Risk Management: Why It Failed, How to Fix It

Management support, governance, and design determine the strength of an ERM function.

Bruce Caplain
Managing Director, Internal Audit
The Blackstone Group

The recent financial industry meltdown and transformation leaves many questions — how did it happen? Could it have been avoided? Will it happen again? Though there are many theories about how the crisis began, there's no simple explanation. One theory is that responsibility lies with the consumer. Over the last decade, U.S. consumers took on more debt in real dollars, and as a percentage of income, than any other time in history. Debt took many forms including mortgages, second mortgages, lines of credit, credit card debts, auto loans, and student loans. The average consumer became oversaturated with debt.

From a lender's perspective, these were great times. They continually created and marketed new forms of debt, no matter how high the interest rates and how little collateral they took or loan documentation they required. Rarely did they hold onto this debt. Instead, they sold it, often to investment bankers who repackaged and sold pieces to other investors at a great profit to all (referred to as the greater fool theory). Everyone was making lots of money, and consumers were enjoying endless conspicuous consumption, oftentimes well beyond their means. And since buyers of securitizations wanted to increase profits even more, they leveraged these transactions.

At the same time, banks looked to increase profits. Since the consumer was saturated with debt, lenders had to find new consumers and did so by venturing further down the credit food chain. However, they didn't realize that the risks increased exponentially. Most likely, no one in risk management at the banks reported to the board the increased exposure assumed from the changed business model, and no one at the investment houses who bought the paper looked at correlations across investment categories, particularly not in light of their leverage.

Complicating matters further was the fact that rating agencies rated these securities AAA — the safest rating — so investors rarely looked at what they were buying. This fragile model only needed one bump to knock down the house of cards. And when housing prices stalled, it all fell apart. Yet if you asked any of the troubled organizations they would tell you, before the meltdown, that they had a strong risk management function.

So what went wrong at these financial firms, allowing such huge losses to occur? To know what was missing in the firms' enterprise risk management (ERM) functions, it is important to first understand what has to be in place for the ERM function to work correctly. Three factors have to be in place or there is a serious risk of failure: management's commitment (including that of the board), the organization's governance structure, and ERM's design.

MANAGEMENT AND BOARD COMMITMENT

The importance of tone at the top should never be underestimated. If management, or the board, does not show interest in an initiative, it will not be a priority and therefore will likely fail. Lehman Brothers had a strong risk management function, yet its Risk Committee (a sub-committee of the board) only met twice per year. Further, while the make-up of the board was quite impressive, the experience of board members in managing businesses such as Lehman's was thin. And Lehman wasn't alone in this.

When I first joined The Blackstone Group (TBG) there wasn't a formal ERM program in place; however, at the fund/business unit and executive levels, risk management was robust. The tone at TBG is clearly set at the top; and to reinforce their commitment, executive management also has US $1 billion of their own money invested alongside other limited partners. It's a bold statement of belief in their risk management abilities. To say they have confidence in their investment ability ignores the rest of the equation — they also understand, manage, and monitor their risks. Successful investing over the long term cannot happen without proper risk management.

GOVERNANCE STRUCTURE

Governance structure can be a very broad topic, but in this discussion it is limited to the governance functions that exist within the organization, the individuals who oversee them, and how those functions interact with one another as they form the foundation for a solid ERM function. When talking about governance functions, one is referring to oversight functions within an organization that focus on risk and identify and mitigate issues.

Types of Functions
An organization's governance functions can be formal or informal, narrow or broad, coordinated or uncoordinated. Without the right combination for a given organization, program failure is likely. However, the governance structure and ERM functions should be expected to evolve along a defined continuum.

Formal versus informal structures differ in degree, but at one extreme the functions are loosely structured, without charters, oversight, or a defined mission; at the other end they are well thought out by an oversight group and have clear and defined roles, reporting relationships, and scopes. One runs the risk of a lack of focus and discipline, while the other risks rigidity; both increase the potential to miss emerging risks. Banks tend to be very rigid in their approach, which is likely part of the reason risks weren't identified and mitigated during the financial crisis. They were likely too focused on metrics to see the correlations or emerging risks across governance functions as they formed.

