For the most part, I'm a true believer in enterprise risk management (ERM). Properly implemented and applied within a supportive culture and executive sponsorship, ERM creates improved organizational resiliency, identifies and helps crush risks under organizational rocks, and enables senior leadership to make better decisions in the light of a very complex and risk-filled world.
However, as a risk professional, and an occasional observer of the world around me, I'm at a loss as to where ERM was in the whole sub-prime, toxic portfolio, market meltdown, insurance downgrade, credit market debacle? Why didn't we see it coming, or did we? Did the financial meltdown train hit us because ERM failed us, like a warning gate that malfunctions at a railroad crossing, or did the bells and lights go off, but senior management ignored the warnings and drove across the tracks anyway? Is ERM itself a waste of time and management effort? If it is not a waste, what can we learn from this debacle to make ERM more effective in the future?
One of the primary functions of ERM is to help identify and predict company-killer risks and assist management in making better risk-based decision making to avoid risks being realized that one can ill afford. And if you can't avoid them, the goal is to attempt to mitigate (or transfer) them to a level that you can manage. Unfortunately, there are many can't be predicted or mitigated, and an effective ERM process is no guarantee that bad things won't happen to an organization.
As the famous risk philosopher, Calvin (of Calvin & Hobbes fame) says, "Some days even my lucky rocket ship underpants don't help." However, an effective ERM process should highlight and communicate to the most senior level of a company the risks that matter, and help allocate finite resources to address the ones you can influence.
Since 2005, Standard and Poor's has experimented with integration of ERM effectiveness into the credit ratings of financial institutions, such as banks and insurance companies … the very ones that have failed, or are currently failing. S&P recently announced that it was expanding this ERM effectiveness scoring integration into all rated companies. This is a long overdue recognition that ERM matters to a company's ability to survive and thrive, and as ERM is increasingly embraced, we will have more resilient, transparent, and profitable companies. However, we would be doing our companies, clients, and our profession a disservice if we did not ask ourselves, today and over and over again in the future, what went wrong?
We should do our own postmortem on the apparent failure of ERM in the financial services industry and apply these lessons. I fully expect as time goes by, and we have a chance to research and reflect, answers to this failure will be evident in the perfection of 20/20 hindsight.
Already financial legends such as Alan Greenspan have all but admitted that he (and therefore the Federal Reserve) missed the magnitude of the financial meltdown risk. Robert Schiller, a well-known economist, has been ringing the warning bell of the real estate bubble for years. Many politicians have attempted (and failed) to rein in the political power of Freddie Mac and Fannie May. E-mails and instant messages from those very rating analysts charged with objectively rating securitized mortgage instruments had been widely reported in the press discussing this "house of cards." Expect much more detailed analysis in the future on the risk management failures of our financial institutions once people have a chance to get out from underneath the walls that fell on them in this "house of cards."
Where was ERM in financial institutions, anyway? A recent survey of 316 financial services executives by SAS/Economist Intelligence Unit (published September 2008, surveyed in July 2008, before the massive crash!) reports that 70 percent of those surveyed blamed poor risk management for the current financial/credit crisis. Seventy-one percent of these financial institutions reported that they have an ERM strategy in place and in the process of being implemented. Fifty-nine percent said that the financial crisis has forced them to take a much closer look at their risk management programs. Only 18 percent of those surveyed reported a fully implemented, comprehensive ERM plan. At this limited level of ERM maturity, one could easily argue that ERM didn't have a chance to make a difference in heading off this crisis as it simply wasn't there.
One of the staples of truth in management is that work gets done through people. We bring with us into well-defined processes preconceived notions of how things work, or how we think they ought to work, and we are prone to messing up the very best of work plans. Here are a few of my favorite failure points in ERM.
Overreliance on beautifully formatted models, statistical analysis, spreadsheets, and Power Point presentations lull us into a stupor of confidence in our "numbers." As Billy Crystal's famous SNL character Fernando would say, "Darling, and you know who you are, it's more important to look good than to be good." Spreadsheets create specific answers, point estimates that look "marvelous" but don't create a great deal of room for uncertainty, debate, and critical thinking. Often "numbers" don't do an adequate job of showcasing the impact on reputation risk or investor reactions based on loss of confidence and market emotion.
Executives often miss a key point in understanding what a risk really is. Often, being factually right is not enough. Understanding the likely public (or regulator, or media) perception of these same facts may be the difference in a company meltdown or a company triumph in adverse circumstances.
Many ERM practitioners say that you must quantify every risk in order to manage risks. How does one "quantify" the potential of public outrage over executive compensation decisions made in good economic times when the exit pay package is paid in the bad times of layoffs that few can predict? An airline may be in technical compliance with FAA regulations on fleet maintenance, but what happens if the media discovers a track record of coziness with inspectors? There may be a one in a million chance of a product fatality, but what happens if the fatality happens to be a child? What is your risk if you handle a true accidental workplace fatality with all the right responses, but the CEO comes off as uncaring and calloused in the media?
If you are a bank, your primary asset is public confidence that hard-earned savings are in good hands. What happens when that confidence is shaken because you invested in some assets that are now highly uncertain? Risk is defined by the perception of facts, not facts themselves.
