Risk management failure in Romanian public entities – lessons after two recent fiascos

Romanian public entities are legally obliged to implement the Code of Internal Control, which imposes them to develop and maintain comprehensive risk management. Two recent events – the imprisonment of the president of the Financial Supervisory Authority and the penalty of 1 million EUR applied by the European Commission to OPCOM and Transelectrica – have cast a shadow on the effectiveness of risk management in Romanian public entities. Starting from these fiascos, this article examines some common sources of flawed risk management.

The Financial Supervisory Authority, in its guiding role for the Romanian non-banking financial system should have been the home of correctness, exemplary moral conduct and state of the art risk management. However, the harsh reality seems to be exactly the opposite: after only one year of existence, its first president has been imprisoned under charge of malpractice. Or, such a serious deviation in a central institution that is supposed to protect the soundness of the capital market, insurance market and pension funds indicates either the lack or the complete failure of its risk management.

It therefore becomes questionable if senior managers of the Financial Supervisory Authority – recently characterized by the country’s president Basescu as a ”cloacae” that ”must be cleaned” – have the moral authority to speak about risk management after having passively witnessed the misdeeds of their former boss. Senior members of the ASF are on the list of speakers at the conference “Risk management – from theory to practice” scheduled for March 12 at the Palace of Parliament.

The penalty of EUR 1 million, applied by the European Commission to energy trading platform OPCOM and carrier Transelectrica for continuously breaking European Union fair competition rules during the last five years highlights another serious ineffectiveness of risk management. It does not matter much if the senior management of these entities knew the rules and knowingly broke them or did not know the rules and committed unintentional infringement. There is clearly a failure of risk management in both cases. This is especially remarkable as it materialized through a fine imposed by a foreign EU authority and not by a domestic regulatory agency.

As risk management is a way to create value, any failure of risk management will destruct value in some way, through direct and indirect effects. For instance, an indirect effect of the mentioned risk occurrences is loss of reputation. The reputational risk is highly speculative; it is not so much a question of what an entity actually does or fails to do but mainly a result of the public perception. And it is not good when the public perception of an entity is shaped by penalties imposed by EU authorities or by actions of the prosecutors from the National Anticorruption Directorate.

Many risks are either created of amplified by a naive approach to risk management that tends to simplify or disregard complex interdependencies between desirable attributes of management systems. A common misconception deriving from lack of proper education in risk management is to assume that a risk methodology and internal procedures are sufficient in themselves to assure the control of all relevant risks. An even more damaging mistaken belief is to consider risk management as a box-ticking process or other mechanical application of a methodology that can be performed by anyone who passed introductory risk training.

While a flawed risk management could luckily provide a limited degree of prediction and control, it can be very effective in creating the illusion that risks have been fully controlled. Unfortunately, it does not take long for such illusion to crumble under the weight of facts. The Financial Supervisory Authority will always be remembered as the regulatory institution whose first president was imprisoned for malpractice. OPCOM and Transelectrica will remain in history as the first – and hopefully the last – Romanian public entities penalized by the European Commission.

The success of an organization highly depends on the adequate understanding of its risk environment and the effectiveness of its risk responses, which requires complex knowledge about many risk related fields as risk is more a cultural construct that an objective reality. For example, a common source of fallacy in risk management resides in a natural tendency of most people to display overconfidence in their skills or judgement or perceiving themselves as being above average in various activities.

As Kelly suggests (2007; p. 20), a “particularly vexing version” of overconfidence is evident “among individuals who identify themselves as experts” when they exhibit “lack of discipline in applying their knowledge outside their area of expertise”. For instance, argues Kelly, “a PhD in risk management may have a tendency to render expert opinions in fields beyond his specialisation (say, competitive swimming)”. Obviously, his opinion on swimming is not really an expert’s view but “because the individual has ‘expert credentials’ his view is judged by others as being more credible than other views”. A similar reasoning is equally applicable when experts in various fields (acknowledged or self-proclaimed) render expert opinions in risk management.

Examples of overconfidence include: 1) trainers without relevant credentials delivering formative courses for future risk managers based on simplistic official guidance for risk management implementation or 2) people with no relevant formal qualification in risk management publicly speaking on the subject on various occasions. The fact is that risk management has exhilarated the imagination of many with more or less proper knowledge about the subject, so it is wise to judge any statement on risk management with a critical mind.

Finally, the beauty of risk management is that an entity can contribute to its progress by performing in either the good way or the bad way. Those who give honest consideration to properly understanding and managing risk may see their businesses secured, efficiency improved, and reputation increased, thus possibly becoming positive case studies for students. On the contrary, those who see risk occurring with significant impact on their business become case studies for failures of their risk management.

By Gabriel Popescu, guest writer.

Gabriel Popescu is an independent consultant in enterprise risk management and business continuity management. He holds the International Diploma in Risk Management of the Institute of Risk Management. He is a Member of the Business Continuity Institute and a Fellow of the Royal Society of Arts.