Among the many lessons to be learned, one is immediately clear: The subprime debacle represents a failure in risk management, rather than a failure of risk management.
We are still not out of the woods and there may still be more shoes to drop, but some general views are emerging.
While there are many reasons why we are in this crisis, inadequate risk management practices feature high as a contributory factor.
Clearly, improvements need to be made, and we see three aspects of enterprise risk management implementation that need to be strengthened.
First, far from being a compliance exercise, risk management is a strategic imperative and should be treated as such.
Second, to support that strategic role, financial managers should urgently reassess the adequacy of their current risk management capabilities.
And finally, the greatest shortcoming is cultural--management should improve the engagement of employees, as well as the board and senior executives responsible for risk management.
So, how do you go about strengthening ERM implementation?
Based on surveys and discussions with finance managers in a variety of industries, the commitment to ERM remains strong, and there is increased urgency to strengthen ERM implementation.
Although there are many ways to do this, we have identified three areas of focus and recommend specific actions within each area that require immediate attention.
#1: Treat ERM as a strategic imperative.
If ERM is to be truly integrated with how firms are managed, then implementation must begin with active engagement of the firm's board and senior executives. Try the following steps:
o Reinforce the role of the chief risk officer:
This is the single most important action that a company can take to recognize ERM as a strategic imperative. Many companies have appointed a senior executive (often a chief risk officer, or enterprise risk manager) to oversee risk management for their entire organization.
The current financial crisis has shown us that merely making such an appointment is not sufficient. If--as we believe and our surveys indicate--ERM is viewed as critical to the survival and profitability of a firm, then the CRO's responsibility must be commensurate.
Studies have shown that problems arise when risk management does not have a seat at the management table, or when risk management's warnings are ignored, or when risk management is performed unevenly. No doubt, authors and academics writing the history of the current crisis will find evidence of all three.
The current validation of the risk management function could result in a dramatic improvement in corporate prestige.
Just as a CFO has a specific set of responsibilities, we may soon see a convergence of responsibilities that are aligned with the CRO. Indeed, these new responsibilities may require the establishment of new professional standards and levels of experience for future CROs.
As stakeholders come to realize the importance of risk management, CROs may see their professional and fiduciary obligations increase. And as regulators and the financial industry seek ways to prevent past mistakes, risk managers will likely play an increasingly important public policy role.
o Increase board engagement on risk:
We expect that boards should and will demand better metrics and information about risk management performance. Not only will the board's level of questioning dig deeper and be less satisfied by traditional compliance or audit reports, the questioning will place a premium on verifiable evidence of employee involvement.
We anticipate a significant increase in the number of board-level risk oversight committees, and we expect that their scope of oversight will be broad.
o Align incentives to reflect risk:
Although this has been a topic of discussion for some time, the current crisis has demonstrated that compensation practices can be at odds with managing risk appropriately. We believe that compensation programs will undergo a transformation as companies attempt to rid themselves of inducements to exceed stated risk tolerances.
We expect that scrutiny of incentive compensation programs, historically left to policymakers and investor groups, will come increasingly from boards of directors and fellow managers, who are loath to share the fate of companies that have failed in the wake of this crisis.
#2: Improve your ERM capabilities.
Companies need a variety of skills, methodologies, tools and processes to manage risk appropriately. Each of these is probably worth reassessing in the current environment to identify and overcome any significant shortcomings.
If one of the aims is to add up all the bits to develop a view of aggregate risk exposure across the firm, then two issues need urgent attention.
o Recognize operational risk as material.
In our experience, there is a fundamental disconnect between the way institutions view operational risk and the way operational risk management should be implemented. To a large extent this may occur because the term operational risk conjures up images of day-to-day processing errors.
These minor operations issues are often only a small part of operational risk, which is driven in large part by catastrophic failures in management (such as inappropriate sales practices or unauthorized activities).
A significant number of corporate bankruptcies and insolvencies during the past 20 years have been caused by operational failure. Indeed, the current financial crisis can be viewed as a failure of operational risk management at so many levels.
o Fungibility should be stress-tested.
One lesson made clear from American International Group's near-collapse is that capital and cash are not fungible within the different parts of a conglomerate financial institution.
Legal and regulatory restrictions limit the flow of capital and cash between legal entities within an enterprise. Even if the needed funds were available, these restrictions would have prevented AIG from dealing with its problems.
Some type of fungibility testing has been suggested within the European Union's Solvency II framework, and its potential value to risk management is now evident. Understanding the limits of capital and cash flow between legal entities within the same organization is vital.
#3: Understand and manage your risk culture.
At the end of the day, good risk management results from people doing the right thing. It is not sufficient for ERM to impact only a few people at the top of the organization, nor should it be put on the shoulders of employees without proper guidance. You should:
o Establish clear guidance on accountability.
Much has been said about setting the right "tone at the top" for ERM. Companies still have a long way to go to do that in a way that is clear and engaging to employees.
A starting point may be to articulate a company's mission, vision and values as well as its risk strategy and objectives.
Ultimately, though, it is management's own actions in holding people accountable in a way that reinforces the alignment of interests of employees, management and other stakeholders that will make a difference.
o Assess your risk culture regularly.
To make a difference in employee engagement, management needs to determine whether their impression of the company's risk culture is borne out by rank-and-file opinion.
Employee risk awareness and engagement should be assessed regularly to identify gaps between management expectations and employee understanding, with appropriate measures undertaken to bridge the divide.
These three aspects of risk management and supporting recommended actions were put forth with the view that had such practices been more firmly established, perhaps we might not be in the midst of such a severe financial crisis.
It is the actions we take now that can help us prepare to navigate the complex and inherently risky world of the future.

Prakash Shimpi is a global practice leader of enterprise risk management at Towers Perrin in New York. He is a Fellow of the Society of Actuaries and a Chartered Enterprise Risk Analyst. This article is based on his essay written for the Society about the financial crisis. He can be reached at firstname.lastname@example.org