|
The Panic of 2008: How the financial crisis will affect risk management and corporate legal departments Economic climate change in a nutshell: § 2004-2006: The rate of subprime loans issued increases from 9 percent of total mortgages issued to 21 percent. Mortgage lenders begin aggressively pushing subprime loans to people by fraudulently overestimating the value of the homes or overstating the lender’s income. § 2004- 2006: Bundles of subprime debts, called “tranches,” were repackaged and sold as attractive investment vehicles or securities to banks, traders and hedge funds on the U.S., European and Asian markets. § Late 2006: When recipients of subprime loans couldn’t pay, a steep rise in the rate of subprime mortgage defaults and foreclosures caused more than 100 subprime mortgage lenders to fail or file for bankruptcy. The failure of these companies caused prices in the $6.5 trillion mortgage-backed securities market to collapse, threatening broader impacts on the U.S. housing market and economy as a whole. § 2007-2008: With market paranoia setting in, banks reined in their lending to each other and to business, leading to rising interest rates and difficulty in maintaining credit lines. As a result, ordinary, healthy businesses across the world with no direct connection whatsoever to the US sub-prime industry suddenly started facing difficulties or even folding due to the banks' unwillingness to budge on credit lines. § 2008: The institutions that funded the lenders went bankrupt. Collapses and arrests followed. o Bear Stearns, Lehman Brothers, Merrill Lynch and AIG all got caught up in the mess. That's led to government bailouts. § 2008-beyond: Legislation aimed at preventing a future financial crisis is introduced. New rules around corporate governance, risk management and compliance, are enacted. Corporate legal departments take on expanded roles within organizations including process management and implementation, necessitating the development of tools to effectively and efficiently manage and mitigate risk. | | Note: This is part two of a three-part series about how the financial crisis will affect governance, risk management and compliance, and the role of corporate legal departments in the post-crisis era. This paper addresses the changes risk management will likely face. Introduction On October 6, 2008, an attorney testified at a hearing about the causes and effects of the Lehman Brothers bankruptcy. Gregory W. Smith, general counsel for Colorado Public Employee Retirement Fund (PERS), was asked by the United States House of Representatives Committee on Oversight and Government Reform to discuss the regulatory mistakes and financial excesses that led to the bankruptcy, and the causes and effects thereof. Smith made a strong, clear case for stringent, transparent regulation of not just financial reporting, but of all public corporations. He advocated, “A return to genuine transparency within a regulatory environment where investors set priorities and have a voice that is heard and acted upon.” Martin Hutchinson, editor for Money Morning, came to a different but parallel conclusion about the Lehman Brothers’ catastrophic failure: “Lehman, the latest Wall Street investment bank forced to the brink of failure, may have put itself out on that precipice with its own risk-management strategies.” General Counsels are not immune from the imminent increased expectations in the form of regulations, stepped-up internal controls and risk management strategies. The question now becomes: How can forward-thinking general counsel, in concert with internal corporate departments, proactively address risk management issues, before they become catastrophes? What is risk management? The idea of risk management has until recently been the unassuming cousin of more charismatic management practices – while always an essential process within the business world, it hasn’t gotten much attention from anyone but bookish insurance types. Risk and risk management, however, have been pushed to the forefront by recent events within the financial world, namely the collapse of the subprime mortgage and financial markets. Poor risk management in the last few years, where good judgment and prudence gave way to greed, played a major role in the decisions that led to the current dire global straits in which we find ourselves. This is driving interest in both recovery from and prevention of future missteps within the realm of risk. At its most basic, risk management can be broken down into three deceptively simple processes: · Risk Assessment § Identification and evaluation of risks and their impacts, both good and bad § Recommendation of risk-reducing measures · Risk Mitigation § Prioritization and implementation of recommended risk-reduction approaches · Evaluation and Assessment § Continual evaluation process § Assessing opportunities for business growth against associated risks § Keys for implementing successful risk management program It is important to keep in mind that all business ventures and organizations must deal with risk on at least some level. Without taking some risks, few businesses would be profitable. In fact, it could be argued that many a corporation, country and even society has been built on a few well-calculated calculated risks. It is, however, in an organization’s best interest to use the above steps to calculate its risk tolerance, and properly mitigate undesirable risks based upon that calculation. Indeed, throughout history, it is partly through successful – or unsuccessful – risk management that effective organizations have been separated from failed ones. How does the financial crisis affect risk? By any name – panic