2 | 2009
Don’t Throw the Baby Out With the Bathwater

ERM has received its share of the blame for the current financial mess. While there are some problems with current practice, it needs a bit of fixing, not wholesale renovation.

Chuck the Baby, Too

As currently practiced, ERM is useless at best and creates increased enterprise risk at worst. The role of ERM in organizations requires a complete rethinking.

"Why has enterprise risk management failed so spectacularly, and is there a need to start over again?"

-- Robert N. Charette, Guest Editor

Opening Statement

Many economists believe that the risks present in the current global economic downturn have the potential to repeat the Depression years of the 1930s. Already, in the US alone, pension accounts have lost $2 trillion; one in six homeowners owe more on their mortgages than their homes are worth; 2.6 million workers lost their jobs in 2008; and the Big Three automakers, even with government bailouts, are at serious risk of declaring bankruptcy, raising the possibility of a further million or more jobs lost.

Furthermore, the economic crisis is not confined to the US but extends across the globe. For instance, the UK is in a recession for the first time in 17 years, with an unemployment rate expected to reach double digits. The Bank of England has had to slash interest rates to the lowest level in over 300 years in an unprecedented attempt to stimulate the country's economy. Banks are on the verge of being nationalized, and the threat of national bankruptcy is more than mere speculation. Other countries in recession include Russia, Canada, Sweden, Japan, Italy, Germany, and Singapore, with still others expecting to join them soon. Governments everywhere are struggling to stabilize their individual economies from the effects of the financial contagion that started with subprime mortgages in the US, spread to the near prime and prime mortgage markets, and has since extended to the financial credit, corporate credit, and consumer credit markets.

RISK MISMANAGEMENT

Ironically, fingers have been pointing at risk (mis)management as a major cause of the current economic crisis. News reports have indicated that the enterprise risk management (ERM) models and processes used by banks, mortgage companies, and financial institutions to identify and manage their risk exposure -- and by governments to judge the risk exposure of these entities -- were inadequate at best and useless at worst. An article in the New York Times showed that while quantitative risk analysis models such as Value at Risk (VaR) were valuable in many specific financial circumstances, the models could also be highly misleading, especially when used by decision makers who are not risk management experts.1 And the Wall Street Journal reported that the quantitative risk management models used by the global insurance company American International Group (AIG) contained serious flaws and limitations that encouraged AIG to be more optimistic than it should have been about the level of risk to which it was ultimately exposed.2

AIG was not alone in this regard. The British bank HSBC often boasted that it had more than 150 in-house PhDs who were experts in modeling the credit risk posed by the subprime loans the bank offered. Unfortunately, all those expert risk modelers didn't keep HSBC from having to take $10 billion-plus in write-offs to cover its losses from those same loans. Poor risk management models at Lehman Brothers, Bear Stearns, and a host of other financial institutions have also been cited as a major cause of their having to write off tens of billions of dollars in bad investments (and, in the case of Lehman and Bear Stearns, of their subsequent demise). Investor Warren Buffett recently summed up the skepticism about complicated quantitative risk management models this way: "All I can say is, beware of geeks ... bearing formulas."3

IGNORING RISK MANAGEMENT

But even where the risk management models were doing what they were supposed to do -- warning decision makers of potential problems -- executives often ignored the warnings given. Daniel Mudd, CEO of the US government-sponsored mortgage giant Fannie Mae, ignored his chief risk officer's warnings that the company was approving too many risky loans. Not only did Mudd not stop the practice, he directed Fannie Mae to make even riskier loans to try to generate even higher profits for the company -- but not before cutting his CRO's budget.4 His counterpart at Freddie Mac, CEO Richard Syron, went one better. When his CRO raised concerns over the same practice, Syron simply fired him.5 Both Fannie Mae and Freddie Mac are now wards of the US government.

