would be difficult if not impossible to implement ERM while companies continue to measure and report risks in silos. There is a general sense of dissatisfaction among board members and senior executives with respect to the timeliness, quality, and usefulness of risk reports. About a third of respondents to a 2016 Corporate Board Member survey felt information flow between their board and management could be improved through a higher frequency of updates (36%), more concise reporting (31%), or more time to review materials prior to a meeting (34%).17 Many companies still analyze and report on individual risks separately. These reports tend to be either too qualitative (risk assessments and heat maps) or too quantitative (financial and risk metrics). Risk reports can also focus too much on past trends and current risk exposures. In order to establish more effective reporting, companies should develop forward-looking, role-based dashboard reports. The risk team should customize these reports to support the decisions of their target audience, whether the board, executive management, or line and operations management. Dashboard reports should integrate qualitative and quantitative data, internal risk exposures and external drivers, and key performance and risk indicators. Moreover, risk analyses should be reported in the context of business objectives and risk appetite.
Creation of Objective Feedback Loops
How do we know if risk management is working effectively? This is perhaps one of the most important questions facing boards, executives, regulators, and risk managers today. The most common practice is to evaluate the effectiveness of risk management based on the achievement of key milestones or the lack of significant risk incidents and losses. However, qualitative milestones or negative proofs should no longer be sufficient. I made this point when I was interviewed by the Wall Street Journal on the rise of chief risk officers in the aftermath of the financial crisis. In the article,18 I emphasized the need for an objective feedback loop for risk management, and was quoted as saying, “AIG and Bear Stearns were doing fine until they weren't.” My point was made in jest, but boards and management should not rely on the absence of a bad situation as evidence that effective risk management is in place.
Organizations need to establish performance feedback loops for risk management that are based on defined objectives, desired outcomes, and data-driven evidence. Other corporate and business functions have such measures and feedback loops. For example, business development has sales metrics, customer service has customer satisfaction scores, HR has turnover rates, and so on.
While various types of feedback loops can benefit an ERM program at every level, one that should be considered by all for-profit companies incorporates ex-ante analysis of earnings at risk followed by ex-post analysis of earnings attribution. Over time, the combination of these two analyses would provide a powerful performance measurement and feedback loop. (I offer a complete description of this feedback loop in Chapter 20.) This would help the board and management ensure that risk management is effective in minimizing unexpected earnings volatility – a key goal of enterprise risk management. Finally, I believe this type of analysis should be provided alongside the earnings guidance of publicly traded companies. Relative to the current laundry-list and qualitative approach to risk disclosure, earnings-at-risk and earnings-attribution analyses can provide much higher levels of risk transparency to investors.
Better Incentive Compensation Plans
The design of executive incentive compensation systems is one of the most powerful levers for effective risk management, yet companies have so far paid insufficient attention to how incentive compensation systems influence risk-return decisions. For example, if executive compensation is driven by revenue or earnings growth, then corporate and business executives might be motivated to take on excessive risks in order to produce higher levels of revenue and earnings. If executive compensation is driven by stock price performance via stock options, decision-makers might also be motivated to take on excessive risks to increase short-term stock price appreciation. Unethical executives might even be tempted to manipulate accounting rules.
Traditional executive compensation systems do not provide the appropriate framework for risk management because they motivate excessive risk taking. Moreover, the corporate structure creates potential conflicts between management and investors. In essence, executives are betting with “other people's money”: Heads they win, tails investors lose. To better align the interests of management and investors, long-term, risk-adjusted financial performance must drive incentive compensation systems. Boards and management must consider not only what business performance was produced, but also how. Companies can achieve this by incorporating risk management performance into their incentive compensation systems; establishing long-term risk-adjusted profitability measurement; and using vesting schedules consistent with the duration of risk exposures and/or claw-back provisions.
THE WHEEL OF MISFORTUNE REVISITED
In my previous ERM books I introduced the Wheel of Misfortune, which illustrates that risk management disasters can come in many different forms and can strike any company within any industry. Beyond purely financial losses, the mismanagement of risks can result in damage to the reputation of the companies, or a setback for the careers of individual executives. The Wheel of Misfortune is the response I use to those managers and executives who aren't swayed by the potential pain of ineffective risk management. These doubters will often express the sentiment that “it couldn't happen here” or “if it isn't broke, don't fix it.” In these cases, it is worth reminding the skeptics that history has repeatedly demonstrated how bad things can and do happen to good companies.
When my first ERM book was published in 2003, the direst illustration of how negative events can quickly escalate was the cumulative losses suffered by U.S. thrifts in the mid-1980s. These losses not only bankrupted individual companies, but also threatened the entire industry. There were other examples as well. Important spokes of the Wheel included accounting fraud, trading losses, and misrepresented revenue.
Now, however, risks are even more diverse and unpredictable. They can start anywhere in the world and quickly ripple across the global economy, affecting industries that on the surface had little in common with those at the epicenter of crisis. Figure 2.1 represents the new Wheel of Misfortune.
FIGURE 2.1 Wheel of Misfortune
A close examination of these disasters underlines the importance of risk management, including how the nature, velocity, and impact of risks have evolved. Here's a brief, woeful look at some major corporate disasters, many of which are shown in the new Wheel of Misfortune. Take note that those caught up in the Wheel represent some of the world's best-known and most highly regarded brands.
Operational Risk involves any event that disrupts normal business operations. Losses resulting from operational risk may stem from inadequate or failed processes, people, systems, or external events. It includes employee errors, fraud, or criminal activities, as well as the failure of information, manufacturing or other systems:
• In 2012, UK-based drug maker GlaxoSmithKline paid a $3 billion fine for illegally marketing the depression drug Paxil. The company was found to have deceived and bribed doctors into prescribing the drug for children, with whom it has been shown to increase the likelihood of suicide.19
• Pfizer, the world's largest drug company, reached a $2.3 billion settlement with U.S. federal prosecutors in 2009 for promoting the painkiller Bextra for unapproved uses that endangered patients' lives.20
• In 2014, auto manufacturer Toyota, often lauded for its Toyota Production System intended to reduce error and waste, agreed to pay $1.3 billion to avoid prosecution for covering up severe safety problems with “unintended acceleration” and continuing to make cars with parts the FBI said the company “knew were deadly.”21
Bribery