The main events that triggered the loss at the bank

All types of operational risk can be traced back to four root causes. In the case of Caforilus, these causes and events are explained below:

1. People

In the case of Caforilus, it was people who triggered the loss. The Sales & Marketing Director, Mark Hughes, was involved in a fraud that could not be identified by either the operational risk department or the finance department. There was also a lack of understanding between the different levels of staff, who were not competent to understand the fraud.

He was not regarded as a potential risk because he always came with different offerings, such as FA Cup tickets. It was quite easy for him to deceive all his top management by maintaining good social relationships, which should not have happened; top management should have maintained a line between professionalism and social life. Vincent H O'Neil (2009, p.62) said that “At all levels, the institution's management must actively discourage the pursuit of short-term gains that violate the institution's rules or risk management fundamentals.”

Apart from that, when Helen took the case of potential fraud to the Chief Internal Auditor, Keith Garret, she did not take it seriously, simply because of the false reputation Mark had created at the bank. Mark's attitude towards the lower staff was the complete opposite of his attitude towards top management. This shows his lack of professionalism and weak ethics at work. As stated at the end of the case study, there may be other people involved as well, because a fraud of £8 million cannot go that smoothly without the help of others.

2. Process

The company's whistle-blowing policy was not clear about what to do when a senior or top-management person is involved in a fraud. The policy should explain and cover every level of the bank's staff, because most big frauds are committed at the upper management level. Also, none of the internal control departments could identify the fraud committed by Mark. There should have been checks and balances in place, such as daily checks on every transaction made, reconciliation, counter checks and approval checks, and no one should be exempt.

The finance department should have identified the false companies created in the names of Mark's relatives, despite Mark's position.

3. Technology

No technological event triggered the loss at the bank.

4. Environment

The environment at Caforilus PLC was not suitable for many reasons. The relationship between different levels of employees was not good; in Helen's case, Mike did not treat her well, and he was famous for bullying the lower staff. That is why Helen was looking for another job, which is not good as it increases turnover. In the case study, the Internal Chief Auditor also rejected Helen's request for an enquiry without investigation, just because she was complaining about the Director of Sales and Marketing.

The overall risk culture of the bank was not on the right track because there was no appetite for risk. There was no difference between professionalism and social life, as all the higher-level employees were easily deceived by Mark. When Helen tried to investigate Mark, nobody supported her except her friend and an officer from the fraud department.

The actual/potential impact of the fraud on the bank

The major impact of this fraud was that Mark was running away with £8 million and nobody even had a hint about it, which shows the inefficiency of the bank and the weakness of its risk control. This would impact the reputation of the bank to a great extent and also lower the morale of the staff at the bank, because Mark was given so much importance over all of them by the top-level managers and in the end he turned out to be the culprit. If Helen had not accidentally seen those invoices, it would have been a disaster for the bank.

Another aspect of this is that Mark was also destroying the organizational culture of the bank, as he was bullying his employees, which could affect their morale and performance. Also, if Mark had run away with the proceeds of the fraud, the lower-level managers would have been targeted by the bank, because they were at the operational level. Investors would have lost interest in the bank, because a bank that cannot handle its internal risk shows inefficiency when it comes to managing capital.

Operational risk management framework at Caforilus PLC and steps to improve it

Risk strategy

There was no effective operational risk strategy followed by the bank, as the case study shows no appetite to mitigate this kind of risk. Sumit Paul-Choudhury (2000, p.24) said that “It has only been in the past few years, however, that the industry has recognized that some important pieces of the puzzle are missing. For all their skill at managing the kinds of financial risk that make their counterparts in most other industries blanch, risk managers in the financial services industry have much to learn about some more commonplace risks”. The same happened with Caforilus: they were not prepared for operational risk, and that was where Mark was able to exploit the bank. There must be a clear definition of risk for the institution, and it should be communicated to every person in the organization so that there is a risk culture.

According to BASEL 2 pillar two (736), “The failure to properly manage operational risk can result in a misstatement of an institution's risk/return profile and expose the institution to significant losses.” The statement certainly emphasizes the importance of having a solid operational risk strategy within the organization, which in the case of Caforilus is not there. They were not able to identify the fraud committed by Mark; luckily, Helen saw the invoices and started investigating herself, although she was from the marketing department. If the bank is to identify risk, there should be a proper strategy in place.

Risk identification

Risk can only be identified if there is a proper risk strategy, which can include controls and checks on a daily basis. There was no such system at Caforilus; the transactions made by Mark were never checked and reconciled, just because he was Director of Sales and Marketing. When Helen told her suspicion to the Internal Chief Auditor, she replied that Mark can handle the department's budget on his own and he has the authority over it. Yes! He has the authority, but the bank should put measures in place to identify the risk that originates from such high levels of authority. There was no risk identification strategy for people in top management like Mark.

Risk analysis

There was no clear understanding of risk at Caforilus. No responsibility was shown when Helen talked to the Chief Internal Auditor and other people. There was no accountability, such as daily checks, and no appetite to analyse risk and report it; it seemed as if they were all hypnotized by Mark.

The risk management staff should have shown responsibility and should have caught Mark before Helen did, because it was their job to analyse risk at every level and report it.

Risk Control and Mitigation

There was certainly a lack of activity monitoring. Everyone was happy with the way things were happening because they never even considered that Mark could be a fraudster. This is where the controls were breached, and there were no controls as such to mitigate risk at the bank. No daily checks were done and there was no proper reporting of events, which is why Mark was able to create a miscellaneous account and pour the bank's money into it. The bank was not even aware of which companies Mark was dealing with. Mark was able to pay invoices from the bogus companies created in the names of his relatives.

Measurement and monitoring

Every process in the bank must be measured and monitored on a daily basis. But in the case of Caforilus, there was no such measurement and monitoring. The internal audit staff should check the accounts on a regular basis to monitor the different trends, because it is their job.

Risk reporting

There was not a single hint of risk reporting in the case study. If Helen had not looked at those fake invoices and identified the miscellaneous account, things could have been worse. This risk should have been identified by the finance or audit department and reported to the higher authorities. The risk department should have ensured that reporting was done properly and regularly.

Critical Analysis of cultural and ethical framework and how to improve it

The cultural and ethical framework at Caforilus PLC was never satisfactory. First of all, the behaviour of Mark towards his junior staff members was unacceptable, and that is why Helen was searching for another job as well. He used to bully his junior staff. On the other side, Mark's behaviour was completely opposite towards his senior colleagues. He was famous as a problem solver, a good guy and the one who gets things done. He also used to get them football tickets and other entertainment.

Well! This culture surely cannot be a risk-aware culture. Mark should not have been allowed to bully junior staff, and the senior managers should have kept a line between professionalism and social life. Clearly, no one among the higher authorities was aware of what was going on in the bank. No ethics, no professionalism, no monitoring; everything was going wrong.

Caforilus PLC should develop a strong banking culture, where there is equal opportunity for every staff member to grow and where they are treated in a good professional manner. Emphasis should also be placed on developing a relationship between the bank and the staff. These measures can help boost employees' morale and will help the bank to grow.

On the risk management side, risk must be well defined within the bank. There should be a proper risk management strategy which includes all the important aspects of managing risk at the departmental level as well as the managerial level, so that nobody is excused.