Features: Risky Business


Risk managers are heading back to the drawing board after finding their systems were incapable of flagging up the perils that have brought the financial and corporate worlds to their knees.

First developed more than a decade ago, the concept of enterprise risk management (ERM) has gained increasing prominence. Complex and seemingly advanced risk management strategies gave banks and corporations the confidence to invest in instruments and areas that previously would have been deemed too speculative. With a sophisticated risk management system backing them up, what could go wrong? The answer, as it turned out, was “everything.”


There is no doubt that the systems for identifying and managing risk have become more sophisticated and, in many ways, more effective. But they are far from perfect, and if relied upon too heavily, they can be downright dangerous. Analysts believe that much of the recent carnage in the corporate and financial worlds has been the result of over-reliance on complex models coupled with a series of poor communications choices and a misguided zeal for satisfying compliance standards, which together helped drown out the warning signals of even the best corporate ERM programs.


Whether it was employees at the middle rungs of corporate life reluctant to shoot at sacred corporate cows or overly confident top executives intent on calling the shots, corporate boards frequently never saw the red flags that could have diminished the current economic troubles. “There may have been hubris at the top—an attitude that ‘I’m the boss’ and ‘It’s part of my job to make decisions,’” says Steve Saporito, managing director of the enterprise and risk finance practice at Willis in New York. “So data fed back to the top was ignored or trumped by an ‘I know better’ attitude.”


Another serious risk that did not appear on any official corporate risk register was that employees who had critical information that could torpedo an accepted way of doing business were afraid to say anything. “It’s what I would call ‘career-path anxiety’—middle management afraid to come out and make a declarative statement that an accepted practice is not good for the company,” says Saporito. “People were reluctant to raise an issue.”


Mathew Allen, practice leader at the enterprise risk services and solutions group at Marsh in New York, agrees that flaws in the ways that the rank-and-file could send critical information upward were partly responsible for thwarting the best-intended risk management plans. “It was difficult in many corporations for bottom-up communication…for people at the lower levels to communicate to all tiers of an organization in a way that gave the leadership critical information,” says Allen. “How information is managed at each layer was highly subjective. And that was one of the biggest failures.”


Often, too, a company maintained a so-called “siloed” approach to managing its risks, which meant that top managers were not able to get a comprehensive view of the information collected by the various divisions and marketplaces encompassing a multinational’s operations. “You have to do something with the information. Too many times it was out of sight, out of mind,” says Randy Nornes, executive vice president at Aon Risk Services in Chicago.


A company’s risk surveillance activities are frequently delegated to a risk manager or department separated from other business lines. “The person was in a room down the hall and not part of the company decision-making. Or the information might have been treated as compliance and taken by an internal audit team,” Nornes adds.


Coupled with the gigantic size of today’s multinationals, this siloed approach of managing information has proved a time bomb for many corporations. “There was not a well-defined process for communicating bad information. How do you bridge the silos of some of these huge organizations?” asks Allen. “There was no appreciation of the risks of growing that large.”

Compliance Breeds Complacency
Carol Fox, senior director of risk management at Convergys in Cincinnati, Ohio, agrees that an over-dependence on government compliance standards—many of which were created after scandals at companies such as Enron, WorldCom and Parmalat rocked the financial markets in the early part of the decade—also contributed to the black hole of unexpected risks. Risk managers thought that by meeting new standards set by the US Sarbanes-Oxley Act or the US Securities and Exchange Commission or the Financial Services Authority in the UK they were taking care of risky business practices, as they kept regulators happy.


“There was an over-reliance on compliance, particularly for financial risks, that if you checked the boxes on the compliance forms, the corporation will be all right,” says Fox, who also is immediate past chair of the Risk and Insurance Management Society (RIMS) enterprise risk management development committee. “ERM took on a compliance stance. What was missing was taking the broader view and looking at the universe of risks facing a corporation,” she says. Nornes agrees: “The audits assumed the enterprise risk management responsibility. ERM didn’t become an integral part of the guidance for running a business,” he says.


Peter Fahrenthold, managing director of risk management at Continental Airlines in Houston, Texas, agrees that the risk management systems frequently were not crossing the various divisions of a corporation and then placing the information about those risks in one place for evaluation by a chief risk officer or risk committee. “You have to define your key business risks and collect the information in a structured and exhaustive way,” says Fahrenthold, who is a member of the RIMS ERM development committee. “You have to take a look at all the facts and take the middle ground.”


