November 11, 2014
3 Reasons Why Risks Are Mismanaged
by Donna Galer
ERM practitioners must determine how much they can rely on what colleagues in other functions or units say about a situation and its risks.
ERM can bring great benefits. By managing risk, it helps to minimize loss as well as maximize strategic profitability, optimize opportunities and enhance culture and reputation. Thus, when a loss occurs in a company that has been practicing ERM, the reaction is to be disappointed in ERM as a practice or to blame the ERM leader for faulty execution. It would be unwise, however, to react without further analysis and greater understanding.
No process or person is perfect; there will be times when ERM may fail to live up to expectations. Even with excellent execution, there will be times when a risk is too opaque or too complicated to be identified or managed effectively.
All ERM practitioners must determine how much they can rely on what their colleagues in other functions or business units say about a business situation and how much risk it holds, because there are, at least, three circumstances that might cause a business leader or “expert” to overlook or underestimate a risk. They are:
- Reluctance to expose or report a risk, for whatever reason,
- Lack of sufficient expertise or experience to recognize a risk or determine its size,
- Reliance on imprecise or inadequate standards and models that fail to signal a risk.
It is really not such a mystery why a business leader or staff member might be reluctant to identify a risk. Among the reasons are:
- Fear of being labeled a naysayer,
- Fear of derailing an initiative that has favor in the C-Suite, thus becoming persona non grata,
- Concern that identifying a risk might hurt personal compensation, at least in the short term.
An environment that is rife with these cultural stimuli will never produce transparency in risk identification and mitigation. Factors that can give rise to such an environment include:
- Senior management who cannot distinguish between a naysayer and someone who is risk-aware and committed,
- Senior management who have shown themselves to be closed-minded or have “shot the messenger” when presented with an issue,
- Staff at any level who are not able or willing to consider the long-term health of the organization.
An environment where risk is openly discussed is a prerequisite to being able to manage risk well, but producing such an atmosphere takes time and effort. Much has been written about ERM and culture, and this literature holds great advice about how to build a risk-aware culture. Among the collected wisdom is:
- The board and CEO must continuously champion ERM,
- Risk must be represented in strategy discussions, organizational performance management, various employee communications and individual performance plans,
- ERM must be given effective resources,
- The ERM process should be robust and repeatable,
- Mitigation plans should be closely monitored,
- Rewards or lack thereof should be determined on the basis of how well risk is managed per plans.
Lack of Expertise
Less sinister but no less dangerous a situation exists when the presumed experts do not have the knowledge or skill to identify risks within their spheres of responsibility. The person involved could be a business unit leader, a plant manager, a department/function head or a member of the C-Suite.
Consider the testimony given by Jamie Dimon, chairman and CEO of JPMorgan Chase, about the bank’s chief investment office (CIO). His bank lost billions of dollars from a large accumulation of synthetic derivatives tied to credit default swaps that crashed in value. These investments were handled by staff based in London, in a debacle nicknamed “The London Whale.” The following is an excerpt of that testimony before the Committee on Banking, Housing, and Urban Affairs in the U.S. Senate on June 13, 2012:
- “CIO’s strategy for reducing the synthetic credit portfolio was poorly conceived and vetted. The strategy was not carefully analyzed or subjected to rigorous stress testing within CIO and was not reviewed outside CIO.
- “In hindsight, CIO’s traders did not have the requisite understanding of the risks they took. When the positions began to experience losses in March and early April, they incorrectly concluded that those losses were the result of anomalous and temporary market movements, and therefore were likely to reverse themselves.
- “The risk limits for the synthetic credit portfolio should have been specific to the portfolio and much more granular, i.e., only allowing lower limits on each specific risk being taken.
- “Personnel in key control roles in CIO were in transition, and risk control functions were generally ineffective in challenging the judgment of CIO’s trading personnel. Risk committee structures and processes in CIO were not as formal or robust as they should have been.
- “CIO, particularly the synthetic credit portfolio, should have gotten more scrutiny from both senior management and the firmwide risk control function.”
This is truly a wake-up call to all organizations. It is an example of consciously adopted risk that produced billions of dollars of loss. The reason for its having reached the proportions that it did is described by the CEO as a lack of expertise, whether it be in terms of market knowledge, management controls and processes or something else.
To help ensure appropriate levels of expertise, an organization should ask these questions and act when the answer is negative:
- Do the leaders of significant areas of the organization have deep knowledge of their operations?
- Do the leaders of significant areas of the organization understand the importance of managing risk?
- Do the leaders of significant areas of the organization have critical thinking capabilities and the communication skills to articulate what the risk profile of their operation looks like?
- Do the leaders of significant areas of the organization ask for input from others who may be expert about risk?
- Are those who facilitate the risk management process adequately knowledgeable and given sufficient resources?
- Are there specialized risk management professionals in place in key areas, e.g. a chief information security officer (CISO) for information technology, as needed? Alternatively, is this role competently outsourced?
Inadequate Standards or Models
Organizations of all sizes rely on standards or models, either self-designed or designed by an expert group (governmental or professional), which indicate when some aspect of the business is exceeding a safe level of operation. Insurers use loss-modeling tools; banks use “value at risk” models; manufacturers use all sorts of gauges, such as air safety levels and equipment safe usage levels. There are also standards of safety applied to all manner of things both public and private, from buildings to transportation to infrastructure such as bridges, power grids and so on. These are routinely inspected to ascertain performance against pre-established standards of acceptability.
As can be readily appreciated, if the standard or model is faulty, then the business leader, staff or risk professional is placed at a disadvantage in identifying or evaluating the likelihood or the size of a risk.
Consider that the models used by many banks and investment houses before the financial crisis of 2008 did not help them avoid major losses. The testimony quoted above shows issues with the model used to monitor the synthetic credit portfolio at JPMorgan Chase.
Consider that, according to the Associated Press in 2013, “Of 607,380 bridges, the most recent Federal Bridge Inventory showed that 65,605 were classified as structurally deficient and 20,808 were as fracture critical. . . . Officials say the bridges are safe.” How can a state or city risk manager know how to handle risk associated with the bridges when the standard of safety is so confusing? Not surprisingly, there have been some major bridge failures in the recent past.
Organizations need to vet their standards and models. For example, they could:
- Get second opinions on the model of choice,
- Use multiple models, not just one,
- Stress test the model at regular intervals,
- Establish contingency plans in case the model fails.
No organization will eliminate all uncertainty. However, with the right risk culture, knowledgeable leaders and robust models, an organization can minimize exposure to unanticipated and unmitigated risk.