
Navigating a Crisis with ERM

Corporate Secretary

The subprime lending crisis, which has brought down some of the biggest names on Wall Street and across the globe and has grown into a worldwide financial crisis, is raising many questions. Not least among them is how the boards of directors and management of these venerable institutions could have permitted risky subprime investments to damage their companies so severely.

Board members and management of companies from across the financial spectrum are being heavily criticized for failing to recognize the degree of risk they were assuming, and are being asked to explain whether they engaged in enterprise risk management and analysis before or after making such investments. Occasionally, such criticism unfairly relies on 20/20 hindsight. Nevertheless, the business reputations of these directors and executives have been severely damaged.

All companies today should be engaged in enterprise risk management on an ongoing basis. It is currently a best practice; it may become a legal requirement in the future.

Enterprise risk management (ERM) is a process that requires each organization, whether public, private or not-for-profit, to examine its business or activity from the viewpoint of identifying and managing risk. The management of every organization owes a duty to each of its stakeholders, as a matter of good corporate governance, to identify and manage the major risks to the organization's business or activities. Regulators, shareholders and other stakeholders expect the board of directors and management to perform ERM. The failure to perform ERM is not only embarrassing but may result in attempts by activist shareholders and regulators to replace the board and management, in institutional failure and in legal liability.

The ERM process consists of four steps: risk identification; risk prioritization; critical risk analysis; and implementation, including integration of ERM into the daily operations of the company.

Risk identification requires assembling the expertise necessary to perform ERM. Companies should use a combination of internal executives and external consultants, including industry specialists, accountants and attorneys. All major risks should be identified and categorized as operational, financial, technology, accounting, and so on.

The first layer of risk amelioration is insurance. The company must therefore separate insurable from non-insurable risks. Insurance policy terms must be reviewed by an attorney specializing in this area. Unfortunately, the insurance managers of most large organizations are incentivized to obtain insurance at the lowest possible cost, and the result is coverage that may not be adequate for the organization's needs.

It is important, therefore, to have an attorney specializing in insurance review the policy coverages and look for significant loopholes. The review should include business interruption insurance, D&O insurance, general liability and other major policies. The reviewing attorneys must collaborate with insurance brokers to determine what additional coverage is available at reasonable prices and should identify all available policy endorsements that the company's insurance manager elected not to obtain.

Finally, the financial strength of the insurance company must be carefully evaluated, and this evaluation should not rely solely on rating agency scores.

Non-insurable risks should be identified by analyzing the company's operations and by studying problems that have occurred at other companies in the same or related industries.

Special insurance policies may also be available for certain risks which are normally viewed as non-insurable, such as litigation risk. Most executives do not realize that such specialized insurance is available, albeit at a significant cost.

Let us hypothetically assume that ERM was performed in 2006 by the board or management of a bank which failed in 2008. There would have been conflicting evidence of a housing bubble at that time, with so-called 'experts' taking contradictory positions. This would at least have alerted the board of directors and management that there was a risk that, if the housing bubble burst, the subprime mortgage securities they held might significantly depreciate in value, which could adversely affect the bank's net worth and liquidity.

Each identified risk must be analyzed to determine its impact. Both insurable and non-insurable risks should then be prioritized by considering both the likelihood of occurrence and the potential impact on the company.

There are many consultants who help companies perform ERM and come up with 30 potential risk factors. No organization is going to be able to effectively remediate 30 risk factors. The key is to prioritize the most likely risk factors and attempt to remediate them. This is not an easy task, since it requires substantial analysis of the likelihood that each risk factor will occur.

Many risks would have been identified in 2006 if ERM had been performed by our hypothetical bank, including the risk of the alleged housing bubble bursting. That risk should have been given a high priority if a significant percentage of the bank's net worth could have been affected by the bursting of the bubble, or if its institutional liquidity could have been materially degraded. Determining this would have required an analysis of the relationship between the subprime investment securities the bank held and its net worth, together with a liquidity analysis. This is not to say that such an analysis was in fact not performed by the bank and, of course, everything is much clearer with hindsight.

Critical risk analysis requires the evaluation of various risk/reward strategies to mitigate major risks. A risk mitigation strategy should be recommended for each of the major risks, and both short-term and long-term mitigation strategies should be identified for each.

A critical risk analysis by our hypothetical bank in 2006 would have weighed the benefit of the higher returns from its investments in subprime securities against the risk that the housing bubble might burst, and the effect that would have on its net worth and liquidity.

Primary responsibility for mitigating each major risk should be assigned to a particular person or group. The company must develop an effective monitoring process for each risk being mitigated and automate that process to the extent feasible. All risks which are not currently being mitigated should be labeled 'remote', to help protect the board of directors and management legally should a remote risk later be realized.

Using the 2006 ERM analysis, the board of directors or management of the hypothetical bank could have implemented a limit on the amount of subprime securities in which it invested. For example, the board might have directed that investments in subprime securities may not constitute more than 10 percent of its net worth or working capital.

The effectiveness of the risk mitigation strategies should be evaluated annually, and the enterprise risk analysis should be updated annually for new developments. The entire ERM procedure should be repeated at least every three to five years.

ERM is the wave of the future. Boards of directors and management will be subjected to severe criticism by the organization's stakeholders for failing to perform ERM whenever an enterprise risk analysis would have revealed the risks that substantially harmed the organization. Currently ERM is a best practice. Ultimately, the law may subject directors and officers to personal liability for failure to take ERM seriously.

Reprinted with permission from the November 2008 edition of the Corporate Secretary © 2008 by Cross Border Ltd. All rights reserved. Further duplication without permission is prohibited.