Friday, September 26, 2008
For the sake of completeness, I have transferred most of the previous enties to this new format - the dates won't necessarily be right, but the content is.
Let me know if it works or not.
So what to do? Quite simple really: I argued that what should really matter to acquirers, corporate or private equity (not that we necessarily used that term then) was firstly the risk profile of the company being acquired, and of course how those risks were being managed, and secondly what I might describe as the project risks in the course of the acquisition. While we managed to produce an interesting booklet and some collateral, there was a distinct lack of interest. After all we were making (and I assume the large accounting firms are still making) enormous sums of money at higher than normal rates for producing the traditional due diligence report. You know the sort of thing: a couple of hundred pages including a section on why debtor days had moved by five minutes over the last five years. So that was an idea that was left to fester in the corner although I occasionally used to dust the covers off and wave it around, but I could not even persuade some of the more enlightened partners or private equity houses to have a look.
So blow me down when, as I was researching the Standard and Poor’s material on ERM recently (of which more in a later e-mail – I can’t use it all up in one...) I came across a section entitled “Using Enterprise Risk Management To Evaluate Mergers & Acquisitions Of Financial Services Firms”. Let me quote from their report:
"Two major issues relating to ERM are part of the process to resolve the placement on CreditWatch. The first, and most important, is the project risk management of the integration and implementation project. Second is the impact of the M&A on the risk profile of the acquiring firm, which includes assessing the ability of the firm's risk management system to control risk in the newly created firm. If the resolution of these issues is positive, the M&A is expected to create a fully controlled new entity. If one or both of these issues do not have a favorable resolution, a significant possibility exists that there could be either a poor return from the transaction or an increased possibility of an unexpected loss and a negative rating."
It looked familiar! This was what I had been saying over ten years ago, which all goes to show that a risk prophet is never recognised in his or her own time. But at least I can say “I told you so”, dust the covers down, update the material and say: “now risk based due diligence – that’s a good idea!”
Needless to say, I would be delighted to discuss this further, because I really DO believe that due diligence is more than overdue for a radical overhaul.
Your thoughts welcome!
Interestingly, the article talks about the controlling aspects of risk management: “Lax risk controls, for example, allowed a Société Generale trader allegedly to amass unauthorised positions that cost the bank €4.9bn ($7.2bn), in addition to €4m in fines by French banking regulators.” What it does not do is talk about what I might describe as the enabling facility of risk management. For a long time risk managers in Financial Services have been those in credit or other areas who say “no”. Of course they maybe said “no” to infrequently in the foot-to-the-floor approach to building banks over the long bull run. Of course, as any driver of an automatic car will know, you have to take your foot off the accelerator to brake. And that self-same heavy foot is now pushed firmly down to the metal so that the brakes are squealing and the whole (global) economy is screeching to a standstill.
I like to think of risk management as being the balancing act of four attributes that fall into two pairs of tensions. On the one hand we have good old risk management attempting to stop bad things from happening. And yet (as the credit crunch has graphically illustrated) if you stop taking managed risks, you will stop dead in your tracks. These are different attributes (stopping pitfalls, and taking more managed risk) which tend to operate in contrary directions. The other pair of attributes that influence risk behaviours are the performance culture (who has not just occasionally thought that the bonus culture of the big investment banks might just skew risk taking in one direction or another?) and the corporate ethics and behaviours. Imagine each of these attributes individually mapped against the long term profitability of the organisation, and you will see that the more you do of each of them, the better the long term profitability, until, suddenly you are doing too much: taking so much managed risk, that people cannot manage; avoiding so many pitfalls, real and imagined, that they cannot progress; suffering from a performance culture that forces rile breaking and burn-out; or corporate ethics that becomes so debilitating that it is a question of not treading on egg-shells. Now take those and map them on the same diagram, and suddenly we can see what happened to all of those banks: exorbitant risk taking combined with a noxious performance culture and stunted risk avoidance combined with little regard to the real corporate ethics.
The credit crunch has slammed this into reverse (into what I used to describe as UK plc’s risk profile): very little or no risk taking, combined with redundancies; and total pitfall avoidance combined with a new ethical model (perhaps this is stretching a point, but you get the drift).
To me, the challenge is about working out where you are on these four attributes, where you want to be (the sweet spot) and how you get there. It’s not just about an overall group-wide approach; it’s about each of the businesses and teams and how they interact with one another. This is what I call Balanced Risk. And understanding their own business risk profile might just be what would help organisations to begin, ever so cautiously to take their foot off the brake and to start gently applying pressure to the throttle.
Happy to discuss!
