Did ERM Fail AIG, Or Vice Versa?

After I hailed the benefits of enterprise risk management in my Feb. 9 blog, suggesting that a chief risk officer might have helped AIG avoid some of the systemic exposures that nearly destroyed the company (and our economy along with it), readers took me to task for failing to note that such an individual actually was on the case, and what that might mean for ERM's validity.

As it turns out, AIG did indeed have in place a vast ERM oversight structure, led by a CRO–for all the good it did the firm and those of us paying to bail them out.

In any case, I apologize for failing to do my homework before spouting off about how ERM might have saved AIG, and us taxpayers, a lot of money and grief.

Still, my fundamental question remains: Does the fault for AIG's financial crisis lie with ERM, or with AIG's failure to properly implement the concept?

The company's 2007 10-K makes clear that ERM was in place–at least in theory. Yet reckless derivatives trading–in the form of credit default swaps, covering those who blindly bought collateralized debt obligations backed by worthless subprime mortgages (or who were speculating in that Wild West market with naked trades)–still nearly drove AIG out of business, and prompted Uncle Sam to throw the company a life preserver, costing tens of billions in public bailout funds.

On page 166 of its 10K, AIG notes that its “major risks are addressed at the corporate level through ERM, which is headed by AIG's Chief Risk Officer.” It goes on to say that “an important goal of ERM is to ensure that once appropriate governance, authorities, procedures and policies have been established, aggregated risks do not result in inappropriate concentrations.”

A few paragraphs earlier, AIG acknowledged the potentially catastrophic risk of ignoring ERM principles. “Failure to manage risk properly,” the company conceded, “exposes AIG to significant losses, regulatory issues and a damaged reputation.”

I would certainly say that credit default swaps exposed AIG to “significant losses, regulatory issues and a damaged reputation,” wouldn't you?

On paper, AIG seemingly took all the proper ERM steps. The 10K notes that senior management established “various oversight committees to monitor the risks attendant to its businesses.”

Indeed, on page 178, the company reports that “both AIG's ERM department and [AIG Financial Products] have conducted risk analyses of the super senior multi-sector CDO credit default swap portfolio of AIGFP. There is currently no probable and reasonably estimable realized loss in this portfolio” as of Dec. 31, 2007.

Talk about famous last words!

So what went wrong? Why didn't the CRO and the Financial Risk Management Committee on which he served spot the potentially overwhelming exposures being assumed by AIG's Financial Products unit, sound the alarm and see to it that a meltdown was averted?

I'd certainly like to ask CRO Robert E. Lewis, who has served in that post since July 2004, and who sits on AIG's Financial Risk Management Committee, “established in 1993 to oversee and approve all financial transactions, investments and credit exposures,” a company press release explained.

But that's not possible for the moment, as I'm told by AIG's communications department that the firm has entered its regulatory “quiet period” prior to reporting year-end earnings, and thus cannot respond to press inquiries about such internal matters.

You can bet I'll be asking for an interview with the CRO as soon as that quiet period is lifted. Stay tuned!

In the meantime, we can only speculate about why ERM failed so miserably at AIG.

Some readers responding to my blog and NU magazine column on the subject believe that ERM itself is a flawed, utopian concept doomed to failure.

One reader scoffed openly at the ability of ERM to withstand internal pressures to produce higher profits:

“Sam, do you honestly think that some poor undermanned staff officer like an Enterprise Risk Officer could have stood up against the tide and the (short-term) profits, and the CEO, and the political winds, and the quants with their mathematical models that fed this bubble and led to its collapse? Especially one who is dependent on the CEO for his job and his pay?”

Another e-mailed to put in their “two cents worth,” stating that “the lesson in this is that ERM sounds great in theory, but it is extremely difficult in practice. It is likely that most, if not all, of the failing financial institutions had ERM departments.”

However, this reader added, “for the concept to work, the ERM has to have the following:

–”First, a great deal of power in the organization. (Likely, most are advisory in nature and walk on egg shells to ensure their corporate survival.)”

–”Two, be experts at everything. All the transactions of a corporation are too complicated for most people to understand fully. Most ERMs rely on information from other departments, which aren't going to provide info that makes them look bad.”

These are all excellent points, and I cannot argue with the fact that the proof is in the pudding. AIG apparently had multiple layers of enterprise risk management in place and a CRO in charge, yet none of those internal controls kept the Financial Products unit from driving AIG off a cliff, with the taxpayers forced to hop on for the ride in mid-air!

I have not lost faith. I still believe, as Shakespeare so brilliantly observed in “Julius Caesar,” that “the fault lies not in our stars, but in ourselves.” If organizations merely pay lip service to enterprise risk management, or if those charged with ERM are not up to the task–if CROs are either powerless or clueless–then ERM is just window dressing.

Corporate America needs full-blooded ERM–backed unwaveringly by senior management, with those on the case fully engaged and prepared to tackle their critical overview responsibilities–or else we are doomed to endure more financial debacles and economic catastrophes down the road.

What do you folks think?