of 2008, market meltdown, financial or subprime mortgage crisis – the troubled economic times in which we find ourselves will have widespread effects. New regulations are almost certain to affect not just the financial sectors, but the entire business world as we know it. How businesses interact, both with each other and internally, will change fundamentally in the coming months and years, particularly when it comes to assessing and mitigating risk. “The majority of reports have characterized the crisis as a financial crisis, and clearly on one level it is,” said Prakash Shimpi, Towers Perrin Principal and head of the firm’s Enterprise Risk Management practice. “On another level, however, this crisis exposes material gaps in risk management … and … companies … will need to retool their risk management practices.” Many experts share Shimpi’s opinion, and some go even farther: "This financial mess is one colossal example of poor risk management," Art Coviello, president of EMC's RSA Security division, one of the largest and most respected data security companies in the world. According to Stephen Walker, senior associate for Aberdeen Group, a business research firm, there will be enhanced focus on what experts term “enterprise” risk management, or ERM, in the coming months and years. At its core, ERM is an approach to managing risks by taking an integrated view of the various uncertainties involved across an organization. ERM is the process whereby an organization optimizes the manner in which it manages risks and seizes opportunities related to its objectives. New regulations may prevent future financial jugglers from performing the particular brand of trickery that’s at the heart of this financial crisis again, but they won’t be able to stop organizations from circumventing future regulations, says Walker. The key to preventing future failures – not just in financial markets but in any business exposed to risk – and by default future economic crises, lies in integrating risk management across business units. Regulations alone are not enough to prevent future crises – successes in proactively managing and integrating risk are necessary to create a more stable world for businesses of the future. What will be the corporate lawyer’s role? While legal departments’ role in corporate risk management has traditionally been relegated to very specific areas of legal risks such as contractual, regulatory, and employment risks, today’s dynamic corporate world requires innovative legal departments to take on an expanded, proactive role. Indeed, areas of risk faced by other departments within corporations often overlap areas of risk faced within the legal department. Additionally, many current – and likely, future – regulations require legal departments to assess risks on a regular basis. It’s common for health and safety employment codes to require risks to be assessed and managed to protect people from harm. For example, the Management of Health and Safety at Work Regulations 1999 require management to make a suitable and sufficient assessment of the risks created by (the undertaking of employment duties) for the purpose of identifying the measures they need to have in place to comply with their health and safety legislation. For corporate legal departments, this means that not only must general counsel interpret new risk-related legislation; they must also play a leading role in managing risk itself. Many general counsel predict that state government regulatory oversight will rise with more attorney general probes, and federal oversight will expand in step with the next presidential administration. Company risk management committees will generally be forced to have more regular and uniform reporting to their corporate boards and will be asked to provide more in-depth assessments of risk, predicted Carol Ann Petren, general counsel and executive vice president at the health insurer Cigna Corp. Not only will legal departments play a lead role in interpreting new legislation, but they will also implement changes in risk management and mitigation, as well as overseeing compliance with new regulations and internal procedures. Creating a compliant corporate culture may traditionally reside with C-suite executives, but it is within the power of legal departments to convey the need and meaning of policies, which are just as, if not more, important to individual-level staff as edicts from above. The increasingly complex nature of risk has led to the development of a relatively new way of managing risk, known as Enterprise Risk Management, or ERM. Enterprise risk management frameworks have become the standard for financial services companies to leverage risk for financial gain and prevent loss. General counsels, who comprehend possible risks throughout their organizations, can use risk to help create value for the company and prevent costly legal events. Enterprise Risk Management (ERM) strategies encompass legal, financial, operational and market risk. The General Counsel who understands such potential risks throughout an organization can prevent costly legal events and use risk to create value for the company. Thus, adopting the principals of enterprise risk management could prove extremely beneficial for general counsels and their organizations. Conversely, ERM, while often primarily handled within corporate C-suites, would benefit from a legal perspective. The National Law Journal, for example, is reporting that many large corporate failures, such as the failures of Lehman Brothers, Fannie Mae, and Washington Mutual, have led to increased expectations on the part of general counsels regarding oversight. At a minimum, this means more