Top Risks on the Horizon in 2009

In this final post of 2008, we look forward to a new year filled with uncertainty and risk.  Events of this past year will reverberate not only for the next few weeks or months, but throughout the coming year and potentially many years to come.  A year-end study completed by Ernst & Young highlights the top risks that companies across the globe will face in 2009.  Below are the rankings with results from the 2008 study in parentheses.  

The 2009 top 10 risk rankings

1. The credit crunch (2)
2. Regulation and compliance (1) 
3. Deepening recession (New) 
4. Radical greening (9) 
5. Non-traditional entrants (16) 
6. Cost cutting (7) 
7. Managing talent (11) 
8. Executing alliances and transactions (7) 
9. Business model redundancy (New) 
10. Reputation risks (22) 

Not surprisingly, credit related issues are the number one item on the list followed closely by regulation & compliance.  Companies of all sizes need to be prepared to address the rapid changes that may occur over the next year.  Having a solid framework to quickly understand changes in these risks and make quick adjustments will provide a significant competitive advantage.  Visit www.WheelhouseAdvisors.com to learn more.  

Distorting Risks to Bolster Pay

As more and more begins to emerge from the collapse of our financial markets, it is becoming clear that effective risk management was severely handicapped by those looking to increase their personal compensation.   The New York Times reported this past weekend some of the egregious mortgage lending practices at Washington Mutual ("WaMu") that led to the largest bank failure in American history.   

WaMu gave mortgage brokers handsome commissions for selling the riskiest loans, which carried higher fees, bolstering profits and ultimately the compensation of the bank’s executives. WaMu pressured appraisers to provide inflated property values that made loans appear less risky, enabling Wall Street to bundle them more easily for sale to investors.  “I never had a clue about the amount of off-the-cliff activity that was going on at Washington Mutual, and I was in constant contact with the company,” said Vincent Au, president of Avalon Partners, an investment firm. “There were people at WaMu that orchestrated nothing more than a sham or charade. These people broke every fundamental rule of running a company.”

The major problem here is not that WaMu was poorly managed, but that the practices at WaMu became accepted by the mortgage industry as a whole.  Major reform is desperately needed to ensure that practices such as these are prevented from "becoming the norm" again.

Worldcom's Bernie Ebbers - Naughty or Nice?

Well, it is Christmas Eve and children across the globe are wondering if good, old St. Nick will bring them toys for being nice this year or a lump of coal for being naughty.  Add to the list former CEO of Worldcom, Bernie Ebbers, who is requesting a Presidential pardon of his 25 year prison sentence for his role in one of the largest accounting frauds in history.  His request has attracted worldwide attention.  Here's what The Telegraph in London reported:

Mr Ebbers, 67, who was sentenced to 25 years in jail in 2005 for his part in WorldCom's spectacular collapse, has applied to have that sentence commuted by President George W Bush.  He continues to serve his sentence at Oakdale prison in Louisiana, a low-security facility, from which he is due for release on July 4, 2028, when he will be aged 86.  The fraud at WorldCom led to the country's biggest bankruptcy filing in July 2002, with almost 17,000 employees losing their jobs as a result of the scheme to bury expenses and inflate revenue.

In this season of giving, Bernie should be thinking about how he can give back to the 17,000 people who were impacted by his wrongdoing rather than asking for a gift.  Let's all hope he gets what he deserves for his request - the world's largest lump of coal.

Walking the Walk in 2009

Heading into 2009, many firms are beginning to realize the need to bolster their risk management practices and approaches.  The main challenge centers around the need for a solid risk management framework that can be employed throughout an organization.  In turn, the framework should shape the risk management culture with strong support from the CEO and Board of Directors.  In a recent article in Wall Street & Technology magazine, risk management is identified as the number one priority for financial firms in 2009.   Here is an excerpt:

Analysts agree that the biggest challenge firms face in managing risk is at the operating level. Risk managers will be given much more importance by a firm's top managers than in the past, when the pursuit of alpha typically came at the expense of risk mitigation. 

