The Florida State Board of Administration (SBA) looks set to reject substantial governance reforms recommended by its consultant, Crowe Horwath.
Crowe Horwath has recommended that risk management could be compromised if the roles of executive director and chief investment officer are not separated. It has raised concerns of a “conflict of independence” caused by the chief risk and compliance officer (CRCO) reporting to Ashbel “Ash” Williams.
As both executive director and CIO of SBA, Williams oversees five funds with combined assets of more than $146.1 billion.
“Best practice would suggest that the CRCO report to the board of trustees or the executive director,” Crowe Horwath says, in recommendations to SBA trustees contained in a report into the funds’ policies and procedures completed in October.
“Independence of the CRCO may be impaired in reporting to the CIO.”
Any governance changes must be included in an investment policy statement that under Florida law has to be reviewed by the SBA’s investment advisory council (IAC), before being approved by trustees.
The policy statement was last reviewed in June this year. At the IAC’s quarterly meeting this week it decided to maintain the current structure of the fund, continuing Williams’ dual role as executive director and CIO.
The council’s recommendation will go to the board of trustees for a final decision this week as part of its approval of the investment policy statement.
Crowe Horwath in its “top” recommendations to trustees advises to “consider establishing a direct reporting relationship between the CRCO and the board of trustees/designees, or separating the roles of the executive director and the CIO”.
In the revised investment policy statement, investment risk management remains the domain of the executive director/CIO.
The policy gives Williams primary responsibility for both administrative and investment sides of SBA’s operations.
“The executive director is responsible for managing and directing administrative, personnel, budgeting and investment related functions, including the hiring and termination of investment managers, bundled providers and products,” the policy states.
When it comes to risk management, Williams also has overall responsibility, with no indication of operational checks or balances on this process.
The executive director’s role in risk management is to:
- Identify, monitor and control/mitigate key investment and operational risks.
- Maintain an appropriate and effective risk management and compliance program that identifies, evaluates and manages risks within business units and at the enterprise level.
- Maintain an appropriate and effective control environment for SBA investment and operational responsibilities.
- Approve risk allocations and limits.
Crowe Horwath looked at the governance structures of a number of US public pension funds, noting that most schemes split these two roles and/or had senior risk and compliance staff reporting to the board.
In examining the reporting structure of 15 US public pension funds it also found most funds had the CIO report to either or both the executive director and the board.
Two funds, the North Dakota Retirement and Investment Board and the South Carolina Retirement System Investment Commission, had one person fill both the most senior administrative role and the CIO position.
Crowe Horwath handed down 63 recommendations as part of its report, with 49 accepted by management.
Nine recommendations were partially accepted and five recommendations require action by either the audit committee, IAC or the board of trustees.
Crowe Horwath found SBA had not yet fully developed an annual assessment program to assess the performance of its compliance policies and procedures.
“The CRCO has developed a framework to assess risk across the organisation, both by risk category and assessment area; however, the current program does not appear to identify those aspects of the program that have become deficient or include mechanisms for remedying the deficiencies,” the report notes.
It also found that SBA’s risk and compliance unit had completed formally documenting 70 per cent of its oversight functions and processes.
The report recommends completing this formulisation of oversight functions and linking it to an overall enterprise risk assessment that engages the entire organisation.
Crowe Horwath also notes that SBA’s oversight of external managers is better developed in the public asset classes than in private asset classes.
As part of its analysis, Crowe Horwath looked at the action SBA had taken to comply with the recommendations of a 2009 Deloitte compliance program assessment and statutory changes.
The report found that SBA had met 65 per cent of the 17 recommendations handed down by Deloitte, as well as meeting 83 per cent of 59 additional considerations of the wide-ranging review.
Crowe Horwath’s analysis did not extend to testing the operational effectiveness of these changes.
The report notes that SBA was progressing from a situation where management “manages risk and compliance” to where management designs and monitors a “risk and compliance management system”.
Crowe Horwath judged the maturity of this process, saying that SBA had reached a midway “developed” stage where “formal processes have been defined and documented; processes are consistently executed; [and] processes may be consistently executed based on a timetable or in response to a request (ie exception reporting)”.
Management disagreed with this assessment, saying equal weighting was given to 12 key non-investment risks and investment risks.
“Given SBA’s mission as an investment management organisation we believe the investment risks are the highest priority and should have a significantly greater weight than operational risk,” an internal memo outlining management’s response to the Crowe Horwath report states.