In January 2008, a global financial institution reported a $7 billion loss had occurred when unauthorized trading positions were closed. This incident raised questions about the bank’s control procedures, particularly when an internal report concluded that bank officials failed to follow up on many warnings about questionable trades. While it will take time to sort through all the facts, one point is clear: This case is reportedly the largest derivatives loss ever. The bank joins a group of other banks and nonfinancial companies – including some proud and notable firms – that have suffered huge losses from financial instruments, although not as large.
This occurrence was an isolated event in which someone clearly did something wrong. The subprime lending crisis, however, is more systemic in nature. In March 2008, as write-downs of subprime mortgages continued to mount across the industry, Bear Stearns signed a merger agreement with JP Morgan Chase involving a stock swap for a paltry $2 a share, a decline of 99 percent from the stock’s peak price just over 14 months earlier.1 This represented a deterioration of almost $20 billion in market capitalization resulting from the company’s bets on the housing market and markets for subprime mortgage-backed securities. Friday, March 14, the last trading day, was a disaster for investors, as more than 180 million Bear Stearns shares changed hands – 50 percent more than the shares actually outstanding – with the end-of-day price closing down 47 percent at $30 per share. Over the following weekend, 90 percent of that value evaporated when the sale of Bear Stearns to JP Morgan Chase was consummated.
These spectacular losses are yet another reminder that there are severe penalties if the largest risk exposures are not identified in a timely manner, properly monitored and managed effectively. For example, there is the reputational damage and brand erosion that occurs when large, unusual and unexpected losses are reported. The resulting loss of confidence can drive a decline in market capitalization, downgrades in credit ratings and damage to key stakeholder relations. The losses can drain cash flow as the crisis unfolds, and make capital and financing harder to obtain, resulting in increased liquidity risk. A downward spiral can spawn intensive regulatory reviews and make a firm an acquisition target.
Indeed, the cost of surprise is high. Although the losses referred to above are most certainly a backdrop, any discussion of large risk exposures cannot be limited just to banks and insurance companies, nor should it be focused solely on financial risks. The notion of transparency is important with respect to the largest exposures, whether financial or nonfinancial, because an organization may have executives or employees willing to take risky bets or engage in activities that may not be in the enterprise’s best interests. This issue of The Bulletin suggests approaches for improving transparency into an entity’s most significant risk exposures, with the objective of minimizing the risk of unwanted surprises.
Understand why you make money
When disaster strikes, “How did this happen?” is a question often asked by board members, senior executives, shareholders, regulators, policymakers and auditors. It is often said that sudden success creates blind spots and deaf ears, followed by a familiar refrain: “The stars were making money, so we left them alone.” When circumstances change, and the losses stockpile and fingers begin to point, it is interesting how often we hear the comment, “We had no idea what risks they were taking.” That statement itself suggests a failure in the governance model.
There are many illustrations of the historical durability of the “How did this happen?” theme. Founded in 1762, Barings Bank was the oldest merchant bank in London until it collapsed in 1995 after one of its employees lost $1.4 billion speculating primarily on futures contracts. The Singapore-based employee operated without supervision from London headquarters. Not only was he the floor manager for Barings’ trading on the Singapore International Monetary Exchange, he was also the head of settlement operations and charged with ensuring accurate accounting for the unit. This operating process violated all the typical segregation-ofduties safeguards. After the collapse, the blame was placed on the bank’s deficient risk management practices. The rogue trader later wrote a book in which he stated, “People at the London end of Barings were all so know-all that nobody dared ask a stupid question in case they looked silly in front of everyone else.” One reason Barings chose to ignore internal audit reports about the need for segregation of duties in Singapore and other warning signs was that the brass in London thought the foreign operation was doing extremely well and did not want to “rock the boat.”
At Kidder Peabody, the over-the-market profitability of the government bond trading desk baffled just about everyone in the industry who knew of the circumstances. They could not figure out how it was accomplished, given the fundamentals in the industry. The bond trader had a supervisor who did not understand it either. This supervisor applauded and rewarded his shining star performer, even using him as the role model everyone should follow “if they were going to get ahead.”
