The ongoing crisis in worldwide credit markets points, in part, to a colossal failure in risk assessment at a stunning number of companies. The questions on the minds of directors today are, “How can any board adequately anticipate and prepare for the unknown? What is the board’s responsibility when such failure occurs? What is the role of the auditor? And does risk management belong to the full board or in a committee all its own?”
It will be a long time before “we understand what went wrong and specifically what the board risks are going forward,” said Neil Goldenberg, partner-in-charge of Internal Audit & Risk Management at Eisner, a New York-based accounting and audit firm that hosted a Directorship Roundtable on “Developments in the Oversight of Risk Management.” Goldenberg further added, “What we see when there are failures like this is that there’s a lack of communication and a lack of formality. Directors need to make sure that there is a professionalized risk-management structure in place.”
One topic that elicited many viewpoints was whether boards should consider setting up separate risk-management committees. Of the 12 largest financial companies, only two—Goldman Sachs and JP Morgan—had dedicated risk committees before the crisis emerged. Was it cause or effect that these titans have so far escaped the magnitude of the billion-dollar-plus writedowns of their competitors?
John Biggs, the former chairman and CEO of TIAA-CREF who recently stepped down from the JPMorgan Chase board, noted that when he began serving on that board in 2003, there was some overlap in committee responsibilities. What the risk committee did was provide a more careful examination of the larger enterprise variety risk issues. “The audit committee would look at the credit risk, but the risk committee took a more wide-angle view of the different kinds of credit and operational risks, which was a big deal at the time because we had just settled with the State of New York on Enron,” Biggs said. One precaution that appears to have served JPMorgan well is a stipulation that any product with a high profit margin be brought before the risk committee automatically.
Taking the contra side of the argument, David Meachin, chairman and CEO of Cross Border Enterprises, a New York-based investment bank, believes that the responsibility for risk management rests with the full board rather than in a committee. “Risk management needs to be factored into every manager’s job internally and the board as a whole must take into consideration the knowns, the unknowns, and unknowables,” he said.
Risk should no more sit in a committee by itself than diversity, strategy or innovation, said Allan Grafman, president of All Media Ventures and a director at Majesco Entertainment. “Risk management should be instilled throughout the entire company.”
Some directors and legislators believe the regulatory agencies need to do a better job of oversight to ensure the lending markets are run in a safe and sound manner. Questions have also arisen about the banks’ relations with credit rating agencies—Moody’s Investors Service, Standard & Poor’s, and Fitch Ratings—for not properly evaluating the risks of bonds backed by the mortgages given to subprime borrowers. Was this an instance of not questioning what seemed too good to be true? That’s one opinion. “The frank answer is we don’t know. There are many theories that we can speak of…or whether, like WorldCom, it is another issue of fraud,” said Nawal Roy, former Moody’s vice president and member of the Professional Risk Managers’ International Institute. “It’s too premature to say.”
Blame to Share
Unlike accounting and GAAP-related risks which had been commonplace, the credit crisis arose out of operational issues and a sudden change in the credit cycle. “I’m happy for the ratings agencies because for the first time in a long time, this has less to do with accounting and more to do with the value of these instruments,” said Bruce Rosen, Eisner partner-in-charge of assurance services. “What you’re going to find is that pieces of risk were spread out in such a manner that valuations are coming into question.”
“This has nothing to do with accounting,” agreed Meachin. “I do not understand how a board in 2007 could watch [former Merrill Lynch CEO] Stan O’Neal move from $1 billion to $40 billion [in exposure] and not ask about the shift in balance. In my view, the job of boards is to ask the common-sense questions.”
Concurred Louis Lipschitz, director at New York & Co., Finlay Enterprises, and others: “If you don’t understand the transaction, you need to walk away. It’s not the fault of the auditor or the ratings agencies. It’s greedy companies making earnings and then putting their heads in the sand.”
Added Eisner Managing Partner Charles Weinstein: “The credit crisis stems from the complexity of the instruments and the spreading of risk across a broad spectrum… those who didn’t have a formal process in place to show that it was too good to be true have really suffered.”
The issue of enthusiasm over skepticism in the face of growing profits was considered carefully as well. Roundtable participants pondered the issue of whether boards should have aggressively questioned company performance when an entire sector was experiencing similar results. “The board is a consensus organ,” said Holly Gregory, partner at Weil, Gotshal & Manges, “and I think we’re expecting a lot more courage than is typical in a consensus body.” The dialogue on risk appetite—as opposed to risk management—is not happening yet in most boardrooms, she added, noting that boards must be more deliberate in how proactively they assess risk.
So, what can directors do to better prepare themselves for risk scenarios that might be lurking beneath the surface? Said Weinstein: “As the auditor, I would expect directors to come back to me and ask for an honest assessment, going beyond the technical details. Just tell me, does this pass the smell test?”
It is the responsibility of directors to understand the business of the company which they serve and it is the responsibility of management to explain business to the board, said Thomas Doorley, chairman and CEO of Sage Partners and a director at Natrol. “Yes, you can ask auditors questions, but the buck stops with the board.”