CHAPTER 9

Governance and ERM

What Is Governance?

Governance is ensuring that the controls and processes are in place so that the people of the organization, and the organization as a whole, are doing the right thing. ERM is both a system that needs good organizational governance and a system that helps to create good corporate governance. In other words, ERM can greatly help create an organization that has great corporate governance, but ERM itself needs good corporate governance. Perhaps it was best put by James Lam in his genre-defining book “Enterprise Risk Management: From Incentives to Controls,” when he stated, “We want to operate in an environment in control, not a controlled environment.”1

Good governance does not just happen. Good governance needs to be consciously created and maintained. While it is nice to think that people will always do the “right thing,” the reality is that people will not always know what the right thing to do is, they will not always have the right information to do the right thing, they will not always have the right incentives to do the right thing, they may not always understand or be able to interpret what the right thing to do is, and in a (hopefully very) few cases they may have ulterior motives that incent them to consciously do the wrong thing.

In the context of ERM, governance can often be traced to four key elements: culture, values, self-esteem, and training. These four elements must be in place from the top of the organization (Board of Directors, senior managers) all the way through to the lowest-level employee. Often the layer where these four components of good governance are weakest is middle management—a point we will discuss at more length in a separate section.

When it comes to governance and ERM, it is very much a two-way street. There need to be processes and controls in place to ensure good governance over the ERM function. However, in a reciprocal fashion, ERM can be a key platform through which good organizational governance is implemented, promoted, and maintained. ERM and governance have a symbiotic relationship. Good governance often involves implementing a robust ERM program, while in turn a robust ERM program is a major catalyst and tool for creating great governance.

ERM provides the objectives, the identification of risks, the measurement of risks, a measure of the effectiveness of the response to risks, a set of dashboards and communication tools, and, perhaps most importantly, a culture that allows for and promotes good governance. If one accepts the view promoted in “Rethinking Risk Management,” the sister book to this book, that good risk management is simply good management, and likewise that good management is simply good risk management, then it could also be argued that good ERM is simply good enterprise governance management.2

The Role of the Board and Senior Management in Good Governance

Good governance begins with the Board. The Board’s distinct role is to act in the interests of the major stakeholders. For the Board of an organization that is a for-profit company with publicly traded shares, this mandate is generally interpreted as acting so as to maximize the value, or equivalently, the share price of the firm. For the Board of a not-for-profit organization, the mandate can sometimes be a little less clear and a lot more subjective, but is usually to maximize the benefits for the intended stakeholders. Regardless of whether the organization is for-profit, or not-for-profit, the Board also has an implicit responsibility to ensure that the organization is a good citizen, or has a high social license to operate as discussed in Chapter 8. In essence, good governance begins with good organizational values.

Creating, implementing, promoting, and acting in accordance with a thoughtful and impactful values statement may be the most important task that a Board undertakes. In an ideal world it might be argued that a values statement is unnecessary; all organizational members should already come with their own values statement that is more or less in accordance with the common values statement of the organization. As organizations become more diverse and complex, and with unrelenting competitive pressures, such a belief in an ideal world is at best naive and at worst dangerous and foolish.

While a values statement affects much more than just the ERM policy, an impactful values statement guides ERM implementation and guides the development of an effective and positive risk culture. The negative connotations that traditionally surround risk have the effect that risk is hidden and risk is avoided. It also means that mistakes are hidden, with the result that information and communication are hindered, misleading, skewed, and not only unhelpful but also potentially downright cancerous. (See the Barings case study later in this chapter.)

Operating in accordance with a strong values statement encourages communication, it encourages a positive risk culture, and it is the basis of a strong social license to operate, which in turn builds positive reputational risk. All of these factors are cornerstones of effective ERM.

The Board has a role to play in setting and maintaining a proper risk culture. Although the Board is removed from the day-to-day operations, and thus removed from the day-to-day culture, the Board certainly can start by setting the tone from the top and ensuring that senior managers communicate the desired tone of the culture throughout the organization. Of course, culture, as highlighted in Chapter 5, is a major component of success in implementing and achieving the benefits of ERM.

In setting the culture, the Board needs to be aware of a values culture as well as a risk culture. The values of an organization are linked to its social license to operate as discussed in Chapter 8. The values statement should be clear, simple, and unambiguous and the firm needs to “walk the talk.” All of this begins with the Board.

Case Study: Wells Fargo

In September 2016, Wells Fargo announced that it would pay $185 million in fines to regulators and to the city of Los Angeles to settle claims that employees had created potentially over two million phony deposit and credit card accounts for unwitting Wells Fargo customers. What was the cause behind this, and how did this happen at Wells Fargo? To answer this we need to consider the culture that both drove frontline employees to feel the need to take such extreme actions and allowed them to get away with it year after year.

Fortune magazine looked at the company post-scandal and found that a few core cultural initiatives set the stage for this to occur.3 The first issue was high turnover of employees in the branch system, which left the bank with very inexperienced employees selling banking services to customers. The second initiative was a strong push to cross-sell to clients, on the idea that the more products a client has with the bank, the more tied to the bank they are and the less likely they are to leave. The third initiative took cross-selling a step further when CEO Richard Kovacevich launched the mantra “Go for Gr-eight,” a sales slogan urging employees to sell eight banking products per customer. As this mantra grew over time, and the pressure at the branch level to meet this goal became harder and harder to bear, senior executives ignored the limits of the program and the warning signs that things were going awry. An early warning sign came in 2002, when all of the employees of a Colorado branch gamed the program to meet these extreme sales goals by issuing debit cards to customers who had not asked for one. This culture, in which no excuses were tolerated and “managers constantly hound, berate, demean, and threaten employees to meet these unreachable quotas,” implicitly communicated to employees that the only way for them to be successful was to exceed these goals. While the monetary toll in the form of penalties was nothing substantial to a very successful financial institution, the bank underestimated the impact that the reputational risk would have on the organization. A company that had consistently shown up as one of the best companies to work for was, after this scandal, not on the list at all. A Harris Poll survey in 2017 revealed that Wells Fargo had fallen from 70th to 99th place in how the general public viewed the company’s reputation.

