Read the book Implementing Enterprise Risk Management - Lam James - Page 15
Part One
ERM in Context
CHAPTER 2
Key Trends and Developments
LESSONS LEARNED FROM THE FINANCIAL CRISIS
The economic landscape that emerged following the Great Recession was vastly different from what existed prior to the 2007–2008 period. Regulators demanded that banking institutions increase capital and liquidity reserves, enhance transparency, curb risk appetite, and tighten controls. This had positive as well as negative effects. On the positive side, the regulations provided a basis for forward-looking analysis such as stress testing and scenario modeling. On the downside, however, many companies failed to take these hard-won lessons to heart, focusing exclusively on meeting regulatory requirements without considering ERM in a broader, more strategic context. In addition, many firms effectively overreacted to the economic hardship that followed the crisis. Rather than becoming risk-smart, they became risk-averse. Without risk, of course, there can be no reward, so these companies stumbled on without much of a strategic outlook beyond mere survival.
In all, seven fundamental trends emerged after the financial crisis that together have shaped the practice of risk management for the past decade:
1. Much stricter compliance requirements
2. Increased board-level risk oversight
3. Greater risk management independence
4. Focus on enterprise-wide risk management
5. Improved board and management reporting
6. Creation of objective feedback loops
7. Better incentive compensation systems
Below, we'll take a look at each of these in greater detail.
Much Stricter Compliance Requirements
For better or worse, compliance quickly became a primary driver of risk management. The formalization of heightened regulatory scrutiny in the financial services industry fundamentally increased the scope and responsibility of the risk management function. The same held true in other sectors as well. The insurance industry, for example, implemented the Own Risk and Solvency Assessment (ORSA) in order to determine the ongoing solvency needs of insurance institutions with regard to their specific risk profiles.
Compliance with laws and regulations is an important objective in any risk management program, but we must remember that it is a necessary but insufficient condition for success. Regulations are blunt instruments designed to establish minimum standards for an entire industry, but they don't always represent best practices. For example, banking regulators established Basel II, and more recently Basel III, to link regulatory capital requirements with a bank's risk profile. However, leading banks have developed more sophisticated economic capital models that better represent the risk-return economics of their businesses. Moreover, new regulations often overreact to past problems. The Sarbanes-Oxley Act (SOX), for example, was enacted in the aftermath of accounting frauds at large corporations such as Enron and WorldCom. While accounting controls are important, they are only a subset of operational risk management techniques, and operational risk is itself a subset of enterprise-wide risks. In fact, one can argue that the emphasis on accounting controls in the post-SOX period has been misguided, given that risk is mainly driven by future events, whereas accounting statements reflect past performance. In order to be effective, a risk management program must be forward-looking and driven by the organization's business objectives and risk profile, not by regulatory requirements.13
Increased Board-Level Risk Oversight
These new laws and regulations also shaped risk governance and oversight at the board level. Section 165 of the Dodd-Frank Wall Street Reform and Consumer Protection Act specifies that “FRB (Federal Reserve Bank) must require each publicly traded bank holding company with $10 billion or more in total consolidated assets…to establish a risk committee [of the board]…Risk committee must…include at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”14
According to PwC's 2014 corporate directors survey, boards are becoming increasingly uncertain that they have a solid grasp on their company's risk appetite, with 51% saying they understand it “very well” in 2014, down from 62% in 2012.15 It seems that boards are beginning to recognize that it's not enough to be the “audience” with respect to risk reporting and updates, but they must become active “participants” in providing credible challenges and setting policies and standards. In the past, boards approved risk policies, reviewed risk reports, and viewed PowerPoint presentations designed mainly to assure them risks were well managed. In order to provide effective oversight, however, boards must be active participants in the risk management process. They must debate risk-tolerance levels, challenge management on critical business and financial strategies, and hold management accountable for the risk–return performance of past decisions. To strengthen their oversight, boards should consider establishing a separate risk committee, especially at risk-intensive companies (e.g., banking, insurance, energy). At a minimum, each board and its standing committees must ensure that risk management is allocated sufficient time and attention. Boards should also consider adding risk experts to their ranks.
Greater Risk Management Independence
During the excesses of the pre-crisis environment, where was risk management? Why didn't we hear about chief risk officers going directly to the board, or quitting out of protest given what was going on under their watch? I believe a central issue was the continued lack of true independence of risk management, which companies are only now beginning to address seriously. Since the trading losses suffered by Barings and Kidder, Peabody in the mid-1990s, companies have worked to ensure that the risk management function was independent relative to trading, investment, and other treasury functions. However, companies are finally going further to ensure that risk management remains independent relative to corporate and business-unit management as well. This is similar to the independence that internal audit enjoys, though to a lesser extent because risk management should function both as a business partner and risk overseer. One organizational solution has been to establish a dotted-line reporting relationship between the chief risk officer (and chief compliance officer) and the board or board risk committee. Under extreme circumstances (e.g., CEO/CFO fraud, major reputational or regulatory issues, excessive risk taking), that independent dotted-line reporting relationship can ensure that the chief risk officer can go directly to the board without concern about his or her job security or compensation. Ultimately, risk management must have an independent voice to be effective. A direct communication channel to the board is one way to provide that.
Focus on Enterprise-Wide Risk Management
A key lesson from the latest financial crisis as well as those preceding it is that major risk events are usually the consequence not of one risk, but of a confluence of many interrelated ones. Historically, companies managed risk within silos, with each organizational division handling its own, but, in 2008, it became glaringly obvious that this approach could lead to catastrophic failure. Even as the crisis was unfolding, the Wall Street Journal reported that the risk model used by AIG to manage its credit derivatives business only considered credit-default risk, but not the mark-to-market or liquidity risks associated with the business.16 Companies should implement ERM programs to analyze multi-risk scenarios that may have significant financial impact. For banks, that means integrating analyses of business, credit, market, liquidity, and operational risks. Insurance companies must also assess the correlations between investment, liability, interest-rate, and reinsurance risks. All companies must manage strategic risks and the critical interdependencies across their key risks on an organization-wide basis.
