Not surprisingly, fingers are pointing in Washington. For example, in connection with the proposed bank responsibility tax, bank executives argue that they should not have to pay for the bailout of the auto industry, and the administration counters that “major financial institutions were both a significant cause of the crisis and major beneficiaries of the government’s rescue efforts and should thus bear the brunt of the cost.” (For recent blogs on the tax, see here.) Likewise, in their testimony before the Financial Crisis Inquiry Commission, bank executives admitted making some mistakes, but largely blamed other factors for the economic crisis. “In retrospect, many firms were too highly leveraged, took on too much risk and did not have sufficient resources to manage those risks effectively in a rapidly changing environment.” (Quote from the Chairman of Morgan Stanley, John Mack.)
Risk management is a frequently-cited cause of the economic crisis. Commentators and government officials have emphasized the failure of risk management practices in the period leading up to the crisis. For example, Chairman Bernanke stated: “Among other things, our analysis reaffirms that capital adequacy, effective liquidity planning, and strong risk management are essential for safe and sound banking; the crisis revealed serious deficiencies on the part of some financial institutions in one or more of the areas.” Risk management failures alone obviously did not cause the crisis, but the crisis certainly highlighted weaknesses in firms’ risk management practices. I think this focus on risk management is a welcome wake-up call not only for financial institutions, but also corporate America generally.
Part of my enthusiasm for risk management relates to a developing risk management technique called “enterprise risk management” (ERM). ERM is a holistic approach to risk management, integrating risk management throughout the firm and encouraging firms to create a “risk culture.” (For a thorough discussion of ERM basics, see here; for a discussion of ERM failures in the context of the economic crisis, see here.) Many proponents of ERM also encourage more board involvement in setting a firm’s risk appetite and designing, implementing and monitoring the firm’s overall risk management system. (For my recent article on ERM, see here.)
Now, I do not mean to suggest that ERM will solve all of a firm’s problems or prevent the next economic downturn. It will not. I do believe, however, that an effective ERM system can strengthen a firm’s internal governance and help the firm and stakeholders better monitor and manage risk. And I do think the board has an important role to play in ERM. Among other things, the board can help create a risk culture and retain executives who buy into that culture and will be effective risk managers on a day-to-day basis.
That being said, I think convincing firms to adopt meaningful ERM will be challenging. What are the consequences if they don’t? The Delaware Chancery Court dismissed a claim against Citigroup basically alleging ineffective risk management in connection with the crisis. The bank executives generally all testified at Wednesday’s hearing that they had effective risk management; the problem was risk management at other firms. (Although notably, in its written statement, Morgan Stanley did indicate that it worked to strengthen its risk management practices in 2007 and 2008. For all of the testimony from the hearings, see here.) And the SEC’s new rules only mandate disclosure about risk management practices.
Perhaps with more discussion and evidence on the effectiveness of ERM, firms will voluntarily implement more meaningful risk management practices. (In particular, I think studies linking ERM to improved productivity are key; profits talks.) Shareholders and creditors also could have an important voice here. So, hopefully the current focus on ERM will evolve into an ongoing best-practices dialogue and not fade with memories of the crisis.