Archive for October 2008
Better late than never!
Yesterday, the Federal Reserve released guidance to major financial institutions on how they should be managing compliance risk across the enterprise. The guidance is very similar to enterprise risk management frameworks that have been in existence for some time now. Here is an excerpt from their release describing the need for additional guidance.
While the guiding principles of sound risk management are the same for compliance as for other types of risk, the management and oversight of compliance risk presents certain challenges. For example, quantitative limits reflecting the board of directors’ risk appetite can be established for market and credit risks, allocated to the various business lines within the organization, and monitored by units independent of the business line. Compliance risk does not lend itself to similar processes for establishing and allocating overall risk tolerance, in part because organizations must comply with applicable rules and standards. Additionally, existing compliance risk metrics are often less meaningful in terms of aggregation and trend analysis as compared with more traditional market and credit risk metrics. These distinguishing characteristics of compliance risk underscore the need for a firmwide approach to compliance risk management and oversight for large, complex organizations. A firmwide compliance function that plays a key role in managing and overseeing compliance risk while promoting a strong culture of compliance across the organization is particularly important for large, complex organizations that have a number of separate business lines and legal entities that must comply with a wide range of applicable rules and standards.
The guidance is very well intended and comprehensive, but not well timed. The subjects of this guidance should have been addressing these risks on an enterprise level well before the current collapse. However, as the saying goes, “better late than never!” Your thoughts? Click here to read the entire supervisory letter from the Federal Reserve.
Board Members Agree – ERM is Top Priority
As we move into the fourth quarter of a year filled with major corporate calamities, a recent survey of over 1,000 public company board members points to the need for stronger enterprise risk management. Today, Corporate Board Member magazine released the results of their 7th annual survey entitled “What Board Members Think”. This survey, conducted by PricewaterhouseCoopers, highlights the board members’ belief that shareholders deserve greater assurance that risks will be effectively managed. The magazine reported the following.
When asked if they felt their board members could adequately meet the responsibility of monitoring the company’s multitude of risks, 81 percent of directors felt their board was capable; yet only 50 percent said their board was effective or very effective at monitoring a risk management plan to mitigate corporate exposures.
Based on this survey, board members seem to understand their role and also, more importantly, seem willing to address the challenge of holding management accountable for building and maintaining strong enterprise risk management programs. Do you agree with these results? Share your thoughts below.
The Devil is in the Details
Yesterday, the US Treasury released highlights of its proposed Executive Compensation Rules associated with the $700 billion Emergency Economic Stabilization Act (“EESA”). Here is a summary of the key provisions.
Any financial institution participating in the Capital Purchase Program will be subject to more stringent executive compensation rules for the period during which Treasury holds equity issued under this program. The financial institution must meet certain standards, including: (1) ensuring that incentive compensation for senior executives does not encourage unnecessary and excessive risks that threaten the value of the financial institution; (2) required clawback of any bonus or incentive compensation paid to a senior executive based on statements of earnings, gains, or other criteria that are later proven to be materially inaccurate; (3) prohibition on the financial institution from making any golden parachute payment to a senior executive based on the Internal Revenue Code provision; and (4) agreement not to deduct for tax purposes executive compensation in excess of $500,000 for each senior executive.
While this sounds good enough, there is a great deal of room for interpretation that may or may not help deal with the real problem at hand. If you read my blog entry on September 24, you will have a better appreciation for the incentive programs leading to firms taking excessive risks. The senior executives’ pay packages certainly added to the problem, but the great extent of the excessive risk taking is found throughout the institutions’ trading floors and mortgage origination ranks. So, how will the Treasury ensure excessive risks are not taken by non-senior executives? As with everything, the devil is certainly in the details. I’m sure there will be more debate once the detailed rules are released. Stay tuned.
Who’s to Blame? The Better Question is “Who’s Accountable?”
This week, Gartner Research is hosting its 2008 Annual Symposium in Orlando, Florida to discuss what is on the horizon for Information Technology professionals in the coming years. Several Gartner analysts unveiled what they see as the nine most contentious issues for IT professionals over the next two years. Risk management made the list as the third most contentious issue – specifically, determining the accountability for security and risk management as it relates to business applications. Here’s what they had to say.
