ERM Growing as an Accepted Practice

This year, the US Securities and Exchange Commission instituted new disclosure rules requiring public companies to inform their shareholders about the role of the board of directors in overseeing risk management. A major US law firm recently reviewed annual proxy statements of S&P 500 corporations to determine the extent and nature of risk management across various industries. One of the more interesting findings in the review was the number of companies that are employing Enterprise Risk Management programs to help manage their risks. Here is what they reported.

In the wake of the financial crisis, many companies have implemented more comprehensive and integrated risk management programs, and boards of directors have expanded their risk oversight to encompass not just the legal and financial risks that audit committees have traditionally overseen, but also the full panoply of risks that a company may face.  Enterprise risk management (ERM) is the current buzzword applied to a top-down holistic approach to risk management.  It addresses all of an enterprise’s risks—including operational, financial, strategic, compliance and reputational risks—under one umbrella, in contrast to the more traditional “silo” approach in which each operating function or division tackled risk independently.  ERM is not focused simply on risk reduction.  Rather, it encompasses an assessment of both upside and downside risks and, thus, helps inform the strategic planning process.  Indeed, to make informed decisions about the company’s strategic direction, the board must have a full understanding of all of the major risks involved.

Fifty-four percent of surveyed companies expressly used the term “enterprise risk management.” Sample disclosures are set forth below:

American Express Company:  “The Company relies on its comprehensive enterprise risk management process (ERM) to aggregate, monitor, measure and manage risks.  The ERM approach is designed to enable the Board of Directors to establish a mutual understanding with management of the effectiveness of the Company’s risk management practices and capabilities, to review the Company’s risk exposure and to elevate certain key risks for discussion at the Board level.  The Company’s ERM program is overseen by its Chief Risk Officer who is an executive officer of the Company and a member of the Company’s most senior management.”

Express Scripts, Inc.:  “In order to assist the board of directors in overseeing our risk management, we use enterprise risk management (“ERM”), a company-wide initiative that involves the board of directors, management and other personnel in an integrated effort to identify, assess and manage risks that may affect our ability to execute on our corporate strategy and fulfill our business objectives.  These activities entail the identification, prioritization and assessment of a broad range of risks (e.g., financial, operational, business, reputational, governance and managerial), and the formulation of plans to manage these risks or mitigate their effects.”

With more than half of the companies relying on ERM, the review shows that ERM is growing as an accepted practice beyond just financial services companies. If your company is looking to implement or simply improve your ERM program, Wheelhouse Advisors can help. Visit www.WheelhouseAdvisors.com to learn more.

Who Can Afford Not to Have an ERM Program?

Many people in the corporate world routinely argue that Enterprise Risk Management is simply a cost that few companies can afford to implement. However, time and again, it seems as though exactly the opposite is true. Companies can’t afford not having a robust ERM program. In reading today’s Wall Street Journal, one might find the following story on the off-shore oil drilling disaster to be eerily similar to the recent financial crisis. To make the case, financial terms have been included in parentheses to illustrate the point.

Without adequately planning for trouble, the oil business (financial services industry) has focused on developing experimental equipment (complex derivatives) and techniques (synthetic asset backed securities) to drill (operate) in ever deeper waters (more opaque markets), according to a Wall Street Journal examination of previous deepwater accidents (financial meltdowns). As drillers (bankers) pushed the boundaries, regulators didn’t always mandate preparation for disaster recovery or perform independent monitoring.

The Minerals Management Service (Federal Reserve, OCC, OTS, FDIC, etc.), the government agency that oversees offshore drilling (financial services), in recent years moved away from requiring specific safety measures (capital requirements) in offshore drilling (trading activities) and instead set broad performance goals (guidance for internal risk modeling) that it was up to the industry to meet. In joint MMS-Coast Guard (Federal Reserve, OCC, OTS, FDIC, etc.) hearings into the Deepwater Horizon accident (Bear Stearns, Lehman Brothers, AIG insolvency), Michael Saucier, an MMS official, testified that the agency “highly encouraged,” but didn’t require, companies to have back-up systems (specified risk limits) to trigger blowout preventers (increases in capital) in case of an emergency.

