Is "CEO" too big a job for one person?
The "did he jump or was he pushed" departure of Brian Hartzer, CEO of Westpac Banking Corporation in Australia, after it became known that the bank faced more than 23 million cases in which, it is alleged, it did not act correctly under anti-money laundering laws is the latest example of a CEO leaving his job under a cloud. In the past, that has usually been the end of at least some of the discussion. This time it is different. This time the failures were so big and so fundamental that they call into question the conduct of the entire organisation, including the full board and much of the management structure. It also raises something else. In large, complex, highly regulated groups, is the role of CEO too big for one person? As the financial services sector moves inexorably (and, I would argue, rightly) towards personal responsibility, is it time to review where responsibility lies in relation to specific areas of management?
I do not wish to prejudice or prejudge the Westpac case, so I make it clear that I have simply used one reported fact as the starting point for speculation, assumptions and theories; nothing in this analysis is intended to be taken as a direct reference to that case. It is important to say that because the failures I list, along with the responsibilities for them, are for the purposes of illustration only and should not be taken as statements of what happened or as attributions of responsibility to individuals or groups of persons.
Having worked through a complex and extensive background, I find that the payoff is that the analysis itself is quite simple.
The origin of the Westpac case is, allegedly, that when some work was being done on a reporting system, a flag was not set. The flag would have triggered reports on transactions that met certain criteria. Because the flag was not set, the reports were not produced. That simple error was a human error. There were 23 million cases, involving correspondent banking and known criminals, that should have been reported but were not; that much is known from the AUSTRAC material.
So now to the supposition on my part. In the context of this article I am concerned with only one allegation: that no internal reports were generated in relation to a specific type of activity which the bank expected to be monitoring for.
The first question to be asked is why there were no effective checks on the system as it was implemented and/or modified. The system may be considered mission critical and therefore should be subject to at least double-checking. As has been seen in relation to aeroplane crashes, some people do not actually check the work; they check the records. They literally look to see whether someone has ticked the boxes. If the systems engineer who was required to implement and/or modify the system ticks the box to say that he has done something, then all those who come after rely on that tick. We do not know whether that was the case here, but I use the example to demonstrate that checking records is not the same as checking work. Let us suppose that someone did think "it's odd that we are not getting transaction reports for that type of transaction". Unless he went back to the source, i.e. the system itself, he would have met a series of supervisory or monitoring documents, all of which relied not on what was actually done but on what was declared to have been done.
For the purposes of the article, then, the pivotal point is this: is it reasonable for a CEO to rely on reports by those to whom responsibility is delegated or should he, personally, go and, figuratively, check the spark plugs and sniff the exhaust to see if the engine of his company is working properly? If he should, how is he supposed to acquire the skills and experience necessary to deal, in detail, with every job in the organisation?
The next question is, in a way, an extension of the first: how can it be that no-one noticed for several years that a very specific type of high-risk transaction did not appear in any internal reports? Good practice recognises that information that is absent can be as important as information that is present. This is a systemic issue: the internal monitoring systems were not properly designed or specified, and even when such systems are designed by external consultancies, the final responsibility lies with the board.
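As an added illustration of the two points above (checking the record rather than the work, and failing to notice what is absent), here is a small Python model. It is example code written for this article, not Westpac's system and not anything drawn from the AUSTRAC material: the transaction kinds, the per-kind flag table, the change-log wording and the sample transactions are all constructed assumptions. The "record check" passes because the engineer logged the change; the "work check" re-derives from the source transactions what should have been reported and compares it with what the system actually emitted, so a category with transactions but zero reports stands out.

```python
"""Checking the record versus checking the work.

Added example for this article: a toy model, not Westpac's system and not
anything taken from the AUSTRAC material. The transaction kinds, the flag
table, the change-log wording and the sample transactions are all constructed
for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    txn_id: str
    kind: str      # hypothetical categories: "domestic" or "correspondent"
    amount: float


@dataclass
class ReportingSystem:
    # Hypothetical design: one boolean per transaction kind decides whether the
    # batch job emits a report for that kind. A kind that is absent from the
    # table is silently treated as "do not report"; there is no error.
    flags: dict = field(default_factory=dict)
    change_log: list = field(default_factory=list)

    def log_change(self, description: str) -> None:
        # The engineer records that the work was done. Nothing here verifies
        # that the flag was actually set; the log is a declaration, not proof.
        self.change_log.append(description)

    def generate_reports(self, transactions: list) -> list:
        # What the system actually produces.
        return [t.txn_id for t in transactions if self.flags.get(t.kind, False)]


def record_check(system: ReportingSystem, kind: str) -> bool:
    """The 'tick in the box' control: passes if someone logged the change."""
    return any(kind in entry for entry in system.change_log)


def work_check(system: ReportingSystem, transactions: list, expected_kinds: list) -> dict:
    """Independent reconciliation: re-derive from the source transactions what
    should have been reported for each kind and compare it with what the
    system actually emitted. Returns {kind: (expected, actual)}."""
    produced = set(system.generate_reports(transactions))
    result = {}
    for kind in expected_kinds:
        should_report = {t.txn_id for t in transactions if t.kind == kind}
        result[kind] = (len(should_report), len(should_report & produced))
    return result


def silent_kinds(reconciliation: dict) -> list:
    """Kinds for which source transactions exist but no report was produced:
    the absent information that should trigger escalation."""
    return [kind for kind, (expected, actual) in reconciliation.items()
            if expected > 0 and actual == 0]


# Constructed sample input: three correspondent-banking transactions and two
# domestic ones. Purely illustrative values.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "domestic", 120.00),
    Transaction("T2", "correspondent", 9_800.00),
    Transaction("T3", "correspondent", 15_250.00),
    Transaction("T4", "domestic", 310.50),
    Transaction("T5", "correspondent", 4_000.00),
]


def build_sample_system() -> ReportingSystem:
    """Reproduce the failure the article describes: the engineer logged that
    correspondent reporting was enabled, but the flag itself was never set."""
    system = ReportingSystem(flags={"domestic": True})
    system.log_change("enabled correspondent reporting flag")
    return system


def run_controls(system: ReportingSystem, transactions: list) -> dict:
    """Run both controls over the same system and return their verdicts."""
    reconciliation = work_check(system, transactions, ["domestic", "correspondent"])
    return {
        "record_check_passed": record_check(system, "correspondent"),
        "reconciliation": reconciliation,
        "silent_kinds": silent_kinds(reconciliation),
    }


if __name__ == "__main__":
    verdict = run_controls(build_sample_system(), SAMPLE_TRANSACTIONS)
    print("record check (box ticked):", verdict["record_check_passed"])
    print("expected vs actual reports:", verdict["reconciliation"])
    print("kinds with transactions but no reports:", verdict["silent_kinds"])
```

The design point is that the work check does not trust anything the reporting system says about itself: it reads the source transactions independently, computes what ought to have come out, and treats "expected > 0, actual == 0" as a finding rather than as an empty result to be filed. A control that only reads the change log would pass here for years.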
But, once more, is it reasonable to expect the CEO to know, in detail, what should be in every report that is produced across a large and complex organisation? The number of compulsory statutory and regulatory reports increases daily and in an international company there are literally dozens of extremely important additions or changes. Yes, it is a common point in almost all legal systems that ignorance of the law is no defence but realistically can we expect one individual to have read, understood and ensured action on every single piece of law and regulation that affects the group across multiple jurisdictions? The answer, surely, has to be "no."
And so it seems to me that far too much is expected of the single person termed the CEO. I would argue that legal and compliance is also far too big and far too complex to be handled by a single person. Should companies have a Chief Legal Officer plus several Chief Compliance Officers, each with specific areas of expertise? If so, should they be on the board and, regardless of whether they are, should they carry full personal responsibility?
Here there are two diametrically opposed schools of thought. From the regulatory viewpoint: yes, and if they fail, lock them up or turn them into industry outlaws. From the point of view of the "responsible officer", that simply pushes down the same problems that face the CEO, but, unlike the CEO, the responsible officer has a very specific problem: he has no authority over staff and no authority over other departments. He can be subject to enforcement action if staff are not trained, but in the vast majority of organisations he cannot force people to attend training, nor can he make a final determination of what training they receive, where, when and how often. Those decisions are made by the personnel department, which holds the purse strings. Yet there is no mechanism for holding the personnel director (who, note, often does have a board seat) to account for frustrating the training demands of the responsible officer. Why? Because regulators define which roles they will directly regulate, and personnel management is not one of them.
Is there a solution? Yes: make the entire board responsible for failures, with special emphasis on the CEO (who, rightly, should not escape) and the director or directors responsible for a) the systems in which the failures occurred and b) the departments in which they occurred. And finally, in cases of systemic failure over periods of years, there should be a special place in Hell, or at least in regulatory enforcement, for internal audit. They are the last line of defence against such failures, specifically charged with finding the things that overworked CEOs and responsible officers may have missed.