Issue 3 – Business Accountability for Security and Risk Management. Security and risk management is not just an IT issue. It is essential that the IT risk manager, using effective communications skills, persuade the appropriate IT owners and line-of-business managers to accept explicit, written responsibility for residual risk impacting their systems and processes, on either a direct or a dotted-line basis. Risk managers should develop mechanisms for assignment and acceptance of residual risk and risk decisions — for example, signature forms, processes, and policies that address the requirement and execution of risk acceptance. The risk manager should also develop mechanisms to convey residual risk levels that remove reference to technology but still support good risk-based decisions at a business level that may result in the implementation of technical controls.
Understanding the risks well enough to establish the appropriate accountability structure in advance of a risk event is a key element for strong risk management. Otherwise, energy that should be focused on proactively managing risks becomes focused on determining who should be blamed for the risk that resulted in a catastrophe. Do you agree? Please share your thoughts below.
Does the US Government Need ERM?
As we enter another week in the evolving crisis sweeping our financial markets, it is clear that the central figure in this crisis, the US Government, has been reacting to events as they happen. From the outside, it appears that the Government is using a trial-and-error approach by launching various imperatives with little knowledge of the expected result. This is crisis management at its worst.
Once this crisis has passed, our Government should look to our northern neighbors for a lesson in risk management. The Canadian Government has been endorsing a program called “Results for Canadians” since the late 90’s. Part of this program focuses on how the Government can improve their approach in proactively dealing with potential risks. In 2003, the Canadian Treasury Board developed an Integrated Risk Management Framework for use by all areas within the Canadian Government. The Treasury Board explains the purpose of the framework as follows:
The Integrated Risk Management Framework provides guidance to adopt a more holistic approach to managing risk. The application of the Framework is expected to enable employees and organizations to better understand the nature of risk, and to manage it more systematically.
Could the US Government and Treasury use a risk framework, eh? What are your thoughts?
Blame Technology? Not so fast!
Many people are asking about the huge technology investments made by financial institutions to provide risk management capabilities designed to prevent major market catastrophes (like the one we are currently experiencing). Well, based on a recent article in Information Week entitled “Risk Management Failings Spur Big Financial IT Investments”, huge investments were made and continue to increase. However, simply investing more in technology is not the full answer. Many institutions had the risk information readily available, but chose to ignore it because of greed. According to Gregg Berman, risk management practice head at RiskMetrics, this was certainly the case. He states,
“Given the levels of technology that we have today, this crisis we’re going through is something that was very avoidable. This was not a natural disaster. The writing was on the wall for quite some time and people ignored it.”
So, once again, superior risk management practices hinge on the abilities of the right people creating the right culture supported by the right infrastructure. Without all three legs of the stool (people, culture, infrastructure), well, you know what happens – someone will take the fall.
An Office of One
Earlier this week, Lynn Turner provided extensive testimony to the US House Committee on Oversight and Government Reform on the many ills of our current corporate and regulatory governance regime. He had many great points, but one that stood out was his commentary on the demise of the Securities and Exchange Commission (“SEC”). The following is an excerpt from Mr. Turner’s testimony.
“Regulation also failed to keep pace. At the Securities and Exchange Commission (“SEC”), the Office of Risk Management had been reduced to an office of one by February of this year. From 2005, the number of SEC enforcement division personnel was cut by 146 from 1338 to 1192 in 2007. In 2004, the SEC reduced the capital requirements for the largest Wall Street investment banks.”
As he points out, the SEC mirrored what many companies were doing themselves – cutting back in areas that were meant to prevent future catastrophe. During good times, few concern themselves with growing risks or possible downturns. However, the SEC took “putting your head in the sand” to a new level by reducing their office of risk management to one person.
Mr. Turner offered the following recommendations to Congress and the SEC.
“The SEC also needs to take actions to shore up confidence in the agency which I believe has been seriously eroded as a result of the current crisis. For example, the Office of Risk Management should be adequately staffed to allow the agency on a proactive basis to identify risks in the market place such as those created by excessive leverage, or new financial instruments that carry significant system risks such as credit derivatives. Once identified, a plan for promptly and appropriately addressing regulatory and public policy issues should be formulated and an action plan established on a proactive basis before, not after, the train wreck has occurred.”
