17 February 2009
Published in: Risk governance, Regulation - supervision
Why we need to redefine the “e” in ERM
In this interview, leading risk consultant James Lam argues for much more effective risk management and a radical expansion of the ERM concept.
How do you explain the failure in risk management so glaringly exposed by the current financial crisis?
Risk management at some companies performed quite well, but many more didn't meet expectations. I would group companies with significant failures into two camps.
In one camp I would put firms that didn't know what they didn't know. I call these firms "risk ignorant." They outsourced risk management to the rating agencies and relied solely on debt ratings. Or they may have used credit risk models with six or seven years of benign default data and didn't stress-test default rates and/or housing prices, and they didn't evaluate the interdependencies across business, market, credit and liquidity risks.
In the other camp I would put firms that knew their risk exposures but didn't do enough with that knowledge. I call these firms "risk incompetent." They may have had more detailed and accurate analyses of their risks, but because of adverse cultures and incentives, they simply didn't do the right things for their shareholders.
What are the lessons?
This financial crisis, call it a once-in-a-lifetime event or "black swan" if you like, represents the ultimate stress test. In this context, I think every company should evaluate the effectiveness of its risk management program during this period. Otherwise, critical lessons learned and improvement opportunities will be lost with the passage of time.
Can you be more specific?
Based on my experience, I've identified five key areas of failure:
- lax board oversight of risk management
- lack of risk policies with explicit risk tolerance levels
- ineffective performance and risk reporting to the board and management
- poorly designed executive compensation systems, and importantly
- absence of an objective feedback loop on risk management effectiveness.
What do you mean by "an objective feedback loop on risk management effectiveness"?
Perhaps one of the most important questions facing boards, executives, regulators, and risk managers today is: how do we know if risk management is working effectively? The common practice is to evaluate the effectiveness of risk management based on the achievement of implementation milestones, or the lack of policy violations, losses or surprises.
However, these are no longer sufficient. We need to establish performance metrics and feedback loops for risk management. Other corporate and business functions have such measures and feedback loops. For example, business development has sales metrics, customer service has customer satisfaction scores, human resources has turnover rates, etc.
So how do you establish a feedback loop for risk management?
Its objective must first be defined in measurable terms, i.e. minimizing unexpected earnings volatility. In other words, the objective of risk management is not to minimize absolute levels of risks or earnings volatility, but to minimize unknown sources of risks or earnings volatility.
Based on this definition, companies can perform earnings-at-risk analysis at the beginning of each reporting period. This analysis would identify the key risk drivers and quantify potential earnings impact (e.g., a 1% increase in rates would reduce earnings by 5%, or a 2% decrease in market share would reduce earnings by 12%, etc.). At the end of each reporting period, companies can perform earnings-attribution analysis, in which they can identify the actual earnings drivers and sensitivities. Over time, the combination of these two analyses can provide a powerful performance measurement and feedback loop.
How will all this help?
Such a feedback loop can help the board and management to ensure that risk management is effective in terms of minimizing unexpected earnings volatility. This type of analysis should be provided with the earnings guidance of publicly traded companies. Relative to the current laundry-list approach of risk disclosure, earnings-at-risk and earnings-attribution analyses can provide much higher levels of risk transparency to investors.
Where does this leave enterprise risk management?
The concept of ERM will be expanded very significantly in the future. The key question is how "enterprise" should be defined. In the past, ERM meant analyzing risk exposures across the company and coordinating risk strategies with various business units.
In the future, the "e" in ERM will include the entire value chain, including counterparties, customers, shareholders, suppliers, distributors, regulators, special interest groups, and other key stakeholders. The practice of risk management must take on a more external focus instead of an internal orientation, as well as be more forward-looking rather than analysing past results. In the final analysis, risk is always about the future and how external variables can impact internal operations.
How should regulators be responding to the crisis? Should their priority be market instruments and practices or corporate governance?
I think the main focus will, and should, be on corporate governance, risk management, and greater transparency in terms of public disclosure. Products and services evolve and it would be difficult if not impossible for regulations to keep up.
Based on the lessons learned from the financial crisis, there will be a lot of attention given to effective leverage and liquidity risk management. For example, in the past the leverage of a financial firm might look like 8-to-1 on the balance sheet, but when you incorporate off-balance-sheet entities and items, the effective leverage was really 30-to-1. Similarly, the collateral and downgrade provisions of financial contracts can have a significant impact on contingent liquidity requirements that is not obvious from financial statements. Regulators will likely require financial firms to stress-test their core risks, including leverage and liquidity impacts, and also disclose that kind of information.
Will the US tighten the Sarbanes-Oxley Act?
