Feb 11, 2008

The financial community recently seems to have added a new twist to the advice given in Shakespeare’s Henry VI (Part 2) with regard to lawyers in the wake of the US $130-billion-plus write-offs that are increasing daily due to the subprime mortgage debacle.

The Canadian Imperial Bank of Commerce recently fired its chief risk manager after that bank faced write-downs of CDN $2 billion on top of the previous CDN $978 million quarterly write-offs related to its holdings in subprime mortgage debt in the US. The expectation by financial analysts is that the subprime losses for the bank will continue to grow throughout this year.

The risk management units at Citigroup (which had to take $23.2 billion in write-offs in the past six months) and Merrill Lynch (a firm only one-third the size of Citigroup but which also had to take $24.6 billion in write-offs over the same time frame) are being “revamped”; a nice word meaning “don’t let the door hit you on the way out.”

John Thain, the new chief executive at Merrill Lynch & Co., conceded that risk management at the company is dysfunctional. Thain went on to say that the risks Merrill took were siloed when they logically should not have been, which in turn led to a lack of understanding of the risks that were being taken on. In addition, Merrill’s enterprise risk committee “just didn’t function.” Finally, Thain implied that the risk appetite of the firm was a whole lot bigger than its wallet allowed.

Let’s look at just how deep this “lack of risk understanding” was. Last October, when Merrill Lynch announced that it had to take a US $8.4 billion write-off, most financial analysts thought that Merrill, given its market exposure in the subprime market, would have to take a fourth-quarter write-off as well, but estimated that this would only be in the range of $4 billion. No one at Merrill disputed that estimate. Well, it turned out to be $16.4 billion. Being off by a factor of 400% in fewer than 90 days is some mean feat of risk misestimation, don’t you think?

What CEO Thain also didn’t say was that Merrill Lynch was also passing on its lack of risk understanding in the subprime mortgage products it sold as investments to its clients, some of whom are more than a bit upset. The US city of Springfield, Massachusetts, for instance, found out that the value of one of the investment funds it purchased from Merrill Lynch fell by 90% due to the fund being made up of collateralized debt obligations: i.e., a grouping of debt that includes subprime mortgages. Merrill didn’t tell the city until months after it bought the fund what the investment fund comprised. Springfield now wants its money back — as I suspect many others do.

The same “lack of risk understanding” that pervaded Merrill appears to have existed at most of the financial firms, which, as of last summer, were still touting themselves as the world’s leading practitioners of enterprise risk management (ERM). After all, weren’t these organizations the first to create the term, “chief risk officer,” and to push the idea of ERM? And who else could claim that they managed risk (and, on the surface, successfully) as their full-time profession? Nevertheless, it appears that the ERM functions at these firms — as well as the claims of enduring profitability that they produced — were little more than Potemkin villages.

Over at the Swiss bank UBS, for instance, its management admitted this month that even after recently writing off $13.4 billion from the bank’s books in response to its holdings in the subprime mortgages, “We cannot, at this time, accurately predict the future development of the US residential mortgage markets and therefore the ultimate impact of our positions in subprime-mortgage-related securities.” In other words, we don’t have a clue as to the risks we took, in either their likelihood of occurrence or their overall consequences. We do know, however, that they have now turned into problems, but we just don’t know where they are or what will be the bill for fixing them.

This is quite an admission for a bank that has been one of the loudest in proclaiming to the world that its approach to ERM has “turned risk control into a competitive advantage.” With risk control like this, who needs competitors?

UBS is also “revamping” its approach to risk management. Of course, using risk managers as scapegoats for not controlling risk is the easy thing to do. It gives executives someone to blame for their poor decisions.

What seems clear is that, at best, firms like Merrill Lynch, Citibank, and UBS practiced dilettante risk management, and at worst, or maybe as standard practice, they sought profitability at the expense of risk control. In essence, the risk managers at these firms have been killed twice: once to get rid of or intimidate any who might be concerned that the risks being pursued were out of kilter and, after the risks turned into major embarrassments, to take out their compliant replacements, who became convenient fall guys.

The vast majority of companies in the financial community — and their risk management organizations — turned a blind eye toward the risks in the subprime mortgage market because of all the money to be made there. The community focused exclusively on exploiting the “positive risks” (a term I find a repugnant oxymoron) involved, while ignoring the old-time “traditional” risks involved.

This risk blindness — or better, risk arrogance or hubris — proceeded along even as warning flares were going off, like the $10 billion-plus in write-offs the British bank HSBC had to take early last year on its US subprime mortgages rapidly going south. HSBC arrogantly said — before its write-off fiasco — that it had more than 150 in-house PhDs who were expert in modeling the credit risk subprime loans posed, so there wasn’t nearly as much risk in these loans as everyone was claiming.

