Serious risks to your company’s financial and reputational health probably aren’t going to walk up and introduce themselves. Protiviti’s Jim DeLoach offers tips on digging to reveal these potential pitfalls.
Risk transparency is vital to every company. When Mary Barra became CEO of General Motors in 2014, she had no idea her first order of business would be to preside over a faulty ignition switch problem that had festered in the organization since as early as 2004. In 2005, the company’s engineers met to discuss the problem and decided against a fix because it would take too long and cost too much money. This issue was not escalated to the highest levels of the company.
Long story short, Barra was called before the Senate to testify, the company announced 84 recalls involving 30.4 million vehicles in her first year, and new policies were implemented to encourage a “speak up” culture in which workers report problems they encounter. Facing a tough first year for any CEO, Barra is to be commended for her decisiveness. But the interesting side story is the large risk exposure that lurked within the company long before she got the top job. In her Senate testimony, she said, “We in the past had more of a cost culture, and we are moving to more of a customer culture that focuses on safety and quality.”
In January 2008, a global financial institution reported that a trading loss had occurred, resulting in a $7 billion loss when the unauthorized positions were closed. While larger trading losses have occurred since, this incident was a head-turner of a loss at the time. It raised questions about the bank’s control procedures, particularly when an internal report concluded that bank officials failed to follow up on dozens of warnings about questionable trades.
Examples of this nature are reminders that severe penalties result if large risk exposures are not identified, escalated promptly and effectively monitored and addressed — for example, reputational damage and brand erosion, a market capitalization haircut, a credit rating downgrade and impaired stakeholder relations. Losses can drain cash flow as the crisis unfolds and make capital and financing harder to obtain, resulting in increased liquidity risk. If firings occur, the management team can be weakened. A downward spiral can spawn intensive regulatory reviews and even make the firm an acquisition target. Indeed, the cost of surprise is high. As one high-profile CEO once said, “Change, before you have to.”
Here are some practical approaches for building increased risk transparency into an organization’s culture with the objective of minimizing the risk of unwanted surprises.
Understand why you make money
The internal report regarding the aforementioned bank’s trading disaster stated that “no initiative was taken to check the truth of affirmations” provided by the trader, “even when they lacked probability.” The signals weren’t always flagged to superiors, and “when the hierarchy was warned, they didn’t react,” the report said. The trader claims his superiors must have known what he was doing but looked the other way because he was making a lot of money.
“How did this happen?” is a question many board members, senior executives, shareholders, regulators, policy makers and auditors often ask. While we cannot corroborate the trader’s claim that superiors looked the other way because of the money he was making, we can say that the premise of which he speaks is not isolated.
It is the fascinating saga about how success creates blind spots. The familiar refrain is often, “The stars were making money, so we left them alone.” When circumstances change, the losses stockpile and finger-pointing begins, it is also interesting how often we hear a statement of plausible deniability: “We didn’t know what they were doing or what risks they were taking.” That statement alone suggests a governance failure. The impact of compensation in contributing to this theme is also a governance issue.
Historically, this theme is quite durable. Founded in 1762, Barings Bank was the oldest merchant bank in London until it collapsed in 1995 after Nick Leeson, one of its employees, lost $1.4 billion speculating primarily on futures contracts. Leeson, based in Singapore, operated without supervision from the bank’s London headquarters. Not only was he the floor manager for Barings’ trading on the Singapore International Monetary Exchange, but he was also the head of settlement operations and charged with ensuring accurate accounting for the unit, an operating process that violated all traditional segregation of duties safeguards.
After the collapse, blame was placed on the bank’s deficient risk management practices. The rogue trader, Leeson, later wrote a book in which he stated, “People at the London end of Barings were all so know-all that nobody dared ask a stupid question in case they looked silly in front of everyone else.” One reason Barings chose to ignore the internal audit reports on the need for segregation of duties in Singapore, as well as other warning signs, was that the brass in London thought the foreign operation was doing extremely well. No one wanted to rock the boat.
The lesson is deceptively simple. If specific business activities are generating unusually high rates of return, it behooves directors and executive management to understand why. When the accounting rules are not black and white, or the nature of certain transactions and activities is overly complex, or the organizational structure is so opaque that it is difficult to see the forest for the trees, directors and management should insist on clarity.
If the picture is so complex that no one understands it, someone has to ask, “What are we doing, and why are we doing it?” The advice to directors and executives: If you do not understand the risks, ask the necessary questions until you do. Taking a closer look could entail bringing in independent experts to assist and advise directors and executives with respect to understanding the underlying substance of these matters.
Know and manage your ‘trust positions’
Safeguarding assets and protecting enterprise value can be just as important over the longer term as creating enterprise value. For sure, the spectacularly large losses companies experience as a result of unauthorized or improper use of financial derivatives have commanded the headlines over the years. In many of these cases, neither the board of directors nor the CEO nor, in some cases, even the CFO, understood, much less authorized, the large risk exposures leading to the losses. Therefore, we often hear the phrase “We didn’t know.” So, why didn’t they — and how could they have learned?
The answer begins with knowing who the people are who make the critical judgments every day in areas that are affected by volatile markets, are environmentally sensitive or are susceptible to a disruptive effect on the company if mismanaged. These employees occupy what we might refer to as “trust positions” because their actions or inaction can expose an organization to large risk exposures. While competent people are an important aspect of managing risk, relying on them without independent monitoring and reporting is as ill-advised as not understanding the risks inherent in their activities.
Following are 10 relevant questions to ask about employees who function in these so-called trust positions:
- What processes and functions in our business are particularly exposed to the risk of large financial losses if mismanaged?
