By Jay Tikam, Managing Director of Vedanvi
Long Term Capital Management (LTCM) in 1998, almost caused the collapse of the entire global financial system. Ten years later, complex derivatives almost brought the global financial system to near meltdown, wiping out global conglomerates including Lehman Brothers, Merrill Lynch, and parts of AIG. Unfortunately, financial services failures continue in 2012:
-
In May, J P Morgan recorded massive losses amounting to $5.8 billion in a portfolio of credit derivatives. The CEO, Jamie Dimon, blamed “errors, sloppiness and bad judgment” for the loss.
-
In June, UK and US authorities fine Barclays a record £290 million for fixing LIBOR (London Interbank Offer Rate). Several Board members are forced to resign, with seven other global banks now facing regulator investigations in the US.
-
In June, a “technical failure” disrupts banking services for millions of customers of Royal Bank of Scotland, NatWest and Ulster Bank as new systems were being implemented, causing widespread disruption to the payment system.
-
In July, a US Senate investigation found that lax controls allowed the Mexican Drug Cartels to launder billions of dollars through the US Division of HSBC, opening HSBC to a record fine of potentially $1 billion. According to the investigation, the problem persisted for seven years.
All of these firms had sophisticated risk management infrastructure, so did ERM fail, or was it implemented and embedded incorrectly?
Certainly many insurers have remained resilient throughout the crisis due principally to careful underwriting, and their prudent approach to risk. Did ERM work for them?
A 2009 white paper by Risk and Insurance Management Society (RIMS), entitled “The 2008 Financial Crisis: A Wake Up Call for Enterprise Risk Management” contends that the ERM framework is in fact sound, and that the financial crisis resulted from:
-
System-wide failure to embrace appropriate enterprise risk management behaviour or attributes;
-
Apparent failure to develop and reward internal risk management competencies; and
-
A failure to use ERM to inform management’s decision making for both risk taking and risk-avoiding decisions.
Effective implementation of ERM is therefore the key to avoiding losses or catastrophic failure of firms.
Three key failures of ERM implementation are usually:
1. The stature and role of the risk function – the need for a partnership approach
Independence of the risk function over effectiveness has been the key focus, and the three lines of defense model may well be flawed. Imagine the watchman of the Titanic seeing the iceberg approaching, yet sitting back and reviewing the actions of the captain and his team, rather than shouting out to change course. Assuming all parties survive, the watchman then goes on to tell the captain’s team where they went wrong.
The role of the risk function (in such a structure) has been reduced to that of a policing role. Risk management has become a mere reporting and control activity with the focus on supervision, rather than giving constructive and timely advice.
Like legal advisors, risk managers must gain the respect of the business through their competence, knowledge of the business, and valuable advice focusing equally on opportunities and risks. They should be in constant contact and communication with the business; building trust, relationships and a sense of partnership. If their advice is valued and truly makes a difference to business performance, then the risk function will no longer need to rely on enforcement authority, but will naturally secure a seat at the business table as a valuable member of a team, bringing a sense of balance in a world that’s only driven towards short term excess profits.
2. Risk management has become a mathematical exercise with over-reliance on models.
Actuaries, financial managers, consultants and indeed regulators, advocate a primarily “scientific” and quantitative approach to enterprise risk management, according to RIMS. Financial models rely on expected distribution of losses based on past experience. Risk management efforts focus on a moderate deviation from the expected norm, ignoring tails in the financial models as being insignificant and unlikely.
History has shown that any scenarios, even low frequency and high impact ones, are now likely and firms need to be prepared for worst case scenarios with robust mitigation and contingency plans.
Models are useful input to understanding and managing risks, only when combined with judgment, experience and questioning of the outputs.
3. Risk management has become a capital and compliance exercise – it needs to move towards becoming a business imperative.
The boundary between ERM and compliance has been blurred, especially since many of the initiatives to strengthen risk management has been driven by major regulatory change programmes such as Basel II, III and Solvency II.
Minimum compliance is the goal of some ERM frameworks, and some businesses devise their own means to understand and manage risks in isolation and out of line with the very frameworks put in place for sensible risk taking. This is not helped by the fact that regulations sometimes deviate from accepted business norms, making it difficult for businesses to use the regulatory based ERM frameworks to make business and risk decisions, despite the “use test” dictating so. Many firms have to keep dual systems such as a regulatory and economic capital model.
It is imperative that regulatory change programmes are implemented with significant business involvement, if not entirely driven by them. Typically these programmes (especially in large organisations) start out in the risk or finance functions and, realising the enormity of the task, then start to be driven by external consultants who work in isolation of the business in order to - in the end - hand them a framework by which they are required to manage their business.
|