Monday, December 29, 2008

Top Risks on the Horizon in 2009

In this final post of 2008, we look forward to a new year filled with uncertainty and risk.  Events of this past year will reverberate not only for the next few weeks or months, but throughout the coming year and potentially many years to come.  A year-end study completed by Ernst & Young highlights the top risks that companies across the globe will face in 2009.  Below are the rankings with results from the 2008 study in parentheses.  

The 2009 top 10 risk rankings

1. The credit crunch (2)
2. Regulation and compliance (1) 
3. Deepening recession (New) 
4. Radical greening (9) 
5. Non-traditional entrants (16) 
6. Cost cutting (7) 
7. Managing talent (11) 
8. Executing alliances and transactions (7) 
9. Business model redundancy (New) 
10. Reputation risks (22) 


Not surprisingly, credit-related issues are the number one item on the list, followed closely by regulation & compliance.  Companies of all sizes need to be prepared to address the rapid changes that may occur over the next year.  Having a solid framework to quickly understand changes in these risks and make quick adjustments will provide a significant competitive advantage.  Visit www.WheelhouseAdvisors.com to learn more.

Sunday, December 28, 2008

Distorting Risks to Bolster Pay

As more and more begins to emerge from the collapse of our financial markets, it is becoming clear that effective risk management was severely handicapped by those looking to increase their personal compensation.   The New York Times reported this past weekend some of the egregious mortgage lending practices at Washington Mutual ("WaMu") that led to the largest bank failure in American history.   
WaMu gave mortgage brokers handsome commissions for selling the riskiest loans, which carried higher fees, bolstering profits and ultimately the compensation of the bank’s executives. WaMu pressured appraisers to provide inflated property values that made loans appear less risky, enabling Wall Street to bundle them more easily for sale to investors.  “I never had a clue about the amount of off-the-cliff activity that was going on at Washington Mutual, and I was in constant contact with the company,” said Vincent Au, president of Avalon Partners, an investment firm. “There were people at WaMu that orchestrated nothing more than a sham or charade. These people broke every fundamental rule of running a company.”

The major problem here is not that WaMu was poorly managed, but that the practices at WaMu became accepted by the mortgage industry as a whole.  Major reform is desperately needed to ensure that practices such as these are prevented from "becoming the norm" again.

Wednesday, December 24, 2008

Worldcom's Bernie Ebbers - Naughty or Nice?

Well, it is Christmas Eve and children across the globe are wondering if good old St. Nick will bring them toys for being nice this year or a lump of coal for being naughty.  Add to the list former CEO of Worldcom, Bernie Ebbers, who is requesting a Presidential pardon of his 25-year prison sentence for his role in one of the largest accounting frauds in history.  His request has attracted worldwide attention.  Here's what The Telegraph in London reported:
Mr Ebbers, 67, who was sentenced to 25 years in jail in 2005 for his part in WorldCom's spectacular collapse, has applied to have that sentence commuted by President George W Bush.  He continues to serve his sentence at Oakdale prison in Louisiana, a low-security facility, from which he is due for release on July 4, 2028, when he will be aged 86.  The fraud at WorldCom led to the country's biggest bankruptcy filing in July 2002, with almost 17,000 employees losing their jobs as a result of the scheme to bury expenses and inflate revenue.

In this season of giving, Bernie should be thinking about how he can give back to the 17,000 people who were impacted by his wrongdoing rather than asking for a gift.  Let's all hope he gets what he deserves for his request - the world's largest lump of coal.

Tuesday, December 23, 2008

Walking the Walk in 2009

Heading into 2009, many firms are beginning to realize the need to bolster their risk management practices and approaches.  The main challenge centers around the need for a solid risk management framework that can be employed throughout an organization.  In turn, the framework should shape the risk management culture with strong support from the CEO and Board of Directors.  In a recent article in Wall Street & Technology magazine, risk management is identified as the number one priority for financial firms in 2009.   Here is an excerpt:
Analysts agree that the biggest challenge firms face in managing risk is at the operating level. Risk managers will be given much more importance by a firm's top managers than in the past, when the pursuit of alpha typically came at the expense of risk mitigation. 

This certainly comes as no surprise given the severity of the current crisis driven largely by the neglect of risk management.  Everyone is talking the talk.  2009 is the year to walk the risk management walk.

Sunday, December 21, 2008

SEC "Office of One" Ignores Massive Fraud

Some of you may recall previous posts regarding the SEC's office of risk management that contained only one staffer for many years.  Well, according to the Wall Street Journal, the one-person office was notified earlier this year about Bernard Madoff's massive Ponzi scheme and did nothing to investigate.  The article details the many attempts of Harry Markopolos to alert the SEC to the fraud.  Mr. Markopolos's final attempt was made to the head of risk management at the SEC, Jonathan Sokobin.  Here is the account of that attempt:
Early this year, Mr. Markopolos made one last major effort after receiving an email from Jonathan Sokobin, an official in the SEC's Washington, D.C., office whose job was to search for big market risks. Mr. Sokobin had heard about Mr. Markopolos and asked him to give him a call, according to an email exchange between them.  

Mr. Markopolos also sent Mr. Sokobin an email -- with the stark subject line "$30 billion Equity Derivative Hedge Fund Fraud in New York" -- saying an unnamed Wall Street pro recently pulled money from Mr. Madoff's firm after trying to confirm trades supposedly done in his account, but discovering that no such trades had been made.  It was his last try.  He never heard back about his allegations regarding Mr. Madoff.  "I felt pretty low," Mr. Markopolos recalls.  Mr. Sokobin, through an SEC spokesman, declined to comment.

To Mr. Sokobin's credit, he did reach out to Mr. Markopolos to investigate.  However, given the size of his office, it is not surprising he could not act more quickly to bring the fraud to an end.  Greater evidence is not needed to justify more investment in risk management.

Thursday, December 18, 2008

Turning a Blind-eye Toward Risks

For those of you who have been following The ERM Current,  you may recall the post "Show Me the Money and I'll Show You the Risks".  In that post, the main advice centered on the need to examine incentive structures to determine where excessive risk-taking may be occurring.  As the current financial crisis continues to unfold, the excessive risk-taking driven by grandiose incentives is becoming more and more evident.  Yesterday, the New York Times featured an article on this very topic.   Below is an excerpt from the article,
“Compensation was flawed top to bottom,” said Lucian A. Bebchuk, a professor at Harvard Law School and an expert on compensation. “The whole organization was responding to distorted incentives.” Even Wall Streeters concede they were dazzled by the money. To earn bigger bonuses, many traders ignored or played down the risks they took until their bonuses were paid. Their bosses often turned a blind eye because it was in their interest as well.  “That’s a call that senior management or risk management should question, but of course their pay was tied to it too,” said Brian Lin, a former mortgage trader at Merrill Lynch.

To be effective, risk management must have the authority and the independence to adjust incentive programs based on the risk appetite of the organization.  If risk managers are participating in the very incentive programs that they are charged with overseeing, then a blind eye will always be turned toward excessive risk-taking.

Wednesday, December 17, 2008

Most Banks Lack Enterprise-wide View of Risks

According to a recent survey commissioned by Ernst & Young,  the vast majority of major financial institutions lack a consolidated view of risk across their organizations.  Only 14% of the 40 global banks surveyed indicated that they have a solid enterprise risk management program.  Given the current crisis and admission that risk controls are lacking, the majority of the respondents also indicated a need for increased investment in this area (see graphic below).  Some of the other findings of the study included the following.
Organizational silos, decentralization of resources and decision-making, inadequate forecasting, and lack of transparent reporting were cited as major barriers to effective enterprise-wide risk management. The need to create a risk-aware culture throughout the institution emerged as a top priority in the study -- three-quarters of all respondents cited its vital importance -- as banks struggle to develop a consolidated view of risk across business units and various risk dimensions.

The need for effective enterprise risk management programs is certainly clear not only for financial services companies, but also for non-financial services companies.  How effective is your company's risk management program?  For a no-cost, diagnostic review of your program, contact Wheelhouse Advisors today.

Gravely Concerned

In yet another example of the ineffectiveness of regulatory oversight, SEC Chairman Christopher Cox admitted today that the SEC failed to act on numerous red flags regarding Bernard Madoff's hedge fund turned Ponzi scheme.  With an estimate of $50 billion in losses, the fraud dwarfs those uncovered at Enron and Worldcom that ultimately led to the creation of the Sarbanes-Oxley Act.  Mr. Cox stated the following in today's Wall Street Journal.
"I am gravely concerned" by the agency's regulation of the firm, Mr. Cox said.  According to Mr. Cox, Mr. Madoff "kept several sets of books and false documents, and provided false information involving his advisory activities to investors and to regulators."

To be effective, regulatory oversight must be re-examined and restructured to provide consistent and comprehensive control.  Without it, trust and confidence will not return to our financial markets.

