The release of the information about the horrendous manipulation of customer trust in order to achieve banking sales goals and bonuses has been well covered in the media. There has been concern that the fine is too light, especially considering the vast profits made last year, but what hasn’t made the news is the hidden costs of cleaning this mess up.

You’ll know from your own organization that replacement of one key employee is hard. Imagine having to replace upwards of 5,000. Outside of recruiting there’s loss of productivity, errors based on lack of experience, and training[1]. All this ranges from 16-200% of salary, and I would assume those costs will exceed the size of the direct fine.

The really big cost will be to ensure adequate future governance and compliance and will probably dwarf all of the above costs.

There seems to have been a failure of the three legs of the GRC concept:

  1. Risk
    Without Risk there is no need for Governance, nor Compliance. Clearly, with hindsight, there was a risk that it was possible for this type of activity to be carried out (I would have thought “Big Data Analytics” would have identified these patterns, but that’s another story). I suspect the risk that bank staff would fraudulently open accounts has been around for a long, long time.
  2. Governance
    In the form of bank regulations, internal policies and procedures, and management supervision – All these were likely present, but appear to have been ineffective or not complied with.
  3. Compliance
    It would not be unreasonable to expect that periodically all staff would have been required to review the rules of their business and to attest to their compliance with those rules – if so, wouldn’t a match-up of complaints with the attestations have raised a few alarms well before it reached the magnitude of wrongdoing that has been published.

The apparent failure to tie these three components together with the data that has probably been available in the incidents/complaints made suggests that more emphasis should be placed on developing, recording and assessing change in KRI’s (Key Risk Indicators) and KPI’s (Key Performance Indicators) to head off this type of situation before it blows up.