In reality, it was alleged the trader was a “master chef” who cooked the books, causing the CEO of the parent company to circle the wagons. In a memorable CNBC interview in 1994, the CEO stated how embarrassed he was about the whole situation, and promised it would never happen again on his watch. Ultimately, the unit was sold.
And we aren’t just talking about public companies. In the 1990s, the Orange County, California treasurer was portrayed as the role model of superior government finance. He consistently made a minimum of 100 to 200 basis points more than anyone else, and received awards as one of the best municipal treasurers in the United States. When interest rates rose abruptly, several major municipalities placed calls to withdraw the operating monies they had invested in the Orange County fund to generate higher returns. When delays started to occur, rumors spread and a “run on the bank” began. That is when the truth surfaced. The treasurer had bet on declining interest rates by investing in very risky inverse bonds.
The fund portfolio was highly leveraged, with borrowings exceeding depositor funds by three times, a practice that was illegal. The board of supervisors charged with the responsibility to provide oversight of the treasurer’s activities did not ask the right questions and was complacent with the knowledge that the fund was earning over market and that it was acceptable to do so. In addition, the governing bodies of the many governmental entities invested in the fund for many years knew that their investments were earning over market. And they, too, did not ask the right questions.
Now we fast-forward to today’s subprime lending crisis, which has led to significant distress in the financial markets. Its root causes are many, making it systemic in nature as opposed to a one-off situation in a specific company.
Originators brokered financing of houses without regard to credit quality so they could get their up-front fees and walk. And there were other members of the cast. The President’s Working Group on Financial Markets concluded in its March 2008 report that there was a significant erosion of market discipline by those involved in the securitization process, including underwriters, credit rating agencies, investment firms, hedge firms and other global investors. This erosion is a result of breakdowns in underwriting standards, failures to provide or obtain adequate disclosures, and flaws in rating agency assessments of structured products, among other things. Why were such time-tested practices disregarded? Perhaps too many people were having a good time making a lot of money. However, those left standing when the music stopped are now paying the penalty.
According to another report issued in March 2008 by a group of European and U.S. regulators, the Senior Supervisors Group (SSG), four enterprisewide practices differentiated successful performance in the subprime lending market:
- Effective firmwide identification and analysis – The performers who reported fewer losses from subprime lending shared quantitative and qualitative information more effectively across the organization. In fact, according to the SSG report, some firms identified “the sources of significant risk as early as mid-2006” and “had as much as a year to evaluate the magnitude of the risks and to implement plans to reduce exposures or hedge risks while it was still practical and not prohibitively expensive.”
- Consistent application of independent and rigorous valuation practices across the firm – The best performers deployed “rigorous internal processes requiring critical judgment and discipline in the valuation of potentially illiquid securities.” Skeptical of rating agency assessments, these firms developed their own in-house expertise to assess credit quality and even tested their assessments by selling a small percentage of assets to obtain pricing data points.
- Effective management of funding liquidity, capital and the balance sheet – The firms avoiding the significant challenges faced by their less fortunate peers in the subprime market established more discipline by charging business lines for building contingent liability exposures to reflect the cost of obtaining liquidity in a more difficult market environment. They also aligned treasury activities more closely with risk management and took an end-to-end enterprisewide view to managing global liquidity risk.
- Information and responsive risk measurement, including management reporting and practices – The best performers had more effective management information systems, meaning executive management was more aware of the speed and severity of changes in the fundamental variables driving the market. These tools included stress testing,2 sensitivity analysis3 and scenario analysis4 by a function independent of the business lines that could review and interpret the results objectively and report them to executive management and the board. Although value-at-risk techniques were used, the firms recognized the limitations of such measures in terms of evaluating the degree of market volatility they may face. By combining quantitative rigor with qualitative assessments, these firms were able to apply the brakes and reduce exposures when they determined risks outweighed expected rewards.
All firms participating in the subprime market, including the “better performing” ones, took a hit. How much depended on how well they identified and managed the risk. However, no risk management process is bulletproof. As Alan Greenspan noted in a March 2008 op-ed published by Financial Times, the financial risk-valuation system failed under stress. He stated:
Asset-price bubbles build and burst today as they have since the early 18th century, when modern competitive markets evolved. To be sure, we tend to label such behavioral responses as non-rational. But forecasters’ concerns should be not whether human response is rational or irrational, only that it is observable and systematic.
