THE MAGAZINE FOR FINANCIAL DIRECTORS AND TREASURERS
TREASURY & RISK MANAGEMENT April 2008

OVERLOOKING THE OBVIOUS
Have technology and math blinded companies to the dangers at their feet?
By Bennett Voyles

In a better world, corporate risk management would resemble an old episode of Star Trek. Every CEO would have his Scotty, a man in the engine room who would call up periodically and cry, “She can’t take it anymore, cap’n!” Then the guy in the gold tunic would lean back in his chair, grit his jaw, and turn up the force field.

After spending untold sums on the latest in risk management technology, CEOs at some of the world’s most sophisticated companies, from Bear Stearns to Société Générale, might be forgiven for thinking they had that kind of a system in place. Yet in some of the recent financial disasters, the officer in the gold tunic reportedly didn’t learn the bad news until he saw the financial equivalent of smoke pouring out of the control panels.

Essentially, these CEOs discovered too late that they had traded their old-fashioned blind spots for a new kind of blindness: one induced by the comfort of new technology and elaborate quantitative models.

Take the case of Société Générale’s record-breaking US$7 billion loss. As someone who had worked in back-office security, accused rogue trader Jérôme Kerviel knew how to evade all the high-tech security systems designed to keep traders from making oversized trades. In other words, goes the conventional wisdom, the lights on the panel never blinked. But, says Dane Chamorro, regional general manager of greater China for Control Risks, Kerviel’s trades had raised alerts in the risk management department no fewer than two dozen times—each time, officials at the bank had ignored red flags or granted exceptions rather than investigate.

Further, many of Kerviel’s actions as an employee were those of someone with something to hide. He reportedly never took vacations and frequented his workplace at unusual hours, among other things. Such behavior should put managers on alert, says Chamorro—for one thing, someone committing a fraud can’t ask anyone to take over for him during a holiday.

Yet such signs, so obvious in retrospect, went overlooked, at least in part because bank managers assumed that no large-scale scam would get past the bank’s technology and procedures. Big problems often do slip by undetected—think of the piles of subprime loans that appeared safe enough according to some credit models, but which common sense should have indicated were outrageously risky.

Back to Basics

With such disasters as a backdrop, many risk management experts say it’s time for companies to revisit the fundamentals. It may be a useful exercise—while some complex risks certainly demand technology and sophisticated models, most threats confronting a business can be dealt with using humbler means. It’s particularly important to do so now, given the intention of credit agencies to begin evaluating companies on their risk management procedures (see “No Cakewalk”).

“We don’t even think about computers or IT or software solutions,” says Dr. Alan Waring, chief executive of Asia Risk in Hong Kong. “Those are just technical instruments…it’s just creating an illusion of things being joined up.”

“A lot of this is not necessarily capital-intensive,” Waring continues. “There may be some expenditure, but it’s much more in terms of thinking, organizing, establishing various systems and business processes.”

One company that has followed this line of thinking is April, an Indonesian pulp and paper manufacturer. “We have tried not to take a book approach,” says Ratnesh Bedi, the company’s Singapore-based CFO. “We have taken a very hands-on approach.” A few basic steps have taken April and a number of companies a long way in improving their risk profiles without a major investment:

1. Tackle the biggest risks first. It’s helpful for managers to think through the risks facing their company and determine which ones are both likely and potentially lethal. Such prioritization can help a company focus scarce resources.

Some of those risks, such as an event that depletes cash reserves, are common to every company. Others will be specific to the industry or the market. One Western MNC operating in Japan, for instance, conducts earthquake readiness assessments two or three times a year.

In China, some companies keep a closer eye on their own private fault lines—the government. Yan Jin, controller for greater China for Eaton Fluid Power, warns that in China, at least, it’s extremely important to keep an eye on the government. Provincial and national rules are changing constantly. But it’s not enough to just get any kind of interpretation—sometimes, the interpretation of a new rule by a provincial official may well be different than central government officials intended, and Beijing’s interpretation will eventually trump the local.

“You have to find out who is the final decision maker for the policy,” Yan advises. “Doing business in China, you need to know where to go.”

2. Align the incentives. One lesson of the recent debacles is that incentives need to be aligned in ways that reward caution. In the recent subprime fiasco, for instance, one of the main problems was that at some firms there were no systems in place to encourage prudence. “Everyone was making money on this model,” says James Lam, president of James Lam & Associates, a Boston-based risk consultancy. As long as home values rose, everyone from the mortgage broker to the institution that bought the securitized loan made money, creating strong internal pressure to keep the deals moving.

April makes sure executives actually follow through on risk-reduction recommendations by linking them to employee incentives—all the way up into the executive suite. Bedi says that one year, while working on the oil and gas side of the company, he hadn’t managed to get the two potential successor candidates in place that the company requires to reduce its succession risk, and the company docked some of his bonus. When he got to the pulp and paper side, he says, he didn’t make that mistake again, but started from day one to develop his successors.

3. Don’t ignore complexity. One risk event has a way of triggering others, making it important to understand the possible connections. “All major disasters are a confluence of a number of risk factors,” Lam says. “For the subprime issue, it was a combination of market risk, credit risk, and liquidity risk, compounded by leverage on leverage.”