Of course, having 150 PhDs modeling risk is useless if much of the information used to model the risk is wrong. The HSBC mess revealed a huge, hidden problem of fraudulent subprime loans the bank had underwritten, for example, driven in large part by the ease with which you could get an HSBC subprime mortgage. Again, because of the money to be made from fees involved in writing mortgages, and the ability to package and sell these mortgages to third parties, thus off-loading your risk to someone else, HSBC wasn’t interested in looking too closely at who actually was getting the loans. That is, until it was burned. Fraudulent subprime mortgages are now appearing as the cause of many of the current loan defaults in other banks as well, which says a whole lot about the banking industry.

You would think that HSBC’s problems would have sparked detailed reviews at other financial institutions that also had major positions in the subprime market, but remarkably (or maybe not), it did not. Only a few, like Goldman Sachs, started to unwind their position in late 2006 after HSBC’s problems started to become known (they still had to write off $1.3 billion in the third quarter of last year), and I know of only one major hedge fund manager, John Paulson, who decided that the subprime risks were going to outstrip its rewards, and made a tidy $4 billion betting that it would collapse.

This risk arrogance was shared and abetted by folks who should have known better, like US Federal Reserve Chairman Ben Bernanke, who said in May 2007, “The effect of the troubles in the subprime sector on the broader housing market will likely be limited.” This was more a political hope than solid risk analysis, since the Federal Reserve, especially Bernanke’s predecessor, Alan Greenspan, was enthusiastic about subprime mortgages, even praising them in 2005 as “innovative financial instruments.”

As the saying goes, the Federal Reserve was for subprime mortgages before it was against them. Since last autumn, Bernanke has been trying to cobble together bailout plan after bailout plan to reverse the Federal Reserve’s massive misreading of risk. It has had to drastically lower interest rates to stem investor panic, which in turn may cause both greater investor panic (by so rapidly and deeply cutting interest rates, which you only do if you are yourself in a panic) and risk arrogance on the part of banks (by bailing them out).

There are other actors in this drama. Housing activists and politicians of both Republican and Democratic parties also ignored the risks involved in subprime mortgages, because to acknowledge them would have been detrimental to their political agendas. Investors and speculators, too, were more than happy to ride the straight-line curve of rising housing prices and to pretend that it would never change. People also bought houses that they couldn’t afford, but the deals offered were “once in a lifetime” and “too good to be true” to pass up.

Throughout all this, risk became a nonentity, an abstract notion that existed only in textbooks and among those who “didn’t understand” the “new risk as opportunity” paradigm. I guess old-fashioned risk is real now.

One could very easily be tempted to say, given what has transpired over the past few months, that enterprise risk management is a crock. And, to be honest, it is — at least the way it was being marketed and practiced at the world’s leading companies, which are supposed to manage risk as a way of life, as well as, I suspect, in other companies that have bought into the Wall Street approach to ERM as their model. In a small bit of defense, few corporate ERM practices or practitioners can stand up to “gold fever” (a term that should be used in the place of “positive risk”), and those who do will likely find themselves marginalized or replaced by those who are not so “negative” in their views.

I hope this little episode brings ERM practice under scrutiny and creates a rebirth of what risk and opportunity are all about, although decades in the risk management business tell me not to be too optimistic. Practicing true risk management is like diet and exercise: why do it when someone can offer you a pill to lose weight instead?

You are also courting disaster the moment you disconnect risk from ultimate performance. In this subprime mess, the benefits accrued before the risks could take effect — not a bad deal if you can find it. However, the risk doesn’t go away. Too often companies set their internal incentive plans in just this way. When that happens, you don’t need risk managers; instead, you’d better start hiring a lot of lawyers.

Yes, let’s kill all the risk managers today if it makes you feel better — but just remember, it will be your second murder.


Robert Charette

Robert N. Charette is a Fellow with Cutter's Business Technology Strategies practice. He is also President of ITABHI Corporation, a business and technology risk management consultancy. With 35 years’ experience in a wide variety of international technology and management positions, Dr. Charette is recognized as an international authority and pioneer regarding IS, IT, and telecommunications risk management.


  5 Responses to “The First Thing We Do, Let’s Kill All the Risk Managers — Again”

  1. Commerce is nothing more than mere wild swings between greed and fear. Successful commerce is walking that tightrope between greed and fear without falling. Unfortunately, the equation tends to be:

    Greed + Fear > Risk Management

  2. Maybe it is Greed – Fear > Risk Management

    Merrill Lynch decided that discretion is the better part of valor. It agreed to pay Springfield, Massachusetts back the initial $13.9 million that Springfield had paid for the collateralized debt obligations that Merrill sold the city, as well as Springfield’s outside legal fees. No word on who else is getting their investments made whole again by Merrill.

  4. The first thing we should know is what the exact duty of the chief risk officer is in the field of risk management.

    The chief risk officer (CRO) or chief risk management officer (CRMO) of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization’s Enterprise Risk Management (ERM) approach.