The point is deceptively simple. No matter how hard we try, we cannot model the future perfectly. There always will be uncertainty, and human behavior is part of the equation.
Therefore, if certain business activities are generating unusually high rates of return, directors and executive management must understand why. When the accounting rules are not black and white, or the nature of certain transactions and activities is very complex, directors and management must insist upon clarity. The subprime lending debacle is a clear example of how obscurity, complexity and confusion are a breeding ground for uneconomic activity driven by smart people who can “game the system.” Just because someone is generating significantly superior returns does not mean what they are doing is sustainable or not heading toward a disastrous end. In short, you’d better be sure. If the picture is so complex that no one understands it, someone has to take a step back and ask, “What are we doing and why are we doing it?” Our advice: If you do not understand the risks, ask the necessary questions until you do.
Identify and manage your “trust positions” Safeguarding assets and protecting enterprise value can be just as important over the longer term as creating enterprise value. The unbelievably large losses experienced by companies as a result of unauthorized trading or use of financial derivatives have certainly attracted the attention of the press as the losses wipe out enterprise value that took years to create. In many of these cases, neither the board of directors nor the CEO – nor, sometimes, even the CFO – understood, much less authorized, these large risk exposures. In the aftermath of such surprises, we often hear, “They didn’t know.” So, why didn’t they?
The answer begins with the failure to consider several questions. First, who is responsible for making the critical decisions every day? Also, are they the right people to make these decisions and are they capable of making them? Second, who is responsible for oversight, and are they properly positioned to be impartial and objective? Third, if there are different points of view between the parties, how are the differences settled and at what level within the organization?
These are the “macro questions” every successful business must ask constantly. Directors must ask these questions regarding executive management, who, in turn, must ask them regarding the organization’s employees who work in volatile or environmentally sensitive areas that can have a pervasive effect on the firm. The scope of these areas extends beyond financial risks and includes operational, compliance and other risks. They include personnel who make decisions and engage in activities affecting the enterprise’s customers, suppliers, physical assets, impact on the environment and reputation. Because we are talking about people whose actions or inaction can cause the enterprise significant harm, and whose decisions can create or sustain the entity’s largest risk exposures, we suggest they occupy trust positions.
For example, the actions and inaction of the captain and crew of the Exxon Valdez in 1989 resulted in a massive oil spill that affected their employer for almost 20 years and was – and still is – the largest man-made environmental disaster in history. As a result of the accident, Exxon made numerous changes to crew training, work patterns, navigational systems and tanker design. The compensation paid by the company for cleanup, fines and losses to date has exceeded a reported $3.4 billion. The resolution of the 1994 punitive damage award, which was reduced from $5 billion to $2.5 billion in the United States appellate court, is still pending and, after several appeals, was before the Supreme Court at the time this publication went to print. The reputational effects of this accident continue to this day every time someone raises the topic of environmental protection, not to mention the opportunity and legal costs incurred.
Consider as well the disastrous fire and explosion at a south Texas refinery managed by another global oil company. An investigation identified numerous failings in equipment, risk management, staff management, site working culture, maintenance and inspection, and general health and safety assessments. Budget cuts resulted in deferred maintenance. The metrics, incentives and management systems at the site focused on measuring and managing occupational safety (e.g., slips, trips and falls, driving safety, etc.) while ignor ing process safety (e.g., safety design effectiveness, hazard analysis, material verification, equipment maintenance, process upset reporting, etc.). An independent panel concluded that the company confused improving trends in occupational safety statistics for a general improvement in all types of safety. The reputational effects of this experience were not good. Here again was a large risk exposure that had developed over the course of several years as local management focused on the wrong things.
There are other examples. The nuclear power industry still feels the weight of the influence from the events at Three Mile Island and in Chernobyl. The highly publicized crisis in 2000 caused by defective tires made by a major tire manufacturer and installed on different vehicles by several major automotive manufacturers was a public relations nightmare for all involved, as tires shredded on the highway, leading to rollover accidents and more than 200 deaths and some 800 injuries, according to an independent study. After some missteps on the public relations front, the cost of the recall was staggering for both the manufacturer and the automotive companies, particularly the one that purchased 70 percent of the tires, and ultimately led to the end of a 95-year customer-supplier relationship. Finally, there are the recent massive product recalls of toys in the consumer products industry and of meat and poultry in the food processing industry. These recalls have affected the brand image of the companies involved and triggered calls for increased regulation. These are all examples of large risk exposures of an operational and compliance nature that developed over time into ticking time bombs waiting to explode; for the companies involved, the reputational effects obviously were highly negative.
