MF Global: We're Back to Auditing Strategic Risks

For those of us who traffic in corporate governance, MF Global is the gift that keeps on giving.

That's more than we can say for MF Global's investors, of course, who still await word on when they might ever see the $1.2 billion in customer money that vanished just before MF Global filed for bankruptcy on Oct. 31. But corporate compliance officers, risk managers, and chief audit executives now have a sobering new example to bring to the board of directors when arguing for more autonomy and resources.

All the gory details were laid out by MF Global executives—including the now-disgraced former CEO, Jon Corzine—in Congressional hearings last week. Corzine and the rest appeared first before the Senate Agriculture Committee on Dec. 13 and then the House Financial Services Committee on Dec. 15. The documents and testimony aired last week paint a picture that would make any compliance officer wince: a CEO, Corzine, convinced that his bets on the market were correct; risk managers pushed to the side for speaking their minds; sloppy record-keeping, leaving regulators to piece together where that missing $1.2 billion might actually be.

Poor tone at the top, no support from upper management for an independent risk and compliance function, weak internal control—it's all in there. Indeed, as you read through the filings, you can find just about every misstep for corporate governance that every consultant has ever warned about in the last 10 years.

As I read through the documents and testimony, however, one theme kept emerging: the apparent inability of the chief risk officer to raise concerns about strategic risks. Those concerns go well beyond warnings like, “The value of our European sovereign debt now exceeds the limit set by the board,” which MF Global's chief risk officer did give. Any CRO can do that, and he or she doesn't even need the fierce independence advocated by the U.S. Sentencing Guidelines to do so. These days, warnings that some risk has exceeded pre-determined risk tolerances are practically pro forma.

Strategic risks are an order of magnitude more serious; they require the CRO—or the chief compliance officer, or head of internal audit, or chief ethics officer—to go the CEO or the board and say, “This is a bad idea.” When I last broached this subject in October, speaking more about internal audit's role in auditing strategic risks, that led to furious protests from the Institute of Internal Auditors and others that a careless approach to auditing strategic risks would compromise independence.

But the fact remains that strategic risks are what boards worry about, and are what can bring a company to swift demise—as MF Global shows. Compliance and governance executives need a way to handle strategic risks if they ever want that fabled “seat at the table” to help steer a company to sustained success. That's just the reality of the situation.

MF Global had two strategic risks that I could find. First was the obvious, the $6.3 billion in European debt the firm purchased throughout 2010 and 2011. As we've noted before, MF Global essentially shorted that debt through “repurchase to maturity” deals, where the firm bought sovereign debt and then immediately sold it, with a promise to the buyer that MF Global would repurchase the bond on the day it matured. That scheme skirts the bounds of prudent financial reporting, and sure enough, regulators decided over the summer that MF Global should post another $150 million in capital reserves to cover possible losses.

In other words, MF Global had liquidity risk—which, for financial firms, is a strategic risk. The CRO should have had the power to go to Corzine and the board and say, “This plan means we need to set aside $150 million more in reserves, or we shouldn't do it.”

According to at least one published report, however, MF Global sacked its previous chief risk officer, Michael Roseman, when he raised questions about Corzine's bet on European debt. The new CRO, Michael Stockman, arrived at the start of 2011 and had no authority to voice concerns about the broader consequences of trades the firm was making. That is, he lacked the authority to ask about strategic risks.

But MF Global actually had a second strategic risk that long predated the European trades: its poor technology. Corzine himself admitted last week that MF Global was a “voice-based broker,” taking orders over the phone and not exploiting the lower costs of electronic trading technology. Competitors using that electronic technology charged lower commissions, so MF Global had to keep its own rates low, which led to a weakened financial position. Which led to executives like Corzine making big bets to catapult the firm back into a stronger position.

How did Stockman manage his job as CRO, navigating Corzine's quest to score big in the markets and bring MF Global back into the leagues of big players? How did Roseman manage his job as CRO, when poor technology put MF Global in a weaker and weaker competitive position? We don't know yet; House and Senate staffers reportedly grilled both over the phone last week, but neither was called to testify. But so far, evidence suggests that both men had to interpret their job narrowly—leaving those broad strategic risks to build up and finally overtake the firm.

I suspect that no standard formula exists for risk, audit and compliance executives to address the threat of strategic risks. At their core, strategic risks arise when a company decides to do something, and real human beings in the boardroom and the C-suite are the ones who make those decisions. Calling them out on possible mistakes cannot be easy. But the alternative, as MF Global shows, isn't much fun either.