When Assessing Risk, Don’t Forget the People

The Conference Board released a report today about the need for stronger integration of human capital risks into a company’s overall enterprise risk management program.  Too often, these risks are left to the human resources department to manage alone with little understanding of the potential impact to a company’s entire operation.  After surveying 161 leading companies worldwide, here is what the researchers discovered.

At most companies, human capital accounts for at least half of operating costs and can have a significant impact on business results. However, the study finds that human capital risk (HCR) — which can range from unionization/labor relations to offshoring and outsourcing to staffing in a pandemic — tends to be siloed in human resources departments, away from the companywide assessment and mitigation processes of enterprise risk management (ERM). This arrangement prevents information about HCR from having a role in the comprehensive, aggregate view of risks, root causes, interactions, and impacts through which leaders set priorities and determine overall strategy.

Out of eleven risk categories, executives ranked HCR as having the fourth highest impact on business results, ahead of financial, reputational, supply chain, and IT risks. This high ranking is evidence that HCR should be taken seriously as an enterprise risk.  However, less than one-third (31 percent) of companies believe they effectively assess human capital risk, and 24 percent believe they do an ineffective job.

During an economic crisis such as the one we have experienced, many companies lose sight of what really drives a business – people.  Understanding the risks associated with the primary business driver is certainly a no-brainer.


Added Stress in the United Kingdom

Last week, the Wall Street Journal reported that financial institutions in the UK are being subjected to even more stringent stress testing requirements than their US counterparts. The Financial Services Authority (FSA) is requiring the largest financial institutions to conduct what it calls “reverse stress testing”. These tests are designed to determine what an institution will need to recover from a catastrophic operational risk event such as a natural disaster or pandemic. Evidently, the UK bankers are none too pleased with the request according to the following report.

Bankers call it the latest example of regulatory overkill. Executives protest that they are wasting countless hours dreaming up outlandish doomsday scenarios. The chief executive of a major U.K. bank said the tests are predicated on “a massive confluence [of] absurd scenarios” in which executives passively watch events unfold rather than trying to stabilize the situation. Bankers are especially worried that the process could result in them being forced to hold more capital. The FSA said in a planning document that the tests “may result indirectly in changes to the levels of capital held by firms” if the exercise “identifies business model vulnerabilities that have not previously been considered.”

An FSA spokeswoman defended the exercise. “It might seem outlandish to them, but the point is that it pushes the business model to the point it collapses,” the spokeswoman said. She said the banks also should be evaluating relatively mundane situations like what they would do in the event of a major internal fraud.

What is somewhat surprising by this report is the fact that these financial institutions should have already conducted similar scenario planning and testing as part of the Basel II Capital Accord requirements. However, since the Basel II requirements were largely self-regulated, it appears that the banks did not do their homework the first time around. For those bankers in the US who did not do their homework as well, you might want to get started before the teacher asks for it.

Is This Just the Tip of the Iceberg?

The Congressional Oversight Panel released its November report today and it focused on the continued foreclosure crisis. The panel is calling for additional investigation by regulators and is also requesting that the U.S. Treasury provide additional evidence of their claim that the crisis has been averted.  Below is an excerpt from their report as well as video commentary from the chairman of the panel, Senator Ted Kaufman.

At this point the ultimate implications remain unclear. It is possible, however, that “robo-signing” may have concealed much deeper problems in the mortgage market that could potentially threaten financial stability and undermine the government‟s efforts to mitigate the foreclosure crisis. Although it is not yet possible to determine whether such threats will materialize, the Panel urges Treasury and bank regulators to take immediate steps to understand and prepare for the potential risks.

In the best-case scenario, concerns about mortgage documentation irregularities may prove overblown. In this view, which has been embraced by the financial industry, a handful of employees failed to follow procedures in signing foreclosure-related affidavits, but the facts underlying the affidavits are demonstrably accurate. Foreclosures could proceed as soon as the invalid affidavits are replaced with properly executed paperwork.

The worst-case scenario is considerably grimmer. In this view, which has been articulated by academics and homeowner advocates, the “robo-signing” of affidavits served to cover up the fact that loan servicers cannot demonstrate the facts required to conduct a lawful foreclosure. In essence, banks may be unable to prove that they own the mortgage loans they claim to own.

Only time will tell whether the foreclosure issues are merely the tip of the iceberg.  However, if the issues are real, then the financial institutions and other involved parties will be best served to proactively address the problem now rather than hoping it goes away on its own.

The Need for ERM is Crystal Clear

Unlike the waters of the Gulf of Mexico, the need for companies to have robust enterprise risk management (“ERM”) programs became crystal clear during an interview of former BP CEO Tony Hayward aired this week by the BBC. Here’s some of the highlights from the interview.

