The recent global economic crisis and subsequent recession was devastating, but was it really a surprise to those in the financial sector? BDO Senior Manager Francisco Basdekis discusses about a ‘tool’ that guards against economic crisis…
REGULATORY AGENCIES and industry organisations began warning of liquidity issues in the financial markets in late 2006 and early 2007. In January 2005, Federal Reserve Governor (Edward Gramlich) warned about instability in the subprime mortgage market and possible corrections in the housing market, noting the subprime incidence of mortgage brokers.
Likewise, certain reports indicated that real estate gains came to an abrupt halt in the first quarter of 2006. In late 2007, articles in the mainstream media put the blame squarely on poor risk management practices.
Board members and shareholders alike have expressed their outrage as companies have taken billion-dollar write-downs on transactions that were calculated as remote risks in financial models. Audit committees were questioning why audit risk assessments, conventional financial controls and corporate compliance activities did not reveal the extent of the potential collapse, particularly with so much emphasis given to Sarbanes-Oxley2 (SOX) financial controls and compliance efforts.
Pursuit of accountability
In the pursuit of accountability, additional questions continue to be asked: ‘Where were the risk managers?’ ‘Why did the CFOs’ and Treasurers not highlight these risks?’ ‘Where were the internal and external auditors?’ ‘Why were executives and boards not exercising more oversight?’ ‘Did the rating agencies fail to adequately understand, assess and report on risks taken by these companies?’ ‘Where were the regulators?’
In short, who should have been protecting investors against these unintended consequences? Was there a risk management failure? While it is certainly easy—and perhaps even gratifying to some—simply to lay the blame for these failures on risk management, a closer look reveals that these issues did not arise from a failure of risk management as a business discipline.
Rather, the Risk and Insurance Management Society contends that the financial crisis resulted from a system-wide failure to embrace appropriate enterprise risk management behaviours—or attributes—within these distressed organisations.
Additionally, there was an apparent failure to develop and reward internal risk management competencies. From the boardroom to the trading floor, individuals on the front line who were taking—and trading in—these risks ostensibly were rewarded for short-term profit alone.
Finally, there was a failure to use enterprise risk management to inform management’s decision making for both risk-taking and risk-avoiding decisions. Risk and Insurance Management Society believes that several key enterprise risk management behavioral attributes — if designed and implemented comprehensively and systemically — could have identified and mitigated, if not prevented, these losses for many of these entities.
Further, there is no ‘manual of enterprise risk management’ to tear up. Risk management is a general term referring to the overall process of addressing risk, not any one particular method for mitigating risk. The term ‘enterprise risk management’ covers risk management in the broadest possible terms, encompassing all forms of risk management activity across the entire organisation.
Today, a measure of stability has returned, but significant volatility remains, complicating our ability to effectively manage global risk and sustaining an uncomfortable level of uncertainty.
From sovereign debt to tsunamis, the universe of enterprise risk seems broader and more consequential than ever before, requiring new frameworks for strategic thinking. Those doing that thinking — ranging from C-suites, corporate boards, chief risk officers, and risk managers — have identified the need to take much broader, enterprise-wide views of complex risk interrelationships in order to effectively deal with new realities of risk.
The terms ‘risk management,’ ‘enterprise risk management’ and ‘financial risk management’ are often used in ways that make it seem that the terms are interchangeable, when in fact they are not. To help distinguish between these similar-sounding concepts, some descriptions have been provided below.
‘Risk Management’ is a broad term for the business discipline that protects the assets and profits of an organisation by reducing the potential for loss before it occurs, mitigating the impact of a loss if it occurs, and executing a swift recovery after a loss occurs.
It involves a series of steps that include risk identification, the measurement and evaluation of exposures, exposure reduction or elimination, risk reporting, and risk transfer and/or financing for losses that may occur. Effective risk management and board oversight should not be premised on risk avoidance.
Use of hedging contracts
Every corporation is exposed to and takes risks daily. What is important is to manage the balance of risk and reward and to identify and minimise the consequences of a negative occurrence to the extent possible.
All organisations practice risk management in multiple forms, depending on the exposure being addressed. However, the term used to describe that process will vary based on the nature of the organisation’s operations. For example, both a financial institution and a non-financial institution will have risk management procedures that address the threat of damage to physical assets from hazards such as windstorm or fire.
Both organisations will also have risk management processes that involve the use of hedging or derivative contracts designed to mitigate financial exposures such as interest rate or currency fluctuations.
The financial institution will refer to the process of managing financial exposures as ‘risk management’ due to the relative significance of that process to that organisation. In contrast, a non-financial institution will often describe this financial exposure mitigation process as ‘financial risk management’ and use the term ‘risk management’ to describe the use of insurance or similar risk transfer techniques related to the protection of physical assets. The key point is not the difference in the use of the term ‘risk management’.
Of more importance is the fact that both these definitions indicate a significant limitation of the overall scope of the risk management process in those organisations—a limitation that is removed through the adoption of the ERM process.
Consolidated risk profile
Enterprise Risk Management (ERM) represents a revolutionary change in an organisation’s approach to risk. ERM broadens the scope of risk management behaviours to include every significant business risk of the organisation, comprehensively and systemically. It requires that all of these risks be considered in relation to each other to create a consolidated risk profile.
It expands the scope of risk management practices beyond the physical and financial exposures discussed above to include issues such as long-term strategy, competitor response, human capital, and operational exposures, to name a few. In addition, ERM can potentially identify situations in which risk can be a competitive advantage instead of only a threat.
The past three years have seen more companies recognising the importance of enterprise-wide risk management and, often for the first time, adopting practices to implement it. ERM has become a more important strategic consideration as well, enabling better-informed and more confident decision making in such areas as acquisitions, geographic expansion, and new product development and launch.
Big picture approach
More companies, too, are moving to a higher level of maturity in their risk management processes, focusing more on proactively managing risk rather than reactively mitigating it. Enterprise Risk Management can, and does, help companies perform better and avoid surprises.
ERM encompasses all aspects of an organisation in managing risks and seizing opportunities related to the achievement of the organisation’s objectives … not only for protection against losses, but for reducing uncertainties, thus enabling better performance against the organisation’s objectives.
ERM promotes a ‘big picture’ approach to risk management. It recognises that various events may converge to increase a firm’s risk exposure and resulting losses. An effective risk management structure accounts for potential risks in all aspects of a firm’s operation and analyses the firm’s overall risk appetite and response strategy.
The 2008 economic crisis is the poster child for improving risk management practices and, hopefully, will motivate boards, stakeholders, and policymakers to promote meaningful ERM programmes.