Tuesday, December 16, 2008

Beyond the Models

A great deal of the blame relating to the current financial crisis has been focused on the improper use of computer models in determining the amount of risk within a company's portfolio.  A recent article in Bank Systems & Technology Magazine discusses key considerations for employing models to determine accurate risk levels.   The article also notes that proper model usage alone is not the answer.  The author rightly states, 
"Although selecting the right modeling tools for risk management is essential, one further mistake companies commonly make doesn’t have anything to do with tools. It is essential to ensure that corporate culture avoids the typical silo approach to running a business. As we continue to follow news on the economy, it becomes clear that companies that conduct risk management in business silos expose their firms to unnecessary and avoidable risks. Tying true enterprise-wide risk management to business performance management, along with implementation of the right tools, is the only way for companies to ensure long-term success."

Having an appropriate risk framework and governance structure is critical to creating a strong culture focused on effectively managing risks.  Wheelhouse Advisors can provide cost-effective solutions to help companies break down the silos and implement successful enterprise risk management programs.  Visit www.WheelhouseAdvisors.com to learn more.

Monday, December 15, 2008

Keys to Success

A recent article at eWeek.com highlights the keys to a successful implementation of technology in support of an Enterprise Risk Management or Governance, Risk & Compliance ("GRC") program.  While the keys to success are fairly straightforward, it is surprising how many companies fail to address them prior to selecting a technology solution.   The keys to success are:

  1. Define what ERM or GRC means to your organization.

  2. Survey your organization's regulatory and compliance landscape.

  3. Determine the most logical entry point and develop a phased approach.

  4. Establish a clear business case, considering both short-term and long-term value.

  5. Determine how success will be measured. 


Interestingly, the author of the article is a representative of one of the major GRC technology vendors.  While some vendors may want companies to rush to a purchase decision, this author agrees it is critical for companies to gain this perspective prior to evaluating solutions.  He states,
"With these steps complete, you will be in a much stronger position to qualify vendors and solutions and to determine the best fit for your organization, based on a well-defined project scope and equally well-defined business requirements and associated benefits."

Wheelhouse Advisors can provide an independent viewpoint and work with your company to achieve the keys to success.  Visit www.WheelhouseAdvisors.com to learn more.

Friday, December 12, 2008

Room for Improvement

A recent study by the Financial Executives Research Foundation highlights the opportunities for many companies to improve the effectiveness and efficiency of their Sarbanes-Oxley ("SOX") Compliance programs. In this week's edition of Compliance Week, the study was examined and those interviewed in the article all agreed that room for improvement still exists.  The four main areas of improvement for most programs are:


  • Transforming controls to focus less on manual controls and more on automated and entity-level controls;

  • Consolidating processes into a reduced number of systems or a reduced number of locations, through a shared-services or business process outsourcing approach;

  • Adopting more sophisticated testing strategies, including remote testing; and

  • Conducting SOX testing work more deliberately and selectively.



Wheelhouse Advisors is uniquely qualified to provide cost-effective solutions in each of these areas.  Visit our website at www.WheelhouseAdvisors.com to learn more.

Wednesday, December 10, 2008

Failure to Take Action

The U.S. House Committee on Oversight and Government Reform conducted a hearing on Tuesday into the circumstances leading to the recent collapse of Fannie Mae and Freddie Mac.  Chairman Henry Waxman provided the committee with several documents detailing numerous warnings by internal risk managers that were purposefully ignored by executive management.  Below is an example provided by Chairman Waxman.
On October 28, 2006, Fannie’s chief risk officer sent an e-mail to company CEO Daniel Mudd warning about a “serious problem” at the company. He wrote: “There is a pattern emerging of inadequate regard for the control process.”  In another e-mail on July 16, 2007, the same risk officer wrote to Mr. Mudd again, this time complaining that the board of directors had been told falsely that “we have the will and the money to change our culture and support taking more credit risk.” The risk officer wrote: "I have been saying that we are not even close to having proper control processes for credit, market, and operational risk. I get a 16 percent budget cut. Do I look so stupid?"  But these warnings were routinely disregarded.

Much has been said about the failures of risk management leading to the current crisis.  However, it is becoming increasingly clear, through examples such as these, that the failure to take action on warnings provided by risk management led to the current crisis.

Tuesday, December 9, 2008

Simple is Better

In this month's edition of Internal Auditor Magazine, Neil Baker highlights real-world approaches to implementing a successful enterprise risk management program.  Leading experts from major corporations and professional services firms were interviewed about their ERM insights.  Wheelhouse Advisors participated in the development of the article and provided the following advice.
"A simple, consistent, and well-understood risk framework is vital," says John Wheeler, founder and principal at ERM consultancy Wheelhouse Advisors in Atlanta. That's especially true where people are burned out by U.S. Sarbanes-Oxley Act of 2002 compliance or are overloaded by corporate initiatives that get in the way of their "real jobs." 

Simple is always a better approach, especially during times of crisis or when competing priorities are serving as a distraction from the ultimate goal.  The best way to achieve this simplicity is to have a strong framework in place before spending effort and money on extra resources or technology.

Monday, December 8, 2008

ERM Skills in Short Supply

A recent survey of internal audit executives by Ernst & Young indicates that companies may need more help with monitoring enterprise risks.  As noted in a recent CFO.com article, the survey results are attributed to the excessive focus on internal controls over financial reporting by internal audit organizations.  Here is an excerpt from the article regarding the survey results.
Only 17 percent of respondents to the recent survey rated their current team's skill at enterprise risk assessment as "very competent." Just 19 percent said the same for fraud detection, 22 percent for use of technology and analytics, and 39 percent for business process improvement.  More than a third of respondents said it was "very difficult" to recruit people skilled at enterprise risk assessment. 

While some may view the survey results skeptically due to the fact that Ernst & Young is a provider of services related to the weaknesses, the Institute of Internal Auditors ("IIA") concurs with the findings.  
enterprise risk assessment, fraud detection, use of technology and analytics, and business process improvement — "should be absolutely fundamental and core to any internal auditor who is trying to take his job seriously," Dominique Vincenti, chief advocacy officer for the IIA, said.  "But we did not have a focus on those competencies over the past few years. We're suffering from a lack of supply."

Wheelhouse Advisors offers cost-effective enterprise risk management solutions and can help your internal audit organization climb the learning curve quickly.  Visit www.WheelhouseAdvisors.com to learn more.

Sunday, December 7, 2008

ERM for Dummies



For those who are looking for a quick reference guide on Enterprise Risk Management, the Risk and Insurance Management Society has sponsored the publication of Enterprise Risk Management for Dummies. Similar to other "For Dummies" publications, this book presents the essentials of ERM in a humorous way. Here's how the authors describe the value of the publication, 
Enterprise Risk Management for Dummies offers a valuable start up guide for ERM first timers. You get easy-to-understand ERM terms and helpful instruction along with tools on how to get started developing your ERM program today. With this book, you’ll better understand what “risk” is – and why everyone needs to have it, how to identify risks in a variety of ways, and most importantly, how to effectively manage risk.

If you are looking for a quick and enjoyable primer on ERM, then this book is well worth the investment.  


Thursday, December 4, 2008

Enterprise Risk Management is a Critical Need

In a recent speech to the International Conference of Banking Supervisors, Eugene Ludwig presented a compelling account of the lessons we should take away from the financial crisis.  Mr. Ludwig formerly served as U.S. Comptroller of the Currency and in his speech, he provides a clear perspective of the events that contributed to the crisis we now face.  In particular, he promotes the need for stronger risk management across markets and across corporate enterprises.  Here is an excerpt from his remarks.
"As the recent environment has shown, significant risks can be embedded in complex instruments and spread across a variety of regulated and unregulated institutions. And the same risks can be spread across one institution in toxic quantity because the risk is parceled out into different corporate pockets without the regulator or company being able to aggregate the risks appropriately. Therefore, regulators globally must work collaboratively to collect, share, and assess risks, to identify concentrations and to take action, and regulators and managements need be able to assess risks across the entire enterprise."

As Mr. Ludwig states, the ability to assess risks across the entire enterprise is critical to preventing unknown excessive risk-taking.  Wheelhouse Advisors is equipped to help companies build and strengthen their enterprise risk management programs.  Visit our website at www.WheelhouseAdvisors.com to learn more.

Wednesday, December 3, 2008

ERM Software Now a Priority for Many Companies

A recent article in Treasury & Risk Magazine highlights the fact that technology spending will certainly be impacted by the current financial crisis.  The article suggests that large-scale enterprise resource planning ("ERP") software implementations will most likely take a back seat to implementations of risk management related software products.  Here is an excerpt from the article.
Likely to fare better in the financial services meltdown is enterprise risk management (ERM) software, the tools many say could have mitigated the global credit collapse. “Never before has there been such a need for prudent financial risk management,” said Carol Beaumier, executive vice president with software provider Protiviti Inc. “Even the strongest of companies will find themselves subject to increased market pressures and regulatory scrutiny."