This certainly comes as no surprise given the severity of the current crisis driven largely by the neglect of risk management.  Everyone is talking the talk.  2009 is the year to walk the risk management walk.

SEC "Office of One" Ignores Massive Fraud

Some of you may recall previous posts regarding the SEC's office of risk management that contained only one staffer for many years.  Well, according to the Wall Street Journal, the one person office was notified earlier this year about Bernard Madoff's massive Ponzi scheme and did nothing to investigate.  The article details the many attempts of Harry Markopolos to alert the SEC to the fraud.  Mr. Markopolos final attempt was made to the head of risk management at the SEC, Jonathan Sokobin.   Here is the account of that attempt:

Early this year, Mr. Markopolos made one last major effort after receiving an email from Jonathan Sokobin, an official in the SEC's Washington, D.C., office whose job was to search for big market risks. Mr. Sokobin had heard about Mr. Markopolos and asked him to give him a call, according to an email exchange between them.  

Mr. Markopolos also sent Mr. Sokobin an email -- with the stark subject line "$30 billion Equity Derivative Hedge Fund Fraud in New York" -- saying an unnamed Wall Street pro recently pulled money from Mr. Madoff's firm after trying to confirm trades supposedly done in his account, but discovering that no such trades had been made.  It was his last try.  He never heard back about his allegations regarding Mr. Madoff.  "I felt pretty low," Mr. Markopolos recalls.  Mr. Sokobin, through an SEC spokesman, declined to comment.

To Mr. Sokobin's credit, he did reach out to Mr. Markopolos to investigate.  However, given the size of his office, it is not surprising he could not act quicker to bring the fraud to an end.  Greater evidence is not needed to justify more investment in risk management.

Turning a Blind-eye Toward Risks

For those of you who have been following The ERM Current,  you may recall the post "Show Me the Money and I'll Show You the Risks".  In that post, the main advice centered on the need to examine incentive structures to determine where excessive risk-taking may be occurring.  As the current financial crisis continues to unfold, the excessive risk-taking driven by grandiose incentives is becoming more and more evident.  Yesterday, the New York Times featured an article on this very topic.   Below is an excerpt from the article,

“Compensation was flawed top to bottom,” said Lucian A. Bebchuk, a professor at Harvard Law School and an expert on compensation. “The whole organization was responding to distorted incentives.” Even Wall Streeters concede they were dazzled by the money. To earn bigger bonuses, many traders ignored or played down the risks they took until their bonuses were paid. Their bosses often turned a blind eye because it was in their interest as well.  “That’s a call that senior management or risk management should question, but of course their pay was tied to it too,” said Brian Lin, a former mortgage trader at Merrill Lynch.

To be effective, risk management must have the authority and the independence to adjust incentive programs based on the risk appetite of the organization.  If risk managers are participating in the very incentive programs that they are charged with overseeing, then a blind-eye will always be turned toward excessive risk-taking.

Most Banks Lack Enterprise-wide View of Risks

According to a recent survey commissioned by Ernst & Young,  the vast majority of major financial institutions lack a consolidated view of risk across their organizations.  Only 14% of the 40 global banks surveyed indicated that they have a solid enterprise risk management program.  Given the current crisis and admission that risk controls are lacking, the majority of the respondents also indicated a need for increased investment in this area (see graphic below).  Some of the other findings of the study included the following.

Organizational silos, decentralization of resources and decision-making, inadequate forecasting, and lack of transparent reporting were cited as major barriers to effective enterprise-wide risk management. The need to create a risk-aware culture throughout the institution emerged as a top priority in the study -- three-quarters of all respondents cited its vital importance -- as banks struggle to develop a consolidated view of risk across business units and various risk dimensions.

The need for effective enterprise risk management programs is certainly clear not only for financial services companies, but also for non-financial services companies.  How effective is your company's risk management program?  For a no-cost, diagnostic review of your program, contact Wheelhouse Advisors today.

