Incentive compensation programs
Enhancing performance and avoiding problems
The 1992 movie “Glengarry Glen Ross” described an incentive compensation program (ICP) in the starkest possible terms. A real estate sales team is told, “We're adding a little something to this month's sales contest. As you all know, first prize is a Cadillac Eldorado. Would anyone like to know about second prize? Second prize is a set of steak knives. Third prize is you're fired. Get the picture?”
Salesmen heard a loud and clear message about the incentives and consequences of the program. While fictional, the scene depicted how companies can use ICPs to encourage certain behaviors to reach desired outcomes. Financial and nonfinancial incentives can be used to effectively link strategic behavior with performance. While most organizations have either formal or informal performance motivators in place, ICPs can also create unintended consequences if potential risks are not fully understood, controlled and monitored. In contrast, a well-designed ICP prevents undue risk-taking or other behaviors that can harm an institution’s stakeholders, reputation and operations. Management needs to use governance, compensating controls and ongoing monitoring to validate that the program is well-designed and is working as intended without creating unfavorable unintended consequences for key stakeholders.
Audit committees, boards of directors, chief financial officers, chief risk officers, chief auditors and compliance professionals are beginning to focus more attention on ICP governance in the wake of public regulatory actions associated with Wells Fargo. As a result of alleged improper sales practices, the bank was fined $185 million; however, added costs related to research, investigation, monitoring, compliance costs and potential litigation will likely produce a much larger organizational impact. Negative public perceptions also must be factored in. According to regulatory documents, the bank used an ICP to motivate and reward employees if they met sales goals for products and services―all valid aspects of an ICP. However, alleged weaknesses in controls and monitoring allowed problems to arise, including claims of opening new deposit accounts without customer authorization, transfers of funds to meet the qualified time period requirements and establishment of fake email accounts that were used to activate the accounts without customer knowledge.
In discussions with executives of middle market financial institutions, we are receiving more requests to perform ICP governance evaluations as part of a traditional internal audit program. They want to analyze the governance surrounding ICPs and test the adequacy of controls and monitoring programs. This is a prudent management oversight technique, since we expect banking regulators and consumer protection groups will be devoting more attention to ICPs, given the recent negative publicity regarding them.
Our discussions with financial institution clients have found that most have some form of ICP to drive and reward behavior; however, many of these ICP programs are decentralized throughout the organization, creating a challenge in performing an inventory of ICPs. Without a solid grasp on the nature, type and extent of ICP programs, the challenge of evaluating ICP governance and controls becomes increasingly difficult.
As a framework for the evaluation ICP governance, we suggest a two-phased approach to evaluating ICP risk and controls:
Phase 1: ICP program inventory and control environment risk assessment
During the first phase of a project, a complete inventory of ICPs must be documented prior to any assessment of governance programs. A good starting point is to make contact with human resources, payroll, internal audit and key department heads to obtain a baseline for both financial and non-financial award and compensation programs that may apply to employees, affiliates, third-party vendors and contractors.
Once the ICP inventory is complete, you can begin to evaluate program risk that is related to ICP structure, policies, procedures, administration, monitoring, testing, training, payout/holdback provisions, customer complaint resolution and employee whistleblower programs.
The objective of this first phase of the testing is to develop an inventory of ICP risk and governance attributes. An additional goal is to identify conditions that could create undue risk to the organization and potential gaps in ICP governance processes. After the inventory of ICP and risk attributes has been defined, you can move to a second phase to perform testing of potential high-risk ICP attributes.
Phase 2: ICP focal point testing
Once management better understands ICPs and the design of the control environment, the project team can perform focal point testing to verify the operational effectiveness of governance controls. This stage analyzes the benefits, definitions of potential risks and mitigating controls, the adequacy and effectiveness of internal controls, and the relationship between performance management systems and ICP awards. Internal control adequacy and effectiveness could examine:
- Independent testing/validation of results―e.g., new accounts, loan production (focal points)
- Quality control and oversight
- ICP approvals, payouts, holdbacks and claw-back provisions
- Independent internal audit coverage and testing
- Training and communication standards
- Consumer complaint trend analysis and investigation program
- Employee terminations tied to ICP program implementation
- Whistleblower or ethics complaint trends
Based on the two phases, bank executives can identify potential ICP control gaps and verify that the control environment is well-designed and working as intended. If weaknesses are identified, management can then take action to strengthen the control environment prior to your next regulatory examination.