With investment dollars limited due to the tightening of corporate budgets, strong business cases must be made to reap the maximum benefits of any ERM related software implementation.   Wheelhouse Advisors provides cost-effective services to build a solid business case as well as evaluate, select and implement the appropriate ERM software solutions to achieve optimal results for your organization.  Visit www.WheelhouseAdvisors.com to learn more.

Tuesday, December 2, 2008

Penny Wise and Pound Foolish

Michael Chertoff, US Secretary of Homeland Security, recently shared his thoughts on the current financial crisis and how our nation has addressed it from a risk management perspective.  In his remarks to the Wharton Business School, Mr. Chertoff was quite candid about the United States' lack of preparation to manage risks before they manifested into a full-blown crisis.  He stated,
"The nation now faces financial woes that were to some degree or another predicted over a period of years, going back into the 1990s.... We have not managed to address the risk in a way that prevented what was ... a [financial] disaster of the magnitude of a natural disaster and a terrorism disaster."

He also warned that for both the US Government and corporations, risk management often becomes less of a concern once the crisis has subsided.  
"We begin to decide that we are spending too much money trying to avert the risk, and we begin to degrade our preparation once again." 

As we have seen with the escalating costs of the current financial crisis, risk management is certainly not an area to be penny wise and pound foolish.

Monday, December 1, 2008

State of ERM

The Risk and Insurance Management Society ("RIMS") just released its 2008 State of ERM Report and it provides some interesting perspective on the evolution of ERM programs across the globe.  A summary of the key findings is provided below.


  • Organizations that have embraced ERM have realized a concrete advantage in their risk management competency. The study found that 93% of organizations with formalized ERM programs in place make better risk-informed decisions—a recognized competitive advantage over those that do not have an ERM program.

  • Organizations that report they have an ERM program in place still fall significantly short of achieving managed or better risk maturity. The study demonstrates that, based on the ERM guidelines presented in RIMS Risk Maturity Model for ERM, only 4% of these companies have achieved a managed or better level of risk management competency in all risk competencies. This suggests that organizations may have a false sense about all that is required for an effective risk management program.

  • Data from the study verifies that formalized infrastructures in well-managed ERM programs embody the 68 best practice guidelines for efficient and effective risk management programs as presented in RIMS Risk Maturity Model for ERM.

  • The study links ERM to better business performance. There is a distinct correlation between companies that score higher on RIMS Risk Maturity Assessment and companies that possess higher credit ratings. The same is true of low scoring companies that, typically, possess lower credit ratings. Hence, better managed companies in terms of ERM practices benefit from better business performance.



So, the report certainly shows the ever increasing value of ERM programs.  However, progress remains to be made in many areas of ERM to extract its full value and help companies maximize their business performance.

Sunday, November 30, 2008

Barking Up the Wrong Tree

A few weeks ago, The ERM Current™ included a blog entry about former US House Speaker Newt Gingrich's call for the repeal of the Sarbanes-Oxley Act.  Many of Mr. Gingrich's claims supporting his rationale that Sarbanes-Oxley is responsible for our current economic downturn were simply wrong.  Well, someone else also noted his poorly constructed argument and provided an alternative view last week in an op-ed article for the San Diego Business Journal.  Wade Lindenberger provided a compelling counter-point argument in his column as well as a practical view of the evolving nature of Sarbanes-Oxley Act compliance efforts.  He noted,
"In a time like this, people are always looking to blame something for the financial meltdown and turmoil. Sure, we are in a serious financial situation right now, but Sarbanes-Oxley is not to blame. In the six years since Sarbanes-Oxley was enacted, failures like Enron and WorldCom, which resulted mainly from finance and accounting shenanigans, have been nonexistent. The most recent failures of companies like Bear Stearns and Lehman Bros. resulted from poor business decisions and absentee risk management, all driven by good old-fashioned greed."

Those who continue to seek to repeal Sarbanes-Oxley are simply attempting to skirt the real issues at hand and also avoid future accountability for business-related fraud.  Mr. Lindenberger sums up the situation nicely by stating the following,
"When it comes down to it, the steps legislated by Sarbanes-Oxley are really nothing more than what we would expect from any thorough, well-run company."

Tuesday, November 25, 2008

ERM Case in Point

This week's rescue of Citigroup serves as a prime example of how fragmented approaches to risk management can have disastrous consequences.  The New York Times presented a thorough review of the actions and inactions occurring within the ranks at Citigroup that ultimately led to excessive risk-taking.  In short, the risk oversight was relegated to those in the business units who had the most to gain by taking excessive risks.  This, in turn, led to the creation of a culture that considered risk management as an afterthought and did not promote a full understanding of risks across the enterprise.  Lynn Turner, formerly the chief accountant at the Securities & Exchange Commission, offered his view of Citigroup in the article.
“If you’re an entity of this size,” he said, “if you don’t have controls, if you don’t have the right culture and you don’t have people accountable for the risks that they are taking, you’re Citigroup.”

Financial and non-financial corporations alike should use the case of Citigroup as an example of how not to structure their risk management programs.  To be truly effective, enterprise risk management programs should be supported by a strong culture, strong controls and strong competencies in risk management disciplines. Visit www.WheelhouseAdvisors.com to learn more about building an effective enterprise risk management program.

Monday, November 24, 2008

Restoring Trust

Former SEC Commissioner Arthur Levitt recently testified before the Senate Banking Committee and offered his perspective on how to strengthen the regulatory oversight system in dire need of repair.  
"As we move forward in the process, we must make sure that there is an agency that is independent of the White House, dedicated to mandating transparency with robust law enforcement powers, with the wherewithal and knowledge to oversee and if necessary guide risk management, and built around one mission: protecting the interests of investors.  If we do, investors will know that they have someone in their corner, that the markets will be free and fair, and that they will invest with confidence."

As Mr. Levitt suggests, the key to stabilizing the financial markets is restoring trust, and one of the critical elements of restoring trust is effective regulatory oversight and risk management.

Sunday, November 23, 2008

Falling on Deaf Ears

An article in yesterday's Washington Post provided some interesting details behind the collapse of Washington Mutual.  It appears that the Office of Thrift Supervision ("OTS") failed in its job to provide effective oversight by allowing executives at the nation's largest savings and loan institution to ignore the advice of its own risk managers.  Here is an excerpt from the article.
In 2005, a small group of senior risk managers drew up a plan that would have required loan officers to document that borrowers could afford the full monthly payment on option ARM loans. The plan was shared with OTS examiners, according to a former bank official who spoke on condition of anonymity because the bank's practices are the focus of a federal investigation as well as several lawsuits. "We laid it out to the regulators. They bought into it. They supported it," the former official said.  But when a new executive team at the bank nixed the plan, the former official said, "the OTS never said anything."

This is another example of the breakdown in regulatory oversight and management that fueled the current financial crisis.  It also shows that what is needed most is not necessarily more regulation, but more effective regulation.

Thursday, November 20, 2008

Risk Management Now a Top Concern

Corporate executives are beginning to shift their priorities in response to the financial crisis and deteriorating economic conditions according to a recent survey by The Conference Board as reported in yesterday's Wall Street Journal.  It is no surprise that risk management is now a top concern.  What is somewhat perplexing is that risk management was not a top concern when the same survey was conducted in July (see survey results below).  

Risk management should always be a top concern, but many do not consider it as a primary focus area until times of crisis.  While it is human nature to react in this manner, the full benefit of strong enterprise risk management programs is gained by averting such periods of crisis.  Risk management attention and investment at this time is certainly warranted.  However, let's hope the investment and discipline is maintained so another crisis of this magnitude never comes to pass.

[Figure: The Conference Board Survey of Executives' Top Concerns]

Wednesday, November 19, 2008

Which Way Is Up?

It appears that the US Congress is beginning to ask itself once again why it voted for a hastily arranged piece of legislation.  In testimony yesterday to the US House Financial Services Committee, Treasury Secretary Paulson had a rough time explaining why he used his $350 billion "allowance" in a way that differed from the original expectations.  Here is what Rep. Spencer Bachus of Alabama, the panel's top Republican, had to say:
"Changing too quickly, without adequately explaining why you've changed or what you're going to do next, risks sending mixed signals to a marketplace that is in dire need of certainty and a sense of direction."

In addition, American Bankers Association Chairman and CEO Edward Yingling said during the hearing,
"...it (TARP) is also a source of great frustration and uncertainty to banks. Much of the frustration and uncertainty is because of the significant and numerous changes to the program and misperceptions that have resulted on the part of the press and the public."

The continued changes to the application of the rescue packages are leaving both Congress and our financial markets asking themselves the same question - "Which way is up?"  It seems no one knows the answer.