While competent people are an important aspect of managing risk, relying on them without limits, checks and balances, and independent oversight, monitoring and reporting is as
ill-advised as not understanding the risks inherent in what they are doing or failing to do. Following are 10 relevant questions to consider on a macro basis to ensure risks undertaken are not in excess of the board’s and management’s appetite for risk:
- Do we know who the people are who make decisions that affect or create large financial, operational or compliance risk exposures?
- Do we know where they are, what they are doing, and why they are doing it?
- Do we know who supervises them?
- Are we satisfied the appropriate risk management policies, procedures and controls are in place to manage and monitor their activities and capacity to perform?
- Are we satisfied with the reporting we receive on their activities, the results of their performance and the effectiveness of the oversight?
- How are we rewarding them? Are we convinced our reward system and culture are not creating dysfunctional “blind spots” that might drive a short-term focus and cause the chain of command to disregard warning signs about their activities?
- Do we have the appropriate checks and balances and segregation of duties in place to prevent or detect unauthorized activities? Put another way, do we know what access these individuals have to systems and information to which they should not have access?
- Are our policies and procedures effective in reporting on and monitoring their activities?
- AIs there a timely escalation process so we can “apply the brakes,” if necessary, and do we have a business continuity plan in place to handle a crisis, should one arise?
- Are we satisfied our managers bring us the full picture – the upside and downside – relative to taking advantage of an opportunity; for example, how much would it hurt if things didn’t go as planned, and does the potential upside adequately compensate the organization for taking on the downside risk?
Satisfactory answers to these questions will create greater transparency around the largest risk exposures that exist within the firm. Managing trust positions starts with identifying those exposures, and then designing the appropriate policies and procedures to manage them and providing strong monitoring and oversight.
Understand your risk profile
Issue 10 of Volume 2 of The Bulletin (available at www.protiviti.com) introduced the topic of enterprise risk assessment (ERA), a systematic and forward-looking analysis of the impact and likelihood of potential future events on the achievement of the organization’s business objectives within a stated time horizon. The ERA process encompasses an evaluation of available data, metrics and information, as well as the application of judgment. It is a dynamic process when it considers management’s risk tolerance, which is best determined using the same unit of measure5 as that used to measure performance against a stated business objective. The risk tolerance is therefore the degree of acceptable variation around the established unit of measure. Once tolerances are set, metrics and measures are monitored to ensure performance is managed within prescribed boundaries. Thus, risk tolerance is used to assess risk over time and ensure performance variability is reduced to an acceptable level.
Applied to the issue of the largest risk exposures, metrics can be used to report close calls, limit violations, out-of-tolerance performance, spikes in loss incidents, products in noncompliance and various other risk metrics that could prompt investigations to ascertain whether significant issues exist. Over time, an ongoing ERA process addresses questions such as: What types of risk exposures do we face; what is our appetite for risk; how much variability in earnings and cash flow are we willing to accept; how much are we willing to lose if we decide not to hedge a particular exposure; what regulatory constraints and requirements do we face; what are the risks inherent in our operations; and how much profit, if any, do we expect treasury to contribute to earnings?
In today’s rapidly changing operating environment, an ad hoc perspective regarding the enterprise’s risk exposures is inadequate. A detailed assessment requires a focused effort to gather all of the necessary data and involves careful examination of a company’s strategy and global operations. Determining precisely where risks lie is not an intuitive process. It is a disciplined, structured approach consistent with market-leading practices.
Pay attention to culture
Everything we’ve discussed so far provides insight as to an organization’s culture. A risk-aware culture means several things. First, it gives people in the organization – preferably all key personnel, but at a minimum structurally positions someone or some group within the organization – to be able to raise issues about something someone is doing, or point out situations where something is wrong or does not make sense, without fear of reprisals or repercussions that affect their compensation and career. Essentially, a risk-aware culture is one that encourages bottom-up communications enabling people to speak up, and be heard by the organization’s leaders.
