Posts tagged ‘Governance’

Too Much Logic

March 13, 2018

Someone recently told RISKVIEWS that before a company could start a project to revitalize its risk governance structures it MUST update its Risk Appetite and Tolerance, because everything in an ERM program flows from Risk Appetite and Tolerance.  That suggestion is likely to be too much logic to succeed.

What many organizations have found is that if they are not ready to update their Risk Appetite and Tolerance, there are two likely outcomes of an update project:

  1. The update project will never be completed.
  2. The update project will be completed but the organization will ignore the updated Risk Appetite and Tolerance.

An organization will make a change when the pain of continuing on the existing course exceeds the pain of change.  (paraphrased from Edgar Schein)

So if an organization is not yet thoroughly dissatisfied with their current Risk Appetite and Tolerance, then they are not likely to change.

So you can think of the ERM program as the combination of several subsystems:

  • Governance – the people who have ERM responsibilities and their organizational positions – all the way up to the board.
  • Measurement – the models and other methods used to measure risk
  • Selection, Mitigation and Control – the processes that make up the every day activities of ERM
  • Capital Management – the processes that control aggregate risk including the ORSA.
  • Risk Reward Management – the processes that relate risk to prices and profits

When management of an organization is dissatisfied enough with any one of these subsystems, then they should undertake to revise/replace/improve that subsystem.

These subsystems are highly interconnected, so an improvement to one subsystem is likely to increase dissatisfaction with another subsystem.

For example, suppose the Governance subsystem is not working: people are not fulfilling their ERM related responsibilities, which they may not really understand.  When this subsystem is set right, people are aware of their ERM responsibilities, and then they find out that some of the other subsystems do not provide sufficient support for them.  They get dissatisfied and urge an upgrade to another subsystem.  And so on.

This might well result in a very different order for updating an ERM program than the logical order.

However, if the update follows the wave of dissatisfaction, the changes are much more likely to be fully adopted into ongoing company practice and to be effective.

[Image: Wave.  By Malene Thyssen – Own work, CC BY-SA 3.0]

Reviewing Board Level Engagement and Commitment to ERM

November 26, 2013

[The material following is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]


Make a seat at the table

July 5, 2013

The report of the Parliamentary Commission on Banking Standards titled “Changing banking for good” makes many bold statements about what is wrong with banking but stays very much in the area of timid when making recommendations for changes, most of which seem very much like the exercise of “rearranging the deck chairs on the Titanic”.  Take, for instance, the recommendation for changing from an Approved Persons Regime to a Senior Persons Regime.  You will need to read this carefully.  It seems just like the purposeless retitling that has been applied to the FSA.

So what sort of change could make a difference?  How about this:

Banks have been found guilty of taking advantage of a one sided option.  This option grants huge gains to shareholders and employees if risky behavior pays off and has limited downside in the case of a blow up of the risks undertaken.  Much energy has gone into seeking to make sure that there is going to be ANY downside in the future, since in the recent past, governments around the globe tended to rescue the investors and many of the employees of the banks that lost the worst.

One of the reasons that banks have become so very risky can be summed up in one word, LEVERAGE.  So a simple step that would cause the whole culture at the bank to immediately swing around towards the caution that seems desired would be to give the providers of debt capital a seat (or several) on the board of directors.  The number of seats going to bondholders would be proportionate to the proportion of capital provided by the bondholders.  The bondholder seats on the board could be capped at 1 less than a majority for a bank that was leveraged at a higher level.  Or they might be set according to the percentage of net income before the cost of debt servicing that is theirs.  That perhaps makes the most sense, since the riskiest firms are pledging the highest percentage of their income to their debt servicing.

The risk committee of the board could be chaired by one of these bondholder directors.  For firms above a certain percentage of debt financing (perhaps half way to the 49% position described above) the Risk Committee chair could have the power of the Veto as wielded by the Tribune of the Plebs in ancient Rome.

The bondholders would not want to harm the company, but they would have a very strong interest in keeping the bank from making any of those highly risky decisions that would wipe out the debtholders’ stake in the firm.  It only makes sense that if the majority of the earnings of the firm are going to service debt, the debtholders should be calling the shots.

The idea that a company exists only to enrich the shareholders is a fiction created by university writers in the last 50 years, and has no basis in law or custom.  It was created because it simplified the mathematical models that the financial economists wanted to build.  The model caught on because company management found it to be a convenient way to justify increasing their compensation.

Because, for the large part, bondholders were protected by government bailouts, they have largely continued to fund banks.  But the only way to rationally justify the continual funding of the opaque, highly risky banking enterprises via debt with almost no upside and plenty of possible downside is with a belief that bailouts will continue and will continue to protect bondholders.