Gravely Concerned

In yet another example of the ineffectiveness of regulatory oversight, SEC Chairman Christopher Cox admitted today that the SEC failed to act on numerous red flags regarding Benard Madoff's hedge fund turned Ponzi scheme.  With an estimate of $50 billion in losses, the fraud dwarfs those uncovered at Enron and Worldcom that ultimately led to the creation of the Sarbanes-Oxley Act.  Mr. Cox stated the following in today's Wall Street Journal.

"I am gravely concerned" by the agency's regulation of the firm, Mr. Cox said.  According to Mr. Cox, Mr. Madoff "kept several sets of books and false documents, and provided false information involving his advisory activities to investors and to regulators."

To be effective, regulatory oversight must be re-examined and restructured to provide consistent and comprehensive control.  Without it, trust and confidence will not return to our financial markets.

Beyond the Models

A great deal of the blame relating to the current financial crisis has been focused on the improper use of computer models in determining the amount of risk within a company's portfolio.  A recent article in Bank Systems & Technology Magazine discusses key considerations for employing models to determine accurate risk levels.   The article also notes that proper model usage alone is not the answer.  The author rightly states, 

"Although selecting the right modeling tools for risk management is essential, one further mistake companies commonly make doesn’t have anything to do with tools. It is essential to ensure that corporate culture avoids the typical silo approach to running a business. As we continue to follow news on the economy, it becomes clear that companies that conduct risk management in business silos expose their firms to unnecessary and avoidable risks. Tying true enterprise-wide risk management to business performance management, along with implementation of the right tools, is the only way for companies to ensure long-term success."

Having an appropriate risk framework and governance structure is critical to creating a strong culture focused on effectively managing risks.  Wheelhouse Advisors can provide cost-effective solutions to help companies break-down the silos and implement successful enterprise risk managemement programs.  Visit www.WheelhouseAdvisors.com to learn more.

Keys to Success

A recent article at eWeek.com highlights the keys to a successful implementation of technology in support of an Enterprise Risk Management or Governance, Risk & Compliance ("GRC") program.  While the keys to success are fairly straightforward, it is surprising how many companies fail to address them prior to selecting a technology solution.   The keys to success are:

1. Define what ERM or GRC means to your organization.


2. Survey your organization's regulatory and compliance landscape.


3. Determine the most logical entry point and develop a phased approach.


4. Establish a clear business case, considering both short-term and long-term value.


5. Determine how success will be measured. 

Interestingly, the author of the article is a representative of one of the major GRC technology vendors.  While some vendors may want companies to rush to a purchase decision, this author agrees it is critical for companies to gain this perspective prior to evaluating solutions.  He states,

"With these steps complete, you will be in a much stronger position to qualify vendors and solutions and to determine the best fit for your organization, based on a well-defined project scope and equally well-defined business requirements and associated benefits."

Wheelhouse Advisors can provide an independent viewpoint and work with your company to achieve the keys to success.  Visit www.WheelhouseAdvisors.com to learn more.

Room for Improvement

A recent study by the Financial Executives Research Foundation highlights the opportunities for many companies to improve the effectiveness and efficiency of their Sarbanes-Oxley ("SOX") Compliance programs. In this week's edition of Compliance Week, the study was examined and those interviewed in the article all agreed that room for improvement still exists.  The four main areas of improvement for most programs are:

• Transforming controls to focus less on manual controls and more on automated and entity-level controls;


• Consolidating processes into a reduced number of systems or a reduced number of locations, through a shared-services or business process outsourcing approach;


• Adopting more sophisticated testing strategies, including remote testing; and


• Conducting SOX testing work more deliberately and selectively.

Wheelhouse Advisors is uniquely qualified to provide cost-effective solutions in each of these areas.  Visit our website at www.WheelhouseAdvisors.com to learn more.

Failure to Take Action

The U.S. House Committee on Oversight and Government Reform conducted a hearing on Tuesday into the circumstances leading to the recent collapse of Fannie Mae and Freddie Mac.  Chairman Henry Waxman provided the committee with several documents detailing numerous warnings by internal risk managers that were purposefully ignored by executive management.  Below is an example provided by Chairman Waxman.

