When Assessing Risk, Don’t Forget the People

The Conference Board released a report today about the need for stronger integration of human capital risks into a company’s overall enterprise risk management program.  Too often, these risks are left to the human resources department to manage alone with little understanding of the potential impact to a company’s entire operation.  After surveying 161 leading companies worldwide, here is what the researchers discovered.

At most companies, human capital accounts for at least half of operating costs and can have a significant impact on business results. However, the study finds that human capital risk (HCR) — which can range from unionization/labor relations to offshoring and outsourcing to staffing in a pandemic — tends to be siloed in human resources departments, away from the companywide assessment and mitigation processes of enterprise risk management (ERM). This arrangement prevents information about HCR from having a role in the comprehensive, aggregate view of risks, root causes, interactions, and impacts through which leaders set priorities and determine overall strategy.

Out of eleven risk categories, executives ranked HCR as having the fourth highest impact on business results, ahead of financial, reputational, supply chain, and IT risks. This high ranking is evidence that HCR should be taken seriously as an enterprise risk.  However, less than one-third (31 percent) of companies believe they effectively assess human capital risk, and 24 percent believe they do an ineffective job.

During an economic crisis such as the one we have experienced, many companies lose sight of what really drives a business – people.  Understanding the risks associated with the primary business driver is certainly a no-brainer.

Added Stress in the United Kingdom

Last week, the Wall Street Journal reported that financial institutions in the UK are being subjected to even more stringent stress testing requirements than their US counterparts. The Financial Services Authority (FSA) is requiring the largest financial institutions to conduct what it calls “reverse stress testing”. These tests are designed to determine what an institution will need to recover from a catastrophic operational risk event such as a natural disaster or pandemic. Evidently, the UK bankers are none too pleased with the request according to the following report.

Bankers call it the latest example of regulatory overkill. Executives protest that they are wasting countless hours dreaming up outlandish doomsday scenarios. The chief executive of a major U.K. bank said the tests are predicated on “a massive confluence [of] absurd scenarios” in which executives passively watch events unfold rather than trying to stabilize the situation. Bankers are especially worried that the process could result in them being forced to hold more capital. The FSA said in a planning document that the tests “may result indirectly in changes to the levels of capital held by firms” if the exercise “identifies business model vulnerabilities that have not previously been considered.”

An FSA spokeswoman defended the exercise. “It might seem outlandish to them, but the point is that it pushes the business model to the point it collapses,” the spokeswoman said. She said the banks also should be evaluating relatively mundane situations like what they would do in the event of a major internal fraud.

What is somewhat surprising by this report is the fact that these financial institutions should have already conducted similar scenario planning and testing as part of the Basel II Capital Accord requirements. However, since the Basel II requirements were largely self-regulated, it appears that the banks did not do their homework the first time around. For those bankers in the US who did not do their homework as well, you might want to get started before the teacher asks for it.

Is This Just the Tip of the Iceberg?

The Congressional Oversight Panel released its November report today and it focused on the continued foreclosure crisis. The panel is calling for additional investigation by regulators and is also requesting that the U.S. Treasury provide additional evidence of their claim that the crisis has been averted.  Below is an excerpt from their report as well as video commentary from the chairman of the panel, Senator Ted Kaufman.

At this point the ultimate implications remain unclear. It is possible, however, that “robo-signing” may have concealed much deeper problems in the mortgage market that could potentially threaten financial stability and undermine the government‟s efforts to mitigate the foreclosure crisis. Although it is not yet possible to determine whether such threats will materialize, the Panel urges Treasury and bank regulators to take immediate steps to understand and prepare for the potential risks.

In the best-case scenario, concerns about mortgage documentation irregularities may prove overblown. In this view, which has been embraced by the financial industry, a handful of employees failed to follow procedures in signing foreclosure-related affidavits, but the facts underlying the affidavits are demonstrably accurate. Foreclosures could proceed as soon as the invalid affidavits are replaced with properly executed paperwork.

The worst-case scenario is considerably grimmer. In this view, which has been articulated by academics and homeowner advocates, the “robo-signing” of affidavits served to cover up the fact that loan servicers cannot demonstrate the facts required to conduct a lawful foreclosure. In essence, banks may be unable to prove that they own the mortgage loans they claim to own.

Only time will tell whether the foreclosure issues are merely the tip of the iceberg.  However, if the issues are real, then the financial institutions and other involved parties will be best served to proactively address the problem now rather than hoping it goes away on its own.

The Need for ERM is Crystal Clear

Unlike the waters of the Gulf of Mexico, the need for companies to have robust enterprise risk management (“ERM”) programs became crystal clear during an interview of former BP CEO Tony Hayward aired this week by the BBC. Here’s some of the highlights from the interview.

Former BP PLC chief Tony Hayward has acknowledged that the company was unprepared for the disastrous Gulf of Mexico oil spill and the media frenzy it spawned, and said the firm came close to financial disaster as its credit sources evaporated.

In an interview with the BBC to be broadcast Tuesday, Hayward said company’s contingency plans were inadequate and “we were making it up day to day.”