Tuesday, November 18, 2008

Silence in the Boardroom

Yesterday, Rick Steinberg wrote a great article in Compliance Week detailing the many failures of risk management leading to the recent financial market crisis.  For those of you who may not know, Mr. Steinberg is a leading authority on the topic of risk management and a principal author of the COSO Internal Control Framework that has become the de facto standard for public corporations and their boards of directors.  As such, Mr. Steinberg has a unique perspective on the unfolding events in each of the firms that have contributed to the market collapse.  In particular, Mr. Steinberg points to boards and their responsibility for holding senior management accountable.  He states,
"....the board must understand what management is doing to identify, assess, and manage significant risks facing the company. It must be comfortable that management has a process in place, and that the process is working effectively. The board must be comfortable with management’s appetite for taking on risk, and that senior management is positioned to obtain accurate information about key risks and relays that information to the boardroom."

While he also notes areas of weakness with other players such as the regulators and credit rating agencies, it is this critical component of risk management and corporate governance that cannot be ignored.  Without a strong enterprise risk management process and frequent communication between board members and management, companies will not be able to navigate the critical risks and new regulatory environment that are now on the horizon.

Monday, November 17, 2008

No Time for Complacency

In a speech last week to the Banque Centrale du Luxembourg, Vice Chairman of the Federal Reserve Donald Kohn provided a thorough analysis of events leading to the current financial crisis.  A major portion of his remarks focused on the inadequate investment in risk management by many financial institutions.  In his view, the long period of relative stability in financial markets bred a high level of complacency and inattention to the growing risks.  As he stated,
"Complacency contributed to the unwillingness of many financial market participants to enhance their risk-management systems sufficiently to take full account of the new (perhaps unknown) risks they were taking on."

Risk management should be a primary focus of all companies, financial and non-financial, at all times.  It is precisely the moment when profits are at their peak and economic times are good that companies should be most vigilant.  Now, we are in catch-up mode and must make greater investment in risk management to ensure complacency does not become part of the risk equation again.

Sunday, November 16, 2008

A Call for Action

The Group of Twenty ("G-20") met in Washington, DC on Saturday to jointly develop action plans to address the growing economic crisis sweeping the globe.  A need for greater transparency and accountability in our financial markets served as the primary theme for the meeting.  The result of their discussion was a strong declaration regarding the root causes of the problems we are facing and recommended actions to remedy the situation.  One of their action plans focused squarely on risk management.  Below are the related risk management actions to be taken by March 31, 2009.

  • Regulators should develop enhanced guidance to strengthen banks' risk management practices, in line with international best practices, and should encourage financial firms to reexamine their internal controls and implement strengthened policies for sound risk management.

  • Regulators should develop and implement procedures to ensure that financial firms implement policies to better manage liquidity risk, including by creating strong liquidity cushions.

  • Supervisors should ensure that financial firms develop processes that provide for timely and comprehensive measurement of risk concentrations and large counterparty risk positions across products and geographies.

  • Firms should reassess their risk management models to guard against stress and report to supervisors on their efforts.

  • The Basel Committee should study the need for and help develop firms' new stress testing models, as appropriate.

  • Financial institutions should have clear internal incentives to promote stability, and action needs to be taken, through voluntary effort or regulatory action, to avoid compensation schemes which reward excessive short-term returns or risk taking.

  • Banks should exercise effective risk management and due diligence over structured products and securitization.


A great deal of work will be required to properly address these recommendations.  However, the end result will be a much stronger global economy.  Wheelhouse Advisors can help your company quickly assess its risk & control programs and provide cost-effective solutions to the recommended actions.  Visit our website at www.WheelhouseAdvisors.com to learn more.

Thursday, November 13, 2008

A Return of Systemic Risk?

The sudden about-face in the direction of the US Treasury's Troubled Asset Relief Program ("TARP") has brought on new fears of increasing systemic risk in the financial markets.  TARP was originally intended to lower systemic risk by ridding the markets of the toxic securities that currently plague the balance sheets of numerous financial institutions.  By leaving those securities on the balance sheets, many believe that a crisis in confidence will re-emerge.  Bloomberg.com noted the following comments yesterday from a credit strategist at BNP Paribas,
"Substantial risk still remains within the U.S. financial system," said Rajeev Shah, a London-based credit strategist at BNP Paribas.  "Uncertainty about existing troubled assets could lead to increasing systemic risk."

Where do we go from here?  Who knows?  However, one thing is certain.  Changing plans in mid-stream is certainly no way to reduce uncertainty in the financial markets.

Wednesday, November 12, 2008

The Dukes of Moral Hazard

Yesterday, the Wall Street Journal discussed the impact of moral hazard on the behavior of both corporations and individuals.  With the ever increasing amounts of money being doled out to those who invested in risky derivative securities and their underlying assets, the impact of moral hazard cannot be ignored.  Wikipedia defines moral hazard in the following way.
Moral hazard is the prospect that a party insulated from risk may behave differently from the way it would behave if it were fully exposed to the risk. Moral hazard arises because an individual or institution does not bear the full consequences of its actions, and therefore has a tendency to act less carefully than it otherwise would, leaving another party to bear some responsibility for the consequences of those actions.

There is great debate about whether the current efforts by the US Government will lead to a greater risk of increasing moral hazard.  Some may compare today's situation to the behavior of the good ol' boys in the old TV show, "The Dukes of Hazzard".  They never crashed their car or went to jail even though they drove recklessly in every episode.  Sound familiar?

Tuesday, November 11, 2008

Speechless

Today's post leaves one speechless, both literally and figuratively.  In the figurative sense, few words can describe the ever increasing amounts of money that the US Government is pouring into financial institutions such as AIG.  Literally, there is not much more to say beyond what Barron's Bob O'Brien has to offer in his video post, "AIG Becoming a Money Pit?"

Monday, November 10, 2008

Repeal the Rescue Packages

Last week, former US House Speaker Newt Gingrich wrote an opinion in the San Francisco Chronicle renewing the call for a repeal of the Sarbanes-Oxley Act of 2002 ("SOX").  Mr. Gingrich's basic premise is that SOX went too far in regulating corporate governance and at the same time did nothing to prevent the collapse in financial markets.  As many others have complained in the past, Mr. Gingrich says that SOX is too costly and is preventing companies from going public.  Mr. Gingrich cites a $4.36 million cost per company from a recent Financial Executives International ("FEI") survey.  However, he fails to mention this figure is for the largest of companies (those with a market value greater than $700 million) and is out of date.  The most recent FEI survey figure for the largest companies is actually lower ($3.8 million) and for smaller companies that he is referencing in his IPO argument, the average cost is just over $600,000.  

Now, let's compare that to the updated "rescue" package for AIG.  Just this week, the package was increased to $150 billion.  That's right - billion with a "B".  And, as for the claim that SOX did nothing to prevent AIG's woes, it actually helped bring the woes to light.  It was the external auditor's disclosure of a material weakness in AIG controls (a SOX requirement) over credit default swap valuations that first held AIG management accountable and led to the departure of the CEO.  

Lastly, Mr. Gingrich says that SOX is driving companies overseas.  Well, if that is the case, then the "rescue" packages are certainly serving as a great incentive for companies to come back to the US.  Now, companies are lining up to receive US taxpayer money.  Those companies that do not want to be held accountable when accessing capital through public markets are probably better off in other markets.  SOX is not the problem - it is the "rescue" packages that need to be repealed.

Sunday, November 9, 2008

Keep Your Eye on Compliance

The primary focus of most CFOs these days is credit and liquidity.  However, during a crisis such as the one we are experiencing, it is easy to become distracted and lose focus in other critical areas.  Compliance is one of these areas and with the recent election results, it is sure to be an area of great risk in the months and years to come.  Here's what Barry Bregman, a partner with CTPartners in New York, had to say about the topic at CFO.com.
That's not to say compliance has fallen by the wayside, especially at a time when the government is looking even harder at the operations of financial-services companies. "CFOs should make sure they have their eye on that ball and that they have the right people managing those functions."

Wheelhouse Advisors is equipped to help CFOs and their organizations maintain the proper focus on risk management and compliance with cost-effective solutions.  Visit www.WheelhouseAdvisors.com to learn more.

Thursday, November 6, 2008

Responsible Investing on the Rise

According to recent studies by the CFA Institute, many people are looking to expand their concern for sustaining the environment to their investment portfolios.  In a publication released earlier this year, the CFA Institute noted the following.
A growing number of people are extending their social consciousness beyond driving hybrid vehicles or drinking fair trade coffee to pursuing a socially responsible investment strategy that reflects their values and core beliefs.... Socially responsible investing (SRI) integrates financial objectives with social and environmental objectives. SRI assets are growing at a faster pace than the broader universe of all investment assets under professional management.