I certainly hope not. Instead of tightening the act, I would rather see meaningful enforcement and prosecution based on the provisions already in Sarbox. In my opinion, Sarbox is already overcooked. It was enacted in the aftermath of accounting frauds at large corporations such as Enron and WorldCom. While accounting controls are important, they are only a subset of operational risk, and operational risk is a subset of enterprise-wide risk. Over the past five years, accounting controls have consumed too much board attention and management resources.
You're saying there should be less emphasis on accounting controls?
One can argue that this emphasis on accounting controls over the past several years has been misguided given that risk is mainly driven by future events whereas accounting statements reflect past performance. In order to be effective, a risk management program must be forward-looking and driven by the organization's business objectives and risk profile, not by regulatory requirements. Boards are wising up to this. Recent surveys indicate that risk management has replaced accounting issues as the top concern for corporate board members.
Do you expect to see more chief risk officers being created?
I do expect to see companies establishing much more powerful and independent risk management officers and functions, and many will have direct reporting lines to the board. The push will come from multiple sources, including more risk-aware CEOs, boards, regulators, rating agencies, and institutional investors.
Shouldn't board members themselves be more risk-aware?
Yes. More boards will establish risk committees because they realize that the risk committee charter can and should be very different from the audit committee charter. Boards will also add risk experts to their ranks because it would be difficult to provide effective risk oversight without having board members with sufficient risk management experience and expertise.
Is there a danger a regulatory clampdown on certain instruments or markets will make it more difficult for companies to carry out some legitimate hedging operations?
I certainly hope that the regulatory backlash won't be that severe or irrational, but there is always a risk of overreaction after a crisis. While I expect that legitimate risk management products will continue to be accepted by capital markets participants and regulators, highly leveraged and opaque products, such as CDOs-squared and structured investment vehicles, will face much greater scrutiny and restrictions.
But some in Congress have called for all derivatives to be traded only on exchanges.
It is unreasonable to expect all derivatives to be traded on exchanges. While it does make sense to standardize some plain vanilla contracts and offer them on exchanges, there will always be unique risk management requirements. It is the classic trade-off between standardized versus customized transactions.
I do expect more attention will be given to ensuring adequate reserves, capital, and liquidity stand behind OTC derivatives. From my work with derivatives markets, I've observed that insufficient reserves, capital, and liquidity resources were allocated to the business. In other words, profitability measures and bonuses were inflated.
What's the future now for principles-based regulatory regimes?
In the risk management community, there is an ongoing debate on the effectiveness of principles-based versus rules-based regulations. In my opinion, they are not mutually exclusive but complementary, and it is a matter of desired balance. If you take the US Constitution as an example, including the Bill of Rights and other amendments, it is a mixture of principles and rules. Furthermore, state and local laws provide more granular and enforceable laws.
I think all regulations, as well as corporate risk policies, should begin with a set of agreed principles. From the framework established by the principles, one can develop specific standards and rules. However, regulators should be careful not to establish rules that are too rigid relative to the desired principle or goal.
But haven't you made the point elsewhere that principles tend to grow into rules?
Yes. Take Basel II as an example. The core principle that capital is explicitly tied to risk underpins Pillar I. The initial goal was to provide regulatory capital relief as an incentive for banks to develop economic capital models and advanced risk management practices. However, Pillar I morphed into hundreds of pages of granular rules. Those rules are so rigid that some global banks ended up maintaining separate staffs, databases, and models to support Basel II versus their internal economic capital analyses.
In the light of all that you've said, should Solvency II be rethought?
There are three critical implications for Solvency II and Basel II.
First, capital requirements for various risks should not be determined separately without consideration for interdependencies. For example, credit and market risks, and related liquidity requirements, should be modelled on an integrated basis. This will call for more emphasis on stress testing.
Second, insurance companies and banks require capital beyond what is included in Pillar I. Specifically, they should allocate capital for strategic risk in terms of supporting future growth, and business risk with respect to the profit margin volatility embedded in their business portfolio.
Finally, there are critical interrelations between Pillar I and Pillar II that should be considered. For example, how much capital a firm requires is driven not only by the risk profile of its portfolio, but also the effectiveness of its governance and risk management. Take two firms with identical portfolios: I would argue that the one with superior governance and risk management requires less capital if you want to assign them the same probability of default. These dynamics should be incorporated into regulatory capital requirements, as well as regulatory examination and public disclosure processes.
About James Lam
President of James Lam Associates, founded in January 2002. Focuses on risk management and provides consulting and training solutions.
Widely reported to be the first ever "chief risk officer" and an early advocate of enterprise risk management.
Before setting up JLA, had been a partner of Oliver Wyman, founder and president of ERisk, chief risk officer of Fidelity Investments, and chief risk officer of FGIC Capital Markets Services, Inc., a GE Capital company.
Author of Enterprise Risk Management: From Incentives to Controls (Wiley, 2003)
Graduated summa cum laude with a BBA from Baruch College (1983), and has an MBA with honors from UCLA (1989).