ABSTRACT

It is argued that corporate scandals will most likely continue to make newspaper headlines as long as attention is paid primarily to internal controls and formal risk reporting, the prevalent elements of current risk management practice, to the detriment of good risk governance. Risk governance is pivotal in accomplishing effective risk management outcomes. It starts at the top of the organization, and accounts for how the board of directors and the executive management board discuss, determine and communicate the company’s risk appetite. It is argued that proper decision-making processes that compensate for the distortions ingrained in the human mind, together with decision-making forums composed of a broader range of personal characteristics, can avoid a uniform mind-set. However, the effectiveness of risk management and governance depends heavily on the organizational climate in which they take place. It is reasoned that effective risk governance must encourage risk awareness throughout the organization. This includes appropriate training to impart knowledge and confidence in the applied risk methodology, fostering a common understanding of the company’s risk management norms. Incentive and sanction structures should be designed to encourage sound risk assessment in a risk-aware organization. It is argued that proper risk governance can lead to more effective risk management practices. Accordingly, regulators and other stakeholders are encouraged to consider qualitative rather than quantitative, checklist-oriented controls in risk management practice and to evaluate the quality of the company’s risk management system, in order to reduce the propensity for corporate scandals in the future.

Risk management has long been a standard management activity, although the risk focus generally has been limited to those exposures that can be observed, measured, and mitigated through various controls, insurance contracts, and other financial hedging products aimed at protecting the company against the adverse economic effects of potential risk events.

However, there has been growing public pressure for more systematic and comprehensive approaches to risk management as news about corporate scandals has hit the newspaper headlines over the past decades. These events have also drawn much attention to the integrity and personal accountability of corporate executives. The examples of corporate scandals (see Appendix 5.1) include excessive trading practices in Barings Bank (1995), Société Générale (2008), and UBS (2011), where traders took unauthorized positions in various financial contracts, falsified documents, kept trades hidden by booking the transactions on unused error accounts, and/or made unauthorized use of the bank’s computer systems. The collapse of the American energy company Enron (2001), the American telecommunication company WorldCom (2002), the Italian dairy product company Parmalat (2003), and Bernard Madoff’s wealth management arm (2008) revealed that reported profits were sustained by a planned and systematic use of forgeries and accounting fraud.

As a result, new and enhanced risk management approaches were introduced, commonly known under the general heading of enterprise risk management (ERM) frameworks. For example, the German Control and Transparency in Business Act (KonTraG) was imposed in 1998, setting new standards of corporate governance for German publicly listed companies, while the Turnbull Report was published in the UK in 1999 (and revised in 2005) and focused on directors’ obligations with respect to good internal controls. The Enron scandal was a key factor behind the creation of the Sarbanes–Oxley Act in the US in 2002, probably the most notable legislative initiative, holding boards, CEOs, and other senior executives accountable for potential corporate risk outcomes. Finally, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the US, which was originally formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting, developed the COSO ERM framework in 2004 with a new set of principles to manage corporate risks.

The financial crisis in 2008 had a severe societal impact and was to a large extent caused by failures in organizational cultures and ethical principles, including remuneration practices that encouraged excessive risk exposures, and it revealed severe shortcomings in the engagement of the board in overseeing risk management. All the while, organizational cultures often inhibited effective challenges to the excessive risk-taking, where easy access to capital and inadequate accounting and regulatory standards led to pervasive asset overvaluation.

As a result of the financial crisis, new and comprehensive regulatory measures were considered and are currently being introduced via Basel III, aimed at increasing the banking industry’s resilience to absorb various shocks from different sources, improving management and governance practices, and strengthening transparency and disclosure. In addition to formally meeting the Basel III requirements, global systemically important financial institutions are subject to a higher loss absorbency requirement to reflect the significant influence they have on the financial system. The enhanced requirements for formal risk management and governance entail, among other things, official requirements for managerial duties with a vastly increased workload on elaborate sign-off and documentation schemes. For example, it is not uncommon to see board material in financial institutions well in excess of several hundred pages per meeting, much of which is material that board members must approve in accordance with the regulatory requirements. The magnitude of this documentation means that there might not be sufficient time for evaluation and discussion of the risk issues that are relevant for the organization.

Ideally, an ERM framework should support managers in their efforts to limit the potential for downside losses from major exposures while helping them to think more systematically about opportunities that represent future upside potential (e.g., Henriksen and Uhlenfeldt, 2006). However, the new formalized risk management practices imposed on the business community serve to ensure that the company maintains a stringent internal control framework to circumvent potential risks, as well as to enhance corporate accountability for the consequences of their occurrence. As a result, the risk management process in many organizations has become a stale checklist drill, which serves as a convenient tool to satisfy regulators and other stakeholders and to convince executives and board members that they have done their duty should things go wrong. The perception of risk management evolves with a predominant focus on routine system errors, operational malfunctions, uncontrolled employees, and the personal accountability of corporate executives, all of which can be managed by a central corporate risk management function (Power, 2007). Such an approach often promotes a defensive mentality that works against the development of a proper risk-awareness culture, and worse, potential changes in the risk landscape might not be identified in a timely manner because they are overlooked in formal reporting practices. For example, the use of certifications and standards within information security and general IT controls is endemically focused on having formal controls in place that cater to the external and internal environments, while focusing less on establishing awareness of the information security risks associated with social engineering and the like.

Although it is indisputable that the financial crisis in 2008 and the many reported corporate failures have had severe repercussions for society, as they exposed organizations and their stakeholders, the imposition of comprehensive, resource-demanding, and control-oriented risk management frameworks on corporate business activities will hardly prevent the advent of severe corporate scandals in the future. Indeed, the Bernard Madoff (2008), Société Générale (2008), and UBS (2011) cases happened after the introduction of more extensive ERM practices. While the various ERM frameworks relate to risk governance, the attention given to internal controls and formal risk reporting has been pronounced, to the detriment of proper risk governance, which deserves more attention.

Risk governance was pivotal in the discussions and recommendations in the UK in light of the financial crisis (The Walker Report, 2009). It is pointed out that “the most critical need is for an environment in which effective challenge of the executive is expected and achieved in the boardroom before decisions are taken on major risk and strategic issues” and that “board-level engagement in risk oversight should be materially increased, with particular attention to the monitoring of risk and discussion leading to decisions on the entity’s risk appetite and tolerance” (The Walker Report, 2009: 12).

Whichever business model a company pursues, it entails risk, and accordingly strategic decisions cannot be taken without considering the exposures such decisions may give rise to. Consequently, risk management is not a box-ticking exercise that can be delegated to a central corporate risk management function, but a core activity that should be considered an integrated part of the strategic decision-making process, to ensure that an appropriate risk-reward trade-off is established when major resources are committed. For example, most companies outsource part of their noncore activities and/or move production to cheaper geographical locations, and have formal checklist risk management procedures in place to consider the risks associated with the handover. However, while such an approach is correct from a narrow strategic point of view, the interests of and potential reactions from key stakeholders, including employees, unions, nongovernmental organizations (NGOs), and local and federal governments, should also be evaluated, which requires nonroutine evaluations and assessments engaging various expert views (The Walker Report, 2009: 12). Thus, higher dedication and engagement from members of the boardroom as well as the executive management board is needed as a prerequisite for a more prudent risk culture in the organization, which will be paramount in establishing a risk-resilient and responsive organization.