By JAMES LAM, president, James Lam & Associates, a provider of consulting and training solutions focused on risk management
Barack Obama was elected the 44th U.S. president on a platform of change. This historic election coincides with the most severe financial crisis since the Great Depression. Many books will be written about the root causes of the financial crisis--failed housing policies, lax regulatory oversight, complex structured products, inaccurate debt ratings, and undisciplined institutional and individual borrowers.
In my opinion, at the core of the financial crisis there has been a failure in risk management. As such, risk professionals should also think about an agenda for change and reflect on how we can make our profession more effective. Here are five critical changes that should be considered.
AGENDA #1: STRENGTHEN BOARD OVERSIGHT
According to recent surveys, risk management has replaced accounting issues to become the top concern for corporate boards. In the past, boards were often seen as the "audience" with respect to risk management. At board committees, they approved risk policies, reviewed risk reports and got PowerPoint presentations designed mainly to assure them risks are well managed.
In the future, boards must be active "participants" in the risk management process. They must debate risk tolerance levels, challenge management on critical business and financial strategies, and hold management accountable for the risk-return performance of past decisions.
To strengthen board oversight, boards should consider establishing a separate risk committee, especially at companies operating in risk-intensive industries (e.g., banking, insurance, energy). At a minimum, boards must ensure that risk management is allocated sufficient time and attention at the full board and/or audit committees. Boards should also consider adding risk experts to their ranks.
AGENDA #2: INCREASE RISK MANAGEMENT INDEPENDENCE
Where was the outcry? Why didn't we hear about chief risk officers going directly to the board or quitting out of protest given what was going on under their watch?
I believe a central issue is the continued lack of true independence of risk management. In the past, companies have worked to ensure that the risk management function is independent relative to the profit centers.
In the future, we must recognize that the company is one big profit center. As such, risk management should be, to a sufficient degree, independent relative to corporate management. This is similar to, but not to the full extent of, the independence of internal audit.
One organizational solution is to establish a dotted-line reporting relationship between the chief risk officer and the board or board risk committee. Under certain circumstances (e.g., CEO/CFO fraud, major reputational or regulatory issues, excessive risk taking), that dotted line may become a solid line such that the chief risk officer can go directly to the board without concern about his or her job security or compensation.
Ultimately, to be effective, risk management must have an independent voice. A direct communication channel to the board is one way to ensure that this voice is heard.
AGENDA #3: IMPLEMENT ENTERPRISE RISK MANAGEMENT
One of the key lessons from the current financial crisis (and previous financial crises) is that major risk events are usually the consequence of not one risk, but a confluence of interrelated risks. In the past, companies managed risk by silos, or they might have established enterprise risk management programs in name and not in practice.
Ample evidence exists that the silo approach to risk management has contributed to the ineffective management of interdependent risks in the current crisis. As an example, a recent front-page Wall Street Journal article reported that the risk model used by American International Group to manage the credit derivatives business only considered credit default risk, but not the mark-to-market or liquidity risks associated with the business.
In the future, companies should implement ERM programs that will analyze multirisk scenarios that may have significant financial impact. For banks, that would include the integrated analysis of credit, market and liquidity risks. For insurance companies, that would include the integrated analysis of investment, liability and interest rate risks. For all companies, there are critical interdependencies across business, financial and operational risks that must be managed on an integrated basis.
AGENDA #4: ESTABLISH DASHBOARD REPORTING
What gets measured gets managed. It is difficult to implement ERM when companies continue to measure and report risks by silos. There is a general sense of dissatisfaction among board members and senior executives with respect to the timeliness, quality and usefulness of risk reports.
In the past, companies reported on individual risks separately. These reports tend to be either too qualitative (risk assessments) or too quantitative (value-at-risk metrics). Risk reports also focused too much on past trends and current risk exposures.
In the future, companies should develop forward-looking, role-based dashboard reports. These reports should be customized to support the decisions of the individual or group, whether that is the board, executive management, or line and operations management. These dashboard reports should integrate qualitative and quantitative data, internal risk exposures and external drivers, and key performance and risk indicators.
Initially, companies should develop concise decision-based "paper dashboards." Over time, the databases, analytics and reporting should be automated. These "electronic dashboards" would be the risk analog to the touch-screen "Magic Map" pioneered by CNN to show real-time voting trends by state, including drill-down capabilities into granular voter segments.
AGENDA #5: CREATE A FEEDBACK LOOP
How do we know if risk management is working effectively? This is perhaps one of the most important questions facing boards, executives, regulators and risk managers today.
In the past, the effectiveness of risk management might have been measured by the achievement of development milestones, or the lack of policy violations, losses or surprises.
In the future, qualitative milestones or negative proofs will no longer be sufficient. We need to establish performance metrics and feedback loops for risk management. Other corporate and business functions have such measures and feedback loops. Business development has sales metrics, customer service has customer satisfaction scores and human resources has turnover rates.
In order to establish a feedback loop for risk management, its objective must first be defined in measurable terms. I believe the objective of risk management can be defined as minimizing unexpected earnings volatility. In other words, the objective of risk management is not to minimize absolute levels of risks or earnings volatility, but to minimize unknown sources of risks or earnings volatility.
Based on this definition, companies can perform earnings-at-risk analysis at the beginning of each reporting period. This analysis would identify the key risk drivers and quantify potential earnings impact (e.g., a 1 percent increase in rates would reduce earnings by 5 percent, or a 2 percent decrease in market share would reduce earnings by 12 percent).
At the end of each reporting period, companies can perform earnings-attribution analysis, in which they can identify the actual earnings drivers and sensitivities. Over time, the combination of these two analyses could provide a powerful performance measurement and feedback loop. Such a feedback loop would help the board and management to ensure that risk management is effective in terms of minimizing unexpected earnings volatility.
Finally, I believe this type of analysis should be provided with the earnings guidance of publicly traded companies. Relative to the current laundry-list approach of risk disclosure, earnings-at-risk and earnings-attribution analyses can provide much higher levels of risk transparency to investors.
Change will not happen if we don't first recognize that it is needed. I have no doubt that there is an agenda for change in risk management. This agenda will include many critical issues not addressed in this article, such as capital markets reform, regulatory oversight, management incentives, and risk disclosure requirements. However, I am a believer in maintaining one's own backyard. As a risk professional, I believe we should all do a bit of self-reflection and engage in a serious discussion on what should be the agenda for change in our profession.
January 20, 2009
Copyright © 2009 LRP Publications