How far can risk management be taken? For example, should a company with a superstar risk manager have been able to predict, two years ago, a recession so deep that it was marked by the implosion of Wall Street investment banks, massive layoffs, and plummeting consumer demand?
Risk managers on a panel at the CFO Rising West conference in Las Vegas Tuesday agreed that some outlying events cannot be predicted. But they didn’t relieve risk departments of responsibility for making sure companies can respond well to those events when they do happen.
Bill Bojan, former chief risk officer at United Health Group and now CEO of consulting firm Integrated Governance Solutions, said he always tells company executives and boards that “risk management is not a silver bullet and not a crystal ball.” While he pinned part of the blame for the financial crisis on a lack of checks and balances and poor governance at the top of many financial-services firms, he added that no risk-assessment process could have actually predicted the crisis.
But while some elements of risk management help prevent bad things from happening, Bojan said, a good risk-management culture also helps companies respond when the unforeseeable does happen.
Even in the recent economic climate, when most companies were taking few chances, some opportunities that involved risk presented themselves. That, to Bojan, is the key to a good risk culture: cultivating an awareness at the top levels of the company that businesses are in business to take risks intelligently, and that opportunities can either be leveraged or missed. Organizations that managed risks with that in mind “are responding better right now — they’re agile and adaptable, as opposed to being on their heels trying to figure out what to do,” said Bojan.
Gary Germeroth, chief risk officer at Calpine Corp., a big power company, agreed that he didn’t believe anyone could have predicted the broad economic meltdown. But the same wasn’t true, he added, for some of the risks that contributed to the crisis.
“You have to be really careful not to be too much in love with your own math. When you’re looking at an event like [the financial crisis], it’s really scenario testing that could have given you some heads ups.” — Calpine Chief Risk Officer Gary Germeroth
Before Bear Stearns collapsed in March 2008, Calpine was supplying energy to a subsidiary of the investment bank, Bear Energy, a natural-gas distributor and broker. Calpine, Germeroth claimed, was the first supplier to cut off credit to Bear Energy. Other parties, including rating agencies, were relying on complex mathematical models that concluded Bear Stearns never would go under, he noted. Calpine, however, factored in some additional market information on Bear Energy and saw a huge risk in continuing credit.
“You have to be really careful not to be too much in love with your own math,” said Germeroth. “When you’re looking at an event like [the financial crisis], it’s really scenario testing that could have given you some heads ups. Scenario testing is mor common-sensical than high-powered math, and people at all levels of the company can get their head around it more easily.”
Indeed, it was support for the risk-management department by company brass and the board — which Germeroth said he had painstakingly cultivated — that saved the day when all the top Calpine executives and directors started getting urgent calls from Bear Energy. “If one of those people had said no, that’s OK, go ahead and keep selling to Bear, our risk-management process would not have anywhere near the bite that we now have.”
Similarly, Bojan told conference attendees that keeping the company engaged in risk management is one of the five areas where corporations fall short in fully integrating risk-management processes into an organization. The key to driving that engagement is approaching risk assessment in a way that adds value to line businesses.
For example, Bojan said, United Health Group had been on an acquisition path when the CEO of the company’s largest segment called on him to discuss how to balance growth with profitability. While the company was extremely profitable and growing fast, there was significant risk that at some point acquisition opportunities would dry up and growth would stall.
So Bojan organized an analysis of business risks and opportunities that brought together the company’s underwriting, actuarial, analytics, and finance groups, which “weren’t really talking to each other as well as they should have been,” he said. The analysis resulted in some key decision-making by the CEO. “He didn’t mind so much when we did our annual and quarterly work because we had added so much value to his business. If the risk process isn’t getting out into the business helping solve business problems, it’s not going to get a lot of engagement.”
The other four areas in which Bojan said companies could use improvement with regard to the integration of risk management are:
• Addressing all aspects of risk in concert with one another by factoring in risk interrelationships and interdependencies. In that way, executives understand their exposure from all angles. “As companies get larger and more sophisticated, it’s very important to look at risk as a portfolio,” said Bojan. “I think that’s where we’ve seen some failures, even from the largest and most sophisticated financial institutions. They really lost sight of risk as a portfolio and made some very siloed decisions.”
• Connecting the risk process to other key management processes. Strategic development, capital spending, quality assurance, and performance management are “all areas in which risk plays a very important role. If the risk process is disconnected from them, you lose a lot of value,” said Bojan.
• Connecting the risk process to other key monitoring disciplines, such as ethics, social responsibility, audit, and compliance. Bojan called this “seeing things whole.” Many organizations have no real coordinated system of monitoring those things, he said. “Unfortunately, the board has to pick and choose from a lot of data fragments and doesn’t get the full monitoring picture of the organization.”
• Enhancing risk oversight by the board. Governing effectively means addressing potential pitfalls. “In many instances,” said Bojan, “the board is really missing the boat.”