‘Damaged Reputation The Biggest Risk’

In the wake of the ever-changing regulatory environment, risk-data aggregation is becoming increasingly complex and arduous. Also, with the increasing requirements for compliance by companies and financial institutions. Thomson Reuters Risk Business managing director Phil Cotter walks BW Businessworld’s Clifford Alvares through the need for a proper risk management system. Edited excerpts.

What are the various types of risks that banks and companies are faced with these days?
In doing business with a third-party, whenever and wherever, an element of risk always presents itself. All sorts: financial risks, regulatory risks, reputational risks, supply-chain risks, competition risks, changing situation risks, risks of not knowing your customers, and so on and so forth.

The biggest risk perhaps for any organization is damaged reputation. This is associated with poor risk-management practices, which is feature of corporate governance, and whether the proper risk controls are in place. Banks are not the only ones to face such risks, even companies face these risks. And risks can turn out to be very, very expensive, with wide and massive ramifications.

But there are risks at all levels; clearly you cannot avoid them.
It is about managing risk, not avoiding it. Getting out of bed every day is a risk; who knows what might happen. The art of risk management is setting out goals and objectives and, within that defining the kin and amount of risk you are prepared to take. Then you have to ensure have appropriate controls. Risk management is what actually makes a company sustainable.

Clearly, in companies with a large number of people, not many be working in the firm’s best interest, though that is very difficult to assess. If the right kind of controls and capabilities are in place, you should be able to identify such behavior more rapidly than if you don’t have them. People always find ways to be beat the system, but if you can make life more difficult for them, then obviously, it can cost them.

In which areas do companies and banks need to manage risk?
After the 2008 economic crisis, banks needed support to meet the new regulations particularly in areas such as money laundering, bribery and corruption. Besides, they need to understand the whole complexity of the regulatory environment. We have also found that what we do is relevant to large corporations also. The risk supply chains have risen. Money launderers can use supply chains to launder money, and, hence companies have to know well their customers: individuals and companies they are dealing with.

Could you elaborate on the risks associated with supply chains?
Money launderers use the supply chain to launder money. If you are a drug smuggler and you want to get your dollars back from the US to Mexico in pesos, you could buy a company exporting chickens to the US, and then use that as a means of laundering your money into Mexico. So understanding who you are dealing with is becoming increasingly important. Of course, it is not just criminals. Terrorists also use money laundering to finance activities. Hence, companies globally can find it becoming complicated very quickly because of the number of areas they operate in. Domestically, too, there is a need for information to evaluate customer-supply chains, and assess the risks involved.

How can banks improve their risk management systems?
The first is there is an increasing need to know who you are doing business with. Governments around the world are trying to clamp down on money laundering; prior to 2008, banks were used by criminals, drug and arms smugglers, and people involved in human slavery.

It’s not good enough just to check their documents, you actually have to check the source of them, screen them against databases to see whether they have actually been associated with financial crime, whether they have been sanctioned by a government somewhere.

We also collect regulations from 700 regulators around the world. Our experienced lawyers and ex-regulators analyze these regulations and provide our customers with an analysis of the various regulations. Last year, we recorded 50,000 updates in regulations. So you can imagine if you are a global bank and are operating in 20-30 countries, you have to manage all those complexities.

Many Indian banks are faced with NPA problems. How can this be rectified?
GNPAs are an issue. Early warning signs that a company may be getting into trouble are increasingly needed to make sure action is taken earlier, before loan defaults. We obviously have a huge amount of information about companies. We can take that information and identify things that may indicate that a company is experiencing financial stress. This is another way to manage the NPA issue. Once you recognize a problem, you can act sooner.

Banks are tightening up their credit processes and trying to find ways to manage those companies that are sinking into trouble. The earlier you can intervene, the better you can work with customers to find ways of preventing NPAs. This helps the collection effort.

Domestically, banks are going digital. Do you see this as another area for a risk-assessment perspective?
The move towards digital economy is the right step, but it brings with it a new set of risks. This means there has to be significant investment within banks and others providing services on a digital basis to make sure that it is automated and smooth.

In India, know-your-customer has been the focus for some time. How can this be improved?
MBanks are looking at things they can do to understand their customers, not just from a risk exposure, but also to be able to provide them with better service because these checks can also take quite a lot of time. It can take several weeks to open a bank account. We can provide the vetting. We do actual validation of a document. We see whether individuals or companies have been associated with any crime the bank need to be aware of as a part of its own risk management.

We have over the years built a database of what we call high-risk businesses and individuals. That builds another layer of due diligence.

Also, Banks are required to report to the authorities what is called a suspicious transaction when they have reason to believe that the company or individual they are doing business with is acting suspicious; so, it’s imperative that they have this level of information.