A Big Step Toward Convergence?

As the debate over financial regulatory reform continues in the U.S. Congress, a broader global debate is slated to take place this weekend in Toronto at the G-20 meetings. One of the primary topics on the G-20 agenda will be the convergence of financial reporting standards across the globe. Financial leaders are acknowledging that the increasing complexity of reporting standards impedes the ability of regulators, investors and counter-parties to understand the true nature of a company’s financial health. Here is what the Financial Times reported on the upcoming meetings this weekend.

Some accountants respond that the G-20 focus makes convergence harder to achieve. Politicians in the US or Europe will not give up sovereignty over accounting rules when the world is watching, they say. However, the spotlight on the profession by the G-20 could also offer an opportunity. It could provide a platform to tackle the broader failures of corporate reporting which are expected to need some form of political impetus to succeed.

Accountants and investors – and increasingly regulators – argue that the financial turmoil showed that greater clarity is needed not only in accounting rules but also in annual reports. Increased length and information in corporate reports has clouded the underlying picture of a company’s financial health, they say.

Getting enough support from politicians as well as regulators, investors and accountants to make significant changes is difficult as the debate over accounting standards has shown. However, the timing of the inquiry to coincide with the G-20 focus on accounting may give it a greater chance of success.

Financial reporting risk has become a top concern as the business community becomes more global. One of the primary ways to mitigate that risk is to adopt global standards for financial reporting. This weekend could represent a big step towards convergence of financial reporting standards.

Growing Web of Risks in Today’s Business World

As many companies look to better understand the complex risks within their organization, recent events are pointing to the increasing need to understand the even more complex risks posed by partner organizations. Richard Thaler, professor of economics and behavioral science at the University of Chicago, provided his view in the New York Times this week.

AS the oil spill in the Gulf of Mexico follows on the heels of the financial crisis, we can discern a toxic recipe for catastrophe. The ingredients include risks that are erroneously thought to be vanishingly small, complex technology that isn’t fully grasped by either top management or regulators, and tricky relationships among companies that are not sure how much they can count on their partners.

For the financial crisis, it has become clear that many chief executives and corporate directors were not aware of the risks taken by their trading desks and partners. Recent accusations against Goldman Sachs suggest the potential for conflicts of interest among banks, investors, hedge funds and rating agencies. And it is clear that regulators like the Securities and Exchange Commission, an agency staffed primarily with lawyers, are not well positioned to monitor the arcane trading strategies that helped produce the crisis.

The story of the oil crisis is still being written, but it seems clear that BP underestimated the risk of an accident. Tony Hayward, its C.E.O., called this kind of event a “one-in-a-million chance.” And while there is no way to know for sure, of course, whether BP was just extraordinarily unlucky, there is much evidence that people in general are not good at estimating the true chances of rare events, especially when human error may be involved. There was another major blow-out in the gulf 31 years ago by the Mexican rig Ixtoc I. So was this really a one-in-a-million risk?

In the current spill, the problems of assessing risk were complicated by the teamwork required among BP; Transocean, which owned the rig; and Halliburton, which had provided services like concrete work. “Of the 126 people present on the day of the explosion, only eight were employees of BP,”reported Ian Urbina in The New York Times. “The interests of the workers did not always align.”

Certainly, before a company can fully understand the growing web of internal and external risks inherent in their business activities, the company must have a disciplined approach to risk management. A strong enterprise risk management program can help in this regard. If your company is looking to implement or improve its enterprise risk management program, Wheelhouse Advisors can help. Visit www.WheelhouseAdvisors.com to learn more.

Weak Links in Risk Management Programs

An article published in the current issue of Bank Systems & Technology discussed the weak links in the risk management infrastructures of some of the larger financial institutions during last year’s economic meltdown.  It seems that many institutions had to rely on highly manual, time consuming processes to understand their full risk exposures. Here is their view.

Weaknesses in the infrastructure often limited banks to identifying and aggregating exposures across the bank. A fragmented risk architecture dispersed over a multitude of systems made the reconciliation of the relevant data a time-consuming exercise, which was at best semi-automated, but more often a manual process. This led to banks needing far too long to aggregate their exposures and other relevant accounting and risk figures on a firmwide level. In the bankruptcy case of Lehman Brothers, for example, it was reported that it took some banks more than three weeks to determine their overall exposure to Lehman.

An inflexible risk environment within the banks rendered them incapable of reacting to sudden changes driven by external and internal circumstances—for example, the ability to perform ad hoc stress tests to assess the impact of new stress scenarios designed to address a rapidly changing environment.

In short, the interlinkage among risk types was not captured. The recent crisis has exposed the strong dependency among credit risk, market liquidity and funding liquidity pressures. Banks need to move away from silo-based risk management to achieve a more integrated and connected way of managing risk.

An integrated approach is not only required, it is also the most cost-effective solution in times like these.  Wheelhouse Advisors provides services to help companies build an integrated risk management program.  Visit www.WheelhouseAdvisors.com to learn more.

