All the above risks manifest themselves in various manners, mostly as corporate financial losses or, worst, bankruptcy. The losses that have occurred within the corporate jungle during 2000–2002 cannot be said to be novel losses. But, investors and financial experts keep being surprised. During 1980–99 there have been large monthly losses greater than 5 % on several times.
These corporate losses can be entered in a log or loss database under the appropriate category. This has been defined as one element within the new Basel II banking regulation rules.
This is the top-level view of risk. It also gives the underlying reasons for the losses. These can be deduced from detailed analysis of the loss database. But, industrial logic engines are not currently developed enough in the majority of cases to derive such rapid and succinct conclusions from the masses of data.
Total risk also depends upon which investment vehicles and business lines that you choose.
The financial institutions have concentrated on credit risk and market risk. There are two reasons given.
Many risk professionals prefer to enumerate the risk hazards and use quantitative analysis to study them in depth. But, there is considerable unease as to the success of these techniques.
A key business factor must be to understand what business you are in, what risks you face and what sort of risk appetite you have to meet these risks. “What risk percentages do you face; how do these risks combine to hurt you?”
Given that even the experts are unsure about risk quantification and risk interaction, there must be room for doubt in the minds of investors. We need more light in this risk management dark area.
Work goes on at a furious pace to evaluate the nature and extent of these linked risk factors, some of them are:
The scorecard work done at Dresdner bank for logically connecting [business units with location and staff] [processes] [key risk indicators, assessment of operational risk and
losses] so links can be evaluated. Loss database causality modelling to connect risk causes with risk events and the eventual consequences. Loss events are tied to key risk indicators (KRIs) so that benchmarks can be
set as early warning alerts. Business process analysis standpoint with workflows moving between entities and business actors.15 A good case for business process reengineering (BPR) is made to handle risk management requirements, especially for Basel II.
The salient points are that business processes are a collaborative effort by various staff from different work groups. These business participants create a dynamic workflow that has
inherent risk elements. Mathematical modelling and audit control focused upon risk elements within traditional workflows that we believed were well understood, i.e. market and credit risk. Basel II, loss database, operational risk analysis, balanced scorecards and risk maps shed light on other areas that were hitherto rarely emphasised.
Our understanding in this area has improved and it has definitely become more interwoven or holistic since the Basel II initiatives. These encourage a wider enterprise risk management (ERM) view and not a closed one. A lot of good risk management work has been done so far, but much more needs to be achieved.
THE REIGNING INVESTMENT IDEOLOGY
November 4th, 2009Intentional and illegal
October 27th, 2009There are many ways to cause damage or steal from the company. Fraud, rogue trading, arson and theft remain the ones that are best known. Increased monitoring raises the likelihood of catching the criminals, while severe penalties and jail terms serve as some deterrent. The public often focuses a lot of attention on these root causes, but ORM should also point staff to intentional threats originating from within their company.
Whatever the extent of danger (risk events) that we face in the business, risk management is a journey on a potentially rocky road. It needs a good road map.
Unintentional (ostensibly) and legal
October 20th, 2009The short-term nature of a CEO’s tenure is a driver for leaders in the modern economy to remove as much value from the company for themselves rapidly. Executives have been adept at this collusion because regulators and investors have been slow to monitor the company distress, and weak when handing out punishment. Knowing that there are lots of assets to strip, and there is less chance of being caught, serves as a risk catalyst to create the risk-loss event. This will be less likely when regulators implement new warning mechanisms and impose tougher penalties. The investors should not be left out of the investigative process, but should include ORM and forensic accounting measures within their arsenal.
THE CASE FOR ORGANIC RISK MANAGEMENT
October 11th, 2009The process flow outlined in RAMP above is only a small part of the risk management methodology:
1. Analyse 2. Understand 3. Report 4. Mitigate or implement countermeasures 5. Follow up.
Directors of companies fundamentally break companies, not rogue traders or Nigerian fraudsters on a 419 scam.
