Enterprise Risk Management—Subprime fallout 04/08

Enterprise Risk Management

Subprime fallout

ERM still has a long way to go

By Michael J. Moody, MBA, ARM

Subprime mortgages. Until recently, most of us had no idea what they were or just how popular they had become. Thanks in large part to significant failings within the financial service sector, most of us are now all too familiar with this subject. It has been front and center, not only in the financial trade press, but the general press as well, for the past 12 months or so. And unfortunately, with every passing day, there are some new revelations about the extent of the problem. At this rate, it may well be another 12 to 18 months until the full scope of the problems is known.

As it sits today, however, it is clear that this situation will have a deep and profound impact, not only on the investing public and the subprime loan holders, but the general public as well. This crisis has forced home owners across the nation into default or even bankruptcy. But for the vast majority of us, the worst is yet to come. While the exact details of a “bailout” are yet to be resolved, it’s certain to have a steep price tag that we will all have to share.

This situation has left many wondering how this ever could have gotten so far out of control. And it is an especially interesting question since the financial services sector has been such an outspoken supporter of enterprise risk management (ERM). ERM has been touted as a viable method of managing risks to prevent these types of events from occurring. So what happened?

Program gaps

One of the primary areas where ERM differs from traditional risk management is in its holistic view of an entity. In fact, one of the most serious shortcomings of traditional risk management, according to Sim Segal, FSA, CERA, MAAA, managing director and head of Aon Global’s ERM service offering in the Americas, is “its silo-based risk framework.” And as long as the siloed approach remains, he says, “It will be impossible to obtain a true picture of an organization’s risks.” However, since financial institutions have been involved with enterprise risk management for so long, many people believed that by now they would have moved beyond the silo approach.

“Such is not the case,” notes Michel Rochette, MBA, FSA, assistant director in Aon Global’s ERM practice. He points out, for example, that there is often a lack of linkage between the retail bank operation’s credit underwriting and the investment division’s securitization of the subprime loans. As a result, he says, “There was often no aggregation or even calculation of enterprise risk exposure.”

Segal notes, “The failure to capture the interactivity of all key risks and calculate enterprise risk exposure resulted in no clear definition of the institution’s risk appetite.” And the development of a proper risk appetite is a critical factor in the success of any ERM program.

Additionally, Rochette states that it is important for any ERM program to foster a strong risk culture, “but in the case of many of these financial institutions, they simply lacked a strong risk culture.” Banks have long functioned on a “boom and bust cycle,” he points out. Just look at their past record, he says—the dot-com explosion and implosion, the directed research controversies, the sovereign loan crisis of the 1980s, and the list goes on. All of these situations point to “a strong profit-focused environment,” that is not complemented with a strong risk culture.

Thus, ERM metrics are not integrated fully into the decision-making process. And it is important to move beyond a profit-focused approach because, as we have found numerous times, “behavior always follows incentives,” Segal points out. History has proven that “people will continue to take more risk to gamble for higher returns so long as their employers do not hold them accountable for the increased risk exposure, but rather only reward them for excess returns.” Rochette adds that while banks have made significant progress in developing formal risk-based metrics, “most do not properly adjust their incentive compensation formulas for risk exposures.”

Other trouble spots

A number of financial institutions also have major issues with their risk quantification, notes Segal. “It would appear that risk exposures were only quantified on a residual or net basis and not on an inherent or gross basis,” he says.

Residual risk exposure is what remains after mitigation reduces inherent risk exposure. For example, an inherent risk exposure of $100 million for a hurricane destroying a building is mitigated by insurance coverage of $80 million to a residual exposure of $20 million.

Segal says “If these institutions had measured and reported risk exposures on both bases, it would have revealed that inherent risk exposures were spiking dramatically.” These institutions sold many mortgages that dramatically increased the risks to their customers. Segal says, “These institutions should have been aware that these customers were more likely than usual to default, which raises the question of suitability.” Higher chance of defaults means an increase in the institution’s inherent risk exposure.

“However, they likely believed their residual risk exposure was still within tolerance, since their mitigation tactic was largely to lay these risks off on their suppliers—those investors who purchased the risks from the lending institutions via securitized investments. As these lending institutions now realize, Segal says, “Increasing the risks of failure of both your customers and your suppliers is not a very good business model.”

Rochette adds, “It’s important to measure exposure on both an inherent and residual basis, since mitigation strategies don’t always work as well as planned.” At this point, it is becoming clear that lending institutions did not fully assess the probability that key guarantors would not be able to honor their obligations. As a result, the subprime loans have raised serious questions about the financial condition of MBIA, Ambac, FGIC and others. Rochette says, “The downgrades of these organizations immediately triggered downgrades of all their guaranteed debt in both the private and public sectors.” This explains recent calls to split these guarantors into two independent entities—one for public debt and one for private debt.

Another significant failing of many of the financial institutions, indicates Segal, “was in the disclosure area, as most of these firms did not have adequate internal and external risk reporting.” He adds, “When it is all sorted out, we will likely find that the appropriate ERM information was not reported to the board of directors for most of these lending facilities.” He goes on to point out that “external disclosures, such as 10-K risk disclosures were likely also not accurately or clearly reporting the increasing risk.” Some of this is the result of most lending institutions not quantifying risks in terms of their potential impact on shareholder value, but rather on a more traditional balance sheet basis. “This is troubling,” says Segal, “since protecting shareholder value is their primary fiduciary responsibility.”

Conclusion

As noted above, many of the financial institutions that are at the heart of the subprime mess have not advanced their ERM programs sufficiently enough to prevent this type of disaster from occurring. Bottom line, Segal suggests, “Most of these lending institutions do not have a rigorous enough ERM process in place.” But would it have mattered anyway?

Standard & Poor’s, in commenting on the subprime mortgage situation, notes, “Many lending institutions have reported steep losses in the value of their securities backed by subprime mortgages. Despite the severity of some of the losses, we expect the effects to be less severe for those institutions that, in our opinion, demonstrate stronger ERM practices.”

Aon agrees with this conclusion. Segal says, “If there is a single largest reason why we have the subprime crisis, it’s because lending institutions generally did not have robust ERM programs.” More specifically, he says, “Most were not properly quantifying and reporting risks on both an inherent and residual basis and, also, were not properly calculating enterprise risk exposure and managing it to a well-defined risk appetite.” Further, there was likely a lack of appropriate disclosures both internally to the board and externally to shareholders and other stakeholders of risks related to new products offered to the subprime market. *

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.