The risk of not managing risks

By Julián Laski

A couple of years ago, I was faced with the challenge of carrying out the audit of an important Latin American public entity. When I say “important”, I mean the size of the institution, its strategic nature and the volume of its operations, with resources – financial, human and technological – in proportion to its size.

A few months before starting the work, I was surprised to read an email sent by the institution’s Systems area, requesting that the audit team report which computers would be brought into the entity, specifying the brand, model and serial number of each device. I must admit that at that moment I was impressed: I imagined that if I was being asked for such data so far in advance, I would encounter an entity with a robust control structure, which is not so common in the public sector of the region.

Until the day came: I had my first meeting at the entity, to which I went, of course, with my computer – the same one I had declared a few months before. As soon as I arrived, I found a security post where a guard asked me to show the laptop I was bringing in. “Good, now they are going to check it against the information I provided a few months ago,” I thought. But at that point I began to realize that, once again, not everything that glitters is gold: the security employee began to write the computer’s details by hand on a worksheet, and instead of the serial number he wrote down the operating system license, whose label was stuck to the back of the laptop. “It does not matter, he will check it later and ask about the inconsistency,” I told myself… But no, that never happened. Nor was I asked about the computer when I left. Not even the next day: since the guard knew me, he only asked whether I had the same laptop as the previous day, and as I said yes, on my subsequent entries he did not even ask me about it. And, since I was not checked on the way out, no one considered the possibility that I was taking out something much more valuable than a computer (which could well have been mine or another one): the institution’s information.

This situation set off my warning signals – like every auditor, I am skeptical by nature – regarding the risk analysis performed by the public entity. For that reason, I asked to speak with the person in charge of the risk area. The answer was clear: there was no risk manager there; it was the financial manager who handled insurance. That is, it was assumed that contracting insurance was the only possible risk response. Almost resigned, I met with the financial manager and asked him about the insurance they had contracted. “We invest more money in insurance every year, because we want to be at ease,” he told me. When I asked about the types of claims for which they had insurance, I realized that they did not cover half of the possible events for which coverage could have been contracted. The subsequent result of the insurance audit was damning, and it almost cost the financial manager his position – he who was so at ease simply for spending money…

Is insurance sufficient as a response to risk? Clearly not. Is it enough to know that many resources are invested in coverage in order to sleep soundly? Even less so. An organization that manages its risks effectively must:

Identify the possible financial and non-financial risks to which it is exposed. For this reason, it is not usually advisable for the financial manager to be responsible for risk management. There are no unlikely risks or absolutely unexpected events; if we doubt it, let us think about the attack on the Twin Towers, for example.
Adequately evaluate, through qualitative and quantitative tools, the probability and impact of events that could affect the achievement of its objectives. Not all risks are equally important! For the entity, it has a much greater impact if someone takes, by whatever means, a database without permission, than the possibility that an official or visitor enters with one computer and leaves with another.
Design and implement adequate risk responses, considering not only insurance coverage, but also mitigation, risk avoidance and, in some cases, even the need to accept the risk. We cannot take action against every risk, but we must know them and be aware of them. If there is a possibility of rain, and our goal is to go and see an Atlanta football game outdoors, what can we do, besides waiting for the sky not to cloud over?
Verify that the measures taken are effective, and monitor the risk strategy. A risk can be important at one moment and stop being so afterwards.

When controls prevent closing a deal

By Julián Laski

A few weeks ago I received, as on many other occasions, a call from the call center of an important and well-known commercial bank, offering me a credit card. While I am not usually interested in these types of proposals, where the “small print” usually hides a trap (and some cost), this time my curiosity got the better of me. And, paying attention, I thought it was a good opportunity, so I decided to ask what documentation was required to proceed with the process. When they told me that they only needed a copy of my identity document, I decided to accept and proceed with the issuance of the card.

From there, the call center operator, following the manual in which he was probably trained, began to request the basic data that, presumably, he was filling into a system: full name, date of birth, occupation, etc. Until, at one point, we came to the key question, the point of discord: “You are not an obligated subject in matters of prevention of money laundering and financing of terrorism, are you?”. Given the way he asked the question, I will be honest, I was tempted to say no, but I thought the truth was better, so I told him that as an external auditor of financial statements of companies with assets over $10,000,000 (ten million pesos), I am an obligated subject in the prevention of money laundering. For those unfamiliar with the subject, being an obligated subject merely means being included in a list of natural or legal persons who, due to their work or profession, must report any suspicious operation linked to money laundering and financing of terrorism, without this meaning anything in particular. It is something like an assistant referee in football: you must tell the match referee if you notice any fouls during the game. But for the call center operator, probably out of ignorance, my answer raised alarms and suspicions by virtue of what his procedure indicated. That is why the conversation, which was proceeding in a cordial tone, took an unimaginable turn: first, the call center operator told me that, flatly, the card could not be requested and the procedure could not proceed. When I asked the reason, he told me that it was because I fell under Law 25,246 on laundering of assets of criminal origin.

Although I did not lose sleep over getting the card (in fact, they were offering it to me, I was not requesting it), I was disturbed by the situation, and I told my interlocutor that I was in fact an obligated subject, not a fugitive or a suspect of justice. He then asked for a moment to speak to his superior while I waited on the line, which lasted about 20 minutes, during which I was tempted on several occasions to hang up in order to continue my work. Then the call resumed and the call center supervisor told me that they would call me the next day to see “how we were going” because, he admitted, the system prevented the process from continuing when the answer to the question “Obligated subject?” was yes, since the bank had strict internal controls and wanted to ensure that its clients were subjected to a strict prior review process.

The situation described in this article, where a commercial transaction was hampered by an alleged need to adhere to internal controls, shows that only one side of the coin is considered: one of the three objectives of internal control models, which is compliance with applicable laws and regulations (in this case, a procedures manual). Thus, the first of the objectives of any control system is left aside, which is to achieve effective and efficient operations. After all, if a bank – a for-profit company – does not sell its financial products, how does it achieve its goals? One might even ask how the bank grants a credit card, without any problem or credit analysis, to a client who is not an obligated subject, but if the client is one, even with the best financial situation, the process is interrupted… Curious, no doubt. But everything is done in order to comply with what the procedures manual indicates.

The day after the first telephone conversation I had with the call center operator, I received a call from another bank employee, who told me that “despite being an obligated subject” – again, as if it were a sin – they could process my application – I did not ask for anything; the bank was the one who offered it – if I presented myself at a branch of the bank and delivered a series of documents which, I believe, lacked only my birth certificate: identity document, proof of income, registration as an obligated subject, last tax payments, affidavits… Pap