Several years ago, the US Army ditched their slogan “An Army of One” for obvious reasons. I think the SEC may need to do the same. Your thoughts?
Click here to read more of Lynn Turner’s testimony to Congress.
Punishing the Monkey at AIG
Yesterday, the US House Committee on Oversight and Government Reform had quite a session receiving testimony from those involved in events leading to the massive bailout of American International Group (“AIG”). Of particular concern was a letter from Joseph St. Denis, an AIG accounting policy expert who had been hired, as he explained, “as part of an entity-wide effort to address material weaknesses by AIG’s external auditor”. Unfortunately, Mr. St. Denis could not participate in this effort because he was restricted from reviewing the area with the highest risk – accounting for credit default swap derivatives.
Mr. St. Denis resigned from AIG after serving just over a year due to restrictions placed on him by senior executives. After surfacing many legitimate issues, he was demoted even though he had received a stellar performance rating only a few months before. Then, according to Mr. St. Denis, he was prohibited from reviewing the very area that led to AIG’s ultimate demise. Joseph Cassano, head of AIG’s Financial Products group, was the executive responsible for the valuation of AIG’s Super Senior Credit Default Swap portfolio and the same executive who made the following statement to Mr. St. Denis:
“I have deliberately excluded you from the valuation of the Super Seniors because I was concerned you would pollute the process.”
The improper valuation of this portfolio led to another material weakness in 2007 and ultimately led to AIG’s death spiral. Meanwhile, Mr. Cassano retired from AIG earlier this year and continues to receive $1 million per month in consulting fees from AIG. In the words of famous musician Mark Knopfler, I think this is a clear case of “punishing the monkey while letting the organ grinder go free”. Your thoughts?
Click here to read Joseph St. Denis’ letter to Congress
Fooled by Fuld?
Yesterday, Richard Fuld, CEO of the recently defunct Lehman Brothers, testified before Congress regarding his role in the demise of his firm. Here is an excerpt from his prepared testimony.
No one realized the extent and magnitude of these problems, nor how the deterioration of mortgage-backed assets would infect other types of assets and threaten our entire system. In April 2006, Chairman Bernanke predicted that the housing market “will most likely experience a gradual cooling rather than a sharp slowdown.” In March 2007, he stated “the impact on the broader economy and financial markets of the problems in the subprime market seems likely to be contained.” Similarly, Secretary Paulson said in June 2007 that the crisis in the mortgage markets “will not affect the economy overall,” echoing the views of the International Monetary Fund. And at Lehman Brothers’ annual shareholder meeting, I too said what I absolutely believed to be true at the time – that the worst of the impact to the financial markets was behind us.
How could Mr. Fuld truthfully tell shareholders in April that “the worst was behind us” during a 2nd quarter performance period that would result in a loss to those same shareholders of $2.8 billion? Also, how can he place blame on those outside his organization for a failure within his own organization? He added the following later in his testimony.
We exist in a regulatory regime created in a vastly different world for vastly different markets. Some have compared the regulatory and risk management systems of our current markets to trying to run a bullet train on ancient track.
Blaming the system is as weak as it gets. Call it a lack of accountability or responsibility or simply a lack of integrity. To me, it sounds like Mr. Fuld tried to fool the market and lost. Your thoughts?
My Name is Mudd
An article in yesterday’s New York Times details the contribution made by Fannie Mae’s former chief executive officer, Daniel Mudd, toward the financial meltdown we are experiencing in the US mortgage securities market. Mr. Mudd, like many other CEOs of his time, joined the group of lemmings chasing profits, placating investors and taking excessive risks. The article points out that Mr. Mudd told employees to “get aggressive on risk-taking, or get out of the company.” When Mr. Mudd’s chief risk officer warned him about the housing bubble and the potential negative impact to the company, Mr. Mudd argued that the market, shareholders and Congress all thought the companies should be taking more risks, not fewer.
While his name is literally Mudd, Fannie’s CEO also serves as a metaphor for the dozens of CEOs and many more executives who failed to heed the warnings of risk professionals in the face of external pressure and personal greed. Do you agree? Please join the conversation below.