Hayward said BP had found itself unable to borrow from international investors during the spill crisis, threatening its finances. He said that before a meeting with President Barack Obama at the White House in June, “the capital markets were effectively closed to BP.” “We were not able to borrow in the capital markets, either short or medium term debt at all, ” he said. “It was a classic financial crisis issue.”

Hayward’s successor, Bob Dudley, told the program that “these were frightening days” for BP. “With a company the size of BP, its reputation, what it does — you almost can’t quite believe how close you are” to financial disaster, he said.

This interview demonstrates the catastrophic impacts of a risk event not only to the environment at large, but also to every corner of the company responsible for the event occurring. BP obviously did not have a comprehensive ERM program at the ready that resulted in improvisation and ultimately a full-blown crisis. Only a company of BP’s size and resources could weather this type of event. So, how effective is your ERM program?

SEC Seeks to Shed Light on Foreclosure Crisis

The U.S. Securities & Exchange Commission (“SEC”) has entered the foreclosure fray by requiring publicly traded financial services companies to disclose their estimated risk of foreclosure related losses. Here’s what Bloomberg Business Week reported on the recent SEC actions.

Lenders must disclose circumstances that they “reasonably expect” to have an “unfavorable impact” on financial results, the SEC said in a letter posted on the agency’s website today. The letter was sent because of “concerns about potential risks and costs associated with mortgage and foreclosure-related activities,” the SEC said. Federal regulators and attorneys general from all 50 states are investigating whether loan-servicing companies used improper procedures during foreclosure proceedings, including so-called robo-signers who didn’t check documentation. Investors such as Pacific Investment Management Co. have demanded that banks buy back faulty loans that were bundled into bonds.

These forced disclosures will shed more light on the potential dollar impact of an operational risk that was neither fully anticipated nor proactively managed.

Obfuscating Operational Risk Management

Operational Risk Management is continuing to evolve as a key component of an Enterprise Risk Management (“ERM”) program. However, it continues to be an area of great debate as a formal discipline due to its broad focus and impact across the business. One area that confuses and frustrates many businesspeople when confronted with operational risk is the notion of risk appetite vs. risk tolerance. In some cases, the two terms are used interchangeably. However, in other cases, risk appetite refers to the total amount of risk to be taken to achieve a given business objective and risk tolerance refers to specific risk limits associated with a given business activity. The Institute of Operational Risk has developed guidance that is practical and useful for risk practitioners in dealing with these terms. Here’s their view.

In simple terms, expressing Operational Risk Appetite is a question of defining what is acceptable to an organisation and what is not. This could be achieved by deciding, for each type of risk, what is acceptable, what is unacceptable, and the parameters of the area between those two (i.e. what is tolerable).

Regardless of the way these terms are used, the key for operational risk managers is to help businesspeople understand risk in their own terms rather than in risk management vernacular. Otherwise, the focus will remain on terminology rather than what is really important – creating value for the business.

Lessons Learned from the Foreclosure Crisis

The recent foreclosure crisis is just another chapter in the financial meltdown that began in 2007.  As a result of the frenzy to securitize mortgage loans back in the middle of the decade, the required paperwork to foreclose on a property is difficult, if not impossible, to retrieve. Now, financial institutions are finding that the outsourced foreclosure work is faulty at best and fraudulent in many cases. Here’s what the Wall Street Journal reported today.

In recent days, some lenders named in the foreclosure inquiries have said they would no longer use the services of some of these law firms for new foreclosures. Ally Financial Inc.’s GMAC Mortgage has pulled business and dispatched executives and a new team of lawyers to Florida to ensure foreclosure cases are being handled correctly, according to a person familiar with the situation.

The law firms and a Lender Processing unit, Docx LLC, which did work at a suburban Atlanta office, handled the nitty-gritty paperwork necessary to verify key document batches, including ownership transfer of a loan, known as an assignment, and the amount owed by a borrower losing his home. That paperwork processing at the law firms and lenders allegedly didn’t review all information needed, such as who owned the loan or borrower financial information, the Florida attorney general claims. The Florida attorney general’s office is looking at possible use of “fabricated documents” used in foreclosure actions in court, according to the attorney general.

This situation provides a few lessons in risk management. First, it demonstrates the lingering effects of poor controls when dealing with massive amounts of transactions complicated by a highly complex securitization process. Second, it also shows that the operational risks to a given company extend well beyond its walls to its outsourcing partners’ ability to properly control its business.  Finally, with the crisis today clearly rooted in the actions of the past, it demonstrates the need for more forward-looking risk management programs.

