Knight Capital’s filings reveal scant oversight focus on tech risks for board
By Emmanuel Olaoye
WASHINGTON, Aug. 3 (Thomson Reuters Accelus) – Knight Capital Group’s public filings show that the company viewed technology systems among significant risks faced by the firm, but the duties outlined for its seven board members do not specify oversight of technology as a factor that could derail it, a threat the company now faces.
A $440 million trading foul-up blamed on software, which comes after problems with Facebook’s initial public offering and the Flash Crash of 2010, has put a renewed focus on the level of risk posed by technology.
Oversight of technology risk is not commonly specified as a board responsibility in financial services firms, but that may need to change as the consequences of failure in financial services firms rise, some analysts said.
“If you go back 10 years ago there was no risk committee on these boards. Now all of a sudden everybody has a board-level risk committee. As things happen what you are going to see is maybe we should be looking at these other issues too,” said Bernard Donefer, a financial technology expert and associate director of the Subotnick Financial Services Center at Baruch College in New York.
Knight Capital is fighting for its survival after it announced on that trading problems caused by a glitch in newly installed software would cost it $440 million and wipe out much of its capital.
The company, which acts as a market maker for buyers and sellers of securities, said the technology breakdown was caused by the installation of new trading software, which led to the company sending out numerous erroneous orders in NYSE-listed stock into the market.
On Friday the firm remained largely absent from its usual job of buying and selling stocks. At least one private equity firm had signed a non-disclosure agreement, a signal that it was looking at Knight’s books for a potential acquisition or investment. Other private equity firms said they would be looking at Knight.
SYSTEMS FAILURES SEEN AS THREAT
Knight acknowledged the seriousness of potential technology risks in its 2011 annual report.
“Capacity constraints, systems failures and delays may occur in the future and could cause, among other things, unanticipated problems with our trading or operating systems, disruptions in service to our clients, slower system response times resulting in transactions not being processed as quickly as our clients desire, decreased levels of client service and client satisfaction, and harm to our reputation,” Knight said.
“If any of these events were to occur, we could suffer substantial financial losses, a loss of clients, or a reduction in the growth of our client base, increased operating expenses, litigation or other client claimed regulatory sanctions or additional regulatory burdens,” it said.
Knight’s chairman and chief executive officer, Thomas Joyce, told Congress that Knight Capital deployed some of the world’s most sophisticated trading technology to execute client orders. He told lawmakers that trade execution was better than ever.
“Remember that during the course of the last few years, with the exception of two notable exceptions, the equity markets worked flawlessly,” Joyce told Congress in June, referring to the flash crash and the Facebook IPO.
Nevertheless, Joyce endorsed new standards for market makers, including stricter capital requirements.
MEETS TO CONSIDER SIGNIFICANT RISKS
Knight Capital’s 2012 proxy statement said the company’s board and its committees met regularly to consider “significant risks” facing the company,” but it did not specifically cite technology as a risk in that context.
The primary responsibility for managing operational risk lies with operating segments, Knight said in its annual report. “As new products and business activities are developed, we endeavor to identify operational risks and design controls to seek to mitigate the identified risks,” it said.
Top company executives with responsibility for risk management, according to the proxy statement, include Chief Financial Officer Steven Bisgay, who was charged with “enhancement of the company’s overall risk management infrastructure.”
Others with risk management responsibility included were Senior Managing Director George Sohos, head of market making, executive vice President Steven Sadoff, head of operations, service and technology, and senior managing director Alan Lhota.
In addition to CEO Joyce, six independent directors sit on the board. Among them is James Lewis, a former Morgan Stanley executive who had served as head of Morgan Stanley’s risk management committee. Board member James Milde, a former top technology executive with Sony Electronics and Pepsi Bottling, had “significant knowledge and understanding of matters related to information technology, an important area for the Company and its businesses,” the proxy statement said.
Management, the statement said, had a process in place that it used to “identify, analyze, manage and report” on all significant risks facing the company.”
“In performance of risk oversight, the board and its committees receive reports and regularly meet with the company’s chief executive officer and other senior managers on significant risks facing the company, including enterprise, financial, operational, legal, regulatory and strategic risks. The independent board members also discuss the company’s significant risks when they meet in the executive session without management,” it said.
Knight does not list a risk committee by name. Among the duties of the finance and audit committee are oversight of “risks relating to the financial statements and financial reporting processes, as well as key credit risks, liquidity risks, market risks, compliance risks and risks arising from related person transactions, and the guidelines, policies and processes for monitoring and managing those risks.”
A spokesman for Knight Capital asked for questions regarding the company’s risk management policies to be submitted by email but did not immediately respond. Attempts to reach Milde and Lewis for comment were not immediately successful.
Francis Byrd, leader of the corporate governance risk practice at Laurell Hill, a shareholder advisory group, said a board’s responsibility was to oversee risk and ensure that it understood the firm’s exposure. Even if directors have no direct experience in the financial markets, they should be able to ask the right questions, he said.
When trying to limit technology risk, it doesn’t matter how often a board meets if the firm fails to conduct enough monitoring and testing of its technology systems, said John Alan James, professor at Pace University’s Lubin School of Business.
“Again it comes back to how it is managed. It depends on how high a profile the CEO put on this,” James said.
Boards are generally concerned with credit- and market risk, said Baruch’s Donefer. He said it would be unusual for a board to have a risk management process that specifically dealt with technology risk.
“When they look at technology it becomes a lot harder to try to figure out exactly what is the risks that you are looking for. I would not expect the board to look at that level,” he said.
But going forward, technology may be part of the risk management responsibilities of financial company boards, he said.
Securities and Exchange Commission staff were accelerating their efforts to require exchanges and other market centers to have specific programs in place to ensure the capacity and integrity of their systems, SEC Chairman Mary Schapiro said in a statement.
The agency is also planning a roundtable in the coming weeks to discuss further steps to addressing technology failures.
The Knight Capital trading problems coincided with the rollout of a new “retail liquidity program” by the New York Stock Exchange for handling trades from retail investors.
NYSE president Duncan Niederauer told analysts in an earnings call that the exchange’s software was not a factor, and that users since January had been testing the new system, including Knight. Joyce had done an admirable job of coping with the situation, he said.
A firm could have all the necessary precautions and still be wiped out by a major development, Byrd said. “Sometimes companies plan for a mid size disaster and they get an extra large size disaster – risk can only be mitigated not eliminated,” he said.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete (http://accelus.thomsonreuters.com/solutions/regulatory-intelligence/compliance-complete/) provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.) ᠀