The ERM Current™

Current Trends in Enterprise Risk Management & Control

Archive for March 2009

Implementing Compensation Reforms

This week, the Institute of International Finance released a study of the compensation practices at major financial institutions around the globe.  The results point to a need to increase the linkage between risk management and pay practices.  The study was based on a set of seven principles outlined by the Institute of International Finance last year that seek to improve the compensation structures at these institutions.  Here is a summary of their findings.

Respondents are working towards convergence with the Institute of International Finance principles: current alignment varies by principle, some critical gaps need to be addressed (see figure 1 below). Respondents have a high degree of alignment to a number of the IIF’s principles; however, there have been critical gaps in the area of risk-adjusted performance measurement and compensation phasing to coincide with the risk time horizon of profit. Only 11% of respondents stated that they were fully aligned to Principle 3: risk adjustment and time horizon alignment, although the vast majority of institutions (83%) already have plans to close the gap. Indeed, 60% of respondents expect to be fully aligned to all seven principles once their plans are implemented.

Changes required for successful implementation

  1. Organisational will and strong leadership are needed to ensure internal acceptance of changes to compensation policy. The current point in the cycle unquestionably represents the most opportune time to implement change, although survey respondents still believe that retaining competitiveness versus peers will be a challenge. In order to implement change, senior management, including the CEO, CFO and CRO, need to be fully involved in the change process and closely engaged with Human Resources on compensation. Boards should demand transparency around performance metrics and employee incentives to accurately appraise compensation schemes. We encourage supervisors and regulators to support an industry push towards compensation structures and governance that avoid any undue build-up of risk at financial institutions.
  2. More effective oversight of the compensation system; improved checks and balances. Discussions with industry participants indicated that improving the governance process through which compensation is debated and validated, and striking the correct balance between fact-based metrics and more discretionary aspects, will be critical to shaping new compensation practices.
  3. At a time of significant industry and individual stress, significant mobilization is required. Dedicated resources, senior management time and influence, and strong links between management, finance, risk and human resources teams will be necessary to implement the changes required.

Now is the time to align risk management and compensation so that another crisis of this magnitude can be avoided.  Wheelhouse Advisors is prepared to help you with your implementation challenges.  Visit www.WheelhouseAdvisors.com to learn more.

iif-survey-results-2009

Written by Wheelhouse Advisors

March 31, 2009 at 7:00 am

A Recipe for Disaster

Risk Management can be only as effective as a company wants it to be, as evidenced by the continuing saga of American International Group (“AIG”).  The Wall Street Journal reported last week that certain high level executives who may have had a hand in limiting access of key risk management personnel remain on the job.  AIG’s Chief Risk Officer, Robert Lewis, was at the center of the discussion since he is responsible for AIG’s Enterprise Risk Management program.  Here’s what the WSJ had to say.

AIG’s outside auditor and a regulator raised concerns months before the bailout about the ability of AIG’s risk management to monitor what was going on in some units.

At an AIG board-committee meeting in January 2008, AIG’s auditor, PricewaterhouseCoopers LLP, “expressed concern that the access” Mr. Lewis’s department and other top AIG executives had into the financial-products unit, AIG Investments and other subsidiaries. Access “may require strengthening,” according to minutes of the meeting released by Congress last fall.

Two months later, the federal Office of Thrift Supervision, which regulated AIG’s financial-products unit, sent a letter to the company, also released by Congress. OTS said the unit “was allowed to limit access of key risk control groups while material questions relating to the valuation of the [swap portfolio] were mounting.”  The OTS said those “control groups” included Mr. Lewis’s department.

At a congressional hearing last week, Rep. Gary Peters (D., Mich.) asked AIG Chief Executive Edward Liddy, “Where was the risk management of your company? Where was the failure of your own internal risk-management procedures?”

Mr. Liddy responded, “We had risk-management practices in place. They generally were not allowed to go up into the financial-products business.”

Selective risk management within a company is a recipe for disaster.  Any area that is deemed “off-limits” should be a gigantic red flag for both senior management and the board of directors. 

Written by Wheelhouse Advisors

March 30, 2009 at 7:00 am

Making Their Move

As expected, the U.S. government is making its move to reform regulatory oversight and strengthen risk management practices at major U.S. financial institutions.  More will be required from these institutions, in terms of capital as well as compliance and control.  Here is what the Wall Street Journal reported yesterday about U.S. Treasury Secretary Tim Geithner’s plans.

Mr. Geithner is expected to call for a strict and consistent set of regulations for large firms, as well as more power for the government to monitor emerging risks to the economy. The new rules will likely require financial institutions to hold more capital as a buffer against losses and will bolster risk-management standards. All told, the proposals would mean significant expansions of power for the Treasury, Federal Reserve and other regulators.

Preparations for these sweeping changes must begin now.  Is your company ready?  Visit www.WheelhouseAdvisors.com to learn more about how we can help.

Written by Wheelhouse Advisors

March 27, 2009 at 7:00 am

Simple and Robust

Last week, the Governor of the Bank of England, Mr. Mervyn King, delivered a speech to a group of international bankers about how we can emerge from the current economic crisis successfully.  In his view, regulatory reform should be both “simple and robust” to be effective.  Here’s a brief excerpt from his speech.

