|
BarCopy
Headline
Financial meltdown proves need for companies to bolster their monitoring of risk
By Michael J. Moody, MBA, ARM
By now, sufficient time has passed to gain some additional insight into the financial mess that was 2008. As a result, many of the Monday morning quarterbacks have had an opportunity to express their opinions on the problems and what caused them. As we have noted in prior articles, risk management has been referred to frequently as a villain in the crisis.
A post mortem of the risk management failings has found that rather than one primary issue or area of risk management, it was really several issues that failed. The results of the analysis that followed have been well documented and continue to cast risk management in a negative light.
Risk management failures
The Economist Intelligence Unit Limited did an excellent job of identifying the overall failings of risk management in their Managing Risks in Perilous Times: Practical Steps to Accelerate Recovery. They note that few, if any, chief risk officers (CROs) will look back fondly on 2008 because after five years of unprecedented growth, in little more than 12 months the international financial system was brought to the brink of collapse. And, as they state, there were many actors to blame, including negligent lending practices, irresponsible borrowing and unrestrained economic expansion. However, poor management of risks ranks very high as a culprit.
Among the perceived weaknesses that occurred within the risk identification, assessment, and management areas, the following were listed as key shortcomings:
• Concern over the level of risk expertise in an organization, particularly at the highest levels
• Availability of recent and relevant data to populate risk models
• General lack of adequate stress testing and scenario planning
• Incentive systems that were constructed to reward short-term profits rather than long-term stability
• Risks that were not consolidated across all operational aspects
Despite this significant list of failings of risk management, it does not include what most experts agree was another critical failure within the ERM programs—namely the failure to sufficiently change the corporate culture towards risks.
Culture club
Many organizations have embraced an ERM approach over the past several years. This fact is confirmed in Deloitte’s sixth edition of its Global Risk Management Survey. The report, titled “Risk Management in the Spotlight,” provides an assessment as to how 111 financial service organizations from around the world are moving towards ERM and the additional work that is needed. They indicate that “Beyond methodologies, data, and technology capabilities, effectiveness in risk management may require enhancing or, in some cases, creating a pervasive risk aware culture throughout the organization.” Further, they note that “creating an environment and incentives that sustain this kind of culture over time,” is critical.
Creating the proper risk management culture takes a lot of work. And while there are many aspects to this issue, it can be summed up by what is known as the “tone at the top.” For many organizations, this means that management must start with an honest assessment of their organization’s risk awareness. While there are a number of ways to determine this awareness, several management consultants, including Towers Perrin, believe that assessment must focus on two major issues. The first is values and ethics, which are the core principles that drive behavior. Just as important, however, are the internal policies and practices, which they say are the application of the values and ethics.
Improving the risk-related culture of any organization will help the adoption of ERM going forward. Companies must establish an understanding of their risks and then manage those risks as an integral part of the corporate culture. In order to do this, it will be necessary for them to develop clear guidance of accountability. In addition, employees must have a risk awareness and be fully engaged in the process. Management must realize that they can shape a risk culture to influence appropriate behaviors that help the entire organization achieve its long-term goals as well as embody its values.
Things are not always as they appear
Many times, an analysis of those firms that were heavily involved with the current financial crisis would suggest that it was a failure of the CRO or the risk management program, when, in fact, it is a lack of a proper risk culture. While there were any number of bad actors who were deeply involved in the financial crisis, one of the early “poster children,” was Countrywide Financial Corporation.
Recently, a blogger provided some important information that was in the firm’s December 31, 2006, 10-K financial statement. This document, as well as several others that have recently been made public, illustrates the difficulty that some CROs faced within their own companies. One of the documents points out that Countrywide’s CRO, John P. McMurray, had raised a number of red flags about Countrywide’s loan practices. But, the documents also showed that Angelo Mozilo, Countrywide’s CEO, was fully aware of the risks the organization was taking.
In addition, documents submitted in an SEC filing in June 2009, showed that McMurray repeatedly “warned senior management of the increasing risks they were taking from a credit perspective.” This fact was confirmed in e-mails from Mozilo that stated he had “a full understanding of these risks.” Noted in an April 16, 2005, management meeting as dragging Countrywide down were:
• Non-conforming loans originated in May 2002 were twice as likely to default as loans originated in January 2000.
• The risk of home equity lines of credit defaulting had doubled over the past year, primarily due to the prevalence of reduced documentation in those loans.
• Countrywide had become a leader in the subprime market in four of six categories, whereas a year earlier it was only two of six categories.
Clearly, Countrywide’s CRO was aware of the situation and he apprised his superiors about the risks they were taking. However, these warnings were, for the most part, ignored. And as history has shown, it wasn’t only Countrywide that was going through this experience. Many other companies were having similar experiences.
Conclusion
Few people question the fact that the current financial crisis has been a failure of risk management. Study after study has shown that much of the financial damage that has occurred was brought about due to a less than robust risk management environment. Today, most people can see that it was a rush to profits at all costs across the entire international financial service sector that led to the corruption of this sector.
One of the long-term casualties of all this mess is the public’s trust, which will not be easily regained. And while the federal government is taking aggressive regulatory oversight measures, this issue will not be solved until the organizations involved create more appropriate risk aware cultures. Enterprise risk management must become a strategic imperative, and companies must align incentives to better reflect risk. Bottom line, organizations must infuse risk management into their performance objectives and business decisions.
As Towers Perrin points out, “To ensure that risk management is not only understood but embraced, management must weave ERM into the fabric of the organization, so that it is embedded into the organization’s structure, processes and organizational culture.” Nothing less will do, at this point.
|
