
Enterprise Risk Management

Lessons from the financial meltdown

RIMS study probes systemic failures

By Michael J. Moody, MBA, ARM


The past few years have been filled with some of the United States’ most massive business failures, both in and out of the financial service sectors. Not only has this state of affairs been categorized as a major financial mess but, at this point, it appears to be far from over. Each day offers new revelations about the worsening state of the economy. It’s little wonder that so many people are searching for culprits.

One of the most frequently cited causes of the crisis is a failure in risk management. Rough Notes has tackled this problem several times over the past year or so, but enterprise risk management (ERM) continues to receive significant negative attention and is frequently cast as the “fall guy.” While a number of studies and white papers have addressed this situation, the Risk and Insurance Management Society (RIMS) recently published a white paper that provides some interesting perspectives regarding the 2008 financial meltdown.

The RIMS perspective

In the new study titled “The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management,” RIMS makes the case that while there certainly were risk management failings, risk management as a business discipline didn’t fail. The paper identifies four specific failures and the results of each of these failings. In addition, RIMS also outlines several methods to resolve these implementation shortcomings.

Systemic failures

The RIMS white paper points to several key failures. The first was an over-reliance on the use of financial models. The paper states that all too often organizations mistakenly assumed that risk quantification based solely on financial modeling was reliable as a predictive tool. But the paper points out that because most financial models are based on past experience, they are not reliable. Organizations believed that some remote risks were so small that they could be excluded from the risk analysis. In hindsight, it was frequently these low probability, worst-case scenarios that caused the most damage.

Unfortunately, these types of mistakes regarding the dependence on risk modeling occurred among other participants as well. The rating agencies, for example, also fell prey to these wrongful assumptions.

Second, RIMS points out that organizations relied too much on compliance and controls to protect their assets. The organizations believed that controls could change human behavior. But RIMS points out that the controls did not evolve in scope or speed sufficiently to keep up with new risks that were being taken. In addition, the controls frequently ignored emerging risks.

Standard and Poor’s has been pretty up front with its opinion about the importance of properly assessing an organization’s ERM capabilities. S&P is not looking for ERM to be solely about meeting some compliance and/or disclosure requirements. It says that simply instituting some monitored compliance program is not enough.

Third, financial institutions involved in the meltdown failed to embed ERM throughout their organizations. RIMS notes that while financial institutions were one of the first market segments to adopt ERM and many companies had senior management buy-in of the ERM concept, the fundamental principles were not sufficiently embedded within their organizations.

But according to RIMS, merely implementing a risk management process across an enterprise is not enough; it must support front-line risk ownership, as well as governance oversight. “Enterprise risk management is not a panacea for all the uncertainties facing a company.” Nor, for that matter, is it a guarantee that bad things will never happen. It needs to be remembered that organizations cannot create and capture value without assuming some risks.

The fourth failure noted in the RIMS paper has to do with the “failure to properly understand, define, articulate, communicate and monitor risk tolerances, with the mistaken assumption that everyone understands how much risk the organization is willing to take.” Cars have brakes and credit cards have spending limits, RIMS says, because without them the risks taken by drivers or shoppers could prove to be disastrous.

Similarly, organizations need to have a method of applying the “brakes” when risks have the potential of forcing an organization out of control with ruinous results. The RIMS report states that it is key that top management and the board all know what the company’s risk tolerance is. RIMS notes that it is not surprising that risk appetite management, including setting appropriate risk tolerance levels, was one of the major failures that led to the current financial mess.

Not all doom and gloom

While there are any number of cases where investment firms failed to utilize the full scope of ERM, the RIMS white paper points to the fact that some of these firms did get it right. They note that Goldman Sachs used ERM, and it made a difference in their results. They say that Goldman Sachs adjusted its position in mortgage-backed securities beginning in 2006, when many competitors thought they were just being overly cautious. Proof, says RIMS, that ERM “can, and does, help companies perform better and avoid surprises.”

Even in financial organizations where large losses occurred, at least some people were asking the right questions. For example, at Fannie Mae and Freddie Mac, which may well represent the poster children of the meltdown, risk management was occurring. According to Rep. Henry A. Waxman, D-Calif., chairman of the House Oversight and Government Reform Committee, risk managers at both organizations were raising warnings about the dangers of investing heavily in the subprime and alternative mortgage market. The problem was that for the most part, senior management ignored their warnings.

Conclusion

RIMS points out that ERM “isn’t intended to prevent a company from taking risk,” but rather it is intended to help the company’s management to understand risks better. And as history has now shown, simply implementing an ERM program is not enough. The key to long-term success is to have all levels of the organization involved, so it becomes a vital part of the company’s culture.

At the end of the day, RIMS believes that the current financial mess should serve as a wake-up call for ERM. It notes that in order to prevent future catastrophe, now is the time to implement an ERM strategy. RIMS says that the lessons learned from what went wrong are universal and can apply to all businesses. In addition, for ERM to be effective, it must fundamentally change the way organizations think about risks. RIMS points out, “When ERM becomes part of the DNA of a company’s culture, the warning signs of a market gone astray cannot go unseen so easily.”

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF), an independent consulting firm established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.

 
 
 