A lesson of history is that few generations have been able to avoid a repetition of earlier banking crises. The essential problem is that we can no more bind our successors than our predecessors were able to bind us. Rare events, even when dramatic at the time, lose their power to shape policy as memory recedes. The role of institutions is to retain a collective memory and to resist the temptations of the present. That is one of the most important roles of a central bank. It is accepted as such in the domain of monetary policy. And there is an equivalent role in financial stability.

The introduction of simple and robust policy tools into a regulatory regime based on the exercise of constrained discretion would make it easier to resist overly rapid expansion of financial institutions. In particular, the authorities should maintain a clear focus on the issues that matter when the worst occurs – liquidity and leverage. It should be intrusive, in the sense of knowing what is going on, but not bureaucratic. A system in which it is easier for a large bank to expand and then destroy its balance sheet than for an individual to open a bank account has lost focus. That is not the fault of regulators, but a reflection of the pressures and incentives they have faced – from all of us.

The same can be said for a company’s enterprise risk management program – a simple, yet robust approach is required to be both successful and sustainable.  Wheelhouse Advisors can help you build an effective ERM program to meet these objectives.  Visit www.WheelhouseAdvisors.com to learn more.

Internal Audit is a Key ERM Component

In a recent webinar for the Institute of Internal Auditors, John A. Wheeler from Wheelhouse Advisors provided a view of the role that internal auditors should play in the development and sustainment of a company’s Enterprise Risk Management (“ERM”) program.  One of the main points from the webinar was that internal auditors must help management look forward to emerging risks rather than reacting to current loss events.  In the current environment, internal auditors are uniquely qualified to guide management in this direction.  A recent report on the state of the internal audit profession by PricewaterhouseCoopers confirms this view.  Here is what they had to say.

To provide the greatest value, internal audit departments, as well as a company’s risk management function, should strive to anticipate and monitor the risks that are truly relevant to the success of the business. As previously noted, the strategic and business risks that have recently led to breathtakingly rapid drops in shareholder value have caught even the most sophisticated risk management functions by surprise. Now more than ever, companies need an objective evaluation of, and additional assurance over, their enterprise risk management functions. The forward-thinking internal audit leader will want to consider the following:

• Board members, shareholders, regulators, and rating agencies have questioned internal audit leaders about their risk management evaluation capabilities. Successful departments have the answers and play an important role in the company’s overall ERM process.

• In 2008, S&P began to formally review ERM programs and consider risk management capabilities in their credit-rating process, putting this topic on the table with boards, CEOs, CFOs, and treasurers. With risk at the center of company creditworthiness, internal audit leaders—given their knowledge of risks and controls—should be part of the solution.

• Many companies have established risk committees to lead enterprise risk management efforts. This sets up a new constituent that requires internal audit leadership attention.

Internal audit will increasingly have a place at the table when it comes to identifying and managing risk within the organization. In broadening the scope of its activities beyond financial and compliance risks, internal audit can also demonstrate value by enhancing the organization’s enterprise risk management function.

Internal audit should, therefore, align its efforts with the company’s changing risk profile, especially those strategic, operational, and IT risks that are integral to shareholder value. If properly aligned, internal audit leaders will be in a position to provide assurance over the risks that are most relevant to the company, as well as to provide assurance over the company’s ERM function itself.

Wheelhouse Advisors can help your internal audit group build a risk assessment framework and audit program to ensure your ERM efforts are solid.  Visit www.WheelhouseAdvisors.com to learn more.

Written by Wheelhouse Advisors

March 25, 2009 at 7:00 am

ERM Integration is Critical

A recent study by Governance Metrics International found that many large corporations either have or are looking to implement an Enterprise Risk Management (“ERM”) program.  However, few companies have fully integrated their program into their business processes.  Treasury & Risk Magazine noted the following about the study’s findings.

The report highlights the case of Tyco International, a $20-billion diversified industrial company, which seven years ago was a risk manager’s nightmare. Its CEO indicted and later convicted of defrauding shareholders of $400 million and its books cooked beyond recognition, Tyco was often mentioned in the same breath as Enron and WorldCom. Today, broken up, restructured and under completely new management, Tyco has put risk management front and center in its strategic planning and operations. 

“Today risk management is a component of how this company operates on a day-to-day basis,” says John Jenkins, Tyco’s corporate secretary. “So, for example, with strategic planning, it’s not a matter of the risk manager sitting on the side and suddenly chiming in; it’s just a component of the whole process.” 

Integration is critical for an ERM program to be truly successful.  Visit www.WheelhouseAdvisors.com to learn more.

Written by Wheelhouse Advisors

March 24, 2009 at 7:00 am

Spotlight on Risk Management and Pay Practices

The debate over financial regulatory reform continues on Capitol Hill with a great deal of attention on compensation practices.  It has become blatantly obvious that incentive plans have not been designed to promote the best interests of shareholders or the long-term viability of institutions.  Here is what Federal Reserve Chairman Ben Bernanke had to say as reported in yesterday’s New York Times.