The market disasters have come about partly as a mismatch between investors’ bid for an investment that is incongruent with their risk appetite. Investor disillusionment continues. We are likely to have more faith by asking a crystal ball than consulting the investment “experts” for financial advice.
Shareholders in companies hope for the best when they invest. But, it often turns out that there is more to choosing a firm’s equity than mere external market fundamentals: maybe weighted 25 % fundamentals and 75 % good internal management. A study of 1357 companies in seven countries showed UK productivity was critically hampered by inefficient management in comparison to its international rivals. UK workforce days are wasted in nearly 50 %
of the working year. This is a waste that is valued at £111 billion in the year 2001.
Therefore, a good guess is that the success of a corporation depends upon good steering and leadership skills of the board of directors. This makes it a major factor in determining the success of your investment’s value. Selfish executive action can break shareholder value quicker than it takes a business guru to lecture on “Dow Jones 36 000”.
The fear Enron and Worldcom sank was that the CEO and board of directors will attempt to fleece the investors with the benediction of modern corporate capitalism. The losers are many:
fund managers banks that lent the CEOs their money company shareholders pensioners who put their savings for old age et al.
The company leaders need to be checked by ORM investigations. Such checks have usually been unprofessional and shallow up to now. Forensic accounting holds hope for finding truthful information. We take an organic risk management view of this loss among the participant stakeholders. CEO applicants can lie or mislead, that is why we need deeper and more professional interviews.
If we are to hire the best company leader or manager, then we ought to think outside the box and select them based upon their abilities, not their appearance or sales spiel. Closed recruitment can mean a locked mindset that is unreceptive to new ideas. Modern management methods may be one of the casualties. A major survey of corporate respondents shows that UK senior management in companies needs to be good at taking risk and introducing structural corporate improvement. These skills cannot be assumed as given8.
Over half of major change projects are actively managed by the board. With companies typically undertaking 2,666 such projects per year (averaging three major change projects per annum per company) this means that a massive 35 % of senior management and director time is spend managing change.
Not all top-management investment styles work. Certainly, no single one works all the time in all circumstances. It is true that the investment posture has to be tailored to fit the market situation. Modern investment history is littered with the corpses of banks and investment funds that have not succeeded in handling change management. Twenty-first century profitability means being both:
risk conscious risk managed.
The Barings, Sumitomo, AIB banks after their disasters clearly showed the risk-ignorant facet of management creeping up again. Does your top management fit your risk appetite? Thus, from a risk management viewpoint, it would do well to conduct a corporate command and control analysis. Where investor style and management style do not meet, this mismatch means trouble.
There is little come-back for someone who gambles much-needed money in extremely risky “investments” or scams. Like the “419s” scams, it happens all the time. The large trading profits at Barings or Enron or AIB were eventually exposed as false – these were 419s in all but name. There will be more investors who fail because they falsely believe themselves to be less risk-seeking or more informed than they really are.
There are many companies that consider themselves, or advertise themselves as, well risk managed. While banks and insurance companies may feel that they are already adequately risk managed, one can find that many corporate left-hands do not know what their right-hand is doing. HR investment and training are examples where companies put money in, but do not know exactly what they get out of it. The balanced scorecard is a cost-effective progress snapshot analysis. Operational risk assessment can also be conducted using a scorecard to identify corporate areas of weakness by department and by business process. One of the fundamental considerations of integrated risk management is to examine in depth how linked risk initiatives are in reality. Enterprise risk management (ERM) scorecards have been proposed for handling operational risk in Dresdner bank.
We have talked about corrupt CEOs, we have pinpointed examples when executives have lied or misled. There are now two questions:
How to know? What to do?
Forensic accounting can be a way through the fog. Either employ an investigator or do it yourself. Apply for a job in the target under an assumed name with some inconsistencies or lies. Even hiring a John Smith with a criminal record who lists “No previous convictions” in the company application form is one tactic. If he gets through, then it seems that anyone of questionable credentials can get into the company because it has a lax risk management culture. Tabloid newspapers revel in this type of scoop.