Compensation dramatically impacts an organization’s culture and can cause the entrepreneurial, revenue-generation side of the business to get out of sync with the control, risk management oversight side. For example, if the control side of the business constantly stops new business opportunities without figuring out ways to make good deals better or marginal deals good, it will contribute to a risk-averse culture. On the other hand, if the entrepreneurial side of the business is focused on getting deals done at any cost, and the control side is an ineffective bridle, the organization may be exposed ultimately to ever-increasing risk exposures.
Because compensation is a critical determinant of behavior, the reward system should be carefully considered in terms of its impact. For instance, compensation for so-called “star performers” should be evaluated carefully to determine whether there is a cavalier and confrontational management style or “warrior culture” in which operating unit managers or individual employees tend to focus on short-term compensation and, thus, do not think enough – or at all – about long-term risks their activities may create for the enterprise.
In such cases, as Governor Randall Kroszner of the Federal Reserve said in a February 2008 speech, “It is the responsibility of senior management to provide the proper incentives and controls to counter the potential for individuals … to discount risks to the broader institution, and of course, to ensure that nefarious activity is promptly uncovered and stopped.” In addition, he noted that “managers and boards of directors should understand the consequences of providing too many short-term and one-sided incentives [and] would benefit from thinking about compensation on more of a risk-adjusted basis.”
As a final point, a risk-aware culture is one in which managers are encouraged to portray realistically the potential outcomes of prospective transactions, deals, investments, projects and budgeting decisions. The irony of such a culture is that robust dialogue about risk can lead the organization to take on more risk, not less. Increased understanding improves risk management capabilities and reduces uncertainty. An effective risk management oversight function, coupled with an ongoing enterprisewide risk assessment process, will help create an environment where risk is embraced in a positive, proactive manner at all levels of the organization, enabling issues to be brought out into the open.
Establish accountability for results
Once management and the board understand the financial, operational, compliance and other risk exposures embedded in the business, and have a process in place for refreshing this assessment as markets and operating conditions change, management must address – with the board’s input – which of those risks should be rejected or retained. If the decision is to reject a risk exposure because it is off-strategy, offers unattractive rewards or the enterprise doesn’t have the capability to manage it, then management must take the appropriate steps to avoid the risk. If the risk is strategic in nature, such steps might include adopting an exit strategy to get out of a market, business or geographic area, or targeting more specifically the entity’s business development and market expansion activities to avoid pursuit of “off-strategy” opportunities, or screening alternative capital projects and investments to avoid low-return, off-strategy and unacceptably high-risk initiatives. If the risk is financial in nature, examples of avoidance would include unwinding a derivatives or securities position or prohibiting or stopping completely the trading activities giving rise to the risk. If the risk is operational, steps to avoid it typically eliminate the risk at the source by re-engineering a flawed process or by designing and implementing internal preventive processes.
If an entity retains a large risk exposure – that is, it chooses not to avoid it – several risk responses are available. First, the enterprise can accept the risk at its present level, which is a choice management and the board should not make without disclosure to shareholders. For example, some global oil companies make no secret they are taking risk on natural gas prices and, in effect, are passing the risk on to their shareholders. Second, it can reduce the severity of the risk and/or its likelihood of occurrence. For instance, control activities reduce the likelihood of occurrence. Geographic dispersion of assets reduces the impact of the occurrence of a single catastrophic event, such as an earthquake or a hurricane, on the company. Third, it can share the risk with a financially capable, independent party. These decisions drive the need for formulating focused risk responses that are integrated within the enterprise’s strategy and business plan.
When reject/retain decisions are made, it is important to designate someone, or a group, function or unit, with the responsibility, authority and accountability to “own” the risk response. This is accomplished consistent with the tenet that each operating unit owns the risks and risk responses integral to its business with separate oversight. Risk owners, at a minimum, must (1) decide on the tactics around executing the selected risk response, (2) design the capabilities for managing the risks in accordance with the risk response, and (3) monitor these capabilities over time to make sure they perform as intended.
