The Sub-Prime Mess: Inadequate Enterprise Risk Management
By Thomas A. Player
With the 20-20 vision of hindsight in analyzing the sub-prime fallout, it is painfully obvious that many seemingly well run organizations were deep in a risky business. For example, those risks involved in sloppy underwriting, over-valued assets, tenuous accounting practices, unreliable guarantors, and shaky counterparties.
Looking back on my last article about Enterprise Risk Management (“Not Just Another Industry Y2K”, Player’s Point, Fall 2006), the problems cited in that article regarding Reliance and Conseco are child’s play compared to today’s sub-prime problems. In this crisis, the likes of Bear Stearns, Citigroup, Lehman Brothers, Bank of America, and UBS, to name but a few, have been hard bitten by the risk flu. This does not include our brethren in the insurance business, including MBIA, AMBAC, and AIG.
Practical Experience
The most comprehensive insight to date as to the anatomy of risk management failure following the sub-prime meltdown has been the UBS Shareholder Report1. Because of the staggering U.S. sub-prime losses, the Swiss Federal Banking Commission requested that UBS make a report to it on the key factors relevant for understanding the principal root causes leading to the sub-prime losses. The Shareholders Report is a by-product of that dialogue. Although somewhat lengthy, the Shareholders Report is an excellent discussion of a very complicated business model and what went wrong. Many times in the Report, mention was made of a failure to demand a holistic risk assessment. In particular, one section of the Report puts the cause of problems in the investment banks’ governance as a “Failure to Demand a Holistic Risk Assessment: it appears that the focus of the investment bank was revenue growth and filling the gap to competitors.”
At AIG, a similar experience was playing out. Management was unaware of its growing risk profile, especially in the trading of sophisticated investments known as credit default swaps.
There is no question but that it is extremely difficult to evaluate the types of sophisticated business models being undertaken by the likes of UBS and AIG. Assessing the risk profile of each such business initiative is daunting. Understanding the risk profile of the relationships among these sophisticated and risky investment strategies is extremely challenging.
However, one must conclude that no matter how challenging, there must be devised a better way to assess the overall risk levels of enterprises and to inform managers, both Boards of Directors and officers, of the quantity and quality of enterprise risk. For example, a Board of Directors needs to know whether its enterprise is taking on more risk or less risk. If more risk, is the premium or profit commensurate with the risk? This would seem to be a fundamental obligation of oversight.
Role of the SEC
It is predictable that there is a great hue and cry as to whether the Securities and Exchange Commission was adequately minding the store on oversight of investment banks. The stress of the sub-prime meltdown has revealed flaws in the regulatory system showing that the SEC may not have all the tools necessary to regulate either investment banks or rating agencies. This article will not address the effectiveness of the SEC, nor touch on any of the several reorganization suggestions. However, we would urge the SEC to take a leadership role in calling for Enterprise Risk Management to step up to a higher level of responsibility within the public company governance scheme. In my view, blaming or relying on the SEC side-steps the issue.
Management Responsibility
Responsibility for sub-prime mistakes falls squarely on the shoulders of directors and officers of the companies. It was on their watch that reckless business practices and excessive risk appetites flourished. It was on their watch that a race for earnings caused prudent management and diligent risk oversight to be ignored. It was on their watch that large management bonuses were generated from record earnings, while the underlying basics of the business were getting more risky.
What does this crisis teach us about Enterprise Risk Management? First, ERM is not yet a mature process influencing management actions. Second, ERM is viewed more as a secondary discipline than a primary management tool. Third, to be effective, ERM must be given peer respect.
A Recommendation
Perhaps ERM should either become a separate Board Committee on the same level as the Audit Committee, with both reporting directly to the Board of Directors; or, the ERM Committee should be a sub-committee of the Audit Committee. There should be standards requiring risk management experience for the chairman of the ERM Committee much like the elevated standard for chairman of the Audit Committee. The Corporation should either publish a risk management report annually which accompanies the annual audit, or there should be a separate attachment to the audit report. For example, the format of such a report could include an overall assessment of the level of risk affecting the Corporation, and whether that risk level has increased or decreased since the last reporting period.
The SEC could provide invaluable assistance by urging such an analysis. If these standards were adopted by public companies, history has shown private companies would soon follow suit.
Thomas Player is a senior partner in the insurance and reinsurance group. His areas of expertise include insurance and reinsurance, mergers and acquisitions, complex regulatory issues and dispute resolution. Tom received his bachelor’s degree from Furman University and his law degree from the University of Virginia.
1 See, http://www.ubs.com/1/e/investors/agm.html, and find Shareholder Report on UBS’s Write-Downs, under “Annual General Meeting 2008.”
Return to the Review table of contents