S&P talk about recognising a company’s adoption of standards such as COSO or the Australian/NZ risk standard. Presumably, although not yet published, this will also include the new BS31100. This will provide a big impetus for companies that are subject to S&P ratings to review their ERM practices. As they helpfully indicate, they see "ERM as:
- An approach to assure the firm is attending to all risks;
- A set of expectations among management, shareholders, and the board about which risks the firm will and will not take;
- A set of methods for avoiding situations that might result in losses that would be outside the firm's tolerance;
- A method to shift focus from "cost/benefit" to "risk/reward";
- A way to help fulfill a fundamental responsibility of a company's board and senior management;
- A toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming; and
- A language for communicating the firm's efforts to maintain a manageable risk profile."
Also of relevance is what they feel that ERM is not, namely:
- A method to eliminate all risks;
- A guarantee that the firm will avoid losses;
- A crammed-together collection of longstanding and disparate practices;
- A rigid set of rules that must be followed under all circumstances;
- Limited to compliance and disclosure requirements;
- A replacement for internal controls of fraud and malfeasance;
- Exactly the same for all firms in all sectors;
- Exactly the same from year to year; nor
- A passing fad.
We could not agree more wholeheartedly.
So what is this going to mean? Helpfully S&P set out in some detail what this will address:
“Our industry-focused rating analysts will incorporate an ERM discussion into the regular credit reviews on each company, emphasizing risk-management culture and strategic risk management, which are the most broadly comparable and critical of the four areas outlined in our original proposal. In the risk-management culture analysis, discussion topics will include:
- Risk-management frameworks or structures currently in use;
- The roles of staff responsible for risk management and reporting lines;
- Internal and external risk-management communications;
- Broad risk-management policies and metrics for successful risk management; and
- The influence of risk management on budgeting and management compensation.
"In addition, we will incorporate our existing review of governance, accounting policies and issues, and derivatives into this much broader analysis of a company's risk-management culture.
"Under strategic risk management, our analysts will explore:
- Management's view of the most consequential risks the firm faces, their likelihood, and potential effect on credit;
- The frequency and nature of updating the identification of these top risks;
- The influence of risk sensitivity on liability management and financing decisions; and
- The role of risk management in strategic decision making.”
Does this represent the death knell for the overview Turnbull approach to risk management which has merely scratched the surface, and in our view often undermined more wholehearted approaches to risk management? Nigel Turnbull’s suggestion that risk management needed no more than a conversation at the board about the top-10 risks does not look like it will fit comfortably with the approach adopted by S&P.
All of this of course will need some review by S&P. They say: “While we cannot audit assertions by company managers about their ERM procedures, we will closely examine the consistency between their statements and historical performance. We will specifically inquire about how they handled actual risks in the past. A discussion of ERM will become a regular part of our follow-up after significant drops in earnings or losses, significant restatements of past financial results, or material impairment losses and write-downs. Our discussions with managers about ERM will be to understand how consciously they have taken and retained risks and why they are comfortable with their net risk positions.”
So how much change will this represent? As S&P themselves conclude:
“Just as the introduction of ERM for a company is unlikely to radically change extant decision-making processes, we do not see ERM analysis radically altering our existing credit rating opinions. Its value will be incremental in most cases, negligible in a few, and eye-opening in some others. We expect that ERM analysis will drive some rating and outlook changes, but not before we have been able to benchmark companies against each other and over time.”
SO IS THIS THE BIGGEST DRIVER FOR RISK MANAGEMENT THAT WE HAVE SEEN? and will it help to address the questions that were being discussed below???
Thursday, September 25, 2008
My view is that much that goes for Enterprise Risk Management these days is overly prescriptive and focussed on process rather than culture. But more than that it also has to have something to say to the managers in the business. So the challenge is to create an Enterprise Risk Management framework that has the right processes, but which goes with the grain of the culture and also is built into the context of the business.
In summary I see this as being a requirement to create a risk intelligent organisation. To me risk management is about bringing a perspective to the management of complicated issues in complex organisations. It is about the management (and not the avoidance) of risk. It helps to prioritise your work and that of others in a fast moving context with an approach that is better than simple intuition and which facilitates communication between people. It is a style of thought, and is definitely not a paper chase.
So where to start? I suggest (but I would wouldn't I) a review of the maturity of your organisation vis-a-vis risk management. I have found that powerful in that it can help management to see where their and their peoples' blind spots are, it can help people to see where they are in relation to their peers and it can help to define very effectively where the initial efforts are required.
But I am going to stop at this point and invite others to contribute (please...)
- The potential saving of Fannie Mae and Freddie Mac continues to spook the markets with falls in share prices around the globe (
And the thought piece? Daniel Finkelstein writes about the tipping point as behavioural sciences begin to impinge on the national consciousness and policy-makers (http://www.timesonline.co.uk/tol/comment/columnists/daniel_finkelstein/article4339756.ece). Well there is a thought!