If however, bondholders ever became convinced that their money really was at risk, and with the current structure, they would never learn how much at risk (see London Whale and MF Global stories and see if you can find any material disclosures of these risks), then they would either require a much higher spread that actually represented a risk premium for the uncertainty involved in bank risk or a seat at the table.

Seven Issues from 18 Crises

August 9, 2011

AIRMIC has recently published a study “Roads to Ruin” performed for them by the Cass Business School (CBS). They had asked CBS to identify lessons that could be learned from 18 high profile corporate crises of the last decade.  CBS found seven main causes for the 18 crises:

  1. Inadequate board skills and inability of board members to exercise control
  2. Blindness to inherent risks, such as risks to the business model or reputation
  3. Inadequate leadership on ethics and culture
  4. Defective internal communication and information flow
  5. Organizational complexity and change
  6. Inappropriate incentives, both implicit and explicit
  7. ‘Glass Ceiling’ effects that prevent risk managers from addressing risks emanating from top echelons

The full report goes through the 18 crises in detail.

Of the 18, 7 were finance related:

  • Enron
  • Arthur Andersen
  • Independent Insurance
  • HSBC / Nationwide / Zurich Insurance
  • Northern Rock
  • Société Générale
  • American International Group

All 18 occurred between 1999 and 2008.

In that time period, there were quite a few other firms that had major crises.  Such as:

  • Yamaichi Securities
  • The Equitable
  • HIH
  • Parmalat
  • WorldCom
  • The Accident Group
  • Terra Securities
  • Lehman Bros
  • Wachovia Bank
  • Bear Stearns
  • Merrill Lynch
  • Countrywide

These firms were also challenged by the same seven problems.  The first of those seven is key: board skills and the ability of the board to effect change.

The centrality of this issue is troubling to risk managers because the board skills and authority are almost always outside the risk manager’s control.

Just as troubling for the sponsors of the study, AIRMIC, an organization largely of insurance brokers, was that insurable risks played a very small part in any of the 18 crises.  This is a problem for their ideas of expanding from their current roles managing insurance programs to managing ERM programs.

ERM in most firms has not embraced the idea of managing Strategic Business Risk.  That is natural because CEOs usually see that as their personal job, not something likely to be delegated to a risk manager.

So ERM will usually be defined as managing ALL of the risks of the firm except the Strategic Risks.

10 ERM Questions from an Investor – The Answer Key (2)

July 6, 2011

Riskviews was once asked by an insurance sector equity analyst for 10 questions that they could ask company CEOs and CFOs about ERM.  Riskviews gave them 10 but they were trick questions.  Each one would take an hour to answer properly.  Not really what the analyst wanted.

Here they are:

  1. What is the firm’s risk profile?
  2. How much time does the board spend discussing risk with management each quarter?
  3. Who is responsible for risk management for the risk that has shown the largest percentage rise over the past year?
  4. What outside the box risks are of concern to management?
  5. What is driving the results that you are getting in the area with the highest risk adjusted returns?
  6. Describe a recent action taken to trim a risk position?
  7. How does management know that old risk management programs are still being followed?
  8. What were the largest positions held by the company in excess of the risk limits in the last year?
  9. Where have your risk experts disagreed with your risk models in the past year?
  10. What are the areas where you see the firm being able to achieve better risk adjusted returns over the near term and long term?

They never came back and asked for the answer key.  Here it is:

2.  One of the large banks that is no longer with us had, on paper, a complete ERM system with a board risk committee that they reviewed their risk reports with every quarter.  But in 2007, when the financial markets were starting to crack up, their board risk committee had not met for more than six months.  The answer to this question is the difference between a pretend ERM system and a real risk system.  The time spent should be proportionate to the complexity of the risk positions of the firm.  For the banks with risk positions that are so complex that they feel that they cannot possibly find enough paper to disclose them, there needs to be much more board time spent, since investors are relying on board oversight rather than market discipline to police the risk taking.  Ask Bernie what you can get away with if there is no disclosure and no oversight.

Many CEOs will tell you that the board has always spent plenty of time talking about risk.  This might be true.  But the standard now is for boards to have a formal risk committee.  Boards that have simply added risk to the Audit Committee’s agenda end up shortchanging either audit or risk or both.  The Audit Committee had a full plate before the Risk responsibility was added.

And for a larger complex firm, a single annual risk briefing is definitely not sufficient.  For a firm with an ERM program, the board needs to review the risk profile, both actual and planned, for each year, approve the risk appetite, approve the ERM Framework and policies of the firm, review the risk limits and be informed of each breach of the limits or policies of the firm.  If the firm has an economic capital model, the model results need to be presented to the board risk committee each year and updated quarterly.  Risks associated with anything new that the company is doing would be presented as well.

Does that sound like anything other than a full committee?  So your follow up question, if the CEO gives a vague answer, is to ask whether the board reviewed each of the items listed in the preceding paragraph in the past year.

