Jamal Mecklai: Let's hear it for clause 49!

MARKET MANIAC

Since compliance with Clause 49 of Sebi's listing agreement became mandatory on April 1, 2005, all listed companies have, in their March 2006 accounts, certified that the CEO and CFO "have evaluated the effectiveness of the internal control systems of the company and they have disclosed to the auditors and the Audit Committee deficiencies in the design or operation of internal controls, if any, of which they are aware and the steps they have taken or propose to take to rectify these deficiencies." However, the veracity of this certification will start coming out in the wash only from this year onwards, since there is often a huge gap between regulatory compliance and actual effectiveness of controls.

To give just one instance, a large manufacturing company I know had mandated one of the Remaining Four global audit/consulting firms to create an effective set of processes and controls to ensure that the CEO/CFO certifications could be made. This company has pretty high corporate governance standards and""unlike most other companies""it began this process as far back as April 2005, even though the certification would have to be made after March 2006. I understand it was a comprehensive project and, for market risk management, the company adopted the recommended policy and had a treasury software solution integrated with its ERP.

We advise the company on risk management and, to our surprise, found some glaring and potentially hugely costly lacunae. For instance, the company's policy on derivatives use had a dollar-denominated limit on the maximum permitted size of the company's outstanding derivative portfolio. This is standard boilerplate in so-called "global best practices" risk management policies, and companies need to watch out for such standardised practices which may come with a board-accepted brand name but which do not provide any real value. This approach""of seeing a dollar-denominated limit on, say, derivatives""is totally inadequate since it does not give the company any idea whatsoever of its risk, of how much money it could lose. In actual fact, the risk, in rupee cash flow terms on a derivative portfolio of, say, $20 million would depend on a large number of factors, such as the type of transaction (in general, the more complex, the riskier), the other currencies involved (the more volatile the currencies, the greater the risk), and, of course, the actual volatility in the market. Simply having an exposure limit of $20 million does not measure risk at all. For this reason, it is critical that a company set its risk limit in rupees (assuming its balance sheet is in rupees) rather than set exposure limits in dollars. Of course, this requires strong internal (or outsourced) analytic capabilities, particularly when, as in the present and many other cases, the kinds of transactions companies are undertaking are increasingly complex.

Again, companies need to have a clear articulation of the kinds of derivatives transactions they undertake, with a loudly defined negative list. In the example I mentioned, I was again surprised that the policy did not have any such constraints.

In the event, we found that the company had entered into several complex derivative transactions (where it would make money if yen LIBOR did not rise beyond a certain level), which, within two months, were seriously out-of-the money on a mark-to-market basis. Now, the company hadn't lost any money (in terms of cash flow) yet, but with markets suddenly getting volatile, the treasury was getting jittery and wanted to exit from the transaction. In one such case, the bank was willing to reverse the transaction at a loss to the company of Rs 1.5 crore, which was more than 1 per cent of the company's bottom line. The treasury did not want to accept the loss (if it did reverse the transaction), but it was concerned that the market could move further against it. And""surprise, surprise""it was contemplating another derivative transaction that would give it a front-end cash flow (sufficient to cover the loss on the earlier transaction) but which would create a fresh risk, this time on USD/JPY.

Now, this is just one example. But, from my experience, I know that it is not a one-off. Several companies tempted into the front-end savings offered by some exotic derivative transactions over the past two years have actually jumped deeper into the water by hiding losses by rolling over the risk. However, this is the first time I have seen it happening within the bounds of a CEO/CFO Clause 49 certification of risk management policy.

The point of this story is not to whip the company, who, of course, shall remain nameless, but rather to highlight the need for managements to recognise that mere regulatory compliance is seldom sufficient to provide a company with truly effective controls. This is because (a) regulators are generally not exposed to the market from a user perspective, and (b) more importantly, regulations are necessarily framed in general terms, whereas companies have to operate in specific micro-environments. And, finally, while certification from outside consultants is all very well, there is ultimately no substitute for doing it yourself.

And if you can't""if, say, the structure is too complex to value daily""don't.

The author is CEO of Mecklai Financial