Washington Mutual Dissected - Deficient Risk Management, Controls, and More

A May 18th article in Compliance Week by Rick Steinberg (former PwC partner who was the lead partner on the development of the COSO internal controls framework) doesn’t mince any words when it comes to practices at Washington Mutual (WaMu). He believes, and his points are cogent, that WaMu “created such a toxic environment for itself, one so bad that you have to wonder how anyone within the organization could survive, and whether any amount of help — oxygen, liquidity, or otherwise — could have saved the company.”

He quotes Senator Carl Levin: “Using a toxic mix of high-risk lending, lax controls, and compensation policies that rewarded quantity over quality, Washington Mutual flooded the market with shoddy loans that went bad.”

I thoroughly recommend a careful and thoughtful read of the article. While there are issues relating to fraud (in loan processing), risk management, and controls, the primary issue was leadership and the corporate culture — what Rick would call Control Environment issues in the COSO internal control model. The tone at the top was hardly conducive to ethical and risk/controls-conscious behavior by management or staff.

I like the way Rick ends, and will use his last paragraph to end this post:

“Companies seeking to drive up the top line without regard to quality seem to allow established controls to be diminished or ignored. Sometimes this is done intentionally, other times subconsciously in concert with the shortsighted push for quantity. This is where the risk officer, compliance officer, legal counsel, audit executive, audit committee, and others need to step up and do what’s necessary to ensure business initiatives are well controlled—to ensure that long-term business goals are indeed likely to be met.”

Posted on May 18, 2010 by Norman Marks


  1. In my opinion this is fuel on the fire for rethinking modern interpretation of risk management. Risk management is not an exercise that evaluates external threats or the consequences of a specific transaction. It is understanding the strengths and vulnerabilities of business objective management first and then applying awareness of risks. Seems like a simple nuance but it is not. Would a battle commander spend all of his time evaluating the weapons that may face him in a battle and ignore the training of the soldiers, or the measurement of the armor quality they wear? That seems silly. Yet when we look at modern risk management we see complicated lists of risks and tools to slice and dice them. When all the while management has not effectively implemented management controls that will allow them to have transparency in objective implementation and oversight....

  1. Dan, we usually agree but unless I misunderstand your comment "Risk management is not an exercise that evaluates external threats or the consequences of a specific transaction" we fundamentally disagree.

    Effective risk management programs consider risks to the organization's strategic and operational objectives. They should consider all kinds of external threats, including:

    • Competitors
    • Advances in technology (which apply to a company like SAP, or my prior companies in high-tech)
    • Supply chain disruption
    • Changes in the economic environment
    • Changes in the regulatory environment
    • Hackers
    • and many more

    At SAP, we apply risk management techniques as part of the daily practice of deal and decision making, and in project management.

    • Risks to development projects are identified, assessed and managed
    • We do the same for all large revenue transactions
    • We apply risk management in adding partners to our massive ecosystem

    Risk management when it is fully mature is something that is part of the culture. It is not something you do only on Fridays.

    I believe you need to take both a top-down (value driver - strategy, objectives, plans - risk to strategy, objectives, plans) and bottoms-up (risks to achieving the objective of the hiring decision, selection of a vendor, assignment of staff to lead a project) approach.

  1. Norman,

    I think I missed a word. I meant to note that risk management is not "Just" an exercise of external risks or the risks to a transaction. In order for it to be meaningful and value adding to the organization, it must include awareness of the strength of management. There are prerequisite activities in understanding the "management" of risk management.

    In the implementation of risk management, one can come across many tools to list and digest risk, yet risk is only given meaning if it can be sourced to the objectives it threatens. In the process of sourcing that risk, an awareness of business objective management strength will really determine the exposure to the risk. In the case of WAMU, they had moved the army into the battlefield and taken off the heavy armor. The location of the army (the risks it was assuming) and the state of the armor (controls) would have been much more meaningful information to the WAMU Board than the impact and likelihood of an arrow being shot (risk).