Then there is the case of the Swiss bank UBS, an institution that has for years touted its world-class ERM prowess. In 2008, UBS had to write off over $30 billion to cover poor loans as well. UBS management put this down to an "absence of risk management,"6 but "absence" is too gentle a word. In fact, risk management processes and models at UBS were manipulated to allow for more risk to be taken, instead of limiting the bank's exposure.

FAILURE OF GOVERNMENT RISK REGULATORS

I hasten to add that government regulators didn't manage risk any better than executives in the private sector. Even as the financial market started collapsing, US, UK, and other governmental regulators were in essence singing to the public the lyrics of Bobby McFerrin's 1988 song, "Don't Worry, Be Happy."

US Federal Reserve Chairman Alan Greenspan expressed "shock" late last year at the financial turmoil taking place -- even though he himself had warned in 2005 of a growing housing bubble.7 Greenspan said in public testimony in February of that year that if Fannie Mae and Freddie Mac were allowed to "continue to grow, continue to have the low capital that they have, continue to engage in the dynamic hedging of their portfolios, which they need to do for interest rate risk aversion, they potentially create ever-growing potential systemic risk down the road. We are placing the total financial system of the future at a substantial risk."8 However, Greenspan ignored his own warnings and did little to stop the housing bubble other than to issue even more warnings, which were ignored in turn by the US Congress, the Bush administration, and other federal regulators. Greenspan's successor, Ben Bernanke, followed the same path: warn but don't act.

MANAGING RISK IN DIFFICULT ECONOMIC TIMES

All of this leads to the questions that prompted this issue of Cutter IT Journal: why has enterprise risk management failed so spectacularly, and is there a need to start over again? What, if anything, can be done to manage risk better in this economic downturn?

Risk management has gone through two major epochs, the first of which started in the 1950s and lasted into the late 1980s. This era was characterized by the initial rise of formal risk management practice in corporations, starting first in the insurance departments and then spreading into other parts of the organization, especially the CFO's office.

In the late 1980s, corporations realized that corporate risk management efforts were operating in independent, departmental silos. This silo approach created duplicative risk management efforts, which meant that some risks were being overmanaged while others were being ignored. The need for an integrated approach to risk management became apparent, and thus enterprise risk management was born. The financial institutions were among the first to implement ERM, which took an integrated, highly quantitative, model-driven approach to managing financial risk. These institutions believed that nearly all financial risk could thus be effectively and profitably hedged. Obviously, they believed wrong.

Which brings us to the core question: is it time for a major reformulation of what enterprise risk management means and how it is practiced? Corporations' current approaches to ERM are obviously wanting -- if not thoroughly discredited. What is not obvious is what, if anything, to do about it. For example, are there fundamental flaws with the current risk models and methods that underpin ERM? Or are the models perfectly fine within their limits, and it is their implementation -- especially in terms of creating a supportive, risk-aware organizational culture -- that has caused the problems?

In this month's issue of Cutter IT Journal, we have five articles that address these questions. The first is by Barbara Quinn, who argues that enterprise risk management has been an unmitigated failure and that "all of our risk management models, frameworks, theories, and templates will continue to fail, no matter how elegant, sophisticated, integrated, or beautifully drawn they are." She argues that risk management has fallen short not because of process or technique, but because of human failings. What's needed, Quinn says, is nothing less than a complete examination of what went wrong and why it went wrong, especially with regard to the motivations that drove "normally intelligent people to make horribly wrong decisions."

Our next article is by Payson Hall, who wonders why effective risk management seems to encourage poor risk management. Do the intellectual demands of effective risk management exceed human capability, or do competing forces challenge our efforts to build and sustain good risk management practices? Hall explores these questions in the light of human decision biases and organizational behaviors and concludes with suggestions for stabilizing what he calls the "boom-and-bust" risk management practice implementation cycle.

Next, Rick Brenner looks at the problems of ERM through the prism of organizational politics. Brenner defines organizational politics as "what happens when people in an organization contend for power, control, or dominance, or when they encounter differences of opinion when resolving specific issues using organizational resources." Brenner describes how organizational politics interferes with effective risk management and offers mechanisms for controlling it.