In addition, those same investors are clamoring for stronger corporate governance and risk management within the companies that they are considering for investment.  Yesterday, the Financial Times quoted a proponent of responsible investing.
“Responsible investors benefit from better risk management, greater transparency, and an active engagement with companies to promote better management,” says Helena Vines Fiestas, a policy analyst for Oxfam. “Social, environmental and governance issues are also key features of their investment analysis. In this climate, responsible investors offer a real way forward.”

What's good for the environment can also be good for companies looking to navigate the ever changing world in which we live.

Wednesday, November 5, 2008

Playing with Fire? You Get Burned.

For those of you who have studied Finance and Investments, you are certainly familiar with the father of Modern Portfolio Theory, Harry M. Markowitz.  Mr. Markowitz earned the Nobel Prize in Economics for his recognition of the benefit of diversification in reducing risk in a given portfolio of securities.  In yesterday's Wall Street Journal, Mr. Markowitz was quoted on the role of financial engineers in today's financial crisis.   Below are his remarks.
"Diversifying sufficiently among uncorrelated risks can reduce portfolio risk toward zero," he says in an interview. "But financial engineers should know that's not true of a portfolio of correlated risks."

More specifically, Mr. Markowitz is referring to the financial engineers who created the mortgage-backed securities using tranches of various types of mortgages and touting their diversification benefits.  What they failed to mention was the fact that risk is not mitigated when using similar types of securities with correlated returns.  Not only is risk not mitigated, it is exacerbated, like throwing gasoline on a fire.  I guess those involved in creating this mess either fell asleep in class the day Modern Portfolio Theory was discussed or simply sold a pack of lies.  In either case, they were playing with fire and a whole bunch of people got burned.

Tuesday, November 4, 2008

A New Day

A new day has dawned in America with the results of a historic presidential election.  What will this mean for corporations?  Will new regulations be placed on business?  What will the impact be on the economy?  Well, with the economic challenges facing not only the United States, but also the entire world, one thing is for certain - change is coming.  Change can be embraced or feared.  For those prepared for change, it represents huge opportunity.  For those focused on the past, change can be the ultimate risk.  Is your company prepared for change?  Share your thoughts here.

Monday, November 3, 2008

Growing Systemic Risk - Revisited

If you have been following The ERM Current™ over the past few weeks, you will probably recall discussions about systemic risk permeating the financial markets.  Well, yesterday the Wall Street Journal chronicled the making of the engine that fueled the systemic risk.  Much of the credit derivative problem emanated from AIG and their use of sophisticated computer models to value the risk within each of their financial products. An academic consultant from Yale University promoted these models and was paid handsomely for it.  His name is Gary Gorton and here is what he had to say just last month.
"You have this very, very complicated chain of the movement of the risk, which made it very opaque about where the risk finally resided. And it ended up residing in many places. So the whole infrastructure of the financial market became kind of infected, because nobody knew exactly where the risk was." 

The primary objective of these financial products was to be "opaque" so investors would unwittingly buy into the scheme.  However, when the institutions who peddled these products placed their faith in the computer models to value the risks, their fate was sealed.

Sunday, November 2, 2008

The Auditors Are Coming!

Last week, the Public Company Accounting Oversight Board ("PCAOB") released proposed standards for auditors to examine and utilize risk assessments in their upcoming audits of major corporations.  These standards could prove to be significant in the evolving audit approaches for internal control over financial reporting (i.e. Sarbanes-Oxley Section 404).  Mark Olson, PCAOB Chairman, commented on the purpose of these new standards,
“An appropriate assessment of risk is the foundation of a high quality audit. Today’s proposals are intended to strengthen that foundation, which should result in improvements throughout the audit.”

In performing their assessment of risk, auditors are guided first to examine the company's own assessment of risk.  For those companies that do not have a solid framework and/or understanding of their risks, this new standard could be problematic.   The standard states,
The auditor should obtain an understanding of management's process for:

a. Identifying risks relevant to financial reporting objectives, including risks of material misstatement due to fraud ("fraud risks"),
b. Assessing the likelihood and significance of misstatements resulting from those risks, and
c. Deciding about actions to address those risks.

Factors that should be evaluated in determining which risks are significant risks include:

a. Whether the risk is a fraud risk;
   Note: A fraud risk is a significant risk.
b. Whether the risk is related to recent significant economic, accounting, or other developments;
c. The complexity of transactions;
d. Whether the risk involves significant transactions with related parties;
e. The degree of complexity or judgment in the recognition or measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
f. Whether the risk involves significant transactions that are outside the normal course of business for the company, or that otherwise appear to be unusual due to their size or nature.

If your company is looking to strengthen its risk assessment process or build a new risk assessment framework to prepare for the new proposed standard, then click here to contact us and learn more about how our firm can help your company Navigate Successfully™.

Thursday, October 30, 2008

Canary in a Coal Mine

During the recent boom in mortgage-backed securities and credit derivatives, many risk managers were hired to serve as the "canary in a coal mine" for financial institutions.   In the past, coal miners would bring a canary with them to work to ensure that they did not die as a result of carbon monoxide poisoning.  If the canary stopped singing and died, then the coal miners knew to evacuate due to the risk of high levels of carbon monoxide gas in the mine.   The problem with the financial institutions was that the canary (i.e. risk manager) stopped singing in many cases.  The miners (i.e. bankers) chose not to pay attention to the canary at their own peril.  

Just this week, the following was published in US Banker magazine.
"There’s a lot of finger pointing going around about what led to the current financial market breakdown, but perhaps the most ridiculous target of blame is the very idea of financial derivatives, as if these products sprang out of the ground like a particularly potent crop of poison ivy while no one was looking. In reality, a lot of people were looking, and a fair number of risk managers were warning, but too many institutions were either ignoring or mis-measuring the risk."

Rather than rely solely on sophisticated models in the future, the magazine suggests that many financial institutions are getting back to basics.  Edward Hida, a risk management expert from Deloitte, is quoted by the magazine as saying that it all begins with:
"a strengthening of governance and monitoring." The chief risk officer "should serve as a central point. Risk management should be a robust process across functions."

He makes a great point, but the rest of the organization must heed the warnings of the chief risk officer in the future or suffer the same fate as the poor souls at the bottom of the mine.

Wednesday, October 29, 2008

GRC Software Swamp

When you think of a swamp, what comes to mind?  Murky, squishy, and difficult to find your way through? Well, the same can be said for today's Governance, Risk & Compliance ("GRC") software marketplace.  There are many vendors crowding the market with all sorts of products that address various components of GRC. However, it is extremely difficult for companies to determine what software may be best suited for their processes and environment.  That's because the software market and the products themselves are evolving continuously.  

Wheelhouse Advisors can help you determine not only your requirements, but also the solutions that are best suited for your company.  It starts with gaining a solid understanding of your GRC process design and overall vision for the desired end state.  With that in hand, Wheelhouse Advisors can then work to help you successfully navigate through the swamp to find a software product that will enable your program to reach its fullest potential.  

Visit www.WheelhouseAdvisors.com to learn more about how we can help your company Navigate Successfully™.

Tuesday, October 28, 2008

You can pay me now... Or, pay me later!

A study was released this week that examines worldwide regulatory compliance efforts and implementations in large organizations.  The results of this study are surprising, if not alarming, given the current state of the worldwide economy.  Sponsored by CA and conducted by GMG Insights, the study found that many organizations in Europe and the Asia/Pacific Region are not fully compliant with many regulations even though they are required to be.  For example, 46% of European companies and 50% of Asia/Pacific companies anonymously reported that they are not fully compliant with the Sarbanes-Oxley Act.  To be sure, these companies do not have very mature risk and control programs.  The researchers conducting the study concluded the following.
"The conclusion we come to is that in spite of the rising costs associated with compliance and the severe penalties that can come from non-compliance, organizations are still managing down to a “just enough to get by” strategy. In our opinion this strategy cannot be sustained. Organizations face exponential growth of regulations and systems affected by those regulations must be monitored. Managing compliance with an ad hoc approach subjects organizations to significant risks. Recognition of the organizational risk and the growing costs will ultimately drive the adoption of broader, enterprisewide compliance management solutions."

These companies and many others may believe they are saving money by addressing compliance in this fashion.  However, most will ultimately find that this short-term, ad hoc approach will not only lead to greater risk of potential non-compliance, but also to greater cost due to fragmented and duplicate activities.  As the mechanic says to his customer in the oil filter commercial, "you can pay me now..... or pay me later".

Monday, October 27, 2008

A Financial 9/11?

Last week, two past chairmen of the US Federal Reserve provided their perspectives on the current financial crisis gripping the world economies.  Alan Greenspan testified before the US House Committee on Oversight and Government Reform that we are experiencing a "once-in-a-century credit tsunami".  He went on to say that, "In 2005, I raised concerns that the protracted period of underpricing of risk, if history was any guide, would have dire consequences."