- Do we know who is managing these areas and where they are located?
- Do we know what they do and why they do it?
- Do we know who supervises them?
- Are we satisfied that appropriate policies, procedures and controls are in place to manage their activities?
- Are appropriate checks and balances, including segregation of duties, in place to prevent or detect unauthorized activities?
- Are our policies and procedures effective in monitoring these activities — for example, are we satisfied with the reliability of the reporting we receive on them?
- How are we rewarding these employees? For example, are we satisfied that our compensation system is not incentivizing decision makers to undertake unacceptable risks or adopt a short-term focus that will lead to risky actions that are not in the company’s long-term interests?
- Is there a timely early-warning process so issues can be escalated promptly and the brakes applied if necessary?
- Is there a crisis response plan in place to handle an unexpected surprise should one arise?
Trust positions are not limited to volatile financial risks. They also include positions that involve decisions and activities affecting the enterprise’s customers, suppliers, physical assets, impact on the environment and reputation. Managing trust positions starts with identifying them and then designing the appropriate policies and procedures to manage, monitor and oversee them.
Ask ‘what if’ questions
If the enterprise is taking unusually significant risks or is following a strategy designed to leverage, for example, times of economic growth, declining interest rates, stable commodity prices or strong housing markets, business leaders should be aware that abrupt changes in the fundamental variables underpinning their strategy can be highly disruptive. For that reason, stress testing, sensitivity analysis or scenario analysis can facilitate an understanding of these variables and their impact. To illustrate:
- Sensitivity analysis determines the aggregate variation in financial performance by assessing the impact attributable to a small differential change in one or more underlying key risk factors on individual exposures at a given point in time.
- Stress testing takes a given “base case” portfolio or forecast and modifies its value to reflect the effects of a hypothetical, extraordinary but highly unlikely situation or extreme event that will result in severe financial stress if it were to occur over the planning horizon.
- Scenario analysis determines the aggregate variation in financial performance by assessing the impact of large risk factor changes, as defined by a specific scenario, on individual exposures. Like sensitivity analysis, scenarios and their earnings impact are evaluated in a deterministic manner — that is, no assessment is made of the probability that the events will actually occur. However, scenario analysis is a more robust measurement methodology than sensitivity analysis because it involves multiple variables and correlations that can change dramatically over time. It also uses intricate economic forecasts and models to reprice exposures and portfolios based on assumed changes and forecasts.
When new market, business and product opportunities arise, a robust “what if” analysis informs management’s decisions to commit capital and resources to the opportunity pursuit. It helps decision makers understand how much a negative change in a given variable might hurt.
Understand your risk profile
An enterprise risk assessment (ERA) is a systematic and forward-looking analysis of the impact, likelihood and velocity of potential future events on the achievement of an organization’s business objectives within a stated time horizon. The ERA process encompasses an evaluation of available data, metrics and information as well as the application of judgment by the stakeholders it engages. There are several key points to keep in mind.
First, the ERA should delineate the most critical enterprise risks. These are the risks that threaten the company’s strategy and the viability of its business model. They may include large risk exposures.
Second, every business has myriad operational, financial and compliance risks embedded within its day-to-day operations. These are the so-called ongoing business management risks. Many trust positions could be present among the activities creating these risks that may not be considered critical to the enterprise in the ERA process. They may include activities involving internal operating processes, information technology, customer service activities, procurement, hazardous materials handling and, of course, use of exotic financial instruments.
Finally, pay particular attention to “white elephants” and “gray rhinos.” I discussed these risk categories in another article.
Beware of Danger: In the Zoo of Risk, Organizations Must Prepare for Anything — Especially Disruptors
Foster a ‘speak up’ culture
As GM’s Barra recognized, culture is an important aspect of creating transparency. A risk-sensitive and risk-aware culture is one in which managers are encouraged to portray the full picture regarding potential outcomes of prospective transactions, deals, investments and projects. Managers should look at the downside and the upside relative to taking advantage of an opportunity — for example, how badly would it hurt if things didn’t go as planned, and does the potential upside opportunity adequately compensate the organization for taking on the downside risk?
Say an operating unit is trying to get a major transaction completed, or is under significant earnings or budgetary pressure to reduce costs, or is trying to make a lot of money in a noticeably short period of time. Capital is available, competition is stiff and a “warrior culture” and an entrepreneurial “can do” optimism abounds in the hallways and meeting rooms of the unit. This profile of managers can get enamored very quickly with an opportunity. Likewise, they can be tempted to cut corners that could compromise safety. They may ignore the downside risk and focus solely on the upside opportunity.
In such cases, the organization ends up “owning” the resulting risks. If the risk/reward profile is not properly vetted, the enterprise may not be appropriately compensating itself for the risks it is undertaking. That can get managers, not to mention their organizations, into trouble in a relatively short period of time.
A risk-sensitive and risk-aware culture is one that enables people to speak up and then be listened to by decision makers. It gives the people in the organization — preferably all key personnel and not just the smartest people in the room — an opportunity to speak up about something that the enterprise is attempting without fear of repercussions to their compensation and career. If people don’t feel able to freely articulate what they really think about a particular transaction, an acquisition, a new product or a certain behavior or omission, they’re not going to say anything. While some filters are needed, getting ideas out on the table and discussed in a positive and proactive environment is what a risk-sensitive and risk-aware culture is all about.
Summary
If a company is overdosing on risk and doesn’t know it — either due to turning a blind eye or through neglect — a failure in governance and risk management has occurred. The successful prevention of severe losses from the inevitable unexpected events and surprises begins with transparency. Leaders should know where their largest risk exposures are. That way, they can act on them.