Once risk ownership is clarified, a policy should be written to articulate what people must and cannot do. The actual format and details of the policy will vary from one company to the next and depend on the nature of the underlying risks. An effective policy structure often addresses the following:
- Objectives of managing and monitoring risk
- Responsibilities of risk owners and risk oversight personnel
- Roles and responsibilities of operating units in managing risk
- Enterprisewide risk tolerances linked to established business objectives (e.g., if management’s goals are to earn $3.50 per share and retire $500 million in debt during the coming year, how much exposure to earnings and cash flow variability can the business withstand?)
- Boundary controls and specific limit structures that management has put in place for authorized, potentially risky business activities linked to enterprisewide goals to specify the company’s “risk tolerance” (i.e., how much risk is the enterprise willing to accept?)
- Risk authorities empowering specific individuals to commit enterprise resources in conjunction with volatile and high-risk activities, and execute specific risk management responses
- Minimum risk controls (e.g., separation of duties, access limitations, etc.) that need to be in place in certain circumstances
- Required risk reporting, and the approved methodologies for measuring risk and marking-to-market portfolios of financial instruments and commodities
The policy structure is more effective if it addresses specific risk exposures that must be managed on a day-to-day basis and defines explicitly the primary risk responses that management has chosen. For example, it might address strategies for managing different types of risks, including acceptable or preferred risk management techniques and prescribed tools, products and practices. It might also point out risk management strategies, tools, products and practices that are specifically disallowed.
While the specificity of the policy enables effective accountability, it is only a start. After approving a policy statement, management must ensure, with board oversight, that established policies are addressed through effectively designed procedures, and that implementation of the procedures is monitored and enforced. From an accountability standpoint, the best control procedures and risk information will be worthless if traders, managers, operators and others in the so-called trust positions think they can be ignored. Management must make it clear to everyone that violation of established policies and limits will be subject to disciplinary action and, depending on severity, possible termination. When violations occur, they must not be tolerated.
Create a process for timely escalation
An important aspect of any control system is setting up an independent validation process that will drive transparency and facilitate timely escalation of issues. For example, a chief risk officer (CRO) facilitates the execution of the enterprise risk management (ERM) process and infrastructure. With the assistance of a staff function, the CRO supports the board (or a designated board committee), the CEO, the executive committee (or a designated risk management committee) and business unit management by:
- Establishing and communicating the organization’s ERM vision and objectives, risk appetite and risk management policy
- Recommending and, once approved, implementing an appropriate risk management oversight structure
- Establishing, communicating and facilitating the use of appropriate ERM methodologies, measurements, tools and techniques
- Facilitating effective enterprisewide risk assessments and monitoring the capabilities around managing the priority risks across the organization
- Implementing appropriate risk reporting to the CEO, board, audit committee and executive management
Through these activities, the CRO is in a position to escalate knowledge and insights regarding any large risk exposures requiring management and board attention. To be truly objective, the CRO should be insulated from and independent of business unit operations, and have appropriate access to and involvement with the board.
Assurance units also play an important escalation role with respect to the largest risk exposures. They include risk management compliance, internal audit and value-at-risk review. They perform audits and periodic or continuous reviews to provide assurances – through regular reports to the CEO, board, executive management and risk committee – that critical processes are performing effectively, key measures and reports are reliable, and established policies are in compliance. When critical checks and balances are not working; or unusual suspense accounts are accumulating huge unexplained balances; or established policies and procedures are ignored; or stress tests on financial portfolios point to very severe impacts on capital ratios and liquidity, if certain plausible events were to occur in the future; or assumptions underlying pricing models are out of sync with economic reality; or mark-to-market valuations of derivatives positions
do not appear to comply with established policies; or other significant indicators exist; then assurance units need to escalate this information in a timely manner.
From an organizational standpoint, assurance units should report to one level higher than the people over whom they have oversight. For example, in most companies they would report above the traders and treasurer to the company’s CFO. On the other hand, if a CFO gets involved in approving individual transactions, the assurance unit(s) should report to the CEO or directly to the board or audit committee.
Understanding why you make money, identifying and managing your trust positions and understanding your risk profile are essential for laying the foundation for identifying the enterprise’s largest risk exposures. The three principles of culture, accountability and escalation are vital to successful management of the largest risk exposures. As we stated in Issue 1 of the current volume of The Bulletin, if a company is overdosing on risk, knows it is doing so, and continues to do so anyway, a failure in the governance structure has occurred. And worse, if a company is overdosing on risk and does not know it – either through neglect or choosing to ignore the warning signs – a failure in governance and risk management has occurred.
