Risky Business

Not surprisingly, fingers are pointing in Washington. For example, in connection with the proposed bank responsibility tax, bank executives argue that they should not have to pay for the bailout of the auto industry, and the administration counters that “major financial institutions were both a significant cause of the crisis and major beneficiaries of the government’s rescue efforts and should thus bear the brunt of the cost.” (For recent blogs on the tax, see here.) Likewise, in their testimony before the Financial Crisis Inquiry Commission, bank executives admitted making some mistakes, but largely blamed other factors for the economic crisis. “In retrospect, many firms were too highly leveraged, took on too much risk and did not have sufficient resources to manage those risks effectively in a rapidly changing environment.” (Quote from the Chairman of Morgan Stanley, John Mack.)

Risk management is a frequently cited cause of the economic crisis. Commentators and government officials have emphasized the failure of risk management practices in the period leading up to the crisis. For example, Chairman Bernanke stated: “Among other things, our analysis reaffirms that capital adequacy, effective liquidity planning, and strong risk management are essential for safe and sound banking; the crisis revealed serious deficiencies on the part of some financial institutions in one or more of the areas.” Risk management failures alone obviously did not cause the crisis, but the crisis certainly highlighted weaknesses in firms’ risk management practices. I think this focus on risk management is a welcome wake-up call not only for financial institutions, but also for corporate America generally.

Part of my enthusiasm for risk management relates to a developing risk management technique called “enterprise risk management” (ERM). ERM is a holistic approach to risk management, integrating risk management throughout the firm and encouraging firms to create a “risk culture.” (For a thorough discussion of ERM basics, see here; for a discussion of ERM failures in the context of the economic crisis, see here.) Many proponents of ERM also encourage more board involvement in setting a firm’s risk appetite and designing, implementing and monitoring the firm’s overall risk management system. (For my recent article on ERM, see here.)

Now, I do not mean to suggest that ERM will solve all of a firm’s problems or prevent the next economic downturn. It will not. I do believe, however, that an effective ERM system can strengthen a firm’s internal governance and help the firm and stakeholders better monitor and manage risk. And I do think the board has an important role to play in ERM. Among other things, the board can help create a risk culture and retain executives who buy into that culture and will be effective risk managers on a day-to-day basis.

That being said, I think convincing firms to adopt meaningful ERM will be challenging. What are the consequences if they don’t? The Delaware Chancery Court dismissed a claim against Citigroup basically alleging ineffective risk management in connection with the crisis. The bank executives generally all testified at Wednesday’s hearing that they had effective risk management; the problem was risk management at other firms. (Although notably, in its written statement, Morgan Stanley did indicate that it worked to strengthen its risk management practices in 2007 and 2008. For all of the testimony from the hearings, see here.) And the SEC’s new rules only mandate disclosure about risk management practices.

Perhaps with more discussion and evidence on the effectiveness of ERM, firms will voluntarily implement more meaningful risk management practices. (In particular, I think studies linking ERM to improved productivity are key; profits talk.) Shareholders and creditors also could have an important voice here. So, hopefully the current focus on ERM will evolve into an ongoing best-practices dialogue and not fade with memories of the crisis.

2 Responses

  1. Ken Rhodes says:

    I hate to sound cynical, but sadly, that’s what I am on this subject.

    In a 35-year career in IT, I saw the development and sanctification of more buzzwords than I can possibly remember, with layer upon layer of bureaucracy added to the IT organizational structure, in the hope of getting the beast under control. Yet still, the best software is created by the best programmers working hard and ignoring distractions, irrespective of how many bureaucrats invoke how many “enterprise standards.”

    The simple cure for the absurd risk behavior of our too-big-to-fail institutions is not found in “enterprise” buzzwords. Rather, it is to (a) stop laundering the risks the way organized crime launders illicit profits, and (b) put some folks in charge who are more risk-averse.

    Simple? Did I really say that? Oh, well, wishful thinking.

  2. Michelle Harner says:


    I actually love your response; thanks for taking the time. I also am not a fan of buzzwords, and they can be counterproductive. I am, however, cautiously optimistic about the potential benefits of ERM because it is not based solely on risk modeling but actually considers the human component of risk management. What we need (as you suggest) are thoughtful and responsible individuals managing risk, with some accountability if they do not. Now, whether or not firms implement and effectively use ERM is an entirely different issue.

    Best regards, Michelle.