Taking a Hard Look at Risk Management

The Mortgage Bankers Association just issued an insightful report into the risk management practices at financial institutions leading up to the financial crisis of 2008.  The report is entitled "Anatomy of Risk Management Practices in the Mortgage Industry: Lessons for the Future" and is authored by Clifford V. Rossi from the University of Maryland. The findings in the report are very candid in their criticism of the financial institutions and their reluctance to acknowledge the risks being taken.  Here is one of the reported lessons to be learned in the aftermath of the crisis.

Risk managers may have been effective in identifying risks, however, many firms appeared tone deaf to these subject matter experts. If senior management had elevated the risk officer position to one that had direct or even indirect reporting to the risk committee on the board of directors, it may have helped staunch some of the risk taking that occurred. Further, executive management must inculcate a culture of risk management where all employees actively are on guard for risks that exceed the risk appetite of the company. One way to incent depository institutions to build strong risk functions and culture is for FDIC to strengthen risk-based assessments on deposit premiums reflecting the strength of the risk management organization and quality of the firm’s risk infrastructure. By blindly following the herd, the largest mortgage originators effectively competed themselves out of business. Reliance on information gathered from brokers and sales staff regarding the competition can be valuable to firms, however, the information obtained needs to be carefully vetted against specified corporate objectives. A clear vision of what risks the firm is willing to take must be part of the strategic roadmap, and deviations from that plan must be accompanied by sound analytics and information even if short-term losses of market share and key individuals are likely. A corollary to this recommendation is that risk vision and therefore business strategy must take a long-run view into account in shaping risk direction.

It is refreshing to see an organization like the Mortgage Bankers Association taking a hard look at what went wrong and how we can work to prevent a similar crisis in the future.  However, the report also reminds the reader that a similar crisis occurred only 20 years ago during the Savings & Loan debacle.  So, it is crucial for companies to take the necessary steps this time around or we could be having a similar conversation in the very near future.

ERM Growing as an Accepted Practice

This year, the US Securities and Exchange Commission instituted new disclosure rules requiring public companies to inform their shareholders about the role of the board of directors in overseeing risk management. A major US law firm recently reviewed annual proxy statements of S&P 500 corporations to determine the extent and nature of risk management across various industries. One of the more interesting findings in the review was the number of companies who are employing Enterprise Risk Management programs to help manage their risks. Here is what they reported.

In the wake of the financial crisis, many companies have implemented more comprehensive and integrated risk management programs, and boards of directors have expanded their risk oversight to encompass not just the legal and financial risks that audit committees have traditionally overseen, but also the full panoply of risks that a company may face.  Enterprise risk management (ERM) is the current buzzword applied to a top-down holistic approach to risk management.  It addresses all of an enterprise’s risks—including operational, financial, strategic, compliance and reputational risks—under one umbrella, in contrast to the more traditional “silo” approach in which each operating function or division tackled risk independently.  ERM is not focused simply on risk reduction.  Rather, it encompasses an assessment of both upside and downside risks and, thus, helps inform the strategic planning process.  Indeed, to make informed decisions about the company’s strategic direction, the board must have a full understanding of all of the major risks involved.

Fifty-four percent of surveyed companies expressly used the term “enterprise risk management.” Sample disclosures are set forth below:

American Express Company:  “The Company relies on its comprehensive enterprise risk management process (ERM) to aggregate, monitor, measure and manage risks.  The ERM approach is designed to enable the Board of Directors to establish a mutual understanding with management of the effectiveness of the Company’s risk management practices and capabilities, to review the Company’s risk exposure and to elevate certain key risks for discussion at the Board level.  The Company’s ERM program is overseen by its Chief Risk Officer who is an executive officer of the Company and a member of the Company’s most senior management.”

Express Scripts, Inc.:  “In order to assist the board of directors in overseeing our risk management, we use enterprise risk management (“ERM”), a company-wide initiative that involves the board of directors, management and other personnel in an integrated effort to identify, assess and manage risks that may affect our ability to execute on our corporate strategy and fulfill our business objectives.  These activities entail the identification, prioritization and assessment of a broad range of risks (e.g., financial, operational, business, reputational, governance and managerial), and the formulation of plans to manage these risks or mitigate their effects.”