Risk Blindness at BP

In the pursuit of profit, sometimes a company becomes blind to risk.  This is most evident in the latest debacle of British Petroleum (“BP”) with the oil spill in the Gulf of Mexico. While their recent offshore deepwater drilling posed great environmental risk, BP experienced the results of poor risk management onshore as well.  According to the New York Times, BP’s current CEO faced similar challenges in 2007.  Here is what happened back then:

In 2007, when Mr. Hayward first took over as chief executive, BP settled a series of criminal charges, including some related to the explosion of BP’s Texas City, Tex., refinery, and agreed to pay $370 million in fines. Admitting that the company’s operations had failed to meet its own safety standards and requirements of the law, Mr. Hayward pledged to improve BP’s risk management. Following the Deepwater Horizon explosion, Mr. Hayward conceded that the company had problems when he took over in 2007. But he said he had instituted broad changes to improve safety, including setting up a common management system with precise safety rules and training for all facilities.

Some analysts say the safety problems indicate that BP has not yet reined in the culture of risk that prevailed under Mr. Hayward’s predecessor, who transformed BP from a sleepy British oil producer into one of the world’s top explorers through the acquisitions of Amoco and Atlantic Richfield.

A strong culture dedicated to risk management is essential for companies who are looking to succeed in the long run. BP’s current crisis is a prime example of the perils of ignoring the importance of strong risk management practices.

ERM Helps Avoid Risk Miscalculations

A recent article in the New York Times discusses the inherent failings in estimating risks in our society today.  As our environment becomes more complex, people are faced with ever-increasing amounts of risk that are difficult to quantify until it is too late.  Here is an excerpt from the article that explains the challenge very well.

But there also appears to have been another factor, one more universally human, at work. The people running BP did a dreadful job of estimating the true chances of events that seemed unlikely — and may even have been unlikely — but that would bring enormous costs. Perhaps the easiest way to see this is to consider what BP executives must be thinking today. Surely, given the expense of the clean-up and the hit to BP’s reputation, the executives wish they could go back and spend the extra money to make Deepwater Horizon safer. That they did not suggests that they figured the rig would be fine as it was. For all the criticism BP executives may deserve, they are far from the only people to struggle with such low-probability, high-cost events. Nearly everyone does. “These are precisely the kinds of events that are hard for us as humans to get our hands around and react to rationally,” Robert N. Stavins, an environmental economist at Harvard, says. We make two basic — and opposite — types of mistakes. When an event is difficult to imagine, we tend to underestimate its likelihood. This is the proverbial black swan. Most of the people running Deepwater Horizon probably never had a rig explode on them. So they assumed it would not happen, at least not to them. Similarly, Ben Bernanke and Alan Greenspan liked to argue, not so long ago, that the national real estate market was not in a bubble because it had never been in one before. Wall Street traders took the same view and built mathematical models that did not allow for the possibility that house prices would decline. And many home buyers signed up for unaffordable mortgages, believing they could refinance or sell the house once its price rose. That’s what house prices did, it seemed. On the other hand, when an unlikely event is all too easy to imagine, we often go in the opposite direction and overestimate the odds. After the 9/11 attacks, Americans canceled plane trips and took to the road. There were no terrorist attacks in this country in 2002, yet the additional driving apparently led to an increase in traffic fatalities.

The best way to avoid miscalculating risks is to develop a disciplined enterprise risk management program with a solid framework to help quantify the level of risk.  Wheelhouse Advisors can help.  To learn more, visit www.WheelhouseAdvisors.com.

Taking a Hard Look at Risk Management

The Mortgage Bankers Association just issued an insightful report into the risk management practices at financial institutions leading up to the financial crisis of 2008.  The report is entitled “Anatomy of Risk Management Practices in the Mortgage Industry: Lessons for the Future” and is authored by Clifford V. Rossi from the University of Maryland. The findings in the report are very candid in their criticism of the financial institutions and their reluctance to acknowledge the risks being taken.  Here is one of the reported lessons to be learned in the aftermath of the crisis.

Risk managers may have been effective in identifying risks, however, many firms appeared tone deaf to these subject matter experts. If senior management had elevated the risk officer position to one that had direct or even indirect reporting to the risk committee on the board of directors, it may have helped staunch some of the risk taking that occurred. Further, executive management must inculcate a culture of risk management where all employees actively are on guard for risks that exceed the risk appetite of the company. One way to incent depository institutions to build strong risk functions and culture is for FDIC to strengthen risk-based assessments on deposit premiums reflecting the strength of the risk management organization and quality of the firm’s risk infrastructure. By blindly following the herd, the largest mortgage originators effectively competed themselves out of business. Reliance on information gathered from brokers and sales staff regarding the competition can be valuable to firms, however, the information obtained needs to be carefully vetted against specified corporate objectives. A clear vision of what risks the firm is willing to take must be part of the strategic roadmap, and deviations from that plan must be accompanied by sound analytics and information even if short-term losses of market share and key individuals are likely. A corollary to this recommendation is that risk vision and therefore business strategy must take a long-run view into account in shaping risk direction.

It is refreshing to see an organization like the Mortgage Bankers Association taking a hard look at what went wrong and how we can work to prevent a similar crisis in the future.  However, the report also reminds the reader that a similar crisis occurred only 20 years ago during the Savings & Loan debacle.  So, it is crucial for companies to take the necessary steps this time around or we could be having a similar conversation in the very near future.


Get every new post delivered to your Inbox.

Join 46 other followers