While there are many estimates of the cost to British Petroleum to deal with the Deepwater Horizon oil spill, the minimum consensus estimate right now is around $12-13 billion. Add to that estimate the recent market capitalization loss of nearly $50 billion and the case for having a robust ERM program seems fairly straightforward.

Reputation Is Everything

In last month’s issue of Operational Risk & Regulation magazine, Goldman Sachs’ operational risk management program and its focus on reputational risk was profiled.  The article focused on Goldman Sachs’ use of scenario analysis in anticipating the magnitude of reputational risk events.  Scenario analysis exercises such as these are very useful tools to increase the risk awareness within an organization.  Here is a summary of Goldman Sachs’ approach.

Goldman Sachs is using scenario analysis to study reputational risk, employing operational risk expertise within its broader risk management framework, according to its global co-heads of operational risk management, Spyro Karetsos and Mark D’Arcy.  The bank says it embraces events, even those creating more reputational risk exposure than financial risk exposure, into its framework.  “Franchise value is highly important within the organisation and managing reputational risk is a by-product of that,” says Karetsos, who is based in New York. “While it is not our responsibility to quantify reputational risk, there is an internal process that measures our exposure to those risks that are difficult to quantify, one of which is reputational risk.”

The timeliness of this story is ironic given the potential massive impact to the bank’s reputation as a result of the fraud charges levied by the Securities and Exchange Commission on Friday.  Once the announcement was made, the bank lost close to $12.5 billion in shareholder value by the end of the trading day.  Whether that loss can be overcome remains to be seen.  However, it does prove that in business, reputation is everything.

Out of Control

Yesterday, the U.S. Senate Subcommittee on Investigations conducted hearings to examine the largest bank failure in U.S. history and its role in the 2008 financial crisis.  The failure of Washington Mutual (“WaMu”) was largely the result of years of increasing involvement in the mortgage-backed securities market.  Over a four-year period, WaMu increased its securitizations of subprime mortgages from about $4.5 billion in 2003 to $29 billion in 2006.  Altogether, from 2000 to 2007, it securitized at least $77 billion in subprime loans.  At the same time, WaMu allowed its lending practices and controls to erode in the pursuit of greater loan production and short-term profits.  Here is a summary of the investigators’ findings.

(1)   High Risk Lending Strategy. Washington Mutual (“WaMu”) executives embarked upon a high risk lending strategy and increased sales of high risk home loans to Wall Street, because they projected that high risk home loans, which generally charged higher rates of interest, would be more profitable for the bank than low risk home loans.

(2)   Shoddy Lending Practices. WaMu and its affiliate, Long Beach Mortgage Company (“Long Beach”), used shoddy lending practices riddled with credit, compliance, and operational deficiencies to make tens of thousands of high risk home loans that too often contained excessive risk, fraudulent information, or errors.

(3)   Steering Borrowers to High Risk Loans. WaMu and Long Beach too often steered borrowers into home loans they could not afford, allowing and encouraging them to make low initial payments that would be followed by much higher payments, and presumed that rising home prices would enable those borrowers to refinance their loans or sell their homes before the payments shot up.

(4)   Polluting the Financial System. WaMu and Long Beach securitized over $77 billion in subprime home loans and billions more in other high risk home loans, used Wall Street firms to sell the securities to investors worldwide, and polluted the financial system with mortgage backed securities which later incurred high rates of delinquency and loss.

(5)   Securitizing Delinquency-Prone and Fraudulent Loans. At times, WaMu selected and securitized loans that it had identified as likely to go delinquent, without disclosing its analysis to investors who bought the securities, and also securitized loans tainted by fraudulent information, without notifying purchasers of the fraud that was discovered.