With more than half of the companies relying on ERM, the review shows that ERM is growing as an accepted practice beyond just financial services companies. If your company is looking to implement or simply improve your ERM program, Wheelhouse Advisors can help. Visit www.WheelhouseAdvisors.com to learn more.

One Step Closer

Last night, the US Senate voted in favor for the Restoring American Financial Stability Act of 2010. This has certainly been a long time in coming and, while important, it is just another step towards a major restructuring of the financial regulatory system in the US. The Act will certainly change as the Senate works with the House over the next several weeks to reconcile differences in the two versions of the bill.  Also, at nearly 1,500 pages in length, the interpretation and implementation of the Act's provisions will be fraught with debate. Finally, the Act does not address many of the major factors that led to the financial crisis of 2008 as The Economist points out below.

Financial reform is coming to America. On May 20th, after more than three weeks of often rancorous debate, the Senate approved the biggest overhaul of the financial system since the Great Depression, by 59 votes to 39. Its bill must now be reconciled with one passed by the House of Representatives in December. The result will be Barack Obama’s second big legislative victory of the year, after the passage of health-care reform in March.

As with most bills, this one has its share of pork and irrelevant provisions, including one requiring buyers of Congolese minerals to prove that the money they hand over is not being used to fund militant groups. But there is much meat at its heart. The bill would beef up the system for monitoring systemic risks. It would empower the Federal Deposit Insurance Corporation to wind down failing financial giants, imposing losses on creditors as well as shareholders. It would create an independent consumer financial-protection bureau. And it would toughen up oversight of derivatives, requiring most contracts to be channelled through clearing houses and traded on exchanges or exchange-like platforms.

Could this bill have prevented the crisis? Not by itself. Some of the most important reforms are outside its purview. Toughened-up capital and liquidity standards for banks will be hammered out by regulators from around the world in Basel. The Obama administration’s proposed tax on big banks will likely be advanced in different legislation. One glaring omission from the Senate and House bills is a plan to deal with Fannie Mae and Freddie Mac, the giant, accident-prone mortgage agencies now under government conservatorship.

As has been discussed on this blog for the past year and a half, change is certainly coming and only the companies that are well prepared will prosper during this unprecedented period of change.  Having a strong and resilient enterprise risk management program is critical and Wheelhouse Advisors can help.  To learn more, visit www.WheelhouseAdvisors.com.

Who Can Afford Not to Have an ERM Program?

Many people in the corporate world routinely argue that Enterprise Risk Management is simply a cost that few companies can afford to implement. However, time and again, it seems as though exactly the opposite is true. Companies can't afford not having a robust ERM program. In reading today's Wall Street Journal, one might find the following story on the off-shore oil drilling disaster to be eerily similar to the recent financial crisis. To make the case, financial terms have been included in parentheses to illustrate the point.

Without adequately planning for trouble, the oil business (financial services industry) has focused on developing experimental equipment (complex derivatives) and techniques (synthetic asset backed securities) to drill (operate) in ever deeper waters (more opaque markets), according to a Wall Street Journal examination of previous deepwater accidents (financial meltdowns). As drillers (bankers) pushed the boundaries, regulators didn't always mandate preparation for disaster recovery or perform independent monitoring.

The Minerals Management Service (Federal Reserve, OCC, OTS, FDIC, etc.), the government agency that oversees offshore drilling (financial services), in recent years moved away from requiring specific safety measures (capital requirements) in offshore drilling (trading activities) and instead set broad performance goals (guidance for internal risk modeling) that it was up to the industry to meet. In joint MMS-Coast Guard (Federal Reserve, OCC, OTS, FDIC, etc.) hearings into the Deepwater Horizon accident (Bear Stearns, Lehman Brothers, AIG insolvency), Michael Saucier, an MMS official, testified that the agency "highly encouraged," but didn't require, companies to have back-up systems (specified risk limits) to trigger blowout preventers (increases in capital) in case of an emergency.

While there are many estimates of the cost to British Petroleum to deal with the Deepwater Horizon oil spill, the minimum consensus estimate right now is around $12-13 billion. Add to that estimate the recent market capitalization loss of nearly $50 billion and the case for having a robust ERM program seems fairly straightforward.