Former BP PLC chief Tony Hayward has acknowledged that the company was unprepared for the disastrous Gulf of Mexico oil spill and the media frenzy it spawned, and said the firm came close to financial disaster as its credit sources evaporated.

In an interview with the BBC to be broadcast Tuesday, Hayward said company’s contingency plans were inadequate and “we were making it up day to day.”

Hayward said BP had found itself unable to borrow from international investors during the spill crisis, threatening its finances. He said that before a meeting with President Barack Obama at the White House in June, “the capital markets were effectively closed to BP.” “We were not able to borrow in the capital markets, either short or medium term debt at all, ” he said. “It was a classic financial crisis issue.”

Hayward’s successor, Bob Dudley, told the program that “these were frightening days” for BP. “With a company the size of BP, its reputation, what it does — you almost can’t quite believe how close you are” to financial disaster, he said.

This interview demonstrates the catastrophic impacts of a risk event not only to the environment at large, but also to every corner of the company responsible for the event occurring. BP obviously did not have a comprehensive ERM program at the ready that resulted in improvisation and ultimately a full-blown crisis. Only a company of BP’s size and resources could weather this type of event. So, how effective is your ERM program?

SEC Seeks to Shed Light on Foreclosure Crisis

The U.S. Securities & Exchange Commission (“SEC”) has entered the foreclosure fray by requiring publicly traded financial services companies to disclose their estimated risk of foreclosure related losses. Here’s what Bloomberg Business Week reported on the recent SEC actions.

Lenders must disclose circumstances that they “reasonably expect” to have an “unfavorable impact” on financial results, the SEC said in a letter posted on the agency’s website today. The letter was sent because of “concerns about potential risks and costs associated with mortgage and foreclosure-related activities,” the SEC said. Federal regulators and attorneys general from all 50 states are investigating whether loan-servicing companies used improper procedures during foreclosure proceedings, including so-called robo-signers who didn’t check documentation. Investors such as Pacific Investment Management Co. have demanded that banks buy back faulty loans that were bundled into bonds.

These forced disclosures will shed more light on the potential dollar impact of an operational risk that was neither fully anticipated nor proactively managed.

Obfuscating Operational Risk Management

Operational Risk Management is continuing to evolve as a key component of an Enterprise Risk Management (“ERM”) program. However, it continues to be an area of great debate as a formal discipline due to its broad focus and impact across the business. One area that confuses and frustrates many businesspeople when confronted with operational risk is the notion of risk appetite vs. risk tolerance. In some cases, the two terms are used interchangeably. However, in other cases, risk appetite refers to the total amount of risk to be taken to achieve a given business objective and risk tolerance refers to specific risk limits associated with a given business activity. The Institute of Operational Risk has developed guidance that is practical and useful for risk practitioners in dealing with these terms. Here’s their view.

In simple terms, expressing Operational Risk Appetite is a question of defining what is acceptable to an organisation and what is not. This could be achieved by deciding, for each type of risk, what is acceptable, what is unacceptable, and the parameters of the area between those two (i.e. what is tolerable).

Regardless of the way these terms are used, the key for operational risk managers is to help businesspeople understand risk in their own terms rather than in risk management vernacular. Otherwise, the focus will remain on terminology rather than what is really important – creating value for the business.

Lessons Learned from the Foreclosure Crisis

The recent foreclosure crisis is just another chapter in the financial meltdown that began in 2007.  As a result of the frenzy to securitize mortgage loans back in the middle of the decade, the required paperwork to foreclose on a property is difficult, if not impossible, to retrieve. Now, financial institutions are finding that the outsourced foreclosure work is faulty at best and fraudulent in many cases. Here’s what the Wall Street Journal reported today.

In recent days, some lenders named in the foreclosure inquiries have said they would no longer use the services of some of these law firms for new foreclosures. Ally Financial Inc.’s GMAC Mortgage has pulled business and dispatched executives and a new team of lawyers to Florida to ensure foreclosure cases are being handled correctly, according to a person familiar with the situation.

The law firms and a Lender Processing unit, Docx LLC, which did work at a suburban Atlanta office, handled the nitty-gritty paperwork necessary to verify key document batches, including ownership transfer of a loan, known as an assignment, and the amount owed by a borrower losing his home. That paperwork processing at the law firms and lenders allegedly didn’t review all information needed, such as who owned the loan or borrower financial information, the Florida attorney general claims. The Florida attorney general’s office is looking at possible use of “fabricated documents” used in foreclosure actions in court, according to the attorney general.

This situation provides a few lessons in risk management. First, it demonstrates the lingering effects of poor controls when dealing with massive amounts of transactions complicated by a highly complex securitization process. Second, it also shows that the operational risks to a given company extend well beyond its walls to its outsourcing partners’ ability to properly control its business.  Finally, with the crisis today clearly rooted in the actions of the past, it demonstrates the need for more forward-looking risk management programs.