November 21, 2008

Primed for Integrated Management

Mortgage crisis leads many organizations to review foundations of risk-management plans

By Tom Connors 

The subprime mortgage crisis has caused many large investment firms to take substantially higher write-downs than they previously estimated. The situation has been a key contributor to the resignations of several high-profile CEOs. The gravity of the crisis has even caused some people to suggest that additional regulation may be necessary.

It is unclear how much more fallout over the subprime crisis will occur in the coming weeks and months. What is clear, though, is that the situation has severely shaken investor and board confidence, because it calls into question the ability of even the largest investment firms to manage risk.

As is the case with most risk-management failures, the boards and executives at the affected companies were apparently at least partially unaware of the risk that they were running. And as commonly occurs when risks become realized losses, investors, boards and—if worse comes to worst—even regulators may question what was known by management and when.

The issues related to the subprime crisis, of course, are complex and highly specific to the financial services industry. But the underlying issue of how to intelligently manage risk is one that concerns companies across the board.

We believe that companies that apply some of the basic principles of integrated governance, risk and compliance (GRC) can help circumvent risk-management failures in the future. Done effectively, an integrated approach to GRC enables transparency and visibility at all levels of the organization as to the organization’s appetite for risk as compared to its actual diet.

To illustrate what integrated GRC can do for an enterprise, consider how an organization may choose to respond to risks it identifies. Four basic types of responses are possible:

  • Seek: The organization may seek out additional risk on top of the risks it is already assuming. This response would be appropriate in situations where the organization is being too conservative with respect to risk in a particular area.
  • Avoid: The organization can either hedge risk (e.g., by using hedge funds to reduce portfolio risk) or avoid risk in a certain area altogether (e.g., by choosing not to get involved in subprime lending).
  • Accept: The organization may accept—that is, do nothing about—the risks it identifies. This response can be appropriate for certain types of external risks such as the climate or the economy. However, it can also be a default response based on ignorance, indecision or simple lack of attention, in which case the organization becomes a poster child for poor risk-management practices.
  • Manage: Finally, the organization can proactively manage the risks it identifies, taking steps such as clearly assigning management responsibility, identifying key performance indicators and regularly monitoring the risks.

In theory, this four-response framework seems simple. In practice, however, we often find that an organization’s appetite for risk—its procedures for determining which of these four responses to follow—is poorly defined and/or undocumented in at least some areas.

In other cases, the organization’s risk appetite may be well-defined and documented, but its actual diet of risks may not be consistent with management’s intentions. In other words, the organization’s C-suite and/or board may want the organization to respond to risk in a particular way, but the organization is not executing on that response.

Integrated GRC can help to prevent both the lack of definition/documentation and inconsistencies in execution. In the case of the subprime situation, it is very likely that companies would have mitigated the impact of the crisis if they had had a clear understanding of the risks involved and had mobilized their organizations to at least partially avoid or manage those risks. But because of the lack of clarity around defining an appropriate response to risk, and the lack of translation of board/executive intention into organizational action, some companies may now be paying the price for their inability to manage risk effectively.

Some may argue that certain areas of risk, such as those relating to portfolio, credit and market risk, are too specialized for an integrated approach to GRC to address. However, the subprime crisis will undoubtedly raise the bar of expectations for boards and management in managing risk of all kinds.

These increased expectations will likely include increased requirements for understanding, at the highest levels of the organization, the company’s risk appetite and potential risk exposure. And giving boards and executives that understanding is what integrated GRC is all about.

In summary, defining your organization’s appetite for risk is similar to developing a personal plan for a healthy diet. Organizations, like individuals, can sometimes yield to cravings that expose them to unwarranted risk.

Like a good dietician, integrated GRC can help your organization catch these deviations early and get it back to its healthy ways. Even if yours is not a financial services firm, now might be a good time to revisit your risk-management practices to assess if you have a clear understanding of whether your organization has bitten off more risk than it can chew.

Tom Connors is a partner in the Assurance and Enterprise Risk Service (AERS) practice of Deloitte & Touche LLP, where he is one of the national leaders of its Sarbanes-Oxley and GRC initiatives.

Copyright © 2006-2008 CRO Corp, LLC. All rights reserved.