Darren Dalcher then offers a very thought-provoking article that asks whether risk management has paradoxically increased the level of risk we face, in the same way that safety engineers have learned that adding safety devices can actually contribute to failures and accidents. Dalcher argues that we require a new "design" culture that actively engages with risk, especially the emerging types of risk and uncertainty created by the very process of managing risk.

In the final article, my colleague Brian Hagen and I argue that enterprise risk management does in fact need reforming. We identify three gaps in current ERM practice: (1) improper definition of what should be considered the true risk management "system of interest"; (2) the fact that members of almost all enterprises are not empowered to manage risk effectively; and (3) the lack of understanding that an enterprise's problems, risks, and opportunities all must compete for the same limited resources. If these gaps can be reduced, we argue, ERM can take its place once more as an effective organizational practice.

Each of the five articles discusses in essence what the risks of enterprise risk management are and offers different ways to think of them as well as mitigate them. I encourage you to read all the articles -- I think they will challenge your views on risk, its management, and the value of ERM.

ENDNOTES

1 Nocera, Joe. "Risk Mismanagement." New York Times, 2 January 2009 (www.nytimes.com/2009/01/04/magazine/04risk-t.html?_r=1&pagewanted=all).

2 Mollenkamp, Carrick, Serena Ng, Liam Pleven, and Randall Smith. "Behind AIG's Fall, Risk Models Failed to Pass Real-World Test." Wall Street Journal, 31 October 2008 (http://online.wsj.com/article/SB122538449722784635.html).

3 Buffett, Warren. "I Haven't Seen as Much Economic Fear in My Adult Lifetime: Interview with Warren Buffett." By Charlie Rose. Charlie Rose Show, 1 October 2008 (www.cnbc.com/id/26982338/page/2).

4 Waxman, Henry. Chairman Waxman's Opening Statement. US House of Representatives Committee on Government Oversight and Reform, 9 December 2008 (http://oversight.house.gov/story.asp?ID=2285).

5 Waxman. See 4.

6 Shareholder Report on UBS's Write-Downs. UBS AG, 18 April 2008 (www.ubs.com/1/ShowMedia/investors/shareholderreport?contentId=140333&name=080418ShareholderReport.pdf).

7 Andrews, Edmund. "Greenspan Concedes Error on Regulation." New York Times, 23 October 2008 (www.nytimes.com/2008/10/24/business/economy/24panel.html).

8 Greenspan, Alan. Testimony of Chairman Alan Greenspan. US Senate, Committee on Banking, Housing, and Urban Affairs, 16 February 2005 (www.federalreserve.gov/boarddocs/hh/2005/february/testimony.htm).

ABOUT THE AUTHOR

Many economists believe that the risks present in the current economic downturn have the potential to repeat the Depression years of the 1930s. Governments across the globe are struggling to stabilize their individual economies from the financial contagion that started with subprime mortgages and spread all the way to the corporate and consumer credit markets. As governments commit trillions of dollars in coordinated risk mitigation efforts to try to prevent a total global economic meltdown, ironically, fingers are also pointing at risk (mis)management as a major cause of the current economic crisis. Poor risk management models have been blamed, at least in part, for the problems at Lehman Brothers, Bear Stearns, and UBS -- which in the first two cases led to their demise. Investor Warren Buffett recently summed up the skepticism about complicated quantitative risk management models, noting: "All I can say is, beware of geeks ... bearing formulas."

In this issue of Cutter IT Journal, we debate the role of risk management in the current economic crisis. Hear from one author who pins the economic collapse not on flawed risk management models, but on the lack of moral fiber in executive suites and boardrooms. Learn how the "predictable irrationality" of human beings is to blame for the waxing and waning of enterprise risk management efforts -- and what you can do to stabilize risk management practice in your organization. And discover the three enterprise risk management gaps you must close to help your organization withstand risks and ultimately improve the creation -- and protection -- of shareholder value.