Ron Petersen, The Navis GroupAs we contemplate the stunning revelations that have come forth from the Wells Fargo scandal, and the similar circumstances that seem to have been involved in the recent findings of the Consumer Financial Protection Bureau of unethical and fraudulent collection practices by the Navy Federal Credit Union, I am reminded of one of the paradigms that I discovered in my twenty years of experience in two major corporations dealing with ethics, integrity, compliance, and investigations. What further spurred this contemplation was a story in my local newspaper that reported that the former treasurer of the Bourne, Massachusetts Parent Teacher Association had been arrested for embezzling more than $25,000. In my current role as a consultant to the community banking industry, I constantly encounter the “it can’t happen here” response, and that the relative smallness of an organization provides some sort of shield from fraudulent, unethical behavior. The Bourne story, along with many others, proves beyond a doubt that fraud and ethical misconduct can and does occur anywhere. A basic principle that appears to be involved in nearly every fraud is what I have come to call the trust paradigm. First, let’s be clear; trust is an essential element in the culture of any organization. Managers and leaders must have trust in their subordinates and employees must have trust in management and leadership. Lack of trust in any area can create a toxic environment that can threaten the success of an organization. Organizations thrive on trust, but the other side of the coin is, so do fraudsters. Fraudsters trust you and your organization in many ways, including: · They trust that you will trust them, and not question them too closely about their work. · They trust that your Code of Ethics is just a document that your organization has because it is required, and that nobody pays it much mind. It exists on paper, but not in the heart and mind of the organization. · They trust that your whistleblower process exists on paper, but they don’t view it as much of a threat. They trust that whistleblowers will be ignored, or better still, retaliated against. · They trust that your internal controls are weak and unmonitored. · They trust that your internal investigation process is ill-defined, weak, seldom used, and ineffective. There are two approaches to addressing the trust paradigm. One is to become cynical of everyone and everything. Assume that all employees will commit fraud and that all anomalies are indicative of fraud. This, of course, is a non-starter. Most employees want to do the right thing, are ethical, and do not commit fraud. The toxic atmosphere created by a culture of non-trust would be devastating to the organization. Rather than cynicism, leaders and managers should develop an approach of “healthy skepticism” along with an overriding spirit of trust. Ask questions about anomalies in results in a consistent, non-judgmental way, and be sure that you fully understand the cause and results. In other words, turn over the rocks in the road when you find them every time. Encourage a speak-up culture, and take the concerns of your employees seriously. If you do these things consistently, your employees will interpret it as the actions of an interested, concerned and supportive boss, rather than the arbitrary actions of a cynic. Leadership can support the effective navigating of the “trust paradigm” by insuring that a genuine culture of integrity thrives in the organization. You will never be able to prevent all misconduct, but an effective culture can enable you to quickly identify aberrations so that you can address them promptly, before they can cause real problems. Here is a series of questions that we encourage the leadership in our client organizations to contemplate introspectively when evaluating the overall culture of integrity in his/her organization: · Is our Code of Conduct comprehensive? Is it written in plain English in a manner to provide meaningful guidance to our employees in making ethical decisions, or is it legalistic, arcane, and written more to protect the institution? · Do the board and the leadership team communicate the importance of the Code and the institution’s commitment to integrity in a meaningful and effective way and on a regular basis? · Is the board effectively and publicly invested in the integrity of the institution? Is someone on the leadership team responsible for reporting to the board on this issue on a regular basis? Does the board spend meaningful time on components of your integrity program? · Is our process for receiving employee complaints clear, accessible, inviting, and well-publicized, or is it vague, obscure, and discouraging? Can an employee who wishes to report anonymously do so with complete confidence? Can we truly say that we have a “speak-up culture”? · Do we have an effective investigative process where complaints and allegations are investigated promptly, professionally, and objectively? Are the consequences of our investigations applied consistently across the organization? Do our employees believe that we have “organizational justice”? · Do we provide effective and regular training across the organization reinforcing the Code of Conduct and our expectations of ethical behavior? These questions provide a starting point for the evaluation of your integrity infrastructure. If you pursue this exercise, other questions will undoubtedly arise. The Navis Team has the experience and expertise to help you navigate this process and to take effective action to tune up your infrastructure. Many of the institutions where we performed the COSO exercise had good “check the box” compliance with the integrity and governance principles (1-5), but that is not enough in the post Wells Fargo era. Regulators have already served notice that they will be searching for similar symptoms in other banks. With focused attention on the process described above, you can move your institution from a “fraud won’t happen here because we are small and local” approach to a “fraud is less likely here because of the persistent attention that we place on our culture of integrity and its underlying infrastructure”.