Beyond the Models

A great deal of the blame relating to the current financial crisis has been focused on the improper use of computer models in determining the amount of risk within a company’s portfolio.  A recent article in Bank Systems & Technology Magazine discusses key considerations for employing models to determine accurate risk levels.   The article also notes that proper model usage alone is not the answer.  The author rightly states, 

“Although selecting the right modeling tools for risk management is essential, one further mistake companies commonly make doesn’t have anything to do with tools. It is essential to ensure that corporate culture avoids the typical silo approach to running a business. As we continue to follow news on the economy, it becomes clear that companies that conduct risk management in business silos expose their firms to unnecessary and avoidable risks. Tying true enterprise-wide risk management to business performance management, along with implementation of the right tools, is the only way for companies to ensure long-term success.”

Having an appropriate risk framework and governance structure is critical to creating a strong culture focused on effectively managing risks.  Wheelhouse Advisors can provide cost-effective solutions to help companies break-down the silos and implement successful enterprise risk managemement programs.  Visit www.WheelhouseAdvisors.com to learn more.

Canary in a Coal Mine

During the recent boom in mortgage-backed securities and credit derivatives, many risk managers were hired to serve as the “canary in a coal mine” for financial institutions.   In the past, coal miners would bring a canary with them to work to ensure that they did not die as a result of carbon monoxide poisoning.  If the canary stopped singing and died, then the coal miners knew to evacuate due to the risk of high levels of carbon monoxide gas in the mine.   The problem with the financial institutions was that the canary (i.e. risk manager) stopped singing in many cases.  The miners (i.e. bankers) chose not to pay attention to the canary at their own peril.  

Just this week, the following was published in US Banker magazine.

“There’s a lot of finger pointing going around about what led to the current financial market breakdown, but perhaps the most ridiculous target of blame is the very idea of financial derivatives, as if these products sprang out of the ground like a particularly potent crop of poison ivy while no one was looking. In reality, a lot of people were looking, and a fair number of risk managers were warning, but too many institutions were either ignoring or mis-measuring the risk.”

Rather than solely rely in the future on sophisticated models, the magazine suggests that many financial institutions are getting back to basics.  Edward Hida, a risk management expert from Deloitte, is quoted by the magazine as saying that it all begins with:

“a strengthening of governance and monitoring. The chief risk officer “should serve as a central point. Risk management should be a robust process across functions.”

He makes a great point, but the rest of the organization must heed the warnings of the chief risk officer in the future or suffer the same fate as the poor souls at the bottom of the mine.

You can pay me now… Or, pay me later!

A study was released this week that examines worldwide regulatory compliance efforts and implementations in large organizations.  The results of this study are surprising, if not alarming, given the current state of the worldwide economy.  Sponsored by CA and conducted by GMG Insights, the study found that many organizations in Europe and the Asia/Pacific Region are not fully compliant with many regulations even though they are required to be.  For example, 46% of European companies and 50% of Asia/Pacific companies anonymously reported that they are not fully compliant with the Sarbanes-Oxley Act.  To be sure, these companies do not have very mature risk and control programs.  The researchers conducting the study concluded the following.

“The conclusion we come to, is that in-spite of the rising costs associated with compliance and the severe penalties that can come from non-compliance, organizations are still managing down to a “just enough to get by” strategy. In our opinion this strategy cannot be sustained. Organizations face exponential growth of regulations and systems affected by those regulations must be monitored. Managing compliance with an ad hoc approach subjects organizations to significant risks. Recognition of the organizational risk and the growing costs will ultimately drive the adoption of broader, enterprisewide compliance management solutions.”

These companies and many others may believe they are saving money by addressing compliance in this fashion.  However, most will ultimately find that this short-term, ad hoc approach will not only lead to greater risk of potential non-compliance, but also to greater cost due to fragmented and duplicate activities.  As the mechanic says to his customer in the oil filter commercial, “you can pay me now….. or pay me later”.

GRC Convergence – Where’s the “B”eef?

Many software vendors and professional services firms are touting their abilities to converge or integrate what has become a common buzz word – “GRC”.   For those who are unfamiliar with the term, GRC stands for Governance, Risk and Compliance respectively.  In many companies, activities related to each of these areas often over overlap and lend themselves to duplicative efforts as well as excessive costs.  As such, there is a true need and benefit to integrating these disciplines.  

However, what is often missed in this push for convergence is the need to first integrate these disciplines into the business processes themselves.  The greatest convergence benefit will be achieved when Enterprise Risk Management becomes a part of running the business, rather than a separate exercise performed by units outside of the business.  By focusing first on the “B” (the business) with the “G”, “R” & “C” in mind, GRC convergence will begin to occur naturally as a by-product of the business integration efforts.  Then, when that little old lady from the burger joint comes to review your Enterprise Risk Management Program (or more likely a rating agency, regulator or auditor), you will know the answer to the most important question.  Share your thoughts and comments below.