Last week, Ben S. Bernanke, the Fed chairman, also called on regulators to supervise executive pay at banks more closely to avoid “compensation practices that can create mismatches between the rewards and risks borne by institutions or their managers.” Much of the plan would require the approval of Congress, where divisions are forming over how best to overhaul financial industry oversight.

The core of effective risk management hinges on the alignment of a company’s strategic objectives, risk appetite and compensation plans.  Once these fall out of alignment, the company will certainly suffer over the long term.

Risk & Reward Ahead

Written by Wheelhouse Advisors

March 23, 2009 at 7:00 am

20/20 Hindsight

This week, the U.S. Senate Committee on Banking, Housing and Urban Affairs held a hearing into the lessons learned in risk management oversight at federal financial regulators.  Not surprisingly, all of the representatives from each regulatory agency agreed that risk management practices in the institutions they regulate must be strengthened.  Here is what Mr. Timothy Long from the Office of the Comptroller of the Currency had to say.

The unprecedented disruption that we have seen in the global financial markets over the last eighteen months, and the events and conditions leading up to this disruption, have underscored the critical need for effective and comprehensive risk management processes and systems. As I will discuss in my testimony, these events have revealed a number of weaknesses in banks’ risk management processes that we and the industry must address. Because these problems are global in nature, many of the actions we are taking are in coordination with other supervisors around the world. 

More fundamentally, recent events have served as a dramatic reminder that risk management is, and must be, more than simply a collection of policies, procedures, limits and models. Effective risk management requires a strong corporate culture and corporate risk governance. As noted in the March 2008 Senior Supervisors Group report on “Observations on Risk Management Practices During the Recent Market Turmoil,” companies that fostered a strong risk management culture and encouraged firm-wide identification and control of risk, were less vulnerable to significant losses, even when engaged in higher risk activities.

Hindsight certainly is clearer given the magnitude of the recent economic meltdown.  However, these views must remain with us as we emerge from this downturn and inevitably enter better economic times.  

Written by Wheelhouse Advisors

March 20, 2009 at 7:00 am

Reputation Risk Takes Center Stage

A new report about reputation risk management was released this week by The Conference Board.  The report is based on the findings of The Conference Board Reputation Risk Research Working Group and a survey of 148 risk management executives of major corporations.

More than three quarters of the respondents to the survey said their companies are making a substantial effort to manage reputation risk (82 percent) and they have increased focus in this area over the last three years (81 percent).

Other key findings of the study:

  • Reputation risk should be managed throughout the organization. Although communication is of critical importance in responding to a risk event, a company’s reputation should be considered during the preparation and execution of strategy and new projects, which hasn’t been the case in most companies.
  • Reputation risk is often not incorporated into risk management. Only 49 percent of executives surveyed said that the management of reputation risk was highly integrated with their enterprise risk management (ERM) function or another risk oversight program.
  • Assessing reputation risks is a top challenge. Fifty-nine percent indicated that assessing the perceptions and concerns of stakeholders was an extremely or very significant issue, making it the highest-ranked challenge.
  • Media monitoring has become more sophisticated. Today, there are tools to assess whether coverage is positive, neutral or negative; the credibility of publications; the prominence of coverage, etc.
  • Efforts are being made to quantify the value of reputation. A select group of companies is making progress in this area by working with specialist consulting firms to quantify the impact of reputation on share price.
  • Social media are gaining influence, but most companies are ignoring them. Although consumers and investors are increasingly gathering information from blogs, online forums, and social networking sites, only 34 percent of the survey respondents said they extensively monitor such sites, and only 10 percent actively participated in them.

Given the speed and efficiency of today’s modern communication and news infrastructure, reputation risk should be a serious concern for all companies.  As Warren Buffett said, “It takes 20 years to build a reputation and five minutes to ruin it.”

Written by Wheelhouse Advisors

March 19, 2009 at 7:00 am

Are You Successfully Navigating the Torrent of Risk?

More and more companies are coming to the realization that risks can no longer be ignored and must be managed in a proactive manner.  An article in this month’s Business Finance magazine provides a perspective on the rapid evolution of enterprise risk management in organizations of all shapes and sizes.  Here’s a brief excerpt:

It’s no secret that many publicly listed, closely-held, and even not-for-profit organizations have begun to embrace enterprise risk management (ERM) as a corporate imperative. Corporate boards have reassessed their role in today’s legal and economic environment and are beginning to exert pressure on the C-suite (the CFO in particular) to understand and analyze enterprise risk as a necessity to help achieve corporate objectives. Further, analysts are beginning to question CFOs and CEOs during earnings calls about how the company is addressing risk from an enterprise basis. And, with Standard & Poor’s and Moody’s coming under fire for less-than-rigorous evaluations of risk to corporate ratings, ERM will likely stay at the forefront of leadership attention.

What is your company doing to address risks in a more proactive manner?  

Visit www.WheelhouseAdvisors.com to learn how we can help your company Navigate Successfully™.

Written by Wheelhouse Advisors

March 18, 2009 at 7:00 am