Diagnosing ERM Problems

As we emerge from the financial crisis and global economic downturn, many companies are beginning to realize the need for a comprehensive review of their Enterprise Risk Management (“ERM”) programs.  While some executives may think that their program is sufficient, they simply may have a false sense of security because they have just survived the recent crisis.

In reality, most organizations have been focused purely on survival and have allowed their more forward-looking risk management practices to take a back seat.  In addition, in order to weather the financial storm, some companies looked to risk management organizations for cost savings and scaled back their infrastructure and resources.  Ironically, it is the companies that have survived the crisis relatively unscathed that may be the least prepared and the most at risk for a future loss event.

So, how do you know how healthy your ERM program is today?  The best and most reliable way is to conduct an independent, diagnostic review of the program.  A diagnostic review should focus on two main components of the ERM program – the level of desired maturity and the core foundational elements.  First, a company needs to determine what level of maturity they are seeking to achieve.  This is based on a number of factors including the size of the company, the nature and complexity of the business, and the external environment in which the business operates.

After determining the desired maturity, the company should examine the core foundational elements that form the ERM program itself.  A comprehensive review of these elements will help the company understand both the progress toward the desired maturity level as well as the major gaps that may exist in the foundational elements.

Much like an annual physical check-up exam, it is a good idea to perform a diagnostic review of your ERM program on a periodic basis to ensure that it is providing the expected level of risk management discipline within your organization.  Wheelhouse Advisors has designed a quick and effective review to provide companies an independent view at a reasonable cost.  For more information, feel free to email us at navigatesuccessfully@wheelhouseadvisors.com.

How Mature is Your Risk & Control Program?

During the past decade, many significant events occurred that placed greater demands on how companies manage their risks.  At the beginning of the decade, we experienced the financial downturn associated with the bursting of the high tech/internet bubble.  Then, we had the after effects of the September 11th terrorist attacks.  Corporate accounting scandals at Enron and WorldCom created new financial reporting challenges in the form of the Sarbanes-Oxley Act of 2002.  Now, we are finally beginning to emerge from one of the greatest financial meltdowns in American history.  All the while, companies have been trying to keep pace with ever increasing levels of risk and regulation.

Much of the fallout from the financial crisis of 2008 can be attributed to the lack of coordination and integration of risk management practices at individual firms as well as across entire industries.  To be successful at managing risk going forward, companies must begin to examine how they are currently focusing their efforts and how they need to evolve their overall risk and control program.

The evolution path for most risk and control programs can be broken into four distinct stages – Developing, Implementing, Improving and Integrating (see figure below).   As companies begin to take a more focused approach to managing risk, they usually begin by simply reacting to regulatory demands or recent negative events that have occurred.   In this initial “Developing” stage, companies may create ad hoc task forces or assign individual teams to address the risks.

However, most companies begin to see the need for a more formal, enterprise-wide approach and enter the “Implementing” stage.  Here, a risk champion is typically named, standards are created and the various teams begin to align and share information.  Once the sharing of information begins, both horizontally and vertically through the company, inefficiencies and gaps become apparent.

Companies then move to the “Improving” stage in order to streamline processes and adopt best practices.  Finally, once the program has matured into an efficient mechanism on its own, it should be fully integrated into the business itself – at all levels.  It is this “Integrating” stage of evolution that is the holy grail of Enterprise Risk Management.

Where is your company on the evolution path?  What obstacles are you facing as you look to progress from one stage to another? Wheelhouse Advisors can provide both unique insight and practical solutions to help you reach the desired level of maturity.  To learn more, visit www.WheelhouseAdvisors.com.

Mind the Knowledge Gap

Former SEC Chairman Arthur Levitt delivered some very interesting remarks in a recent speech at the Annual Audit Committee Conference sponsored by the National Association of Corporate Directors ("NACD").  Mr. Levitt challenged companies to improve the knowledge base of its board members to allow for more fulsome discussions on risk.  He also provided some recommendations for better governmental oversight and regulatory reform.  Here are a few of his thoughts.