A must read in any risk professional's bookcase is The Black Swan, by Nassim Nicholas Taleb. The basic premise of the book is that we believe we live in a "bell curve," a predictable world, and are taught such in business school and in the media. In this bell curve world, we believe we can predict the future by extrapolating from the past. The problem is that reliance on the past leaves little room for trend-busting changes that turn the predictability of the past into an irrelevant crystal ball exercise. When these events occur (i.e., "black swans"), they create massive, disruptive change in the world that we know.
For example, I recall having intense conversations with executives at a former employer (an airline) about the risk that oil prices might just be jumping off the historical tracks (it was $38 per barrel at the time, an unheard of run up from the mid-$20s) due to the expansion of the war on terror and likely perceived supply disruption, increasing evidence of "peak oil" supply, and increased demand from emerging growth economies of Brazil, India, China, and Russia. The suggestion was that we consider contingencies to survive as a business if there was a fundamental delinking of oil price trends from the past. This discussion was consistently dismissed because the historical experience was that "oil is a mean reverting commodity," and sure to return to the mid-$20s because it always had.
A similar black swan—residential real estate prices in the United States—had also "never" had a nominal decline in 30+ years of tracking home prices either … and real estate price drops "can only happen at a localized level." The Case-Schiller home price index of 20 major metropolitan areas shows a decline of 16 percent in home prices from July 2007 to July 2008. I, along with millions of others, also missed this particular black swan residing in our neighborhoods.
Thousands of companies and millions of people were making money on rising real estate prices. The "safe" money was in real estate, remember? We all enjoyed the rising housing prices, and the growth in real and paper wealth it represented. Few complained when the risk in the housing prices played in their favor. SUVs printed money for U.S. automakers year after year, and we all enjoyed the room and convenience of these gas-guzzling behemoths.
In insurance, the more exotic insurance and derivative products like credit default swaps made billions for powerful and aggressive risk-taking companies such as AIG. Banks worldwide enjoyed the high rate of return on assets and the portfolio effects of mortgage securitization for years. It would be a very courageous executive indeed to "cry in the wilderness" against the potential risks created from products generating handsome profits and cash flow. Imagine the poor fellow standing up to a high-powered CEO (picture Hank Greenberg!) and telling him or her that their multibillion dollar enterprise should not leverage its A+ balance sheet on poorly understood exotic derivatives, credit default swaps, and rising real estate prices when billions were to be made. That is a pretty ugly mental picture, isn't it?
Effective ERM occasionally requires a dose of contrarian views coupled with more than a dash of moral courage, the combination of which is often negatively equated with career advancement. For ERM to truly be effective, a company's culture, from the very top, should encourage the appropriate questioning of the status quo without killing the questioner. But that is a hard lesson to learn.
Warren Buffett summarized this trait of human and business behavior best when he said:
Most managers have very little incentive to make intelligent-but-with-some-chance-of-looking-like-an-idiot decision. Their personal gain/loss ratio is all too obvious; if an unconventional decision works out well, they get a pat on the back, and if it works out poorly, they get a pink slip. Failing conventionally is the route to go; as a group, lemmings may have a rotten image, but no individual lemming has ever received bad press.
It is easier on your career, your marriage, and your ulcers to swim with the prevailing current than against it. However, for ERM to be effective, occasionally one does have to swim against the tide and run the risk of getting eaten by the sharks.
Gone are the days when one person (a risk manager, CFO, CEO) can come to grips with all the risks of a single company. Risks in supply chain, in finance, in the environment, and in reputation are global in scope. Company-killer risks exist in the ripples of events like tainted milk in China, failing banks in Iceland, residential real estate prices in the United States, and commodity price volatility from Middle East politics and the illogical acts of terrorists.
ERM is not a centralized function to be administered at company headquarters, but a management capability and way of thinking that must be global in its scope to be truly effective. The entire leadership of an organization must be attuned to the internal and external risks that can impact an organization across the globe, with an ability to identify and communicate these risks to decision makers without retribution. If a company is depending on one person to be the risk safety net of the organization, ERM will fail, because one person will never know enough.
Finance, science, the economy, medicine, the environment politics—almost all areas of life, business, and governance is highly specialized, with experts having deep expertise in a particular area. More information is added in a day to the Internet than in some decades of human progress. Not only is it impossible to keep up with it all, it is increasingly hard to be a generalist in one's knowledge. We end up defaulting to the "experts" in a particular area because many times, we have neither the time, experience, nor sheer ability to figure out if they are smoking their own exhaust or not.
Regarding the sophisticated sub-prime collateralized mortgage bonds bought by many very smart, sophisticated banks and investors worldwide, one estimate from a prominent economist is that there are only a few hundred financial analysts or market specialists in the world that truly understand these products, where the risk truly is, and what they are worth. Well, we listened, we thought we understood, and we (and the experts) were wrong. Functional and expert sophistication typically overwhelms the general understanding of decision makers and critical control points.
Enterprise risk management works. It adds tremendous value to organizations large and small, public and private, U.S. and international. However, it is not the end all, and it does not mean that all risks will be eliminated. Sometimes monsters do come out from under the bed in the middle of the night. Sometimes we create the monsters ourselves because we don't examine ourselves to understand where the process of ERM could go wrong.
The above is by no means a complete list of how ERM can fail, but perhaps it will prompt some thinking by all. A healthy skepticism of ERM is always a good thing, and, as with pressure testing our own designs and processes, we get better. I for one am looking forward to learning all I can from the financial chaos of the recent months—at least then perhaps something good might come of it!
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.