However, in a 2005 speech, Mr. Greenspan lauded the sophistication of risk management related to derivatives that led us to the current financial market collapse.  He noted the following,
"The use of a growing array of derivatives and the related application of more-sophisticated approaches to measuring and managing risk are key factors underpinning the greater resilience of our largest financial institutions..."

Another former chairman, Paul Volcker, provided a simpler view at a roundtable session at Columbia University last week.  He stated, 
"We are dealing with unprecedented events, and unprecedented events call for unprecedented measures.  I think we really are going to have to rebuild the system pretty much from the ground up."

Instead of a "tsunami", maybe Mr. Greenspan should have used a different metaphor - a financial 9/11, perhaps?  Just as we are now rebuilding the World Trade Center, we will need to rebuild, according to Mr. Volcker, the financial system headquartered only a few blocks away on Wall Street.  Your thoughts?

Sunday, October 26, 2008

Better Ingredients. Better Governance.

This weekend, the Wall Street Journal included the opinion of John Schnatter on the current financial crisis.  For those of you who do not recognize his name, Mr. Schnatter is none other than "Papa John" of the famous pizza franchise, Papa John's.   As Chairman of the Board at Papa John's International, Inc., Mr. Schnatter points out that the failings of the many corporations that were involved in the carnage started in the boardroom.   With weak oversight, these companies did not possess the strong level of governance required to hold the CEO accountable as the bubble expanded.  Mr. Schnatter explains,
"As our nation works its way through this crisis, and we look for explanations as to how we reached this point and how to avoid another crisis in the future, let us keep in mind that a significant set of checks and balances -- ultimately ending with the boards of directors -- has failed."

Checks and balances must be improved, beginning with the board and ending with strong controls throughout the enterprise.  As Papa John himself says, better ingredients lead to better pizza and, in the case of enterprise risk management, better governance.

Thursday, October 23, 2008

How Mature is your Risk & Control Program?

Do you know how mature your risk and control program may be?  More importantly, do you know how mature you want your program to be?  Wheelhouse Advisors provides services to give companies a better understanding of the current state of their risk and control program as well as how to achieve the desired state. Through a comprehensive diagnostic review, Wheelhouse Advisors can quickly provide Executive Management and Board Members an independent view of their program.  We examine the following five main components to determine the maturity level.  

  1. Infrastructure

  2. Control Portfolio

  3. Governance Model

  4. Capabilities

  5. Cost Structure


Clients can then use the results of this diagnostic review to develop a road map that will help them achieve the desired maturity in their risk and control program.  If you would like to learn more about how Wheelhouse Advisors can help your company, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Wednesday, October 22, 2008

Operational Risk Is Quickly Gaining Attention

As the financial crisis continues to unfold, one area of risk management that is gaining an increasing amount of attention is operational risk.  Operational risk is typically defined as the risk of loss resulting from inadequate or failed internal processes, people, technology or from external events.  Earlier this year, the massive trading losses at Société Générale resulting from the activities of a rogue trader exemplified the need for stronger operational risk management practices.  Just last week, the Financial Times reported that,
".....some of the world’s biggest investment banks, including Goldman Sachs, Morgan Stanley and Citigroup, issued a report criticising risk management at their own institutions and urging “serious and sustained investment” in better people and technology."

Greater investment is needed to get ahead of the operational risk curve before the next rogue trader comes along.  What do you think?  Please share your comments below.

Tuesday, October 21, 2008

Risk Management as a Competitive Advantage

When asked, most corporate executives do not think of risk management or regulation as a competitive advantage.  That is, until confidence and trust are no longer commodities, but highly treasured assets.  Looks like the US Government is also realizing the value of risk management and regulation.  Earlier this week the Wall Street Journal noted the following,
"Two years ago this month, Treasury Secretary Henry Paulson was talking about how the regulatory pendulum "may have swung too far" in the wake of corporate scandals earlier this decade.  Mr. Paulson's fear: That overly burdensome regulation would make U.S. capital markets less innovative and competitive globally. If only."

Yes, how quickly things change.  If you are interested in learning more about how Wheelhouse Advisors can assist your company in strengthening risk management to become a competitive advantage, visit our website at www.WheelhouseAdvisors.com or email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Monday, October 20, 2008

A Case for Strategic Risk Management

Yesterday, Federal Reserve Governor Randall S. Kroszner delivered a speech to the 2008 Annual Risk Management Association Conference in Baltimore, Maryland.  In his speech, Governor Kroszner made the case for strengthening risk management practices by integrating risk management with strategic planning.  Governor Kroszner stated,
"In my view, an effective overall corporate strategy combines a set of activities a firm plans to undertake with an adequate assessment of the risks included in those activities. Unfortunately, many firms have forgotten the second part of that definition. In other words, there can be no real strategic management in financial services without risk management, hence my use of the term "strategic risk management." Risk management needs to be interwoven into all aspects of the firm's business and should be part of the calculus for all decision-making. Strategic decisions about what activities to undertake should not be made unless senior management understands the risks involved; assessing potential returns without fully assessing the corresponding risks to the organization is incomplete, and potentially hazardous, strategic analysis."

While many institutions may have thought they were considering risks when setting strategy, most were blinded by the potential profits without a healthy consideration of the risks.  As Governor Kroszner reiterated in his remarks,
"...the ongoing fundamental transformation in financial services offers great potential opportunities for those institutions able to integrate strategy and risk management successfully, and I will argue that survival will hinge upon such an integration...."

Click here to read Governor Kroszner's full speech.

Sunday, October 19, 2008

An Office of One - Revisited

For those who have been keeping up with The ERM Current™ this month, you might recall the blog from October 9 titled "An Office of One".  It details the Securities and Exchange Commission's approach to risk management and the impact of cutting the office of risk management back to one person.  Well, in reading some earlier thoughts from former SEC Chairman Harvey Pitt, it seems that the vision for Enterprise Risk Management at the SEC was much broader and simply suffered under the current administration of Chairman Christopher Cox.  As Mr. Pitt explained in a Compliance Week article earlier this year,
My years in government have taught me that government seems far more adept at examining the past than anticipating the future. When I became chairman of the SEC in 2001, for example, the agency had never—not once in its nearly seven decades—ever conducted a top-down management review of efficiency and processes. While the result of the review I commissioned recommended the creation of a risk-management group within the SEC, this recommendation has taken years to implement, and even then with a paucity of resources that makes the effort almost worse than never having undertaken it.

Mr. Pitt deserves credit for his vision.  If only he had been around longer to have seen it fully implemented, we may have been experiencing different and much less severe consequences today.

Thursday, October 16, 2008

Better late than never!

Yesterday, the Federal Reserve released guidance to major financial institutions on how they should be managing compliance risk across the enterprise.  The guidance is very similar to enterprise risk management frameworks that have been in existence for some time now.  Here is an excerpt from their release describing the need for additional guidance.
While the guiding principles of sound risk management are the same for compliance as for other types of risk, the management and oversight of compliance risk presents certain challenges. For example, quantitative limits reflecting the board of directors’ risk appetite can be established for market and credit risks, allocated to the various business lines within the organization, and monitored by units independent of the business line. Compliance risk does not lend itself to similar processes for establishing and allocating overall risk tolerance, in part because organizations must comply with applicable rules and standards. Additionally, existing compliance risk metrics are often less meaningful in terms of aggregation and trend analysis as compared with more traditional market and credit risk metrics. These distinguishing characteristics of compliance risk underscore the need for a firmwide approach to compliance risk management and oversight for large, complex organizations. A firmwide compliance function that plays a key role in managing and overseeing compliance risk while promoting a strong culture of compliance across the organization is particularly important for large, complex organizations that have a number of separate business lines and legal entities that must comply with a wide range of applicable rules and standards.

The guidance is very well intended and comprehensive, but not well timed.  The subjects of this guidance should have been addressing these risks on an enterprise level well before the current collapse.  However, as the saying goes, "better late than never!".  Your thoughts?  Click here to read the entire supervisory letter from the Federal Reserve.

Wednesday, October 15, 2008

Board Members Agree - ERM is Top Priority

As we move into the fourth quarter of a year filled with major corporate calamities, a recent survey of over 1,000 public company board members points to the need for stronger enterprise risk management.  Today, Corporate Board Member magazine released the results of their 7th annual survey entitled "What Board Members Think".  This survey, conducted by PricewaterhouseCoopers, highlights the board members' belief that shareholders deserve greater assurance that risks will be effectively managed.  The magazine reported the following.
When asked if they felt their board members could adequately meet the responsibility of monitoring the company's multitude of risks, 81 percent of directors felt their board was capable; yet only 50 percent said their board was effective or very effective at monitoring a risk management plan to mitigate corporate exposures.