(6)   Destructive Compensation. WaMu’s compensation system rewarded loan officers and loan processors for originating large volumes of high risk loans, paid extra to loan officers who overcharged borrowers or added stiff prepayment penalties, and gave executives millions of dollars even when its high risk lending strategy placed the bank in financial jeopardy.

These findings are not surprising in the aftermath of the financial disaster.  However, without significant oversight and change in the operations of financial institutions, a similar scenario will likely occur in the not too distant future.

Federal Reserve Focuses on Operational Risk

The Federal Reserve Bank (“FRB”) has started to step up its examination focus on operational risks in the nation’s largest financial institutions as it seeks to garner more supervisory authority through financial regulatory reform.  Not surprisingly, the FRB is looking at processes designed to support capital adequacy determinations, compliance with laws and regulations and compensation levels.  Operational Risk & Regulation Magazine provided the following report this week.

Although US regulators have not referred to the need to reform operational risk management regulation specifically, the Federal Reserve System has undertaken a series of horizontal reviews looking at op risk issues such as the Internal Capital Adequacy Assessment Process (Icaap), compliance risk and compensation. These are part of a broader programme of horizontal reviews looking at large, complex banking organisations (LCBOs).

As part of the same review, Fed supervisors are also reviewing compensation practices at regional, community and other banking organisations not classified as large and complex as part of the regular, risk-focused examination process. Ronald Stroz, assistant vice-president and head of the operational risk group at the Federal Reserve Bank of New York, commented during a panel discussion at OpRisk USA on March 24 this guidance will ensure incentives do not encourage excessive risk-taking, and that they are compatible with a sound risk management framework, supported by a strong corporate governance function with an active, effective board of directors that has risk management oversight.

Horizontal reviews of operational risk will continue in both frequency and intensity for the foreseeable future.  Are you prepared?  If not, visit www.WheelhouseAdvisors.com to learn how we can help.

Losing Their Way

The recent troubles of global car manufacturer Toyota offer a real-world example of the need to reinvent enterprises with a focus toward enterprise risk management.  As Jack Bergstrand and I discussed in our recent webcast, companies today are relying on outdated management principles that emphasize specialization and limited communication across business units.  This contributes to greater risk and ultimately a diminished brand.  Here is what Forbes magazine reported this week about the management failures at Toyota.

President Akio Toyoda acknowledged in an opinion piece he wrote for The Washington Post last week the company had “failed to connect the dots” between the sticky pedals in Europe, surfacing as early as December 2008, and those in the U.S. that culminated in the massive recalls. The error in Europe was corrected, starting with the Aygo hatchback in August 2009, and those models were not included in the latest global recalls.

Making the exact same product again and again – what’s known as “quality control” in manufacturing – isn’t the same thing at all as ensuring safety, according to Steven McNeely, who oversees safety management systems at Jet Solutions, a Richardson, Texas-based carrier.  “Management’s attention and oversight was focused on the business bottom line, and those metrics were quality measures. Management was not focused on safety risk assessment or risk management,” he wrote in his essay, “Lessons Learned From Toyota.”  Others say rigorous testing, managerial foresight and valuing customers are critical to the true Toyota Way, and the company has derailed from that path.

The greater size and complexity of today’s corporations demand a new way of managing.  If you agree, visit www.WheelhouseAdvisors.com to learn more.

Weak Links in Risk Management Programs

An article published in the current issue of Bank Systems & Technology discussed the weak links in the risk management infrastructures of some of the larger financial institutions during last year’s economic meltdown.  It seems that many institutions had to rely on highly manual, time consuming processes to understand their full risk exposures. Here is their view.

Weaknesses in the infrastructure often limited banks to identifying and aggregating exposures across the bank. A fragmented risk architecture dispersed over a multitude of systems made the reconciliation of the relevant data a time-consuming exercise, which was at best semi-automated, but more often a manual process. This led to banks needing far too long to aggregate their exposures and other relevant accounting and risk figures on a firmwide level. In the bankruptcy case of Lehman Brothers, for example, it was reported that it took some banks more than three weeks to determine their overall exposure to Lehman.