Ever since Y2K, the concepts of disaster recovery planning, business continuity planning, and now cyber-security response readiness have become constant points of focus for all of us in our institutions. As our firm has conducted table-top tests year after year, we point our clients to the action verbs in those three concepts: recover, continue, respond. Those table-top tests all seemingly come down to the basic elements of communication and decision making, regardless of the specifics of the disaster. Taking inspiration from Edgar Allan Poe and Stephen King, we have fashioned hurricanes, tornados, pandemics and chemical spills requiring immediate evacuation. We have burned down buildings and shut off electricity and communications everywhere east of the Mississippi. We have played out terrorist activities that severely impact the flow of commerce. We haven’t yet rolled out our Zombie Apocalypse or the invasion of New England by Quebec, but stay tuned. Interestingly, an additional “basic” element has been emerging. It seems that many different scenarios result in fear and uncertainty that create a short-term cash economy. We’ve all considered this haven’t we? And we have almost always recalled the George Bailey moment in “It’s a Wonderful Life” as he doles out a limited amount of cash to an angry and nervous community of customers. Allow me to pose this as a list of questions. In a cash rationing scenario ….. · How much cash do we have on hand? (branches and ATMs combined) · How would we move that around if normal security is unavailable? (if armored delivery is not available) · What’s the “number”? i.e. how much would you allow each customer per day, and for how long? · What about the safety of your staff as they execute this unpopular strategy? · If we don’t have access to balances, now what? · Do we understand the stand-in limits on our ATMs? · What if the ATMs can’t communicate with their underlying provider? · Can we shut off foreign transactions? i.e. non-customers? Would we want to? Would be allowed to? · Can we get more cash from the Fed and/or other suppliers? · What are their plans? · And so on and so on ….. One of the frustrations of business continuity planning is the vagary and seeming “black-hole”, “rabbit-hole” as you ponder various scenarios. But, BCP is about minimizing surprises and limiting the decision tree encountered under adverse circumstances, so here’s something very tangible that may be planned well in advance under calm conditions. We do know how much cash we have on hand, and we certainly know how many deposit customers we have and where they are located. It seems like an Excel moment to me. What-if analysis could easily use a daily allowable disbursement number as a variable and then calculate how long your institution could continue along that path. So why not do that in a quiet moment and add an appendix to your plan? This is no small suggestion. As we do these table-top tests and the subject arises, we spend a significant amount of time and resources speculating with no data in front of us. In a crisis mode, every moment may be precious, so proactivity beckons.
David B. Sidon CPA
The Navis Group
David B. Sidon: Gloucester, Massachusetts
The Navis Group was founded in 2003 by David Sidon, CPA. The Company is a New England based banking consulting group specializing in SOX/FDICIA/COSO, strategic planning, back-office efficiencies, business continuity tabletop testing, organizational architecture, and enterprise risk management.
Financial reporting controls integrity based on COSO guidance with respect to FDICIA/SOX requirements has been the key concentration for Mr. Sidon over the past decade, with more than 40 such projects completed, and with about half of those leading to the annual management of the COSO compliance effort. The COSO work has become the signature aspect of Navis’ branding and identity. Strategic planning is another element of concentration for Mr. Sidon, annually facilitating management and Board retreats and crafting the strategic planning documents emanating from those sessions.
