The IRM Chairman’s very interesting article on risk culture in the December 2010 Risk Professional Journal spurred me to pen this piece[i].
It has become something of a cliché in risk management to talk of ‘setting the tone from the top.’ In reality, how many organisations really practise what they preach?
It is quoted that the most remarkable finding of the RiskMinds 2009 Risk Managers’ Survey was that, ‘risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failure in organisational culture and ethics.’[ii]
One would have thought that the crisis would have been an eye opener to many in the financial services sector. Notwithstanding this, fines levied against licensees in 2010 by the FSA more than doubled on 2009 figures![iii]
To what extent is the ERM or GRC tone being set from the top? Are directors, as representatives of the ultimate stakeholders, failing in their fiduciary duties or is executive management failing its directors? Is there a glass ceiling above which information only seeps on a ‘need to know’ basis to the board or its committees?
Background: The Problem in Context
Traditionally risk departments, collectively including compliance, control and risk functions, commanded lower status and pay than revenue generating functions within the financial services sector. [iv]
In November 2009, the Institute of International Finance held a colloquium at the New York University Club, pioneered by the former SEC Chairman Roderick Hills, entitled ‘Governance of Financial Institutions’[v]. Participants representing leading international financial institutions grappled amongst other issues with causes contributing to the financial crisis. There was consensus that the ‘financial crisis was seriously aggravated by lax oversight practices both on the part of management and directors of many financial institutions.’ Implicitly, failure or crisis is the result of various factors acting in tandem, but recurring common root factors include lax management, governance and/or oversight. Add these to mounting economic pressures compounded by deregulation driven by the need to maintain margins and market presence; something, somewhere was bound to be overlooked or under-estimated in the risk equation. The result was a packaging, aggregation and concentration of risk at a macro level. In other words, a financial catastrophe waiting to happen with directors and management blissfully ignorant of or blinded to its ramifications due to a fundamental lack of or failure in GRC culture and systems.
The 2009 view in many ways echoes the findings of the Council of Lloyds almost two decades earlier[vi]. Between 1988 and 1992 Lloyds lost approximately £8 billion to what is notoriously recorded in history as the LMX Spiral. Prima facie, the events culminating in this loss were the accumulation of hurricanes, maritime catastrophes and US Liability claims. However, the crux of the LMX crisis was a market that ‘negligently failed to either estimate or adequately cover their aggregate exposures.’ Fraud may also have played a part in the case of some syndicates in the way they attempted to distribute losses on various Names. This event threatened to destroy Lloyds were it not for the reconstruction and renewal project ably driven by Sir David Rowland.
Two events, twenty years apart running a parallel prognosis: i.e. aggregation and concentration of risk with a behemoth GRC failure at its core.
Interestingly, there is also another striking similarity between the two events. Participants in the IIF colloquium concluded that, unlike the Enron and WorldCom scandals, the latest financial crisis was a ‘crisis of competence.’ Not only was there a failure to advise management by asking the necessary, perhaps stinging, questions about liquidity and leverage at Board level but also because Boards, ‘failed to distinguish the forest of franchise risk for an institution from the trees of day-to-day risk measurement.’[vii] Similarly at the heart of the LMX debacle, as mentioned above, was the inability to estimate and, therefore, protect against aggregate exposures. Simplistically, this is core technical competence (whether we call it risk or underwriting) gone wrong!
Directors play a somewhat contradictory role in that, in representing stake-holders, it is their responsibility to ensure maximization of returns while at the same time protecting shareholder value. The relative success of this balancing act is to a great extent dependent on the executive management of the company.
Therefore it is worth asking whether it is the Directors, in cases of crisis or failure, who fail a company or whether their direction and oversight roles would have been hampered by a ceiling of extreme opacity between the Board and its committees on the one hand and company operations on the other. With specific reference to insurance, three cases / studies come to mind:
- Also implicated in the Independent Insurance plc case was the company’s Finance Director who, the presiding judge stated in delivering judgement in 2007, lacked the strength of character to say enough is enough and say something about it;
- Ashby et al (2002)[viii] in their paper, ‘Lessons about Risk: Analysing the Causal Chain of Insurance Company Failure,’ discuss the findings of the 2001 EU Insurance Supervisors’ Conference analysing 21 supervisory cases of failures or near failures of insurance companies from 15 different countries. The general conclusions of their work are that, although no cause is singularly responsible for the failure of a company, poor management and the inter-related governance / systems lapses are common to all cases. Even in the two cases where initially no lapse of governance was evident, upon further investigation it was revealed that this played a decisive role in the companies’ failure;
- In a Georgia State University study about the failure of 250 property and casualty insurance companies in the USA between 1986 and 1999[ix], the authors build their hypotheses on three main components augmenting insolvency costs. One of these is specifically the moral hazard attached to management decisions and/or behaviour of troubled insurance joint-stock companies.
