



Feature


   Ellen Hexter
Director, Enterprise Risk Management
The Conference Board 

Credit Crisis: Don’t Blame Failed Risk Management

What was absent in many of the companies that took undue risk was good governance.

By Ellen Hexter



If financial institutions are so good at understanding and managing risk, what are we doing in the subprime mess?

One of the culprits being blamed for this financial disarray is poor risk management. Why are financial services companies, which are supposed to be wizards in risk management, unable to adequately manage their risks? 

Even more importantly, if risk management fails so spectacularly in the companies that are supposed to be good at it, what hope is there for other companies that have more complex risk issues to manage?

Many companies are in the early stages of implementing enterprise risk management (ERM), a framework that encourages organizations to make decisions that are forward-looking and that take risks and rewards into consideration. Ideally, ERM provides tools to address root causes of risks, and to look across an entire company to understand the connection of risks and opportunities with the decisions that managers make.

At many financial firms, connecting those dots is what was missing.

What Shareholders Expect
One of the greatest benefits that ERM can bring is to link risk management to governance. ERM can provide better transparency throughout an organization, allowing insight for senior leaders and boards of directors into how much risk the company is taking.

Shareholders expect that good governance includes:

• significant understanding of the risks within a company,

• a sense of whether the company will meet its strategic and operating objectives, and

• a board actively involved in succession planning at the very top of the company.

None of these appear to have happened in the subprime meltdown.

Was 2007, then, an example of risk management failures in these companies, or of governance failures?

If decisions aren’t based on information that emanates from the risk infrastructure, that structure may do little good for stakeholders. Thus, the current subprime problems are less about risk management and more about governance failures.

Where Is the Tie?
Where is the tie between risk management expertise, ERM, and good governance in financial services companies today?

It has been accepted that banks and insurance companies have been ahead of the curve with ERM because they have so much risk management infrastructure in place. For a few institutions, that may be the case.

But regulation does not address strategic risk, and with that missing piece, risk management does not equal enterprise risk management. ERM is not the same as compliance. Moreover, having good risk infrastructure and risk modeling does not necessarily mean that executives will choose to follow what their risk signals and models are telling them.

If those now building ERM within their organizations take away the lessons from the subprime mess, then we are likely to see fewer spectacular failures. Without the institutional understanding and consideration of risk alongside opportunity, ERM is merely an expensive exercise. Some people in the organization may know the risks, but unless there are mechanisms to clearly communicate these risks to the right levels, companies cannot effectively take advantage of this knowledge.

The subprime debacle has taught us that having risk infrastructure in place doesn’t mean that even relatively sophisticated, relatively advanced users of risk management have the means or the interest to tie risks together or communicate them effectively.

Perhaps as we look back on 2007, one of the lessons we need to remember is that good governance was absent in many of these companies that took undue risk.

Three Scenarios
There are three scenarios for those running these organizations that have suffered heavy losses:

• To the extent that CEOs didn’t understand the risks, they deserved to lose their jobs. It is the responsibility of the CEO to understand the risks and rewards of the direction of the company and the decisions that are made to meet objectives.

• To the extent that CEOs did understand but didn’t convey the risks they were taking, they, too, deserve to lose their jobs. Shareholders, employees, customers, and other stakeholders have the right to understand the goals of a company and understand the level of risk they are taking by investing in, working for, or dealing with that company.

• To the extent that senior leadership understood and was transparent about risks or understood and chose a different course of action, then these leaders should be acknowledged and rewarded for managing their companies well.

None of these scenarios should ever be a surprise to a board of directors. Boards are in place to represent shareholders, and shareholders need to remind directors when they do not live up to their fiduciary responsibilities.

A Board Response
The subprime problems will be with us through many more months. The opportunity in 2008 is to hold boards of directors accountable for what happened in many companies.

One of the ways that boards can respond is by being better advocates for building enterprise risk management into their companies, and then actually using it. ERM won’t ensure that every decision is the right decision, but it will provide tools for better-informed decisions.




Ellen Hexter is director, Enterprise Risk Management, at The Conference Board. She can be contacted at ellen.hexter@conference-board.org.


Copyright © 2008 Directors & Boards, P.O. Box 41966
Philadelphia, PA 19101-1966. All rights reserved.