Serious deficiencies in how the finance industry manages risk have been exposed in a survey, entitled "Survey of Risk Management Perceptions and Practice of Financial Institutions in Hong Kong" undertaken by the Asia Risk consultancy and Hong Kong Baptist University’s highly regarded Centre for Corporate Governance and Financial Policy.

And these shortcomings are by no means confined to Hong Kong, said Dr. Alan Waring, Asia Risk’s Chief Executive. “I notice this around the world.”

The 60 financial institutions including commercial and investment banks, fund houses and asset management companies responding to the questionnaire showed considerable confusion, contradictions and false assumptions among those responsible for assessing their organisations’ risks, the survey found.

Waring said that among the surprise findings was that respondents felt that whereas their own organisation was not subject to undue risk, they believed that this was not the case for the industry sector as a whole. “In other words, ‘We’re OK but the rest are not’.”

However only a small proportion of the respondents recognised some of the key codes and standards, such as the Sarbanes Oxley Act in the US and the Australia New Zealand 4360 Risk Management Standard. Too often, companies that did recognise these codes assumed they covered all significant risk, which was by no means the case.

Moreover, most respondents said that controls to counter fraud in their organisations were effective. But at the same time they said that risks involving human resources and recruitment were among the top three dangers. “Why would that be? If they think that people risks are adequately controlled in terms of fraud and keeping bad eggs out, why would they be so concerned about HR and recruitment? Something doesn’t quite add up there.”

In addition risk management issues cropped up when due diligence is carried out prior to agreements on mergers and acquisitions, initial public offerings and joint ventures. The risk aspects that are currently examined typically include finance and contractual matters. But the “people” risks of the entities concerned – the differing corporate cultures and management systems, for example – are not considered at all. “So you can end up with the very real problem of marriages made in hell.”

There were other mistaken assumptions among companies about risk management, Waring said. “It is generally recognised around the world that to embed a significant change in the culture of an organisation is going to take in the order of five to 10 years, This survey suggests that people think it can be done in a couple of years. Highly unlikely, it’s unrealistic.”

Commenting on the crisis at French Bank Societe Generale, where a rogue trader ran up losses far in excess of those of Nick Leeson, who brought down Barings bank, Waring pondered: “How is it possible, 12 years after Barings, to have a broadly similar situation arising in the same sector in another bank? It’s as if none of the lessons have been learned.”