The independence of the Board of directors is enshrined in legislation and their ability to function effectively has been strengthened considerably over the years by various regulations in different companies. For example, in the United Kingdom these are witnessed in the development of the role and duties of non-executive directors since the Cadbury Report in the early 1990s all the way through the Combined Code and its revisions in more recent years. Furthermore, rating agencies, who are often in the line of fire post-crisis, build investigative triggers in their analysis methodology focusing, for example, on Board expertise in addition to executive competence and capabilities, Board independence as well as its ability to exercise pro-active judgement.
Conclusion: Do we think the unthinkable?
I started with a reference to Mr. Hindson’s Dec 2010 article.
One of the diagrams in the said article succinctly encapsulates four organisational governance culture types, i.e. cultures of strategic governance, control governance, tactical governance and minimalist governance. The fulcrum swaying in between these four cultures is, arguably, the extent of control or centralisation exercised by executive management (or, conversely, the extent of a principle-driven culture of operational freedom within a framework of governance). If this is the case, control or concentration of power lends itself to opacity directly hindering governance, risk and compliance effectiveness within an organisation.
In the case of the more fortunate ones this will come back to haunt the company time and again in a seemingly endless round of Russian roulette. As for the less fortunate, the references to this article contain examples of close to 300 insurance companies (not counting banks and/or quasi-banking organisations in the recent crisis) that did not live to tell the tale. Little do we realise that it is not the storm but the proverbial sand foundation that generally brings down the house.
All of this highlights the importance of the risk management or GRC function operating independently, free from executive duress, and at times in an adversarial role to executive management, at Board or Board Committee level.
At a time when technological sophistication, even more so maybe as a result of the looming Solvency II implementation, is at the forefront of risk management practice, I would like to end with a quote from Gillian Tett’s award winning ‘Fool’s Gold’ when talking about JP Morgan’s Jamie Dimon, “The only safe way to use VaR (Value at Risk) … is alongside numerous other analytical tools – including the human brain.”
When we give precedence to intelligence (the capacity to acquire and apply knowledge) over intellect we risk doing away with reason and understanding.
James Portelli is a Chartered Insurance Practitioner, a Fellow of the Chartered Insurance Institute and a Fellow of the Institute of Risk Management. Working in insurance since 1990 he has been active in the Middle East since 1998. James is the regional coordinator of the IRM Middle East Regional Groups’ Network.
[i] Hindson A., ‘Analysis | Risk Culture’, Risk Management Professional (Dec 2010), 28 – 29
[ii] RiskMinds 2009 Risk Managers’ Survey, Moore, Carter & Associates and the Cranfield School of Management
[iv] Tett, Gillian, ‘Fool’s Gold’, Little, Brown Publishing Group (2009), 135
[v] International Institute of Finance, ‘Governance of Financial Institutions’ (Nov, 2009), in association with Hills Programme on Governance and the American Assembly, Columbia University, 13
[vi] Walton S., ‘Lloyds: Current Developments and Challenges Ahead’ (1996) Lloyds of London Publication, 54
[vii] International Institute of Finance, ‘Governance of Financial Institutions’ (Nov, 2009), in association with Hills Programme on Governance and the American Assembly, Columbia University, 7
[viii] Ashby S, Sharma P & McDonnell W (2002), ‘Lessons About Risk: Analyzing the Causal Chain of Insurance,’ Financial Services Authority, U.K.
[ix] Grace M.F., Klein R.W., Phillips R.D. (October, 2003), ‘Insurance Company Failures: Why do they Cost so Much?’, Centre for Risk Management & Insurance Research, Georgia State University, USA.