Governance functions can also be narrow or broadly defined. On the narrow end, one might only include internal audit and compliance, but as it expands it can include legal, information security, U.S. Sarbanes-Oxley Act of 2002 compliance, fraud risk management, vendor management, and ERM. Not all organizations need every aspect of this governance program. However, broader coverage is generally better as each area has a different focus and expertise. The downside is governance fatigue. Again, it is dependent on the organization's size, maturity, and culture.

Last is the degree of coordination among functions. A coordinated approach starts with thorough knowledge of each other's responsibilities and scope, as well as respect for each other's role. From there it's easy to build on responsibilities, boundaries, and reporting. To be successful though, a common language is needed. Each group needs to define risk the same way. Otherwise one area may highlight a risk as "high" while others consider it "medium" or "low." Creating confusion among business units will surely sidetrack or derail any ERM or governance program.

Without a coordinated approach among governance functions the business units will get fatigued quickly, creating a governance crisis rather than a governance focus. Goldman Sachs is renowned for its coordinated approach, and it has served them well through the current financial crisis.

An ERM function can't work unless it's gathering data from all ends of the organization. What better place to start than the governance functions, which by their nature identify risk? When risks are compiled via ERM, auditors can begin identifying hot spots and emerging risks that may not be identified by the individual governance units. This does not constitute an entire ERM function; rather it serves as a foundational piece.

Reporting Lines
The way an organization is structured has a direct impact on how it is perceived, and how it operates. Governance functions are no different. Some organizations consolidate governance functions under a governance, risk, and compliance group (typically seen in banks), some report centrally to a chief risk officer, and still others are decentralized with varying reporting lines. In the first two models, unless the head of that group is also the corporate auditor, an independence issue may arise as the chief audit executive (CAE) will be auditing, and therefore critiquing his or her boss' functions. It could even be argued that the CAE shouldn't "own" all governance functions as some are perilously close to operational units and therefore beyond the acceptable scope of a CAE. Moreover, other governance areas like compliance and information security need to be audited, and the CAE cannot objectively audit him- or herself.

The decentralized model too has its downsides. It can only work in organizations that have the right culture and governance units that are open and cooperative with one another. As a benefit, this model allows oversight by experts in their area. For example, compliance can report to the general counsel as that person best understands compliance issues and therefore is in the best position to support that group.

ERM needs to be independent and therefore can be driven by internal auditing (as long as ERM isn't involved in setting risk limits and performing other activities that could impede its independence), or led by an ERM head that reports administratively to the chief operating officer (COO) and functionally to the audit or risk committee of the board. If ERM is not independent, issues raised may be quelled by management without the board's knowledge. If one were to examine the companies that failed during the current crisis, one would often see an ERM function reporting functionally to management; clearly this is a flaw in corporate governance structures that has to change.

ERM DESIGN

ERM design can take many forms, and will look different at implementation than several years down the road. Implementation design is critical to the program's success, and therefore careful consideration of various factors needs to be given before starting.

Varying ERM Programs
[Figure: Spectrum of ERM Programs]
Ask 100 people for a definition of ERM and you are bound to get at least 100 different answers. ERM can be defined along a broad continuum (see "Spectrum of ERM Programs," right) with a very informal, decentralized, discussion-based process at one end and a quantitative, metric-driven, rigid technical model at the other. Finding the organization's "sweet spot" is key to establishing an effective function. Organizations should not enter this continuum with the expectation of staying in that spot; rather, it should be thought of as a journey that starts when they begin an ERM practice. At TBG, we entered the continuum with an ongoing risk assessment process and by implementing centralized reporting across governance functions, but without metrics or intense quantitative analyses.