Mr. Sidon is also recognized in the industry for his business continuity tabletop exercises. He has conducted full-day, full-immersion business continuity exercises for many banking associations including Massachusetts, Connecticut, New York, Maryland and Kentucky. Participants have survived hurricanes, ice storms, wide-scale electrical outages, pandemics and cyber attacks. At the individual bank level, tornadoes, fires, chemical spills, electrical outages, cyber breaches and terrorist threats have been played out. The exercises are part consulting; part improv theatre. Including freelance consulting work from 1998 to 2003, David has provided consulting services to more than 100 different institutions. The key descriptive word in that last sentence is “different”. Banks may all use checks that are rectangular in shape, but, after that, people, cultures, systems, geography, and complexity all contribute to a rich diversity institution to institution.
Personally, his credentials include a Bachelors degree in Business Administration (Merrimack College, as part of their initial co-op class), a CPA license, and a Masters degree in Finance from Bentley. After 13 tax seasons in public accounting and a brief dabble in private industry as a CFO, Mr. Sidon’s banking career commenced in 1985 as a young director at Gloucester Cooperative Bank. After starting out as the mortgage department (small bank - many hats - one man department) he eventually spent the last three years of his ten year tenure as CEO. In 1996, Mr. Sidon joined a larger commercial bank, Gloucester Bank & Trust, as CIO, running a three bank data center. After the BankNorth signs were installed on the GB&T building in 1998, his consulting career was launched; just in time for Y2K.
David managed Y2K readiness and testing projects for numerous New England banks, but also included work as far away as Guam. One of the interesting aspects of Y2K planning was that investment in banking technology was either escalated or delayed around that fateful and, as it turned out, uneventful date. System searches and implementation project management followed in the early years of the new century.
Mr. Sidon led a team that attempted to form, open and capitalize a de novo bank from late 2001 through June 2003, and although all approvals were attained, capital in the post 9/11 market recession was not adequately available.
On July 1, 2003, The Navis Group was born, soon moving into the newly emerging ERM (risk) disciplines, inclusive of technology and information security (GLBA) risks. He has assisted numerous client banks with risk programs, committee charters, risk appetite statements and risk metrics, regularly serving as a contributing member of client banks’ Risk Committees.
In addition to working with client institutions, Mr. Sidon has worked with the Massachusetts Bankers Association and Connecticut Bankers Association on various programs. For MBA, he facilitates a series of CFO forums and Risk Manager Forums. For CBA, as a faculty member of the Connecticut School for Financial Management, he instructs a risk class and serves as the driver of the financial simulation model underlying the school’s capstone resident session. For many associations, he has presented and facilitated ERM sessions and provided COSO-related education...
Kevin W. Nunes: Gloucester, Massachusetts
email@example.com / 978-423-7296
After graduating from Salem State College in 1984 with an accounting degree, Kevin joined the “Big 8” accounting firm of Arthur Andersen & Co., spending time in both the audit and tax divisions before leaving to join a division of ITT/The Hartford Group in Boston as a financial and reinsurance analyst. In 1991, Kevin joined Gloucester Bank & Trust Company (GB&T), where, along the way to becoming the bank’s CFO/Treasurer, he also ran the in-house operations center and was head of human resources. In 1996, Dave Sidon joined GB&T to develop its in-house systems processing excess capacity into a data center serving other financial institutions, beginning a long-standing association with Kevin that continues to this day.
In 2001, Kevin re-connected with David Sidon to become part of the core management team and the initial investor group for the formation of a de novo bank – Navis Bank – on Cape Ann, the precursor to the formation of the Navis Group in 2003. Kevin’s specific banking experience includes asset/liability management and liquidity planning, development of financial models for strategic planning and balance sheet modeling, bank regulatory compliance and investment portfolio management. As well his experience with forensic accounting and his background in audit and as a financial analyst lends itself to the work Navis Group does for its client banks, especially with respect to the FDICIA/SOX/COSO work that has become a mainstay of the practice
In 2001, Kevin re-connected with David Sidon to become part of the core management team and the initial investor group for the formation of a de novo bank – Navis Bank – on Cape Ann, the precursor to the formation of the Navis Group in 2003.
Kevin’s specific banking experience includes asset/liability management and liquidity planning, development of financial models for strategic planning and balance sheet modeling, bank regulatory compliance and investment portfolio management. As well his experience with forensic accounting and his background in audit and as a financial analyst lends itself to the work Navis Group does for its client banks, especially with respect to the FDICIA/SOX/COSO work that has become a mainstay of the practice