By THOMAS M. MULHARE, partner-in-charge of the Financial Services Group and Business Risk Consulting Group at Amper, Politziner & Mattia
In our troubled economic climate, there is an endless amount of uncertainty among stakeholders toward many companies' risk management capabilities. In one of the scariest examples, American International Group Inc. collapsed after it made too many credit default swaps insuring mortgage-backed securities. The government intervened, pumping billions into AIG.
Then, late in 2008, other insurance companies reported brutal third- and fourth-quarter losses. The soft premium market and losses on investments are combining to confront the insurance industry with its most challenging time in recent history. And poor risk management in the financial sector is at the core of a lot of the turbulence.
A recent survey of 125 chief financial officers conducted by Towers Perrin revealed that 62 percent of them blamed the current financial crisis on risk management departments' inability to understand complex financial instruments.
But in the same breath, or nearly the same breath, about 75 percent of the respondents said risk management was more important than financial management issues like securing equity financing, short- and long-term debt allocation, and others.
What does this say about the job of risk manager? It says that the role is constantly evolving, and that we are in the midst of a new era of risk management, where organizations are facing new challenges from all angles.
Knowing your organization's risk profile and appetite, as well as the inventory of risks it is susceptible to, is imperative. This last year has shown--either from an experienced loss event or simply from the newswire--how broad the spectrum of risks is that need to be considered.
Today's risk manager must wear many hats: policy-maker; liaison to the chief financial officer and general counsel; board of directors' adviser; manager of credit risk, political risk, product liability, cyber risk and intellectual property; and now more than ever, steward of enterprise risk management.
A NEW BREED
Not only should the new risk manager assess the complete inventory of a company's risk across all departments and businesses, she should be empowered to establish and implement a comprehensive risk management system that will ultimately be embedded into the culture of the company.
It will take an exceptional, experienced person to meet the challenges of the risk manager post--one who is confident, aggressive, inquisitive, persistent and well-rounded. An individual who has a solid grasp of all aspects of the business, knowledge of regulatory and legal affairs, and experience with financial reporting will do well.
This job description might attract someone with a chief operating officer background, or someone who has work experience in one of the disciplines mentioned above. The candidate does not necessarily have to be broadly educated, but she should possess a spectrum of experiences built on both her education and her specialty. There needs to be a rigorous formal process for assessing and addressing risks to the organization.
This is a challenging position, especially given that this person will need to earn the respect and confidence of the C-level executives and the board of directors, and who will also need the discipline to act objectively when the situation demands.
One challenge that will face the new risk manager will occur when other management wants to override controls that have been put in place to manage risk. There may be times when an override is necessary, but what is important is that the risk management process remains intact.
Top management, the board and the risk manager all have to agree that an override is necessary--and that by conducting an override, they will still be able to manage risk within the boundaries acceptable for the organization's risk profile and appetite.
A crucial lesson learned from the credit default swaps debacle was that some risk decisions--which were acceptable because of low risks to the entity--were proven to be faulty. Going forward, it will be the risk manager's role to challenge management to ensure that these decisions to increase the risk appetite are thought through.
Having knowledge of the company as a whole and knowing how individual risks are interrelated are key. This level of sophistication can originate from several areas. A risk manager who has worn all hats within the company already and has walked the shop floor will bring that experience to the table.
She will have been well-trained to grasp the nuances of the workings of each department and should have a process to embrace the intercommunications of all departments to provide periodic updates in all areas. Information flow, as well as sharing and communicating, is a key driver to the success of the risk management process.
TO THINE OWN SELF BE TRUE
Another sign of a sophisticated risk manager is her ability to be honest with herself about the limits of her expertise. If a pharmaceutical company risk manager is well versed in the risks involved in tablet production, having worked at such a plant, but has not done a stint in biopharma and so cannot speak first-hand to risks associated with injectibles and biologicals, she should know to seek out subject-matter specialists in those areas.
Whether help comes from hiring an outside expert, or pulling someone from the biopharma ranks, it is critical that the risk manager ensure that all bases are covered.
The message must come from the top that the risk manager has the authority to poke around in all corners of the business--there can be no out-of-bounds areas. Recent history has proven that anything less than full disclosure within a company can lead to disaster.
But what happens when other managers try to shut the risk manager out? This is where the persistence of the risk manager comes into play. The best risk manager is the one who is the most inquisitive--she is not afraid to ask questions until she receives answers that make sense.
She also doesn't hesitate to point to the overall strategy of the organization, which shows commitment from the top and a direct link to the company's performance directives. The risk manager should not be viewed by management as an impediment or a barrier, but as a partner in achieving the organization's objectives.
In the events that have unfolded over the last few months with the AIG saga and elsewhere on Wall Street, the pitfall that has been identified is that one department is making a lot of money for the company and so becomes untouchable. The implied message is to leave that department alone--there's no need to ensure that best practices are being followed.
But for the risk manager, this kind of dynamic should be the biggest red flag of all--and where she should push back hard and start asking the tough questions. If acceptable answers are not given, or if the risk manager is being blocked, she has an obligation to go to the CEO and board and ask them to intervene.
A FAVORITE SON?
The risk manager will need to push her agenda through to the executive suite to receive endorsement by the CEO, the board and even the general counsel. Once there is buy-in from the top levels, it should be well publicized throughout the company.
The message should be clear: It is the responsibility of every manager to communicate emerging risks, in real time, to the risk manager. If a risk that the organization accepted is getting beyond previously established parameters, that too needs to be reported to the risk manager.
It may be a challenge to overcome perceptions from other managers and employees that the risk manager is working against, not with, the rest of the team. But if the risk manager does not push to have that top-down endorsement, she is limiting her own powers and thus her effectiveness in helping the company.
Here is a statement that we have not heard enough after the demise of some of our financial institutions: "And the risk manager resigned when management overrode the controls." Or, "The risk manager complained to the board over the high level of risk the company was taking on." Looking to the future, as financial regulations increase, we may see this happening more often than not.
Risk management has nothing to do with the elimination of risk. Nor does it mean that new risks will not emerge once a system is in place. But there should be a consciousness of the risk so that, when it is uncovered or occurs, people will have an action plan in place to address the crisis.
The ideal risk manager will indeed be a strong personality and serve as the policeman of management. But personality alone will not get the job done. It will be that person's ability to assist in the implementation of the company's risk management system and to create a change in culture that will be the mark, the new definition, of the successful risk manager.
June 1, 2009
Copyright 2009© LRP Publications