On October 28, 2006, Fannie’s chief risk officer sent an e-mail to company CEO Daniel Mudd warning about a “serious problem” at the company. He wrote: “There is a pattern emerging of inadequate regard for the control process.”  In another e-mail on July 16, 2007, the same risk officer wrote to Mr. Mudd again, this time complaining that the board of directors had been told falsely that the “we have the will and the money to change our culture and support taking more credit risk.” The risk officer wrote: "I have been saying that we are not even close to having proper control processes for credit, market, and operational risk. I get a 16 percent budget cut. Do I look so stupid?"  But these warnings were routinely disregarded.

Much has been said about the failures of risk management leading to the current crisis.  However, it is becoming increasingly clear, through examples such as these, that the failure to take action on warnings provided by risk management led to the current crisis.

Simple is Better

In this month's edition of Internal Auditor Magazine, Neil Baker highlights real-world approaches to implementing a successful enterprise risk management program.  Leading experts from major corporations and professional services firms were interviewed about their ERM insights.  Wheelhouse Advisors participated in the development of the article and provided the following advice.

"A simple, consistent, and well-understood risk framework is vital," says John Wheeler, founder and principal at ERM consultancy Wheelhouse Advisors in Atlanta. That's especially true where people are burned out by U.S. Sarbanes-Oxley Act of 2002 compliance or are overloaded by corporate initiatives that get in the way of their "real jobs." 

Simple is always a better approach, especially during times of crisis or when competing priorities are serving as a distraction from the ultimate goal.  The best way to achieve this simplicity is to have a strong framework in place before spending effort and money on extra resources or technology.

ERM Skills in Short Supply

A recent survey of internal audit executives by Ernst & Young indicates that companies may need more help with monitoring enterprise risks.  As noted in a recent CFO.com article, the survey results are attributed to the excessive focus on internal controls over financial reporting by internal audit organizations.  Here is an excerpt from the article regarding the survey results.

Only 17 percent of respondents to the recent survey rated their current team's skill at enterprise risk assessment as "very competent." Just 19 percent said the same for fraud detection, 22 percent for use of technology and analytics, and 39 percent for business process improvement.  More than a third of respondents said it was "very difficult" to recruit people skilled at enterprise risk assessment. 

While some may view the survey results skeptically due to the fact that Ernst & Young is a provider of services related to the weaknesses, the Institute of Internal Auditors ("IIA") concurs with the findings.  

enterprise risk assessment, fraud detection, use of technology and analytics, and business process improvement — "should be absolutely fundamental and core to any internal auditor who is trying to take his job seriously," Dominique Vincenti, chief advocacy officer for the IIA, said.  "But we did not have a focus on those competencies over the past few years. We're suffering from a lack of supply."

Wheelhouse Advisors offers cost-effective enterprise risk management solutions and can help your internal audit organization climb the learning curve quickly.  Visit www.WheelhouseAdvisors.com to learn more.

ERM for Dummies

For those who are looking for a quick reference guide on Enterprise Risk Management, the Risk and Insurance Management Society has sponsored the publication of Enterprise Risk Management for Dummies. Similar to other "For Dummies" publications, this book presents the essentials of ERM in a humorous way. Here's how the authors describe the value of the publication, 

Enterprise Risk Management for Dummies offers a valuable start up guide for ERM first timers. You get easy-to-understand ERM terms and helpful instruction along with tools on how to get started developing your ERM program today. With this book, you’ll better understand what “risk” is – and why everyone needs to have it, how to identify risks in a variety of ways, and most importantly, how to effectively manage risk.

If you are looking for a quick and enjoyable primer on ERM, then this book is well worth the investment.  

Enterprise Risk Management is a Critical Need

In a recent speech to the International Conference of Banking Supervisors, Eugene Ludwig presented a compelling account of the lessons we should take away from the financial crisis.  Mr. Ludwig formerly served as U.S. Comptroller of the Currency and in his speech, he provides a clear perspective of the events that contributed to the crisis we now face.  In particular, he promotes the need for stronger risk management across markets and across corporate enterprises.  Here is an excerpt from his remarks.