There is the checking of previous jobs, professional and academic qualifications. Other character references not on the CV would be worth contacting too. Based on all this accumulated forensic data, you should be in a position to make a better-informed decision on how to proceed. Otherwise, you could be hiring or handing over your investment mandate blindly.
Many companies do not bother undertaking all this workload. Those that do may wish to take a more jaundiced eye when it comes to examining sparkling accounts or glowing CVs and job applications. A healthy dose of cynicism is good for the corporate soul.
Our operational risk management is composed of more flexible techniques that are designed to be balanced and achievable. It explicitly takes business processes data as being subjective and open to machinations and poor performance of human beings. We call this methodology “organic risk management”.
Let us examine organic risk management in more depth. We have seen how the wish to limit damage to public prestige is the great industrial motivator. There are two forms of corporate damage that hurt investors:
unintentional (ostensibly) and legal intentional and illegal.
FUTURE FOR RISK MANAGEMENT
October 4th, 2009The future for financial risk management looks bright with every additional market shock. When these business shocks are high impact, or the directors’ risk precautions have been poor, then the hazard can get uncontrollable. This means that risk management experts will be hastily called in post facto, and that can only be good for their fees.
There seems genuine surprise when another bank or fund loses large sums from an error. This can only help the industry where it provides an essential risk catalyst for instigating effective risk management. Basel II has been another catalyst to spark life into risk-ignorant dodos. If the reality check is soon forgotten, then our misjudged investor perceptions remain unchanged. Risk management is a continuous process.
Successful risk management is predicated upon:
1. Appropriate investor perception, especially at top management strategic level. 2. Mandate for board level commitment of resources. 3. Accurate risk analysis. 4. Appropriate risk management implementation.
5. Follow-up and continuous monitoring.
RAMP is one management methodology that structures these steps in great detail. It could bind the complex mix of people, their skills, finance and technology into a successful risk management project. Regulatory compliance and the craze for mathematical modelling in risk management has led to a burgeoning supply of technology in the middle office. The Basel II Loss Database is just one example. Introducing new risk management technology backed with large-scale funding does not guarantee a successful project.
SEPARATING REPUTATION FROM RISK MANAGEMENT
September 26th, 2009One problem in detailing reputational risk within the financial industry is that many cases are still unknown or unpublicised. We are subject to the dissemination of cleaned-up annual reports, and a charm offensive from the investor relations department. Many corporations do not encourage the bad news regarding adverse financial or operational conditions, even less so to lay the blame at their own door.
Reputational risk is the risk that the public image of the firm will suffer damage in the eyes of stakeholders, resulting in a lower credit standing. Any CEO faced with this risk event will meet more difficult conditions, and will be tempted to cover up embarrassing facts and figures. Another desire is to preserve their marketability for the next executive job.
Reputational risk has more in common with burglary risk, when your organic risk management countermeasures prevent the hiring of a magpie CEO, he enters another company as a hallowed saviour. Reputational risk analysis, coupled with “Kalashnikov” organic risk management, can put the company shoe on the other foot.
Reputation analysis can successfully be carried out by good old-fashioned interviewing techniques. Too few people at the top of the corporate pyramid are either adept or trained for this task. Our experience with the FBI, KGB, police and security firms shows that there is an untapped resource waiting to be utilised by the hiring and remuneration committees. One tough and structured interview can solve future large-scale company executive problems.
One powerful forensic-type procedure available to those responsible for detecting fraudulent activity is interviewing. Effective interviewing is a function of both a well-prepared interviewer and a well-structured interview. Successful interviewers typically have extensive interviewing experience and are proficient in identifying the verbal and nonverbal cues of deception.
Thus, a top executive level calculus of risk will be made: cover up or not to cover up. If the deceit fails, the total risk impact will double, added by the embarrassment of the subsequent cover-up breaking. If not, then the CEO may just get away with a handsome pay-off and a pension.
The traditional corporate excesses came about because CEOs and top executives had to keep their reputations and their jobs. The top business security driver was to prevent “damage to image”. Doing so would give them enough time and prestige to get as much pay and benefits from the company before the inevitable departure in a few years. Their reputation risk management was to go after big mergers and acquistons (M&A).
