by Chris Duncan
Business Management Consultant
For the most part, I'm a true believer in
enterprise risk management (ERM). Properly implemented and applied within a
supportive culture and executive sponsorship, ERM creates improved organizational
resiliency, identifies and helps crush risks under organizational rocks, and
enables senior leadership to make better decisions in the light of a very complex
and risk-filled world.
However, as a risk professional, and an occasional observer of the world
around me, I'm at a loss as to where ERM was in the whole sub-prime, toxic portfolio,
market meltdown, insurance downgrade, credit market debacle? Why didn't we see
it coming, or did we? Did the financial meltdown train hit us because ERM failed
us, like a warning gate that malfunctions at a railroad crossing, or did the
bells and lights go off, but senior management ignored the warnings and drove
across the tracks anyway? Is ERM itself a waste of time and management effort?
If it is not a waste, what can we learn from this debacle to make ERM more effective
in the future?
One of the primary functions of ERM is to help identify and predict company-killer
risks and assist management in making better risk-based decisions, so as to avoid
risks being realized that one can ill afford. And if you can't avoid them, the
goal is to attempt to mitigate (or transfer) them to a level that you can manage.
Unfortunately, there are many risks that can't be predicted or mitigated, and an effective
ERM process is no guarantee that bad things won't happen to an organization.
As the famous risk philosopher, Calvin (of Calvin & Hobbes fame) says, "Some
days even my lucky rocket ship underpants don't help." However, an effective
ERM process should highlight and communicate to the most senior level of a company
the risks that matter, and help allocate finite resources to address the ones
you can influence.
Since 2005, Standard and Poor's has experimented with integration of ERM
effectiveness into the credit ratings of financial institutions, such as banks
and insurance companies … the very ones that have failed, or are currently failing.
S&P recently announced that it was expanding this ERM effectiveness scoring
integration into all rated companies. This is a long overdue recognition that
ERM matters to a company's ability to survive and thrive, and as ERM is increasingly
embraced, we will have more resilient, transparent, and profitable companies.
However, we would be doing our companies, clients, and our profession a disservice
if we did not ask ourselves, today and over and over again in the future, what
We should do our own postmortem on the apparent failure of ERM in the financial
services industry and apply these lessons. I fully expect as time goes by, and
we have a chance to research and reflect, answers to this failure will be evident
in the perfection of 20/20 hindsight.
Already financial legends such as Alan Greenspan have all but admitted that
they (and therefore the Federal Reserve) missed the magnitude of the financial
meltdown risk. Robert Shiller, a well-known economist, has been ringing the
warning bell of the real estate bubble for years. Many politicians have attempted
(and failed) to rein in the political power of Freddie Mac and Fannie Mae. E-mails
and instant messages from those very rating analysts charged with objectively
rating securitized mortgage instruments had been widely reported in the press
discussing this "house of cards." Expect much more detailed analysis in the
future on the risk management failures of our financial institutions once people
have a chance to get out from underneath the walls that fell on them in this
"house of cards."
Where was ERM in financial institutions, anyway? A recent survey of 316 financial
services executives by SAS/Economist Intelligence Unit (published September
2008, surveyed in July 2008, before the massive crash!) reports that 70 percent
of those surveyed blamed poor risk management for the current financial/credit
crisis. Seventy-one percent of these financial institutions reported that they
have an ERM strategy in place and in the process
of being implemented. Fifty-nine percent said that the financial crisis has
forced them to take a much closer look at their risk management programs.
Only 18 percent of those surveyed reported a fully
implemented, comprehensive ERM plan. At this limited level of ERM maturity,
one could easily argue that ERM didn't have a chance to make a difference in
heading off this crisis as it simply wasn't there.
One of the staples of truth in management is that work gets done through
people. We bring with us into well-defined processes preconceived notions of
how things work, or how we think they ought to work, and we are prone to messing
up the very best of work plans. Here are a few of my favorite failure points:
Overreliance on beautifully formatted models, statistical analysis, spreadsheets,
and PowerPoint presentations lulls us into a stupor of confidence in our "numbers."
As Billy Crystal's famous SNL character
Fernando would say, "Darling, and you know who you are, it's more important
to look good than to be good." Spreadsheets create specific answers, point estimates
that look "marvelous" but don't create a great deal of room for uncertainty,
debate, and critical thinking. Often "numbers" don't do an adequate job of showcasing
the impact on reputation risk or investor reactions based on loss of confidence
and market emotion.
Executives often miss a key point in understanding what a risk really is.
Often, being factually right is not enough. Understanding the likely public
(or regulator, or media) perception of these same facts may be the difference
in a company meltdown or a company triumph in adverse circumstances.
Many ERM practitioners say that you must quantify every risk in order to
manage risks. How does one "quantify" the potential of public outrage over executive
compensation decisions made in good economic times when the exit pay package
is paid in the bad times of layoffs that few can predict? An airline may be
in technical compliance with FAA regulations on fleet maintenance, but what
happens if the media discovers a track record of coziness with inspectors? There
may be a one in a million chance of a product fatality, but what happens if
the fatality happens to be a child? What is your risk if you handle a true accidental
workplace fatality with all the right responses, but the CEO comes off as uncaring
and calloused in the media?
If you are a bank, your primary asset is public confidence that hard-earned
savings are in good hands. What happens when that confidence is shaken because
you invested in some assets that are now highly uncertain? Risk is defined by
the perception of facts, not facts themselves.
A must read in any risk professional's bookcase is
The Black Swan, by Nassim Nicholas Taleb.
The basic premise of the book is that we believe we live in a "bell curve,"
a predictable world, and are taught such in business school and in the media.
