., Understanding the subprime crises, South Carolina Law Review (Vol. 60/2009), pp. 549-570.

Simkovic M., Secret Liens and the Financial Crisis of 2008, American Bankruptcy Law Journal, Vol. 83 (2009), pp. 253-295.

Wall F., Komptabilität des betriebswirtschaftlichen Risikomanagements mit den gesetzlichen Anforderungen?, Die Wirtschaftsprüfung (WPg 2003), pp. 457-471.

Wolf K., Zur Anforderung eines internen Kontroll- und Risikomanagementsystems im Hinblick auf den (Konzern-) Rechnungslegungsprozess gemäß BilMoG, Deutsches Steuerrecht 2009 (DStR 2009), pp. 920-924.

Newspapers articles & other sources

A lifeline for AIG, The Economist on 17.08.2008, http://www.economist.com/businessfinance/ displayStory.cfm?story_id=12244993, <last visit: 15.07.2009>.

Anderson J., E. Dash, Struggling Lehman Plans to Lay Off 1,500, The New York Times from 29.08.2208, http://www.nytimes.com/2008/08/29/business/29wall.html?em <last visit: 15.07. 2009>.

Barr C., Fannie, Freddie: The biggest losers, CNNMoney.Com, 7.09.2008, http:// money.cnn.com/2008/09/07/news/economy/shareholder_wipeout.fortune/index.htm <last visit:

15.07.2009>.

Page 68: Korus M. Corporate Risk Management and …Corporate Risk Management and Compliance Would a stricter regulatory approach avoid current financial crises? Mateusz Korus July 17, 2009

68

Bogoslaw D., Fannie Mae and Freddie Mac: A Damage Report, BusinessWeek on 29.08.2008, http://www.businessweek.com/investor/content/aug2008/pi20080828_330540.htm <last visit:

15.07.2009>.

Boyd R., Another Swiss miss at UBS, CNNMoney.Com, 1.04.2008, http://money.cnn.com/ 2008/04/01/news/companies/boyd_ubs.fortune/ <last visit: 15.07.2009>.

Chang R., Entry barriers stifle U.S. credit ratings competition, Reuters on 24.06.2009. Available at: http://www.reuters.com/article/ousiv/idUSTRE55N4VU20090624 <last visit: 15.

07.2009>.

Compliance has greater role than before crisis, says ex-Lehman head of compliance, Complinet, http://www.complinet.com/connected/news-and-events/webcasts/great-crash/share/ great-crash-articleA.pdf <last visit: 15.07.2009>.

Crawford D., M. Walker, German Regulator Warned of Hypo Bank Problems Before Bailout, WSJ from 28.05.09, p. A6, http://209.85.135.132/search?q=cache:J5KpI11AKOAJ:online. wsj.com/article/SB12434608723259931.html <last visit: 15.07.2009>.

EU Court: ThyssenKrupp Must Pay EUR3 Million Cartel Fine, DowJones Deutschland on 01.07.2009. Available at: http://www.dowjones.de/site/2009/07/eu-court-thyssenkrupp-must-pay-eur3-million-cartel-fine.html.

EU executive to ease fair value on banks – document, Reuters on 10.10.2008, http:// www.reuters.com/article/governmentFilingsNews/idUSLA68354320081010.

Goldfarb Z., D. Cho, B. Appelbaum, Treasury to Rescue Fannie and Freddie: Regulators Seek to Keep Firms' Troubles From Setting Off Wave of Bank Failures, Washington Post on 7.09.2008, http://www.washingtonpost.com/wp-dyn/content/article/2008/09/06/AR20080906 02540.html?hpid=topnews <last visit: 15.07.2009>.

Höpner A., Siemens zahlt 800 Millionen Dollar, WirtschaftsWoche on 15.12.2008. Available at: http:// www.wiwo.de/unternehmer-maerkte/siemens-zahlt-800-millionen-dollar-381406/.

J. Anderson; E. Dash, Struggling Lehman Plans to Lay Off 1,500, The New York Times from 29.08.2208. http://www.nytimes.com/2008/08/29/business/29wall.html?em <last visit: 15.07. 2009>.

Lauren L., Northern Rock Nationalized, Forbes.Com, 17.02.2008, http://www.forbes.com/ 2008/02/17/northern-nationalize-bank-markets-cx_ll_0217northernrock.html <last visit: 15.07. 2009>.

Miller B., C. Kong Ho, Merrill Lynch Cut to `Sell' at Goldman on Writedowns, Bloomberg on 5.09.2008, http://www.bloomberg.com/apps/news?pid=20601087&sid=aDWTPYeHBS8g& refer=home <last visit: 15.07.2009>.

Singing the blues, The Economist on 27.11.2008, http://www.economist.com/businessfinance/ displayStory.cfm?story_id=12689930 <last visit: 15.07.2009>.

SocGen postmortem, Financial Times on 25.01.2008. Available at: http://www.ft.com/.

The downturn in facts and figures, BBC NEWS on 21.11.2007, http://news.bbc.co.uk/ 2/hi/business/7073131.stm <last visit: 15.07.2009>.

Timmermans C., Company Law as Ius Commune?: First Walter van Gerven Lecture (2002), http://www.law.kuleuven.ac.be/ccle/pdf/wvg1.pdf <last visit: 15.07.2009>.

Wolf M., After the storm comes a hard climb, Financial Times from 15.07.2009. Available at: http:// www.ft.com/cms/s/0/1f7ab9d4-70aa-11de-9717-00144feabdc0.html.

Page 69: Korus M. Corporate Risk Management and …Corporate Risk Management and Compliance Would a stricter regulatory approach avoid current financial crises? Mateusz Korus July 17, 2009

69

Katzensteiner M., A. Riedl, M. Boschen, Die Akte Porsche, WitrschaftsWoche from 8.06.2009.

Short-sellers target M&B and British Airways, Reuters on 3.06.2009, available at: http://www.reuters.com/ article/hedgeFundsNews/idUSLNE56200U20090703.

Stempel J., GMAC mortgage lender teeters toward bankruptcy, The New York Times from 6.10.2008, available at: http://www.nytimes.com/2008/11/06/business/worldbusiness/06iht-deal07.1.17579017.html.

Głogowski T., Pawlak wyrzuca prezesów za opcje, Gazeta Wyborcza from 22.06.2009, available at: http://gospodarka.gazeta.pl/Gielda/1,85951,6746110,Pawlak_wyrzuca_prezesow _za_opcje.html.

Court decisions

Decision of VG Frankfurt a.M. from 8 July 2004, 1 E 7363/03 (I), Zeitschrift für Wirtschafts- und Bankrecht (WM 2004).

Caremark International, Inc. Derivative Litigation, 698 A.2d 959 (Court of Chancery of Delaware – Newcastle County – September 25, 1996).

Stone v. Ritter, 911 A.2d 362 (Supreme Court of Delaware –November 6, 2006).