In the United States, the Federal Reserve implemented a series of formal stress-testing requirements for banks to quantify their vulnerability to various risk scenarios. The Fed's Comprehensive Capital Analysis and Review (CCAR) assessment provides independent review of the capital plans for banks and bank holding companies with assets in excess of $50 billion. Additionally, the adoption of Dodd-Frank mandated that all banks with greater than $10 billion in assets must conduct stress testing on an annual basis. The Office of the Comptroller of the Currency (OCC) published final rules in 2014 to meet the stress-testing requirement. Known as DFAST (Dodd-Frank Act Stress Test), the rules require all banking institutions with between $10 billion and $50 billion in assets to conduct and report results of formal stress testing exercises.
Improved Board and Management Reporting
It would be difficult if not impossible to implement ERM while companies continue to measure and report risks in silos. There is a general sense of dissatisfaction among board members and senior executives with respect to the timeliness, quality, and usefulness of risk reports. About a third of respondents to a 2016 Corporate Board Member survey felt information flow between their board and management could be improved through a higher frequency of updates (36%), more concise reporting (31%), or more time to review materials prior to a meeting (34%).17 Many companies still analyze and report on individual risks separately. These reports tend to be either too qualitative (risk assessments and heat maps) or too quantitative (financial and risk metrics). Risk reports can also focus too much on past trends and current risk exposures. In order to establish more effective reporting, companies should develop forward-looking, role-based dashboard reports. The risk team should customize these reports to support the decisions of their target audience, whether the board, executive management, or line and operations management. Dashboard reports should integrate qualitative and quantitative data, internal risk exposures and external drivers, and key performance and risk indicators. Moreover, risk analyses should be reported in the context of business objectives and risk appetite.
Creation of Objective Feedback Loops
How do we know if risk management is working effectively? This is perhaps one of the most important questions facing boards, executives, regulators, and risk managers today. The most common practice is to evaluate the effectiveness of risk management based on the achievement of key milestones or the lack of significant risk incidents and losses. However, qualitative milestones or negative proofs should no longer be sufficient. I made this point when I was interviewed by the Wall Street Journal on the rise of chief risk officers in the aftermath of the financial crisis. In the article,18 I emphasized the need for an objective feedback loop for risk management, and was quoted as saying, “AIG and Bear Stearns were doing fine until they weren't.” My point was made in jest, but boards and management should not rely on the absence of a bad situation as evidence that effective risk management is in place.
Organizations need to establish performance feedback loops for risk management that are based on defined objectives, desired outcomes, and data-driven evidence. Other corporate and business functions have such measures and feedback loops. For example, business development has sales metrics, customer service has customer satisfaction scores, HR has turnover rates, and so on.
While various types of feedback loops can benefit an ERM program at every level, one that should be considered by all for-profit companies incorporates ex-ante analysis of earnings at risk followed by ex-post analysis of earnings attribution. Over time, the combination of these two analyses would provide a powerful performance measurement and feedback loop. (I offer a complete description of this feedback loop in Chapter 20.) This would help the board and management ensure that risk management is effective in minimizing unexpected earnings volatility – a key goal of enterprise risk management. Finally, I believe this type of analysis should be provided alongside the earnings guidance of publicly traded companies. Relative to the current laundry-list and qualitative approach to risk disclosure, earnings-at-risk and earnings-attribution analyses can provide much higher levels of risk transparency to investors.
Better Incentive Compensation Plans
The design of executive incentive compensation systems is one of the most powerful levers for effective risk management, yet companies have so far paid insufficient attention to how incentive compensation systems influence risk-return decisions. For example, if executive compensation is driven by revenue or earnings growth, then corporate and business executives might be motivated to take on excessive risks in order to produce higher levels of revenue and earnings. If executive compensation is driven by stock price performance via stock options, decision-makers might also be motivated to take on excessive risks to increase short-term stock price appreciation. Unethical executives might even be tempted to manipulate accounting rules.
Traditional executive compensation systems do not provide the appropriate framework for risk management because they motivate excessive risk taking. Moreover, the corporate structure creates potential conflicts between management and investors. In essence, executives are betting with “other people's money”: Heads they win, tails investors lose. To better align the interests of management and investors, long-term, risk-adjusted financial performance must drive incentive compensation systems. Boards and management must consider not only what business performance was produced, but also how. Companies can achieve this by incorporating risk management performance into their incentive compensation systems; establishing long-term risk-adjusted profitability measurement; and using vesting schedules consistent with the duration of risk exposures and/or claw-back provisions.
13. Lam, James. “What Is Wrong with Risk Management? The Reasons Why Risk Management Should Take a Front Seat in Today's Corporate Decision Making,” Association for Financial Professionals, 2009.
14. Dodd-Frank Wall Street Reform and Consumer Protection Act (H.R. 4173 (111th)), 2010.
15. “Trends Shaping Governance and the Board of the Future: PwC's 2014 Annual Corporate Directors Survey,” PwC, 2014.
16. Mollenkamp, Carrick, Serena Ng, Liam Pleven, and Randall Smith. “Behind AIG's Fall, Risk Models Failed to Pass Real-World Test,” Wall Street Journal, October 31, 2008.
17. Nolen, Melanie. “Half Empty: What Directors Think,” Corporate Board Member, 2016.
18. Davy, Peter. “Cinderella Moment,” Wall Street Journal, October 5, 2010.