Based on this survey, board members seem to understand their role and also, more importantly, seem willing to address the challenge of holding management accountable for building and maintaining strong enterprise risk management programs.  Do you agree with these results?  Share your thoughts below.

The Devil is in the Details

Yesterday, the US Treasury released highlights of its proposed Executive Compensation Rules associated with the $700 billion Emergency Economic Stabilization Act ("EESA").  Here is a summary of the key provisions.
Any financial institution participating in the Capital Purchase Program will be subject to more stringent executive compensation rules for the period during which Treasury holds equity issued under this program. The financial institution must meet certain standards, including: (1) ensuring that incentive compensation for senior executives does not encourage unnecessary and excessive risks that threaten the value of the financial institution; (2) required clawback of any bonus or incentive compensation paid to a senior executive based on statements of earnings, gains, or other criteria that are later proven to be materially inaccurate; (3) prohibition on the financial institution from making any golden parachute payment to a senior executive based on the Internal Revenue Code provision; and (4) agreement not to deduct for tax purposes executive compensation in excess of $500,000 for each senior executive. 

While this sounds good enough, there is a great deal of room for interpretation that may or may not help deal with the real problem at hand.  If you read my blog entry on September 24, you will have a better appreciation for the incentive programs leading to firms taking excessive risks.   The senior executives' pay packages certainly added to the problem, but the great extent of the excessive risk taking is found throughout the institutions' trading floors and mortgage origination ranks.  So, how will the Treasury ensure excessive risks are not taken by non-senior executives?  As with everything, the devil is certainly in the details.  I'm sure there will be more debate once the detailed rules are released. Stay tuned.

Tuesday, October 14, 2008

Who's to Blame? The Better Question is "Who's Accountable?"

This week, Gartner Research is hosting its 2008 Annual Symposium in Orlando, Florida to discuss what is on the horizon for Information Technology professionals in the coming years.   Several Gartner analysts unveiled what they see as the nine most contentious issues for IT professionals over the next two years.  Risk management made the list as the third most contentious issue - specifically, determining the accountability for security and risk management as it relates to business applications.  Here's what they had to say.
Issue 3 - Business Accountability for Security and Risk Management.  Security and risk management is not just an IT issue. It is essential that the IT risk manager, using effective communications skills, persuade the appropriate IT owners and line-of-business managers to accept explicit, written responsibility for residual risk impacting their systems and processes, on either a direct or a dotted-line basis. Risk managers should develop mechanisms for assignment and acceptance of residual risk and risk decisions - for example, signature forms, processes, and policies that address the requirement and execution of risk acceptance. The risk manager should also develop mechanisms to convey residual risk levels that remove reference to technology but still support good risk-based decisions at a business level that may result in the implementation of technical controls.

Understanding the risks well enough to establish the appropriate accountability structure in advance of a risk event is a key element for strong risk management.  Otherwise, energy that should be focused on proactively managing risks becomes focused on determining who should be blamed for the risk that resulted in a catastrophe. Do you agree? Please share your thoughts below.

Monday, October 13, 2008

Does the US Government Need ERM?

As we enter another week in the evolving crisis sweeping our financial markets, it is clear that the central figure in this crisis, the US Government, has been reacting to events as they happen.   From the outside, it appears that the Government is using a trial-and-error approach by launching various imperatives with little knowledge of the expected result.  This is crisis management at its worst.

Once this crisis has passed, our Government should look to our northern neighbors for a lesson in risk management. The Canadian Government has been endorsing a program called "Results for Canadians" since the late 90's.  Part of this program focuses on how the Government can improve their approach in proactively dealing with potential risks.  In 2003, the Canadian Treasury Board developed an Integrated Risk Management Framework for use by all areas within the Canadian Government.  The Treasury Board explains the purpose of the framework as follows:
The Integrated Risk Management Framework provides guidance to adopt a more holistic approach to managing risk. The application of the Framework is expected to enable employees and organizations to better understand the nature of risk, and to manage it more systematically.

Could the US Government and Treasury use a risk framework, eh?  What are your thoughts?

Friday, October 10, 2008

Blame Technology? Not so fast!

Many people are asking about the huge technology investments made by financial institutions to provide risk management capabilities designed to prevent major market catastrophes (like the one we are currently experiencing). Well, based on a recent article in Information Week entitled "Risk Management Failings Spur Big Financial IT Investments", huge investments were made and continue to increase.  However, simply investing more in technology is not the full answer.  Many institutions had the risk information readily available, but chose to ignore it because of greed.  According to Gregg Berman, risk management practice head at RiskMetrics, this was certainly the case.  He states,
"Given the levels of technology that we have today, this crisis we're going through is something that was very avoidable.  This was not a natural disaster. The writing was on the wall for quite some time and people ignored it."

So, once again, superior risk management practices hinge on the abilities of the right people creating the right culture supported by the right infrastructure.  Without all three legs of the stool (people, culture, infrastructure), well, you know what happens - someone will take the fall.

Thursday, October 9, 2008

An Office of One

Earlier this week, Lynn Turner provided extensive testimony to the US House Committee on Oversight and Government Reform on the many ills of our current corporate and regulatory governance regime.  He had many great points, but one that stood out was his commentary on the demise of the Securities and Exchange Commission ("SEC").  The following is an excerpt from Mr. Turner's testimony.
"Regulation also failed to keep pace. At the Securities and Exchange Commission (“SEC”), the Office of Risk Management had been reduced to an office of one by February of this year. From 2005, the number of SEC enforcement division personnel was cut by 146 from 1338 to 1192 in 2007. In 2004, the SEC reduced the capital requirements for the largest Wall Street investment banks."

As he points out, the SEC mirrored what many companies were doing themselves - cutting back in areas that were meant to prevent future catastrophe.  During good times, few concern themselves with growing risks or possible downturns.  However, the SEC took "putting your head in the sand" to a new level by reducing their office of risk management to one person.

Mr. Turner offered the following recommendations to Congress and the SEC.
"The SEC also needs to take actions to shore up confidence in the agency which I believe has been seriously eroded as a result of the current crisis. For example, the Office of Risk Management should be adequately staffed to allow the agency on a proactive basis to identify risks in the market place such as those created by excessive leverage, or new financial instruments that carry significant system risks such as credit derivatives. Once identified, a plan for promptly and appropriately addressing regulatory and public policy issues should be formulated and an action plan established on a proactive basis before, not after, the train wreck has occurred."

Several years ago, the US Army ditched their slogan "An Army of One" for obvious reasons.  I think the SEC may need to do the same.  Your thoughts?

Click here to read more of Lynn Turner's testimony to Congress.

Wednesday, October 8, 2008

Punishing the Monkey at AIG

Yesterday, the US House Committee on Oversight and Government Reform had quite a session receiving testimony from those involved in events leading to the massive bailout of American International Group ("AIG").  Of particular concern was a letter from Joseph St. Denis, an AIG accounting policy expert who had been hired, as he explained, "as part of an entity-wide effort to address material weaknesses by AIG's external auditor".  Unfortunately, Mr. St. Denis could not participate in this effort because he was restricted from reviewing the area with the highest risk - accounting for credit default swap derivatives.

Mr. St. Denis resigned from AIG after serving just over a year due to restrictions placed on him by senior executives. After surfacing many legitimate issues, he was demoted even though he had received a stellar performance rating only a few months before.  Then, according to Mr. St. Denis, he was prohibited from reviewing the very area that led to AIG's ultimate demise.  Joseph Cassano, head of AIG's Financial Products group, was the executive responsible for the valuation of AIG's Super Senior Credit Default Swap portfolio and the same executive who made the following statement to Mr. St. Denis:
"I have deliberately excluded you from the valuation of the Super Seniors because I was concerned you would pollute the process."

The improper valuation of this portfolio led to another material weakness in 2007 and ultimately led to AIG's death spiral.  Meanwhile, Mr. Cassano retired from AIG earlier this year and continues to receive $1 million per month in consulting fees from AIG.  In the words of famous musician Mark Knopfler, I think this is a clear case of "punishing the monkey while letting the organ grinder go free".  Your thoughts?

Click here to read Joseph St. Denis' letter to Congress

Tuesday, October 7, 2008

Fooled by Fuld?

Yesterday, Richard Fuld, CEO of the recently defunct Lehman Brothers, testified before Congress in regards to his role in the demise of his firm.  Here is an excerpt from his prepared testimony.
No one realized the extent and magnitude of these problems, nor how the deterioration of mortgage-backed assets would infect other types of assets and threaten our entire system.  In April 2006, Chairman Bernanke predicted that the housing market “will most likely experience a gradual cooling rather than a sharp slowdown.”  In March 2007, he stated “the impact on the broader economy and financial markets of the problems in the subprime market seems likely to be contained.”  Similarly, Secretary Paulson said in June 2007 that the crisis in the mortgage markets “will not affect the economy overall,” echoing the views of the International Monetary Fund.  And at Lehman Brothers’ annual shareholder meeting, I too said what I absolutely believed to be true at the time – that the worst of the impact to the financial markets was behind us.

