Outsourcing and Madoff

August 14, 2009

In a recent Z24 (Dutch internet news channel) interview with the Chief Risk Officer of Fortis Bank Netherlands (3 billion revenue in 2008, 184 billion in assets), the bank's risk management practices were discussed. The CRO stated, among other things, that the board is closely involved with all new product introductions and determines how new products fit into the bank's risk profile.

If so much attention goes into risk analysis, even at board level, how can it be that Madoff and Lehman Brothers were not detected earlier? In my opinion, one of the main reasons is a lack of insight into the risk profile of the whole value chain and an underestimation of the 'risk dynamics'. And looking at the value chain also means looking at outsourcing, as the times are long gone when banks 'produced' all their financial products and services themselves.

As the term outsourcing is typically used for situations where internal employees and assets are transferred or sold to an external party, outsourcing is not always the right term. But from a risk management perspective it is not that relevant whether the relationship with the business partner is based on acquiring, purchasing or outsourcing: in all cases the bank 'imports' risk by dealing with an external vendor.

(Figure: Outsource Risks In Banks)

The point I want to make is that banks pay a fair amount of attention to new product introductions and to selecting a new business partner to outsource internal activities to or to buy services and products from. This means that most banks will have done some kind of due diligence before signing contracts with Madoff and Lehman Brothers. What many banks failed to do is monitor these partners adequately and adjust their risk profile and control strategy accordingly. Financial institutions have been outsourcing various back office activities and buying complex products and services from others, and have lost the overview of the risks within their value chain.

Even though some financial institutions have business relationships with hundreds of partners, the control strategy of most banks is still very much oriented towards internal activities. This despite the fact that in some cases more risk is 'imported' than produced by the financial institution itself. This immaturity is reflected in the control strategy for external partners: most organizations do not get much further than a 'right to audit' and (mis)using SAS70 statements to get some insight into the control maturity of their partners (more on SAS70 here and here).

The immaturity of the control strategy deployed for external partners is also reflected in the education curriculum for risk managers and auditors. They learn how to control the internal organization, while understanding how to exercise control over external partners is dealt with in maybe 10-15% of the course time. I expect this to change soon, with banks adopting a proper risk mitigation framework, as financial institutions and their clients are not waiting for a Madoff 2.0.