work. Most likely, there will be an increase in regulatory work, compliance issues, and governance, risk and compliance oversight. Dan Fitz, Group General Counsel of Cable & Wireless plc, President of the European Chapter of the Global Corporate Counsel Association, and a previous Counsel To Counsel forum co-chair, said, “The survey (wherein Martindale-Hubbell conducted a study of the largest corporate buyers of legal services in Europe) has confirmed what many of us have felt: The world of business has changed significantly in the past twelve months and the priorities of in-house counsel must change with it.” “Risk management is a primary theme for 2009 and beyond,” Walker said. “ERM has got to stem from a cross-functional team, with primary ownership of initiative from top-level executives, but the process needs input and feedback from organizational units, absolutely including legal.” “Legal will play an important role because compliance is rolling up into risk management issues, the operational risk management and quality control as well as corporate governance,” Walker said. Challenges One of the biggest challenges sound risk management faces lies within organizational structure itself. Many companies still consider risk management a unique discipline, and one to be handled by unique individuals and departments. In other words, they have silos of information which are nearly useless as they are. They key to managing risk effectively is gaining a company-wide perspective of goals and objectives, which by definition requires the participation of not only interdepartmental risk management teams, but the tacit participations of every employee. The ability to map departmental processes back to overarching objectives is essential to managing the unmanageable.
Unless each department has free and easy access to all of the information available on customers, both singly and as a group, they're operating in silos, and that's not efficient. Worse, it's frustrating for everybody involved – customers and employees alike. Breaking down information and communication silos reduces the likelihood of error and needless duplication of efforts. A sound approach to interdepartmental communications and information sharing ensure multidirectional synchronization between departments.
Preparing for an uncertain future: A proactive approach Managing risk can and should be a transparent and rational process. With the right tools, general counsel can make decisions using cross-unit insights to produce an enterprise-wide solution to risk management. Setting an agenda, mapping goals within departments to overall business objectives and prioritizing communication are all keys to good risk management. Below, some essentials to keep in mind as you build your organizations’ risk management plan: · Determine your organization’s risk tolerance · Identify and map risks and their corresponding impacts and opportunities o Determine how to balance opportunities with risks · Develop a prioritization process whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order · Ensure your risk management plan is both comprehensive in scope and attainable o Create risk metrics o Set progress monitoring tools to gauge progress; set and monitor progress milestones o Create a timeframe for goals, but keep in mind that risk management is an ongoing process · Map risk management program(s) to overall business goals · Build interdepartmental communication bridges to avoid duplication of efforts, and integrate risk management plans to best address overall business goals · Aggregate and form comprehensive risk management program that everyone can follow · Facilitate organizational culture around concrete risk management principles o Foster a sense of ownership over risk management for ALL employees, ensuring a culture where risks are taken into account on a daily and continual basis o Create open forum within your organization · View cross-departmental issues to see the interaction of how risks affect each other · Ensure the methods you use to assess risk are in line with industry best practices · Create a data map for your organization to easily locate and update data locations, record types and data sources Conclusion In light of the catastrophic failures of past risk management processes and procedures, it’s in the best interests of any organization to create a new enterprise risk management paradigm. Regulation will prevent a future crisis with the parameters of the Panic of 2008, but they won’t fix the root of the problem. Corporations and their respective departments need to be equipped to provide their stakeholders, department heads and employees with the tools – and motivation -- to implement effective and proactive risk management procedures. Fostering a sense of employee ownership over the risk management process is key to proactively implementing an efficient risk management plan. Without continual employee participation from department heads through the employees that oversee the company’s daily operations, any plan, no matter how high-level, will be without teeth. Corporate legal departments need to work effectively with other departments to create an enterprise-wide, comprehensive, scalable approach to risk management that emphasizes full-circle communication, and provides organizations with the ability to map all risk management programs back to business goals. A reasonable, easy-to-understand and implement approach to risk management that incorporates and utilizes the knowledge base from key departments will keep companies on the track to success.
Deleted: At its most basic, enterprise risk management includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
|