Let’s talk about steps that need to be taken by corporate boards on their own. In general, I favor elements that improve transparency and accountability. Basic improvements, like giving investors access to the proxy, would push boards to be more proactive, and more sensitive to investor concerns.

But being more accountable is a lot easier when you have the right expertise. Right now, independent board members often don’t have the base of knowledge they need. When someone working every day inside a corporation is presenting information and analysis to the board, there will always be a gap between what they know and what the board knows. This gap is inevitable, but it need not be permanent. That is why I would strongly favor that boards of directors include individuals with financial market experience, and especially expertise in understanding, pricing, and managing risk. With even one  member regularly raising challenging questions and issues, boards would be able to press management to think far more creatively about issues such as counter-party risk, operational risk, and so on.

Mr. Levitt is right in his view that the knowledge gap must be bridged to ensure board members are truly effective in their roles.  It will take renewed efforts on both sides - management and board - to accomplish this feat. However, not only will they benefit, their shareholders will as well.

Too Much Risk

Yesterday, the Financial Crisis Inquiry Commission conducted a hearing to examine the failure of Bear Stearns in 2008.  The theme of the testimony by Bear Stearns was that there was too much risk in the broker-dealer's capital structure. Here is what the Wall Street Journal reported.

Former Bear Stearns Chief Executive Officer James Cayne said Wednesday that his firm's risk level was too high in the year before it collapsed. "That was the business," Mr. Cayne told a hearing held by the Financial Crisis Inquiry Commission, a congressional panel scrutinizing the financial crisis. "That was really industry practice. In retrospect, in hindsight, I would say leverage was too high." Commission Chairman Phil Angelides said Bear Stearns was leveraged at a ratio of 38 to 1, sometimes as high as 42 to 1, and held $46 billion in exposure to mortgages. "How is that model sustainable in the event of any market disruption of significance?" he asked.

The simple answer to Chairman Angelides' question is that the model is not sustainable at that level of leverage. The problem is that in 2004 the SEC allowed firms like Bear Stearns to increase leverage from a prior limit of 12 to 1 to much higher levels.  So, the government can also look to itself when seeking to place blame for the market collapse.

Investors Seeking More ERM Disclosure

On a morning where the Dow Jones Industrial is down over 2%, many investors may be wondering how to get a better understanding of the companies in which they are looking to invest.  These investors might be well served to research the effort that a company is devoting to manage their risk effectively.  A recent article by Lawrence Richter Quinn provides interesting perspective for those looking to learn more about how to evaluate a company's enterprise risk management program.  Here's some of what he has to say.

It is a difficult task for investors to discover which companies are working to manage risk from an enterprise-wide perspective - and an even more difficult job discovering who is doing so effectively. Many board members don't understand ERM, believing it to be simply another potentially costly, hard-to-measure regulatory fiat from Washington. Many others believe that effective ERM can be achieved simply by expanding their SOX-related reporting and controls efforts, which is not the case.

Because it's a new management discipline, what constitutes "best practices" in ERM has yet to be defined; currently it's being defined industry by industry, but few if any companies promote themselves as being "best of the best" in ERM or risk management.

So, how do you know who's working hard at effective ERM? A growing number of companies, particularly outside the U.S., devote a significant portion of their annual reports discussing risk management, regardless of whether they specifically call it ERM. Generally, investors interested in discovering who's doing a comprehensive job at risk management - and reporting it publicly in their annuals - need to look abroad. Just north of the border, Canadian-based companies discuss risk extensively in their annuals and they are a good place to start looking into this area further.

One way to quickly see if the company you are researching does have ERM is to check for a Chief Risk Officer (CRO). While CROs are most often found in the energy, banking and insurance industries, more aggressive manufacturing companies are moving in that direction as well. Another clue is found in a tiny nut of companies that have managers specifically in charge of coordinating their ERM efforts. These managers will have the words "enterprise risk" in their titles.

While the U.S. is still playing catch-up on effective risk management disclosures (even though the SEC is beginning to crack-down with new proxy rules this year), U.S. companies are beginning to strengthen their enterprise risk management capabilities.  Those companies that are not working to strengthen their capabilities will certainly suffer a competitive disadvantage as a result.