Professional Diligence and Integrity: Lessons from the Wells Fargo Case for Risk Managers and Internal Auditors

 

The recent decision by the Office of the Comptroller of the Currency (OCC) against former Wells Fargo executives underscores the importance of professional diligence and integrity in risk management and internal auditing. This case highlights how failures in monitoring improper practices can lead to severe penalties, impacting both the company and its executives.

The OCC investigation revealed that Claudia Anderson, who served as the Community Bank Group Risk Officer, failed to adequately challenge the bank’s incentive program, neglected to implement effective controls to mitigate the risks of improper sales practices, and did not escalate known risks. Additionally, she was found to have provided false or misleading information to regulators during 2015 examinations. Former internal auditors David Julian, Chief Auditor, and Paul McLinko, Executive Audit Director, also failed to design effective audits to detect and document irregularities and did not properly escalate issues. In McLinko’s case, there was an additional concern regarding his compromised professional independence due to his close relationship with the bank’s retail division.

To prevent such scenarios, risk managers and internal auditors must operate with technical rigor, independence, and integrity, ensuring that internal controls are effective, and that risk oversight and escalation mechanisms function appropriately. Professionals in these areas need the courage to challenge policies and practices that could compromise governance and expose the organization to financial, regulatory, and reputational risks. Furthermore, it is crucial that they are embedded in a corporate culture that prioritizes transparency and compliance, thereby reducing their own exposure to potential penalties.

The Wells Fargo case serves as a critical warning: governance failures and oversight negligence can lead to severe legal and reputational consequences. For professionals in risk management and internal auditing, the lesson is clear— 
complacency and negligence are not options. A proactive and vigilant stance, grounded in best governance practices, is essential to ensuring that business decisions are made with ethics and responsibility.

Questions for Reflection:

1. How can corporate governance strengthen the independence and effectiveness of risk managers and internal auditors?
2. In what ways can companies foster a culture of transparency and compliance to mitigate fraud and irregularities?
3. What challenges do audit and risk professionals face when attempting to escalate critical issues within an organization?
4. How can companies ensure that incentive programs do not pose risks to organizational integrity?
5. What steps can professionals take to develop a more critical and proactive approach to risk identification and mitigation?

In future articles, I will explore these questions in greater depth. For now, I leave you with this thought:

Are you comfortable with how you are currently managing risks or conducting audits? Do you feel supported in questioning company practices that could pose governance, integrity, or reputational risks?

Be Happy!

The Importance of knowing How to Use Performance and Risk Indicators

By Eduardo Pardini

The success of an organization is not a matter of chance; it results from a well-structured set of practices that ensures its sustainability and growth over time. Among these practices, effective corporate risk management stands out as a critical component. However, for this management to be truly efficient, it is essential to have a monitoring system based on well-defined indicators.

Although much has been said about the importance of KPIs (Key Performance Indicators) and KRIs (Key Risk Indicators), significant doubts remain about when and how to use them effectively. This confusion is understandable, as both types of indicators have different yet complementary purposes:

• KPIs: Performance indicators that measure progress toward the organization's operational or strategic objectives. These measure the past, the results achieved, or risks that have already materialized. They are reactive, as management acts based on them to redirect activities and/or address the measured risk factor.
• Example: The sales conversion rate is a KPI used to measure the efficiency of a sales team in turning opportunities into actual clients.
• Another Example: The percentage of interest paid due to late payments to suppliers compared to the estimated residual risk and/or the acceptable risk level defined by the organization's risk appetite.
  
• KRIs: Risk indicators that provide early warnings of potential threats that could adversely impact the achievement of objectives. These are proactive indicators, anticipating future risks before they materialize.
• Example: An increase in household debt is a KRI indicating a potential risk of reduced planned sales levels.
• Another Example: Possible pressure on production costs due to a drought in the commodity-producing region, impacting the final product price.

Clearly distinguishing when and how to use these tools is crucial for ensuring that the organization has a holistic view of both its performance and the risks it faces.

The Strategic Role of Indicators

Simply implementing indicators is not enough; they need to be strategically selected and monitored. This means that each indicator must align with the organization's operational reality and strategic planning. Intelligent use of these tools is what differentiates prepared and insightful organizations from those caught off guard by unexpected risks or unattainable goals.

By monitoring KPIs, an organization can assess whether its goals are being achieved and identify opportunities for improvement. On the other hand, KRIs help anticipate and mitigate threats before they materialize, safeguarding the results already achieved.