Practically speaking, a program that is purely or heavily quantitative will inevitably fail, as it will miss emerging risks. I once interviewed a job candidate who explained to me that his organization implemented an ERM process at a financial institution using more than 2,000 key risk indicators (KRIs) that were monitored regularly. This person was convinced that at least 1,000 KRIs could be implemented at TBG within a year. That interview ended quickly. If one is focused on 2,000 KRIs, he or she is most likely missing the risks that are often only garnered through discussions with management and an understanding of the business. Implementing 1,000 KRIs at a firm like TBG would be crippling, and it flies in the face of how risk is managed. It is therefore important to understand the organization, how to obtain the information needed to fulfill ERM's objectives, and where the organization wants to venture on this journey.

Key Program Elements
When starting an ERM program, knowing what the end product will look like helps the risk managers understand the elements needed. Our goal at TBG was to develop executive- and board-level reporting, enabling both groups to see key risks on a consolidated basis. Supporting this is a summary of the firm's top risks, including owners, mitigation plans, and time to remediate.

[Figure: Enterprise Risk Pyramid]
When compiling risks across the organization, start with the function that has the broadest scope — internal auditing — as it is auditing's role to perform risk assessments and update them on an ongoing basis. The "Enterprise Risk Pyramid," left, is an example of how an ERM function can build on and leverage each of the governance functions with the ultimate goal of developing consistent and transparent risk reporting.

Some elements needed to appropriately build ERM include ongoing visibility with all levels of management and insight into the organization's inner workings. As discussed earlier, a common language used across all governance functions is needed. This language allows governance issues to be aggregated and summarized by business unit, risk type, and issue. It doesn't have to be complicated — rather, it's best if it's simple so it's easily applied by all governance functions — and understood consistently by management. Generally the language comprises a discussion around how one defines the various levels of "likelihood" and "impact" of a risk, and how quickly that risk can occur.

Different views of the organization need to be incorporated as well — for example, what are the "game over" scenarios? In other words, what could happen to an organization that would force it to follow the path of other financial companies that have ceased to exist? Engaging in such discussions can be a difficult exercise, but the result allows for clear mitigation plans and the ability to monitor on an ongoing basis. Most likely neither Goldman Sachs nor Morgan Stanley ever thought to include in their risk management "play book" a scenario that almost forced them out of existence because their competitors merged or filed for bankruptcy, thereby causing a lack of confidence in the markets and in their business.

Perhaps most important to an effective ERM program is understanding correlations — among risks, investments, or both — across the organization. Correlated risks are those risks that, if they materialize, would trigger another risk, which in turn could trigger another. For example, if interest rates increase, sub-prime borrowers — many of whom have teaser, or floating, rates — will not be able to make their mortgage payments. They will default on their mortgages, causing a rash of foreclosures, thus pushing housing prices down and diminishing the value of mortgage-backed securities, which in turn causes significant losses to holders, and so on. This is a familiar story. Most banks and financial firms focused on each event as a separate risk occurrence rather than as cause and effect. Effect was limited to a specific risk and not correlated to other risks.

Lastly, as risk managers look at the various elements to include when building an ERM function, they should include events. Events are simply those things (generally bad things) that happened in the industry, or within the organization, in the past. As each event occurs, the ERM function should assess whether those same risks exist within the organization and, if they do, whether they are adequately mitigated.

LOOKING FORWARD

When establishing an ERM function, or evaluating an existing function, the events of the previous year should be used as a guide to those things that worked, and to those that didn't. ERM is an exciting program that, when done right, puts the risk manager at the center of an organization's activities, providing guidance to management and objective insight to the board on risks and exposures. It's also a great complement to an internal audit program that is always identifying emerging risks and ensuring they are properly mitigated. If ERM is done right, perhaps the next economic downturn won't be so severe.

To comment on this article, e-mail the author at bruce.caplain@theiia.org.

April 2012 IA Online Cover