The certification process—dealing with the personal risk of liability

Senior executives and officers in the financial services industry are often tasked with the responsibility of certifying processes in their respective departments. As the regulatory environment becomes increasingly complex, staying up to date on new legislation, evolving or new processes, and the corresponding internal controls can be daunting for any officer of a financial institution. This task is not to be taken lightly, as doing so may put the signing officer at risk of personal liability, should there be an overlooked error in the report. BDO's National Financial Services Practice leader, Sam Khoury, recently sat down with BDO Strategic Advisor, Gerry O'Mahoney to better understand these complexities and how to minimize the risks for the executive.

Gerry, what prompted you for the need to raise awareness of these risks?

Over a long career in a large Canadian Bank with a specific focus on the Wealth Management space I have certified many numbers, reports and declarations. However, it was while I was studying for the Chartered Director (C.Dir) designation from the Directors College (The Conference Board of Canada and the DeGroote School of Business at McMaster University) that I began to truly understand the significance of what I was doing each time I had put my “John Hancock” on all those documents.

In your experience, are there specific controls or criteria an executive should have in place before signing off on a particular process or report?

I have discussed this topic many times over the years and believe that every rational person who has ‘certified' or for that matter ‘assured' their CEO, the Board or Audit Chair of any number, completeness or compliance of any process or regulation has applied some criteria before making their personal declaration.

Have you developed a checklist or best practice to follow for these criteria?

The usual criteria we go through encompass some or all of the following:

1. Have I made this declaration before? Did I obtain any assurances at that time?
2. People: Do I have the right people running the function (Think of this as a “soft” control)?
3. Organization: Have we created the right structure in that area?
4. Segregation/Separation of Duties: Have we ensured that we have minimized the opportunity for inappropriate or fraudulent activity (Think of this as a “hard” control)?
5. Process: Have we implemented and structured our processing in a way that minimizes handoffs and rekeying? Have we documented same?
6. System: Has our system been proven, audited and certified that it operates as intended and contracted?
7. Compliance: Do we have a good process in place that keeps us updated and responsive to regulatory change?
8. Public Accountant Certification: We assumed that our auditors would do deep audits and provide the detailed certifications that we would rely on.

These seem like common sense steps to follow. Do they really need to be adhered to every time? What if the process being certified doesn't change from year to year? Do the same criteria need to be applied each and every time?

Often we become complacent, especially if we have previously signed that particular report. While this is very understandable it is fraught with danger:

1. If I made this declaration before the biggest questions are what has changed since then. Regulation is changing with ever increasing frequency.
2. Staff turnover rates are rising.
3. Structural/efficiency based restructurings are denuding companies of their higher paid seasoned trained staff and replacing them with poorly trained lower paid (inexperienced) contract personnel.
4. Systems are becoming more and more complex and changes are harder to implement and verify outputs.
5. Compliance staff are overwhelmed with the changes they are facing and augmenting overworked compliance groups with equally knowledgeable and committed people is almost impossible. This problem is further exacerbated by the lack of operational experience of compliance staff. In the past these staff came from operational departments, today they more frequently have a legal background with little or no experience of business processes!
6. Public Accounting firms' Audit Practices have reached a stage where they are relying on management's commitments on controls before they undertake the normal audit works. Some perhaps don't have the operational expertise to conduct the necessary reviews
7. Liability cases brought by shareholders and/or prosecutions by regulators in Canada has not been a common practice. Our neighbours to the south traditionally have been more litigious and their regulators more prone to seek high profile prosecutions but can we assume Canada won't go down the same track?

Thank you Gerry. It seems like there is a lot that needs to be considered as a signing officer in a financial institution and putting your “John Hancock” on anything can be a risky process.

Other articles in this series:
March 2016 - Irreconcilable Differences

For more information on the services BDO can provide to minimize the risks involved with the certification process and assist you in implementing tools to better manage these criteria and changing regulations, please contact:

Sam Khoury

Sam Khoury is a Partner and the National Financial Services Leader at BDO. He is an accomplished executive with over 20 years of assurance and risk advisory experience in the financial services industry. Sam specializes in providing independent assurance over critical processes and systems to satisfy key customers, suppliers and regulators. He can be reached at skhoury@bdo.ca or 416 369 6030.

Gerry O'Mahoney

Gerry O'Mahoney is a Strategic Advisor with BDO's Financial Services Practice. He has more than 30 years of global experience in the financial services industry specializing in Brokerage, Mutual Funds, Trading, Custody, Treasury and Corporate Banking Operations. Gerry is passionate about creating solutions in technically complex regulated environments. He can be reached at gomahoney@bdo.ca or 416 369 3065.