While taking the best bets to create enterprise value is necessary in managing any business, it is prudent and important that the sunlight is shining, for all to see, on the bets undertaken. The successful prevention of severe losses from large risk exposures begins and ends with an effective risk management infrastructure that the company uses and acts upon.
Key Questions to Ask
Key questions for board members:
- Does the board take substantive steps to understand the company’s significant risk exposures or is it just engaged in occasional ad hoc and reactive treatment of risk and risk management in the boardroom? Are you satisfied that management engages the board in a dialogue about taking on significant risks before commencing the activities (such as an acquisition) giving rise to the risk, or is the board informed after the fact? Do the reports submitted to the board provide transparency about the largest risk exposures throughout the organization, including the risks undertaken by different business units and activities?
- If the company engages in significant trading activities or uses derivatives in a significant way, is the financial and risk management strategy clear? For example:
- Are the objectives clear (e.g., does the program exist to hedge exposures or generate profits)?
- Are the hedging strategies effectively articulated, including the particular instruments allowed?
- Are liquidity implications reported upon and well understood, including contingency planning?
- Is there a limit structure that specifies management’s risk tolerance? Is there an exit strategy articulating the level of maximum acceptable loss and a process in place to unwind the positions if the limit is hit?
- Is it clear who is authorized to execute transactions?
- Have the responsibilities of risk oversight personnel been defined, and do they have the appropriate backgrounds to ensure trading and derivatives risks are well understood?
- Are sufficient risk controls in place, including segregation of duties around executing transactions, access controls, settling transactions and valuing positions?
- Are counterparty risks periodically reviewed, defined and well understood?
- Is there adequate and consistent periodic reporting on the risks, based on marking the portfolios to market?
Key questions for management:
- Is there an enterprisewide process in place to identify and prioritize your significant risks in the context of your business strategy? Have you defined the entity’s risk appetite so that you can effectively delineate unacceptable risk exposures? Do you know what the largest risk exposures facing the company are? For example, is anyone engaged in activities that are, in effect, “betting the company” or putting its reputation at risk? If so, do you involve the board in assessing them and the actions to take?
- Do you involve the board in the assessment of strategic business risks, including the decisions as to which ones to accept and which ones to reject? Do you periodically revisit your risk assessment to determine whether circumstances and conditions have changed or whether there are new emerging risks?
- Is effective accountability for the largest risk exposures established through a clear policy structure and effectively designed procedures, metrics, measures and monitoring? Does management make it clear to everyone that violation of established policies and limits related to the largest risk exposures is subject to disciplinary action?
- Is there an effective escalation process to ensure problems are recognized and addressed before they start? Are you satisfied that individuals within the organization are willing to contact those above them in order to warn them of the problem? In this regard, does the organization have an open, risk-aware culture?
1As this publication was released to print, JP Morgan Chase had increased its offer to $10 a share in response to a class action lawsuit filed on behalf of shareholders to challenge the terms of its acquisition of Bear Stearns.
2Stress testing takes a given “base case” portfolio or forecast and modifies its value to reflect the effects of a hypothetical, extraordinary and highly unlikely situation or event that would result in severe financial stress if it were to occur in the future.
3Sensitivity analysis determines the aggregate variation in financial performance by assessing the impact attributable to a small differential change in one or more underlying key risk factors on individual exposures at a given point in time.
4Scenario analysis determines the aggregate variation in financial performance by assessing the impact of large risk factor changes, as defined by a specific scenario, on individual exposures. As with sensitivity analysis, scenarios and their earnings impact are evaluated in a deterministic manner, i.e., no assessment is made of the probability that the events will actually occur. However, scenario analysis is a more robust measurement methodology than sensitivity analysis because it involves multiple variables that are changed dramatically, and uses intricate economic forecasts and models to reprice exposures and portfolios based upon the assumed changes and forecasts.
5Examples of a unit of measure include capacity utilization, number of safety incidents/hours worked, staff attrition rate, number of units sold, etc.
Bulletin (Volume 3, Issue 4)