By Michael Crimmins, who has worked on risk management and Sarbanes Oxley compliance for major banks
As more news comes to light about JPMorgan’s inadequate supervision of its CIO desk, the source of its multi-billion-dollar losses, it’s clear an investigation of violations of Sarbanes-Oxley (SOX) is warranted. At a minimum, the SEC and/or the DOJ owe it to us to pursue a SOX-related enforcement action, and Congressmen and the public should demand one. SOX was passed in the wake of Enron to end the all-too-common “I’m the CEO and I know nothing” defense, and the CIO operation is looking more and more Enron-like with every passing day.
By way of background, here’s the certification that’s at the heart of Sarbanes-Oxley. A false certification carries civil penalties against the signatories and criminal penalties if the certification is fraudulent.
Management has completed an assessment of the effectiveness of the Firm’s internal control over financial reporting as of December 31, 2011. In making the assessment, management used the framework in “Internal Control — Integrated Framework” promulgated by the Committee of Sponsoring Organizations of the Treadway Commission, commonly referred to as the “COSO” criteria.
Based upon the assessment performed, management concluded that as of December 31, 2011, JPMorgan Chase’s internal control over financial reporting was effective based upon the COSO criteria. Additionally, based upon management’s assessment, the Firm determined that there were no material weaknesses in its internal control over financial reporting as of December 31, 2011.
The effectiveness of the Firm’s internal control over financial reporting as of December 31, 2011, has been audited by PricewaterhouseCoopers LLP, an independent registered public accounting firm, as stated in their report which appears herein.
Signed Jamie Dimon, CEO, and Douglas Braunstein, CFO
The certification also contains this qualifier.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
At first glance the qualifier looks like fair warning that, because of the inherent limitations in designing it, an internal control framework may not work perfectly. But JPM has designed its internal control system to meet the COSO standards, which are pretty comprehensive. There shouldn’t be much risk that internal control inadequacies can be attributed to poor design (or they would not have met the COSO criteria, making the certification invalid), so the disclaimer should be considered boilerplate.
What Risk Management Failures Should the SEC Investigate?
One key element of an effectively operating internal control system is having the people and systems in place to operate the controls. There were some critical staffing gaps in the CIO group at the time the 2011 certification was signed, which should make the SEC skeptical that the internal control processes dependent on these people were operating effectively.
The head of the CIO group was working from home, the CIO treasurer’s office was vacant (a fact which hadn’t been publicly disclosed), and limits procedures and controls were reportedly revised by staff that normally wouldn’t have that authority. The unit was apparently exposed to the classic ‘key man risk’ problem we witnessed with Jon Corzine at MF Global. If the risk committee didn’t acknowledge this particular risk and design a process to mitigate it, then the risk committee’s role in the internal control framework is also up for review. The fact that the former AIG risk head was a member of JPM’s risk oversight committee raises some eyebrows. Given that in 2011 the CIO contributed over 20% of the bank’s profit, it was a significant operation and warranted close monitoring. It would constitute an egregious internal control breakdown, NOT an egregious ‘mistake’, if any of these people risks were not adequately mitigated.
There has been a lot of reporting regarding the replacement of the Value at Risk model after the disclosure of the London Whale’s position in March 2012. I’d like to focus on two areas where the VaR restatement impacts SOX.
If the model was replaced in 2011, then the adequacy of the model review process impacts the 2011 internal controls certification. The pricing and risk model review process is a key internal control. If it turns out that the replacement model was implemented before December 31, 2011, then the controls certification will need to be reviewed in light of the events of April. Note that JPM may try to point to the disclaimer, but I doubt they could successfully argue that the VaR model’s inadequacy only came to light as a result of subsequent events without looking incompetent.
The second issue is that VaR by design does not measure tail risk. Yet JPMorgan has said that the CIO’s role was hedging tail risk. Thus VaR would be incapable of measuring the riskiness of the bets the CIO was taking. Any references to the VaR for this portfolio by JPM are misleading and disingenuous. As a result, it is hard to accept that publishing a VaR for the portfolio would satisfy the SEC’s risk disclosure requirements.
If JPM’s explanation that the CIO portfolio was designed to hedge tail risk is true, then the hedges against those risks would presumably be way out-of-the-money, low-volatility hedges. The risk of a portfolio like that would not be captured in the VaR. A significant price change on the hedge would be a rare occurrence, and VaR only captures the risk expected under normal market conditions.
Since the loss was announced and JPM reinstated the original model, JPM has made reassuring comments that even though the old model produced a risk figure that was twice the size of the new model’s, none of the losses it experienced in the first quarter exceeded the VaR. However, they also announced that in the first 13 days of April they experienced $2 billion of losses. If by some miracle those losses are distributed in such a way that they fall below the VaR on each day they experienced a loss, JPM may be able to avoid explaining to its investors that VaR is inherently incapable of measuring the risk of tail hedges in the CIO portfolio.
The SEC should immediately demand that JPM publicly disclose a risk estimate of the underlying tail risks these ‘hedges’ are designed to offset. Presumably these estimates are provided to the risk oversight committees, so they should be available to the regulators.
The overarching key control SOX imposes on corporations is honest disclosure.
Since the CIO losses were disclosed, Dimon has taken a lot of liberties with the English language. He has repeatedly described these positions as hedges, yet the accounting rules JPM is obliged to use for their public reporting and disclosures emphatically define the transactions as NOT hedges. The accountants at JPM have to report these transactions as trading positions, in spite of their chief’s mischaracterizations in his public comments. Dimon’s gotten around this conflict by coining a fictional financial term, an economic hedge. I haven’t seen anyone call him on the use of this bogus term, but the SEC should be pointing out that no such term exists in their vocabulary. Doubly so since Dimon apparently interprets the Volcker rule’s hedging exemption to apply to these undefined ‘economic hedges’.
He also avoids labeling these transactions as trading positions by referring to them as ‘economic hedges’ to
manage structural and other risks including interest rate, credit and mortgage risks arising from the Firm’s ongoing business activities. (Per the March 30, 2012 10Q)
Yet there is no definition of ‘structural risks’ anywhere in the 10Q. Again the SEC seems strangely incurious about the definition of the term even though everyone is dying to know just what risks he’s talking about.
The poor language choice that I think is going to give JPM the most trouble is Dimon’s reassuring statements to the markets that the reserves that have built up in the Investment portfolio have been and will continue to be mined to cover the losses in the CIO trading portfolio. These positions are reported in the financial statements as Investments and receive favorable accounting treatment because they are meant to provide liquidity protection for depositors in the event of a market shock.
From a SOX perspective the financials have been misstated for the entire period the firm viewed these as part of the CIO trading portfolio. From a depositor’s or regulator’s perspective the intended use of that portfolio is alarming.