Sustainable and Lasting Success

When properly applied, the combination of KPIs and KRIs is not merely a recommended practice; it is an indispensable condition for ensuring the sustainable success and longevity of an organization. These indicators enable companies not only to monitor their operations but also to act proactively in response to risks and opportunities.

Thus, by adopting an indicator-based approach, organizations strengthen their capacity for anticipation, enhance their resilience, and achieve consistent results over time.

Final Reflection

I invite you to reflect: Is your organization using KPIs and KRIs in an integrated and strategic manner? If not, it might be time to reassess your monitoring processes and tools. After all, the future belongs to companies that know where they are and where they are going—without losing sight of the risks along the way.

The Role of Internal Audit in Corporate Longevity

Internal audit plays a crucial role in maintaining the sustainability and longevity of a corporation. 

To understand this, we must first identify the main reasons why companies fail, drawing on the insights of Professor Jim Collins, widely recognized for his work in business management and leadership. Collins' research explores the reasons behind corporate failure, providing an in-depth analysis of the factors that lead once-successful organizations into decline. Based on his findings, here are the key factors:

1. Arrogance of Success

Prolonged success can lead to complacency, where leaders believe that their size guarantees continued success. This overconfidence often causes warning signs to be ignored, leaving the company vulnerable to market changes and new competitors.

2. Uncontrolled Growth

Pursuing growth without solid strategic planning is risky. When strategy is misaligned with the organization’s mission, efforts and capital are often misapplied to activities that do not create value within the company's purpose. This can lead businesses to exceed their risk appetite. Expanding without focus or entering markets without proper preparation compromises the company’s foundation, risking a loss of control over resources and processes.

 3. Loss of Focus on Core Competencies

As companies diversify, they often lose sight of what initially made them successful. Neglecting their core competencies can diminish their relevance in the market and weaken their competitive position.

4. Denial of Reality

Companies fail when they refuse to acknowledge real problems, choosing instead to remain in denial. Rather than addressing issues and adapting, they persist with ineffective practices, worsening their situation. This is particularly evident when there is no structured, integrated risk management process in place.

5. Erosion of Organizational Culture

The loss of a strong corporate culture can weaken internal cohesion and demotivate employees. A lack of alignment between the company's mission, culture, and organizational values is often an early warning of imminent decline.

6. Lack of Innovation

Companies that do not innovate become stuck in the past, while more agile competitors take their place. The lack of innovation is not limited to products but also extends to how the company operates and responds to change. In an era of disruptive innovation, the pace of change can outstrip a corporation's ability to adapt, creating a significant gap that erodes competitiveness.

The Role of Internal Audit

In this context, internal audit plays a vital role in preventing corporate decline. Rather than focusing solely on identifying faults or assigning blame, its primary function is to pinpoint opportunities for improvement in governance, risk management, and internal controls. To achieve this, auditors must shift their mindset from reactive activities, such as merely finding errors, to a proactive approach that looks toward the future and seeks opportunities for enhanced performance.

Internal audit helps the company maintain focus on its core competencies, assess growth strategies, and promote innovation with security, ensuring that the organization avoids pitfalls like arrogance or negligence.

By continuously, independently, and impartially monitoring operations and strategic decisions, internal audit provides valuable insights to management, helping them confront reality and take corrective actions before problems escalate. In this way, internal audit becomes a key ally in ensuring the sustainability and longevity of the organization.

Stay happy!

Road Map for the annual internal audit plan based in risks

The annual audit work plan is a very important tool for the effectiveness of internal audit activity, especially when it is based on a view of corporate risks, which impact operational processes, which are segments of the business cycles of the corporation and drivers of the organization's efforts and resources to fulfill its mission, resulting in value creation for the related parties or stakeholders.

The audit plan aims to optimize audit resources (available time and travel budget), with its ability to bring gains to the organization by carrying out performance assessments, legal compliance or financial audits.

In this figure, I summarize the stages necessary for the construction of an annual plan that meets all the value creation needs, by internal auditing for the corporation.

Remembering that this process of creating an annual plan can and should be used by internal control specialists, as the principles are the same. 

I would just add the following comment - If the corporation has two areas, internal audit and internal control, the best thing is to create synergy between the two, and the basis is in the construction of the annual plan, so that, once the audit work plan has been approved, the internal control area prepares its own considering the processes and/or objects that are not part of the audit plan, in order to avoid shadowing ou duplication of efforts, and, in addition, to increase the scope of the processes and/or activities evaluated. 😉