Back to that former bank.  Their risk reports showed a massive build up in risk in violation of board approved limits.

And the board risk committee saved time by not meeting during the period of that run up in risk.


July 11, 2010

By Jean-Pierre Berliet

The MBO (Management By Objectives) process translates business objectives into performance targets and drives incentive compensation awards.  Certain weaknesses of MBO processes make companies more vulnerable to crises.

The MBO process is central to crisis prevention.  Weaknesses in the MBO process of an insurance company must be corrected to ensure that management actions do not unwittingly exacerbate risk and magnify the impact of crises.

Senior management often takes pride in its tough and disciplined approach to managing performance. This involves setting stretch objectives, rewarding managers who deliver, and punishing those who fall short. It is argued that a “greed and fear” approach is necessary to motivate managers and align their interests with those of shareholders. It is not widely recognized, however, that this approach can increase moral hazard and induce managers to make decisions that reduce the resilience of their company to crises.

In such performance management cultures, managers are incented to exceed management expectations by using all means available.  This may include:

  • Reducing or postponing spending on product or service quality, product leadership, process productivity, or customer service responsiveness
  • Under-pricing risks to increase business volume and earnings
  • Taking on higher investment risks to increase current investment yields
  • Under investing in market growth, thereby increasing short-term earnings but losing market share.

Actions like these can enhance short-term earnings, but they can also undermine a company’s competitive capabilities and value creation potential. This, in turn, can reduce the company’s ability to raise capital and thus its resilience. The introduction of risk adjusted performance metrics into a company’s control framework can help reduce the incidence of actions taken inappropriately to “game” the incentive compensation system. However, it is hard to detect moral hazard because the effects of actions taken can remain latent for years to come.

Moral hazard of this type tends to affect decisions where senior management focuses on reported financial results rather than on underlying operating success factors. Excessive, and sometimes exclusive, emphasis on financial results gives operating managers overly broad discretion to “make the numbers”. In many instances (e.g. AIG, Bear Stearns, Citigroup, Lehman Brothers) such an approach to oversight invited moral hazard with serious consequences. When combined with financial leverage and risk leverage, decisions tainted by moral hazard can result in enormous shareholder losses.

Insurance companies need to revamp their MBO frameworks to reduce the risk of moral hazard.  They need to establish corporate cultures in which discussions about objectives, strategies, and results, while never informed by perfect knowledge and foresight, are guided by “high road” values of trust and loyalty. Revamped MBO frameworks should explicitly include consideration of risk insights produced by ERM and verification of the alignment of actions taken with approved plans and strategies.

To accomplish such a transformation of their cultures, insurers may need to link their ERM and MBO processes through the implementation of:

  • Risk-adjusted financial performance metrics
  • Risk-adjusted performance benchmarks, related to expectations of capital market investors
  • Incentive compensation awards linked to long-term measures of business value, including indicators of operational performance, and current profits.

Since no company operates with perfect foresight, Boards of Directors need to grant adequate discretion and flexibility to senior management for performance management.  Adjusting objectives and targets can be of critical importance when business conditions change unexpectedly. In an uncertain world, rigid enforcement reinforces greed and fear elements of corporate cultures, undermines trust, breeds cynicism and “gaming the system”, and increases moral hazard by inducing behavior that can, in time, fatally weaken an insurance company.

©Jean-Pierre Berliet

Berliet Associates, LLC

(203) 247-6448

Monty Python on governance, risk, and compliance

November 10, 2009

Guest Post from Riskczar

I read too much about what GRC needs or what ERM needs but far too often suggestions read like my favourite Monty Python skit (a lot of easier said than done steps):

Alan: Well, last week we showed you how to become a gynecologist. And this week on ‘How to do it’ we’re going to show you how to play the flute …but first, here’s Jackie to tell you all how to rid the world of all known diseases.
Jackie: Hello, Alan.
Alan: Hello, Jackie.
Jackie: Well, first of all become a doctor and discover a marvellous cure for something, and then, when the medical profession really starts to take notice of you, you can jolly well tell them what to do and make sure they get everything right so there’ll never be any diseases ever again.
Alan: Thanks, Jackie. Great idea. How to play the flute. (picking up a flute) Well here we are. You blow there and you move your fingers up and down here.

So when I read very articulate comments like these from the blog Corporate Integrity, it makes me think of how you play the flute:

Risk management does not happen in a vacuum … The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. … Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures.

… organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite.

Again, easier said than done. I am not criticizing this approach, I actually agree 100% with what he writes, it’s just very difficult to execute.

Telling someone how to play the flute is not the same as teaching him or her how to play the flute, which takes a lot of time, patience and practice. And telling business leaders or organizations what boards and committees need to do is not the same as getting buy-in, getting them to do it and being successful at it.