How could Mr. Fuld truthfully tell shareholders in April that "the worst was behind us" during a 2nd quarter performance period that would result in a loss to those same shareholders of $2.8 billion?  Also, how can he place blame on those outside his organization for a failure within his own organization?  He added the following later in his testimony.
We exist in a regulatory regime created in a vastly different world for vastly different markets. Some have compared the regulatory and risk management systems of our current markets to trying to run a bullet train on ancient track.

Blaming the system is as weak as it gets.  Call it a lack of accountability or responsibility or simply a lack of integrity.  To me, it sounds like Mr. Fuld tried to fool the market and lost.  Your thoughts?

Monday, October 6, 2008

My Name is Mudd

An article in yesterday's New York Times details the contribution made by Fannie Mae's former chief executive officer, Daniel Mudd, toward the financial meltdown we are experiencing in the US mortgage securities market.  Mr. Mudd, like many other CEOs of his time, joined the group of lemmings chasing profits, placating investors and taking excessive risks.  The article points out that Mr. Mudd told employees to “get aggressive on risk-taking, or get out of the company.”  When Mr. Mudd's chief risk officer warned him about the housing bubble and the potential negative impact to the company, Mr. Mudd argued that the market, shareholders and Congress all thought the companies should be taking more risks, not fewer.

While his name is literally Mudd, Fannie's CEO also serves as a metaphor for the dozens of CEOs and many more executives who failed to heed the warnings of risk professionals in the face of external pressure and personal greed.   Do you agree?  Please join the conversation below.

Friday, October 3, 2008

Where is the A-Team?

At many companies around the world right now, executive management is feverishly looking for ways to cut costs and eliminate headcount to bolster the bottom line.  As I have heard many times before, many are probably asking themselves, "Do we really need an A-Team to handle our enterprise risk and compliance activities?"  As a result, risk management and compliance are areas that are typically cut first.  While that may be helpful to the bottom line in the short run, it typically comes back to haunt companies as we are seeing today in the many corporate failures related to poor risk management and compliance practices.  

So, those same executives should be asking themselves, "Do we have the right talent to address our risk management and compliance activities?"  Some key skills required for the "A-team" include:

  • Solid understanding of the business

  • Well informed on regulatory and compliance requirements

  • Ability to see the big picture beyond just the rules

  • Uncompromising integrity and courage

  • Strong communications skills to articulate risk exposures as well as opportunities

  • Capability to persuade and influence appropriate behavior in others


So, as budget season winds down in many corporations, executives need to be very careful not to succumb to the temptation to cut what may seem like a non-essential activity.  As Mr. T from the original A-team would say, "I pity the fool who cuts enterprise risk!"  Do you agree with Mr. T?  Comment below.

Thursday, October 2, 2008

Fannie + Freddie = Fraud

According to recent reports about investigations into the corporate governance and accounting practices at Fannie Mae and Freddie Mac, it appears that the two Government Sponsored Entities (GSEs) did not learn their lesson from improper disclosures made only a few years ago.  This is what was reported by the Associated Press yesterday.
The mortgage finance companies said Monday that a federal grand jury in New York is investigating accounting, disclosure and corporate governance issues at Washington-based Fannie and McLean, Va.-based Freddie.  Critics have long questioned the companies' bookkeeping.  Last November, for example, a Fortune magazine story said new accounting procedures at Fannie Mae masked potential losses on bad loans.  And several years ago, both Fannie and Freddie were forced to restate billions in earnings after federal regulators discovered accounting irregularities at both companies.

If we can't trust these GSEs to clean up their act and root out fraud, how can we again trust our government with $700 billion of our money to handle the very same mortgage-backed securities that ran through these corrupt GSEs?  What are your thoughts?  Please join the conversation below.

Wednesday, October 1, 2008

GRC Convergence - Where's the "B"eef?

Many software vendors and professional services firms are touting their abilities to converge or integrate what has become a common buzz word - "GRC".  For those who are unfamiliar with the term, GRC stands for Governance, Risk and Compliance respectively.  In many companies, activities related to each of these areas often overlap and lend themselves to duplicative efforts as well as excessive costs.  As such, there is a true need and benefit to integrating these disciplines.

However, what is often missed in this push for convergence is the need to first integrate these disciplines into the business processes themselves.  The greatest convergence benefit will be achieved when Enterprise Risk Management becomes a part of running the business, rather than a separate exercise performed by units outside of the business.  By focusing first on the "B" (the business) with the "G", "R" & "C" in mind, GRC convergence will begin to occur naturally as a by-product of the business integration efforts.  Then, when that little old lady from the burger joint comes to review your Enterprise Risk Management Program (or more likely a rating agency, regulator or auditor), you will know the answer to the most important question.  Share your thoughts and comments below.

Tuesday, September 30, 2008

Growing Systemic Risk - Who Knew?

I'm writing today's post while visiting historic Boston, Massachusetts to review an evolving technology platform for managing Enterprise Risk & Control Programs.  Since I'm in Boston, I thought it would be appropriate to share some insight from an Economist at the Federal Reserve Bank of Boston, Ralph C. Kimball.  Mr. Kimball published his article, "Failures in Risk Management", in the New England Economic Review back in January 2000.  In his article, he describes in wonderful detail the forces of systemic risk that our economy is struggling with today - a full eight years after his writing.

As we are experiencing painfully today with the unraveling of financial institutions' hedging strategies and use of derivatives such as credit default swaps, Mr. Kimball notes,
"While an individual firm may mitigate its risks by purchasing insurance or hedging, these actions do not reduce systemic risk in the economy, but only transfer it elsewhere."

This transfer of risk has been accelerated throughout the US and global economies by the fervent use of securitization and leverage.  Individual firms such as Washington Mutual, AIG and Lehman Brothers were acting in their own best interest while spreading the systemic risk contagion.  As Mr. Kimball rightly concludes,
"....the greater the amount of risk mitigation undertaken through hedging or the purchase of insurance, the more likely that unforeseen losses will migrate quickly from one market to another, or from one country to another. That is, while hedging acts to reduce independent risk, it can enhance systemic risk."

What the economy is facing today is no surprise.  What is surprising is how long it took the Federal Reserve and others to address the mushrooming systemic risk infecting our economy.  Who knew?  Mr. Kimball knew.

What are your thoughts?  Share your comments below.

Monday, September 29, 2008

Corporate Fraud Risks Are On The Rise

In its recently released 2008 Global Fraud Report, The Economist Intelligence Unit and Kroll stated that corporations are reporting an overall 22% increase in fraud in 2008 as compared to a similar survey conducted in 2007.  The report noted that weakened internal controls and high staff turnover were the leading causes of the fraud increase.  The average company in the survey lost more than $8 million due to fraud at some point during the last three years.  Can your company afford these fraud risks and the potential impact on other areas such as public image, reputation and the resulting impact on shareholder return?  Share your thoughts below.  Also, to read more about this compelling report, click here.

Friday, September 26, 2008

Newly Released ERM Report from The Economist

As the economy continues to weaken and capital markets are shaken to their core, Enterprise Risk Management ("ERM") is surfacing as a "must-have" program for not only the largest financial services firms, but also for companies of all sizes.  Just this month, a new report published by The Economist Intelligence Unit underscores the need for solid ERM programs.

Thursday, September 25, 2008

What Should Board Members Be Doing Now?

In times like these, the tension in most corporate board rooms is thick, but many board members may not be taking the necessary actions to ensure that they or their fellow members are not unduly exposed.   At the core of the issue is requiring management to establish a solid Enterprise Risk Management ("ERM") program that surfaces the appropriate issues and holds management accountable for addressing risks in a proactive manner.

The following was noted by Joann Lublin and Cari Tuna in Monday's Wall Street Journal.
"Now, more boards may take a bigger role in risk management. During a Sept. 9 roundtable held by the National Association of Corporate Directors, 24 chairmen of audit committees agreed "the whole board needed to be engaged" in monitoring risk, an association official says."

Other areas that board members need to address include the following.

  • Pick directors with temperament, skills and experience to spot warning signs

  • Engage in regular scenario planning

  • Choose independent law firm as future crisis adviser

  • Create an effective risk-management committee

  • Appoint a nonexecutive chairman

  • Develop and practice an emergency communications system

  • Prepare for special committee to explore crisis's cause and remedies


Board members are realizing that in today's turbulent climate, a lack of action toward addressing a company's risks can be more deadly than originally thought.  Just ask the board members at Lehman; they can surely tell you.

What other areas should board members address to strengthen a company's corporate governance and enterprise risk management practices?  Please share your thoughts by commenting below.