Implementing Enterprise Risk Management. Lam James


Read the book Implementing Enterprise Risk Management by Lam James online, page 9



boards approved risk policies, reviewed risk reports, and viewed PowerPoint presentations designed mainly to assure them risks were well managed. In order to provide effective oversight, however, boards must be active participants in the risk management process. They must debate risk-tolerance levels, challenge management on critical business and financial strategies, and hold management accountable for the risk–return performance of past decisions. To strengthen their oversight, boards should consider establishing a separate risk committee, especially at risk-intensive companies (e.g., banking, insurance, energy). At a minimum, each board and its standing committees must ensure that risk management is allocated sufficient time and attention. Boards should also consider adding risk experts to their ranks.

      Greater Risk Management Independence

      During the excesses of the pre-crisis environment, where was risk management? Why didn't we hear about chief risk officers going directly to the board, or quitting out of protest given what was going on under their watch? I believe a central issue was the continued lack of true independence of risk management, which companies are only now beginning to address seriously. Since the trading losses suffered by Barings and Kidder, Peabody in the mid-1990s, companies have worked to ensure that the risk management function was independent relative to trading, investment, and other treasury functions. However, companies are finally going further to ensure that risk management remains independent relative to corporate and business-unit management as well. This is similar to the independence that internal audit enjoys, though to a lesser extent because risk management should function both as a business partner and risk overseer. One organizational solution has been to establish a dotted-line reporting relationship between the chief risk officer (and chief compliance officer) and the board or board risk committee. Under extreme circumstances (e.g., CEO/CFO fraud, major reputational or regulatory issues, excessive risk taking), that independent dotted-line reporting relationship can ensure that the chief risk officer can go directly to the board without concern about his or her job security or compensation. Ultimately, risk management must have an independent voice to be effective. A direct communication channel to the board is one way to provide that.

      Focus on Enterprise-Wide Risk Management

      A key lesson from the latest financial crisis as well as those preceding it is that major risk events are usually the consequence not of one risk, but of a confluence of many interrelated ones. Historically, companies managed risk within silos, with each organizational division handling its own, but, in 2008, it became glaringly obvious that this approach could lead to catastrophic failure. Even as the crisis was unfolding, the Wall Street Journal reported that the risk model used by AIG to manage its credit derivatives business only considered credit-default risk, but not the mark-to-market or liquidity risks associated with the business.[16] Companies should implement ERM programs to analyze multi-risk scenarios that may have significant financial impact. For banks, that means integrating analyses of business, credit, market, liquidity, and operational risks. Insurance companies must also assess the correlations between investment, liability, interest-rate, and reinsurance risks. All companies must manage strategic risks and the critical interdependencies across their key risks on an organization-wide basis.

      In the United States, the Federal Reserve implemented a series of formal stress-testing requirements for banks to quantify their vulnerability to various risk scenarios. The Fed's Comprehensive Capital Analysis and Review (CCAR) assessment provides independent review of the capital plans for banks and bank holding companies with assets in excess of $50 billion. Additionally, the adoption of Dodd-Frank mandated that all banks with greater than $10 billion in assets must conduct stress testing on an annual basis. The Office of the Comptroller of the Currency (OCC) published final rules in 2014 to meet the stress-testing requirement. Known as DFAST (Dodd-Frank Act Stress Test), the rules require all banking institutions with between $10 billion and $50 billion in assets to conduct and report results of formal stress testing exercises.

      Improved Board and Management Reporting

      It would be difficult if not impossible to implement ERM while companies continue to measure and report risks in silos. There is a general sense of dissatisfaction among board members and senior executives with respect to the timeliness, quality, and usefulness of risk reports. About a third of respondents to a 2016 Corporate Board Member survey felt information flow between their board and management could be improved through a higher frequency of updates (36%), more concise reporting (31%), or more time to review materials prior to a meeting (34%).[17] Many companies still analyze and report on individual risks separately. These reports tend to be either too qualitative (risk assessments and heat maps) or too quantitative (financial and risk metrics). Risk reports can also focus too much on past trends and current risk exposures. In order to establish more effective reporting, companies should develop forward-looking, role-based dashboard reports. The risk team should customize these reports to support the decisions of their target audience, whether the board, executive management, or line and operations management. Dashboard reports should integrate qualitative and quantitative data, internal risk exposures and external drivers, and key performance and risk indicators. Moreover, risk analyses should be reported in the context of business objectives and risk appetite.

      Creation of Objective Feedback Loops

      How do we know if risk management is working effectively? This is perhaps one of the most important questions facing boards, executives, regulators, and risk managers today. The most common practice is to evaluate the effectiveness of risk management based on the achievement of key milestones or the lack of significant risk incidents and losses. However, qualitative milestones or negative proofs should no longer be sufficient. I made this point when I was interviewed by the Wall Street Journal on the rise of chief risk officers in the aftermath of the financial crisis. In the article,[18] I emphasized the need for an objective feedback loop for risk management, and was quoted as saying, “AIG and Bear Stearns were doing fine until they weren't.” My point was made in jest, but boards and management should not rely on the absence of a bad situation as evidence that effective risk management is in place.

      Organizations need to establish performance feedback loops for risk management that are based on defined objectives, desired outcomes, and data-driven evidence. Other corporate and business functions have such measures and feedback loops. For example, business development has sales metrics, customer service has customer satisfaction scores, HR has turnover rates, and so on.

      While various types of feedback loops can benefit an ERM program at every level, one that should be considered by all for-profit companies incorporates ex-ante analysis of earnings at risk followed by ex-post analysis of earnings attribution. Over time, the combination of these two analyses would provide a powerful performance measurement and feedback loop. (I offer a complete description of this feedback loop in Chapter 20.) This would help the board and management ensure that risk management is effective in minimizing unexpected earnings volatility – a key goal of enterprise risk management. Finally, I believe this type of analysis should be provided alongside the earnings guidance of publicly traded companies. Relative to the current laundry-list and qualitative approach to risk disclosure, earnings-at-risk and earnings-attribution analyses can provide much higher levels of risk transparency to investors.

      Better Incentive Compensation Plans

      The design of executive incentive compensation systems is one of the most powerful levers for effective risk management, yet companies have so far paid insufficient attention to how incentive compensation systems influence risk-return decisions. For example, if executive compensation is driven by revenue or earnings growth, then corporate and business executives might be motivated to take on excessive risks in order to produce higher levels of revenue and earnings. If executive compensation is driven by stock price performance via stock options, decision-makers might also be motivated to take



Notes

16. Mollenkamp, Carrick, Serena Ng, Liam Pleven, and Randall Smith. “Behind AIG's Fall, Risk Models Failed to Pass Real-World Test,” Wall Street Journal, October 31, 2008.

17. Nolen, Melanie. “Half Empty: What Directors Think,” Corporate Board Member, 2016.

18. Davy, Peter. “Cinderella Moment,” Wall Street Journal, October 5, 2010.