Continental, for example, needed to hedge oil prices last year to maintain its fuel costs while not damaging its liquidity. A responsible risk management stance helped it fare well when oil prices headed downward last fall, as the company was not as heavily hedged against escalating oil prices as its competitors.


The purchasing department of a convenience store chain, for example, may be saving money by buying soft drinks for all its stores at a low cost per unit, Fahrenthold says. But a comprehensive review of all the company’s risk might show that the limited storage space in these small convenience stores means the large inventory of soft drinks must be stored outside each convenience store. That opens the management to the risks of theft and of employee back injuries as they move cases of soft drinks into the stores. “You need a chief risk officer to look at a report and ask what makes sense and to test the theories that people are holding,” he adds.


Nornes agrees that an enterprise risk program must not only identify a company’s risks but also have enough detailed information on how different variables could affect those risks and, subsequently, the bottom line. “There has to be an understanding of how you make money as a business,” he says. “Some companies became too big and too complex.”


Retailers, for example, garnered revenue during the years of economic growth by issuing in-house credit cards, an expensive endeavor that also meant they were holding these credit balances on their balance sheets. “That took working capital away from the business,” Nornes says. The economic downturn then increased retailers’ liabilities, as financially strapped consumers could not pay down their credit card balances.

The Risks of Risk Management
Another significant factor behind the failure of enterprise risk management to raise red flags was the over-reliance, particularly by financial institutions, on complex mathematical models for measuring risks in their various portfolios. The most widely used model was the VaR, or Value at Risk, a group of related models popularized in the early 1990s. The VaR group of related models shared a mathematical framework and was built around statistical ideas and probability theories developed hundreds of years ago. It can measure the boundaries of risk in a portfolio over short durations, assuming a normal market.


“VaR is a good way to measure a couple of dimensions of transactional or portfolio risk. Unfortunately, it did a very poor job of measuring the risks that got everyone into trouble,” says Allen, referring to the risks associated with derivatives. “Not only did it give a false positive reading,” he continues, “but it simply didn’t provide insight into the broader implications of heavily interrelated systemic risks.”


Together this created an interdependence of risks that few truly grasped. “Financial institutions were saddled with far more risk than they understood,” says Allen. “There were too many people looking at a single measure and thinking everything was all right. You cannot tell the performance of a car if you are looking only at one dial, like the speedometer.” Fox adds that companies were not looking for certain extreme factors that were not probable but possible. “You have to be thinking about the 10% of possibilities that could cripple a company but are so remote,” she says.


Finally, risk experts point to an executive incentive system that rewarded executives for assuming risk by focusing on short-term goals and returns as another factor for the economic woes. “The average tenure of a CEO is now very brief, about three years,” says Carole Switzer, president of the Open Compliance and Ethics Group (OCEG) in Phoenix, Arizona. “That encourages managers to maximize short-term returns and objectives. There wasn’t a long-term commitment.”


A non-profit organization, OCEG aims to help organizations improve performance by integrating governance, risk management and compliance processes. “If boards don’t establish a standard level of tolerance for risk and set policies and procedures that are in accordance with those standards, then managers will take on more risk in hope of a good reward,” says Switzer, adding that she expects corporate boards will be paying more attention to enterprise risk management concepts in the years ahead.


“There are two possible reactions to this crisis,” adds Switzer. “Companies can follow it [ERM] faster and get better at it, or they can hunker down and spend no money and freeze like deer in the car headlights.”

With its roots reaching back to the early 1970s when Swedish risk manager Gustav Hamilton first proposed the “risk management circle,” enterprise risk management (ERM) is a more holistic—and radical—approach to managing a company’s myriad risks. Much more than the purchase of property and casualty insurance to protect against losses from fires and lawsuits, ERM encompasses the management of the entire spectrum of a corporation’s risks, including long-term strategy, operations, reputation, human capital, finances, compliance and information. Its growth has been fueled by a variety of factors, from security and technology issues, to the tighter financial disclosure and compliance standards of today’s regulators, to the increasingly competitive global business environment. It requires that all risks be considered in relation to one another and even can identify situations in which risk can be a competitive advantage.



by Paula L. Green