In this bell curve world, we believe we can predict the future by extrapolating
from the past. The problem is that reliance on the past leaves little room for
trend-busting changes that turn the predictability of the past into an irrelevant
crystal ball exercise. When these events occur (i.e., "black swans"), they create
massive, disruptive change in the world that we know.
For example, I recall having intense conversations with executives at a former
employer (an airline) about the risk that oil prices might just be jumping off
the historical tracks (it was $38 per barrel at the time, an unheard of run
up from the mid-$20s) due to the expansion of the war on terror and likely perceived
supply disruption, increasing evidence of "peak oil" supply, and increased demand
from emerging growth economies of Brazil, India, China, and Russia. The suggestion
was that we consider contingencies to survive as a business if there was a fundamental
delinking of oil price trends from the past. This discussion was consistently
dismissed because the historical experience was that "oil is a mean reverting
commodity," and sure to return to the mid-$20s because it always had.
A similar black swan—residential real estate prices in the United States—had
also "never" had a nominal decline in 30+ years of tracking home prices either
… and real estate price drops "can only happen at a localized level." The Case-Shiller
home price index of 20 major metropolitan areas shows a decline of 16 percent
in home prices from July 2007 to July 2008. I, along with millions of others,
also missed this particular black swan residing in our neighborhoods.
Thousands of companies and millions of people were making money on rising
real estate prices. The "safe" money was in real estate, remember? We all enjoyed
the rising housing prices, and the growth in real and paper wealth it represented.
Few complained when the risk in the housing prices played in their favor. SUVs
printed money for U.S. automakers year after year, and we all enjoyed the room
and convenience of these gas-guzzling behemoths.
In insurance, the more exotic insurance and derivative products like credit
default swaps made billions for powerful and aggressive risk-taking companies
such as AIG. Banks worldwide enjoyed the high rate of return on assets and the
portfolio effects of mortgage securitization for years. It would be a very courageous
executive indeed to "cry in the wilderness" against the potential risks created
from products generating handsome profits and cash flow. Imagine the poor fellow
standing up to a high-powered CEO (picture Hank Greenberg!) and telling him
or her that their multibillion dollar enterprise should not leverage its A+
balance sheet on poorly understood exotic derivatives, credit default swaps,
and rising real estate prices when billions were to be made. That is a pretty
ugly mental picture, isn't it?
Effective ERM occasionally requires a dose of contrarian views coupled with
more than a dash of moral courage, the combination of which is often negatively
equated with career advancement. For ERM to truly be effective, a company's
culture, from the very top, should encourage the appropriate questioning of
the status quo without killing the questioner. But that is a hard lesson to
Warren Buffett summarized this trait of human and business behavior best
when he said:
Most managers have very little incentive to make intelligent-but-with-some-chance-of-looking-like-an-idiot
decision. Their personal gain/loss ratio is all too obvious; if an unconventional
decision works out well, they get a pat on the back, and if it works out
poorly, they get a pink slip. Failing conventionally is the route to go;
as a group, lemmings may have a rotten image, but no individual lemming
has ever received bad press.
It is easier on your career, your marriage, and your ulcers to swim with
the prevailing current than against it. However, for ERM to be effective, occasionally
one does have to swim against the tide and run the risk of getting eaten by
Gone are the days when one person (a risk manager, CFO, CEO) can come to
grips with all the risks of a single company. Risks in supply chain, in finance,
in the environment, and in reputation are global in scope. Company-killer risks
exist in the ripples of events like tainted milk in China, failing banks in
Iceland, residential real estate prices in the United States, and commodity
price volatility from Middle East politics and the illogical acts of terrorists.
ERM is not a centralized function to be administered at company headquarters,
but a management capability and way of thinking that must be global in its scope
to be truly effective. The entire leadership of an organization must be attuned
to the internal and external risks that can impact an organization across the
globe, with an ability to identify and communicate these risks to decision makers
without retribution. If a company is depending on one person to be the risk
safety net of the organization, ERM will fail, because one person will never
Finance, science, the economy, medicine, the environment, politics—almost
all areas of life, business, and governance are highly specialized, with experts
having deep expertise in a particular area. More information is added in a day
to the Internet than in some decades of human progress. Not only is it impossible
to keep up with it all, it is increasingly hard to be a generalist in one's
knowledge. We end up defaulting to the "experts" in a particular area because
many times, we have neither the time, experience, nor sheer ability to figure
out if they are smoking their own exhaust or not.
Regarding the sophisticated sub-prime collateralized mortgage bonds bought
by many very smart, sophisticated banks and investors worldwide, one estimate
from a prominent economist is that there are only a few hundred financial analysts
or market specialists in the world that truly understand these products, where
the risk truly is, and what they are worth. Well, we listened, we thought we
understood, and we (and the experts) were wrong. Functional and expert sophistication
typically overwhelms the general understanding of decision makers and critical
Enterprise risk management works. It adds tremendous value to organizations
large and small, public and private, U.S. and international. However, it is
not the end all, and it does not mean that all risks will be eliminated. Sometimes
monsters do come out from under the bed in the middle of the night. Sometimes
we create the monsters ourselves because we don't examine ourselves to understand
where the process of ERM could go wrong.
The above is by no means a complete list of how ERM can fail, but perhaps
it will prompt some thinking by all. A healthy skepticism of ERM is always a
good thing, and, as with pressure testing our own designs and processes, we
get better. I for one am looking forward to learning all I can from the financial
chaos of the recent months—at least then perhaps something good might come of
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.
© 2000-2014 International Risk Management Institute, Inc. (IRMI). All rights reserved.