All of these are grist to the mill for risk maangers. I can't help but feel that this (almost) recession has in part been brought about by a woeful failure of risk management, originally in US financial services, where, I am led to believe, risk management as we understand it is generally very immature. And we are feeling the consequences of that right round the rest of the globe. My reading is that unethical mortgage brokers spotted a fast buck in selling mortgages to customers who had to lie on their applications and did not have a cat's chance of paying them back if the economic conditions tilted ever so slightly against them. Combine that with what can only appear to have been poor product analysis and inadequate governance over the product innovation that went by the name of CDO's, where these lying application forms were piled one on top of the other by mathematicians with brains the size of a jumbo jet, but zero experience of human behaviour. Then factor in a rather large dose of the emperor's new clothes (remember Hans Christian Andersen?) and before you can say "default" you have a credit crunch that brings down Northern Rock, IndyMac and possibly many, many more, including, in the fullness of time perhaps Gordon Brown... How's that for the law of unintended consequences?
And of course, in all of this, businesses are suffering. Not just the mortgage banks, but run of the mill organisations. Many could go under. So Cameron's thoughts on the insolvency laws are coming at the right time of the (potential) recession, even if they are unlikely to be acted on for years to come. It is just worth remembering that this was the whole point of of Sir Kenneth Cork's proposed reforms many years ago, although Administration (the major innovation of the last insolvency act) does not seem to have done the trick in the way that Chapter 11 does. Talking of Sir Kenneth, who remembers his top ten pointers to a failed company? I can only remember:
- Company flag on company flagpole
- Fish tank in the atrium (was an atrium itself one? That would be an indictment of many organisations...)
- Chairman's Rolls Royce with personalised number plate
Can anyone remember the others, and is there a more relevant new batch? Perhaps we could create the ERMA list of pointers to failing companies.
So it was a bright light in the gloom to see the BT story. Although there is the vaguest resonance with 3G - "we don't yet know what people will do with all that bandwidth, but we are sure they will come up with ideas" (my interpretation - not their words exactly). Let's just hope that Alastair Darling doesn't see the resonance with 3G as well, otherwise BT will be in for an auction of 3G proportions, which, you will recall, virtually brought BT to its knees (and which is why O2, its mobile operator, is now owned by a Spanish company). Anyway, isn't it a pleasure to see a company set out its stall to take a managed risk in an adverse economic environment.
So this then brings me back to Mr Finkelstein's comments. In the risk world it has long been recognised that culture is a fundamental part of "embedding" (horrible word!) risk management. Proces alone is not enough. Likewise, in policy terms regulation and law-making alone will not suffice to stop knife murders, drunken behaviour and the rest of it. Personally I have borrowed heavily from diverse academic disciplines:
- Geography (Professor John Adams)
- Law (Professor Rob Baldwin)
- Economics (Professor Martin Cave)
- Psychology (Professor Gaskell)
- Anthropology (Mary Douglas and many others)
- History (Professor Gwyn Prins)
- and many many others...
Long may we be able to inter-weave wide ranging thinking into mainstream risk management. And perhaps we can show the way to policy makers... Or was that where Professor Lord Giddens came in to the story with Tony Blair? Oh well!!!
Anyone want to join me in pushing the thought leadership forwards?
Do speak to me! A response, any response makes it worth writing this blog.
The aim is still to get a standard out in late September/early October. I expect the standard to be of interest to those who have only ever played with risk management so far, and potentially to those in a sophisticated supply chain where you want to know that others in that chain are reasonably sophisticated in risk management.
I should add of course that this is a Code of Practice, and not a mandatory standard. Although claims of compliance will have to based on proper compliance and deviation from the standard would have to be justified.
The intention is that in due course there will be various practice guides, for example for SME's or perhaps for specific industries.
BSi will run an introductory conference. Together with another organisation, we will also run introductory workshop sessions - if anyone is interested in hearing more, let me know.
I set up the Enterprise Risk Management Association on LinkedIn to see if there were other people itnerested in sharing information on risk management, either as professionals in enterprises or those who provide consulting to enterprises. After a slow start, people have started to join in increasing numbers - you should be able to see the membership on LinkedIn.
At the moment this is all a bit free form and I will see what people want to do. In the short term I am planning on setting up some form of blog/discussion arena, an area where we can share war stories and perhaps an area where suppliers (like myself!) can put cross-references to their websites.
However, I am keen that this should not just become an advertising space, and if it does we might look at some charging mechanism in due course. Rather I want it to become a genuine discussion forum for mutual assistance.
Let me know what you think.