An inflexible risk environment within the banks rendered them incapable of reacting to sudden changes driven by external and internal circumstances—for example, the ability to perform ad hoc stress tests to assess the impact of new stress scenarios designed to address a rapidly changing environment.

In short, the interlinkage among risk types was not captured. The recent crisis has exposed the strong dependency among credit risk, market liquidity and funding liquidity pressures. Banks need to move away from silo-based risk management to achieve a more integrated and connected way of managing risk.

An integrated approach is not only required, it is also the most cost-effective solution in times like these.  Wheelhouse Advisors provides services to help companies build an integrated risk management program.  Visit www.WheelhouseAdvisors.com to learn more.

Breaking Down the Silos

Last week, Wheelhouse Advisors participated in a webinar hosted by OpenPages that examined some of the root causes of the current economic crisis associated with operational risk management, and how operational risk management can be leveraged for strategic advantage moving forward.  John Wheeler, Managing Principal at Wheelhouse Advisors, described how operational risk management is the one discipline that binds all the other risk disciplines together in a truly successful enterprise risk management (“ERM”) program.  Mr. Wheeler discussed the following strategies for risk professionals to improve their operational risk management program and, in turn, increase the overall effectiveness of the ERM program.

• Simplify & Streamline

  1. Eliminate redundant activities
  2. Adopt common methods / terminology
  3. Coordinate efforts across functional silos

• Develop an Active & Consistent Dialogue

  1. Frame conversations in relevant terms (e.g. discuss underwriting and documentation improvements as they relate to improvements in credit quality)
  2. Meet on “their turf” to develop greater understanding and buy-in

• Measure & Monitor

  1. Agree on a few key risk indicators
  2. Monitor relentlessly

The webinar provided much more information about how to use operational risk management practices and supporting technologies to manage risk in a cost-effective manner that will translate into a major competitive advantage.  To learn more about how Wheelhouse Advisors can help your company, visit www.WheelhouseAdvisors.com.

Weathering the Storm

In a HedgeWeek special report this month, particular attention is given to the topic of managing hedge fund risk.  One article describes the failings of hedge funds over the past year to be attributable to poor operational risk management practices.  Here is an excerpt from the article referencing Moody’s Investors Service’s view.

According to Moody’s, a significant portion of losses suffered by hedge funds last year probably reflects deficiencies in operational management and control.  “Losses that are disproportionately large in the context of the fund’s stated investment strategy may indicate inherent flaws in the firm’s approach to risk control that are not apparent until the market stresses become unexpectedly severe.  Alternatively, such losses may indicate an opportunistic departure from the investment strategy or portfolio guidelines described in the fund’s offering memorandums or other representations made to investors.  In Moody’s view, both scenarios indicate operational deficiencies.”

Operational deficiencies can have tremendous impact at the worst possible time.  It is always better to know your weaknesses ahead of market catastrophes so you can remedy them to weather the inevitable storm. Wheelhouse Advisors can help your company or fund identify and correct the deficiencies in a cost-effective way. To learn more, visit us at www.WheelhouseAdvisors.com.

Reducing Expenses May Not Reduce Risk

More and more companies are looking for ways to reduce expenses and a popular method recently has been outsourcing.  While many benefits come with an outsourced relationship, so does increased risk.  Proper due diligence and carefully crafted service level agreements are essential.  However, with the recent fraud at Satyam in India, those activities may not be enough.  A recent article in CFO magazine highlights the problem. Here is an excerpt from that article.

The enormously inflated cash balances at Satyam have popped a hole in the reputation of the outsourcing market, which has grown from business offering solely tech business, to back-office work such as finance and accounting. “This has really shaken up the outsourcing industry,” says Peter Allen, a partner and managing director for outsourcing advisory firm TPI. “The industry is built on relationships that imply some level of trust and confidence and integrity.”

How comfortable are you with your outsourcing partner?  Have you assessed the risks with the relationship lately?  If not, Wheelhouse Advisors can help.  Visit www.WheelhouseAdvisors.com to learn more.