The use of off-balance-sheet structures and the creation of multilayered derivatives such as collateralized debt obligations (CDOs) made it easy for players to overlook the shakiness of some of the underlying cash flows. The lack of transparency led many banks to overlook some basic questions: “Why would you want to give mortgages to people who don’t have jobs?” asks Craig Paterson, head of enterprise risk management, Asia Pacific, for Marsh.

Nor is this kind of complexity an issue only in the financial world. Asia Risk’s Waring points to the 2005 PetroChina disaster in Harbin. The disaster began as a fire and explosion in a chemical plant, then developed into a spill, and ended up polluting a river. The spill eventually ran all the way into Russia, causing international tension. At the same time, major U.S. institutional investors started dumping their stock and threatening lawsuits.

What had been a simple operational risk rapidly grew into a risk that engulfed the whole company, including marketing and investor relations. “Before you know it, you have a major environmental disaster on your hands, as well as big diplomatic and political problems,” he says.

4. Listen to everybody. Such links, says Waring, mean that the challenge is often less about understanding individual risks deeply—individual department heads usually do a fairly good job at tracking basic risks within their silo—than making sure that there is a firm-wide understanding of those departmental risks. “Things are interconnected. If you put false boundaries on things, you’re asking for trouble,” he says.

After looking for the obvious things at the executive level, April then goes back to front line managers and asks them to rate their risks. “If you make them take one step back and take a look at the whole thing, their eye is better than your eye,” says Bedi.

The effort has helped the company identify some threats that might have gone unmanaged. One is the risk of supply chain disruptions in an around-the-clock work environment. To minimize the chance that supplier problems could cause April to stumble in its operations, the company has chosen to pull much of its supply chain in-house. Bedi calls this a “nursery-to-port” approach, whereby the company owns its own tree farms, truck fleet, and even ports. Further, 98 percent of the chemicals used in production are formulated on site.

Looks Like a Job for a CFO

Companies also need to think about who’s best positioned to drive the risk management effort. Assuming Scotty’s not available, who should you put in charge?

Many of the world’s biggest companies—particularly those with large trading or lending operations—have had chief risk officers for years. But the position is still relatively rare in Asia. Lam, the very first CRO—he coined the phrase while CRO of GE Capital in the early ’90s—says that the lack of risk expertise is a key problem at many Asian companies.

“I think the biggest challenge for Asian companies is the acquisition of the appropriate human resources, whether that is a board member or an advisor to the board or chief risk officer,” Lam says. There just aren’t that many people in Asia yet who have that kind of background.

Beyond the need for expertise, there are different schools of thought about who should direct the risk-management effort. Some say it’s a natural extension of the audit committee. Others say that if there is a CRO, the CRO should report directly to the CEO. Others say the COO is where the buck should stop.

But in Asia, particularly in smaller companies that might not have a CRO or a COO, some experts believe that the CFO may be the best person to place in charge of risk management.

Although April is large enough to support a CRO, the CRO reports to the CFO and not the CEO. April’s Bedi says he thinks this is a good model. CFOs typically have experience with insurance issues. They’re also good at quantifying risks. Finally, even though COOs have more time to listen to the CRO, the CFOs typically have enough political heft to make sure things get done.

“As CFO, you are number two in the command line, and therefore you carry weight, and that helps the risk management department,” he says. Ironically, a structure where the risk officer reports directly to the CEO might have a harder time getting the CEO’s attention.

Of course, even a well-considered reporting structure isn’t enough if you aren’t looking at the right things. Looking back at the practices of banks such as Northern Rock and Merrill Lynch that produced the subprime fiasco, the real problem, says Lam, was that banks and brokers relied too heavily on their control panels, when risk management is more art and science. “Too much attention was focused on the science part,” he says, not enough on simply analyzing the risks of the system.

Bennett Voyles is a Paris-based business writer.

No Cakewalk

Still reeling from its failure to spot the subprime mortgage crisis, Standard & Poor’s is nonetheless moving ahead on a long-discussed plan to dissect enterprise risk management (ERM) practices at non-financial companies. But will S&P be able to gain enough visibility to assess something that executives have trouble defining, much less practicing?

S&P plans to address four components of ERM it considers common to all industries: risk-management culture and governance, risk controls, emerging-risk preparation, and strategic management. Its goal is to factor such analysis, as well as an examination of industry-specific risk, into its ratings so it can anticipate major blowups before they happen. “We want to get a sense of a company’s resiliency and ability to respond to regulatory risk, lawsuit risk, terrorism risk—things that cause companies to go under,” says managing director Steve Dreyer.

The ratings agency’s final assessment will be based largely on interviews with senior managers. How heavily weighted ERM is in a company’s credit rating will vary by industry, its capital position, and its risk exposure, S&P says.

Some experts are skeptical about relying on company executives for a complete ERM analysis. “It’s not uncommon for a CEO to believe he has an ERM process and think his direct reports are on top of risk when that’s not the case,” says Richard M. Steinberg, CEO of Steinberg Governance Advisors.

Dreyer agrees. “We can’t interview every employee to be sure they have drunk the Kool-Aid with regards to risk-management culture and practices,” he says. But S&P can look for proof of adoption of company policies in organizational structures and communications, he says. The bottom line: ERM analysis is, like ERM itself, still a work in progress. – Vincent Ryan