The bigger you are, the better you are. Actually, the bigger the company, the larger the salary bonus for the CEO who now takes a percentage cut of a much expanded revenue base under an M&A mania. Corporate public relations have been going into overdrive in recent years, expressing cliche ́s including a combination of the two phrases: “synergistic benefits” or “win-win”.
Corporate prestige is an age-old selling line that is based on the traditional elitism. Hence: “snob value = quality”. “The bigger company = a better reputation”. You cannot question a company with good credentials and a top reputation. Like Enron.
There is no magical “silver bullet” that would stop such future corporate abuse. Large corporations determined to use complexity to confuse shareholders and taxpayers will still continue to look for get-outs. The legal changes alone will not change company behaviour. Rather, a potentially hostile investment climate with forensic accounting procedures, armed by vitriolic publicity, will help prevent another Enron. But current corporate practice is still way off this mark.
The depth and truth of risk management systems and operational procedures may not be consonant with this risk-ignorant arrogance. Traffic lights indicating company green, amber or red status are better forms of evaluating the company’s vulnerability to business stress or risk.
Company structure is an operational risk organism, in which animals interact, the success of one part is taken as the success of the whole. A company is a creature that breeds (merges) and seeks risk.
Unfortunately, many companies (creatures) do not improve their risk-return structure within their selection of projects in its business portfolio – many projects or products are just ‘inherited’ and continue to consume labour and resources. A review across the corporation’s projects of the value-added and risk in a Balanced Scorecard is often not done, mainly for historical or political reasons. When conducted properly, a Balanced Scorecard offers great benefits for the corporation.
ORGANIC RISK MANAGEMENT
September 19th, 2009Organic risk management (ORM) aims at improving the lack of progress made in four investment areas within the modern corporation:
Corporate responsibility Command-control Accountability Corporate transparency.
This ORM control issue has already been addressed in part by integrating the investment manager selection factors of: alpha, sigma and theta.
Alpha is the active return contribution by the manager. Sigma has been defined as the tracking error of performance, using the standard deviation of alpha.
Theta are the non-financial behavioural factors that contribute to the resultant manager selection and control structure.
Too few companies are focused only on alpha; fewer still manage to link all three contributing factors together to derive optimal manager performance.
ORM recognises that people at work present risks of their own, and the drive to create wealth brings risk catalysts into play. Business processes need people to work together in an orderly and predictable fashion. The Basel II view of OpRisk is very focused upon banks, omitting the significant role on OpRisk played by insurance or non-bank financial companies. It is ironic since non-bank institutions compete by providing core banking services and products.
Another way to design ORM structures is to link risk-return offer with risk-return demand or appetite.
Therefore, the ORM approach is focused on integrating operational risk from different areas, rather than concentrating upon risk silos only within banks. This separation is spurious as operational risk stems from the business processes that connect different groups. The Loss Database has to face this tough fact. Extensive research from Basel bears this out.
The most frequent combinations of two business lines contributing to a single loss event were: Retail banking/Corporate banking.
Retail banking/Asset management. The most frequent combination of three business lines contributing to a single loss event was:
Retail banking, commercial banking and Asset management.
ORM takes a more integrated and holistic view of the corporation. Forensic accounting provides benefit within ORM by checking the likely truth content of a target individual, and to map his probable value to the company. The media have often concentrated upon the actions of a person within the company, namely the CEO. But, this individual was hired by the company structure. A single person damages the whole company because the corporate structure is fundamentally risk seeking. Few companies take the trouble and expense to run full ORM background checks on the job applicant. This lax staff-screening process transforms the entire company into an entity with medium-probability events that have high negative-impact results.
Organic risk management attempts to examine and conduct damage limitation to stop one infected part hurting the whole corporate entity. There are no Lazarus come-backs for a dead company.
Risk management is not a pure defence mechanism, it allows an individual or an institution to meet risk threats by taking offensive action.