"As the recent environment has shown, significant risks can be embedded in complex instruments and spread across a variety of regulated and unregulated institutions. And the same risks can be spread across one institution in toxic quantity because the risk is parceled out into different corporate pockets without the regulator or company being able to aggregate the risks appropriately. Therefore, regulators globally must work collaboratively to collect, share, and assess risks, to identify concentrations and to take action, and regulators and managements need be able to assess risks across the entire enterprise."

As Mr. Ludwig states, the ability to assess risks across the entire enterprise is critical to preventing unknown excessive risk-taking.  Wheelhouse Advisors is equipped to help companies build and strengthen their enterprise risk management programs.  Visit our website at www.WheelhouseAdvisors.com to learn more.

ERM Software Now a Priority for Many Companies

A recent article in Treasury & Risk Magazine highlights the fact that technology spending will certainly be impacted by the current financial crisis.  The article suggests that large-scale enterprise resource planning ("ERP") software implementations will most likely take a back seat to implementations of risk management related software products.  Here is an excerpt from the article.

Likely to fare better in the financial services meltdown is enterprise risk management (ERM) software, the tools many say could have mitigated the global credit collapse. “Never before has there been such a need for prudent financial risk management,” said Carol Beaumier, executive vice president with software provider Protiviti Inc. “Even the strongest of companies will find themselves subject to increased market pressures and regulatory scrutiny."

With investment dollars limited due to the tightening of corporate budgets, strong business cases must be made to reap the maximum benefits of any ERM related software implementation.   Wheelhouse Advisors provides cost-effective services to build a solid business case as well as evaluate, select and implement the appropriate ERM software solutions to achieve optimal results for your organization.  Visit www.WheelhouseAdvisors.com to learn more.

Penny Wise and Pound Foolish

Michael Chertoff, US Secretary of Homeland Security, recently shared his thoughts on the current financial crisis and how our nation has addressed it from a risk management perspective.  In his remarks to the Wharton Business School, Mr. Chertoff was quite candid about the United States' lack of preparation to manage risks before they manifested into a full-blown crisis.  He stated,

"The nation now faces financial woes that were to some degree or another predicted over a period of years, going back into the 1990s.... We have not managed to address the risk in a way that prevented what was ... a [financial] disaster of the magnitude of a natural disaster and a terrorism disaster."

He also warned that for both the US Government and corporations, risk management often becomes less of a concern once the crisis has subsided.  

"We begin to decide that we are spending too much money trying to avert the risk, and we begin to degrade our preparation once again." 

As we have seen with the escalating costs of the current financial crisis, risk management is certainly not an area to be penny wise and pound foolish.

State of ERM

The Risk and Insurance Management Society ("RIMS") just released its 2008 State of ERM Report and it provides some interesting perspective on the evolution of ERM programs across the globe.  A summary of the key findings is provided below.

• Organizations that have embraced ERM have realized a concrete advantage in their risk management competency. The study found that 93% of organizations with formalized ERM programs in place make better risk-informed decisions—a recognized competitive advantage over those that do not have an ERM program.


• Organizations that report they have an ERM program in place still fall significantly short of achieving managed or better risk maturity. The study demonstrates that, based on the ERM guidelines presented in RIMS Risk Maturity Model for ERM, only 4% of these companies have achieved a managed or better level of risk management competency in all risk competencies. This suggests that organizations may have a false sense about all that is required for an effective risk management program.


• Data from the study verifies that formalized infrastructures in well-managed ERM programs embody the 68 best practice guidelines for efficient and effective risk management programs as presented in RIMS Risk Maturity Model for ERM.


• The study links ERM to better business performance. There is a distinct correlation between companies that score higher on RIMS Risk Maturity Assessment and companies that possess higher credit ratings. The same is true of low scoring companies that, typically, possess lower credit ratings. Hence, better managed companies in terms of ERM practices benefit from better business performance.

So, the report certainly shows the ever increasing value of ERM programs.  However, progress remains to be made in many areas of ERM to extract its full value and help companies maximize their business performance.