Despite the significant monetary and reputational blow that Wells Fargo experienced, five major Canadian banks suffered the same fate in 2017. In each case, employees exposed unrealistic sales targets that pressured them to sell products that did not fit a customer’s needs.

The culture around risk should be positively respectful. Too often, the Board signals an intolerance for risk which in turn sets a negative precedent for the risk culture of the organization. A positively respectful risk culture is one that is much more likely to be successful in maximizing the probability and magnitude of good risk, while minimizing the probability and severity of bad risk. An overbearing and fearful risk culture is likely to incent employees to hide or disguise bad risk, exacerbating its effects, while simultaneously missing or underexploiting good risk opportunities.

The role of the Board in ERM is to: approve (or set) the ERM objectives; approve (or set) the risk appetite and risk tolerances of the firm; ensure that policies and processes for accountability and responsibility, as well as the necessary checks and balances, are in place; ensure that they, as well as other key constituents, are kept properly informed in a timely manner on the risk profile of the firm; have robust lines of communication for the escalation and dissemination of key risks; and be self-accountable and responsible risk stewards of the firm by asking appropriate questions and keeping themselves risk aware and knowledgeable.

Corporate governance of ERM starts not with risk, but with the strategic plan. The Board approves the strategic plan put forward by management, and that starts the process for determining what the objectives of the ERM plan will be. The objectives of the ERM plan should align with the objectives of the strategic plan. If not, there will be not only a disconnect, but also a loss of efficiency and effectiveness.

As previously mentioned, ERM in many organizations arose out of the need for increased regulatory compliance and reporting. Given this, it needs to be emphasized that compliance and ERM are not the same thing. ERM is certainly in line with compliance, and ERM can certainly assist with compliance, but compliance is not ERM. Regulators have different objectives than managers. Regulators for the most part are concerned solely with downside risk. However, organizations exist in order to exploit upside risk. ERM should be operated to manage the strategic objectives of the firm, which are generally quite different from the objectives of regulators. As a close analogy, consider that few organizations of a certain size or level of sophistication will use their financial accounting statements to make managerial decisions; they will create and maintain a separate set of managerial financial statements in order to manage the organization. Likewise, an organization may need to keep two sets of risk-related statements: one that is in accordance with regulatory compliance, and another set for ERM that is used to manage the risks.

The objectives of ERM should be to support the strategic plan and in doing so add value to the firm. If it cannot be determined that ERM is adding value to the firm, then the Board has a responsibility to either work with management to develop an ERM system that does add value, or to make the decision to abolish ERM and support a different form of risk management. While we are obviously strong advocates for ERM, it is not for everyone or for every type of organization. Some organizations may be better served by having siloed risk management functions, while some organizations might be better served by having minimal risk management. In the ideal, risk management would be so naturally ingrained in management that it would not be needed at all! Admittedly we have not come across an organization that has that level of risk awareness and enlightenment yet, but that would be the ideal.

In setting or approving the ERM function, the Board also needs to approve and allocate the proper funding and resources to ERM. To reemphasize, this should be seen as a value-adding investment for the organization, and just like any capital expenditure, ERM needs an appropriate level of resources in order to be successful, but the Board also needs the measures to reassure themselves that the ERM system as implemented is value-added to the organization.

The next responsibility of the Board is to approve the risk appetite and the risk tolerance of the firm. Different organizations, and different risk commentators, spend a lot of time arguing over the definitions of risk appetite and risk tolerance. We simply state that risk appetite is which risks, and what levels of those risks, the firm is willing to accept. Risk tolerance is which risks the organization refuses to accept.4

Recall from Chapter 7 that there is a range of acceptable responses to risk, extending from eliminate to embrace. For each of the major categories of risk (e.g., financial risk, strategic risk), the Board should approve the level of risk acceptable based on some predetermined level, as well as the response to those risks. These policies and limits should be re-evaluated on a periodic basis to ensure they are consistent with the strategic direction, and also consistent with the tools and experience that the organization has in dealing with these risks.

The Board should also approve and set a measure of the overall risk of the firm; in essence, set a desired level for the aggregate amount of risk that the firm should be managing. Note that, for this measure, too little risk should be seen as just as sub-optimal as too much risk.

One of the difficulties of setting an overall desired risk level is the frequent disconnect between the actual level of risk and the perceived level of risk, particularly the perceived level of risk from the point of view of external stakeholders. This becomes an issue of communication. Increasingly, companies are dealing with this matter by opening the lines of communication with stakeholders, publishing periodic risk reports and including a detailed summary of ERM policies and activities in the annual report. Note that for organizations in competitive industries, the disclosure of ERM risk reports may, by competitive necessity, need to be muted, as the ERM plan and the risk appetite levels may be key components of the competitive advantage that the firm is developing.

The next obligation of the Board is to be satisfied that the ERM plan is being appropriately implemented and maintained. This includes components such as ensuring that the appropriate levels of accountability and responsibility have been assigned, along with the appropriate checks and balances. Additionally, it is having the confidence that the appropriate channels have been set up for the necessary communication of risk information, flowing both up and down the command chain of the organization. Part of this is ensuring that the escalation processes are clear, well-defined, and frictionless. Many risk debacles have occurred because of miscommunication caused by either inadequate lines of communication or deliberate miscommunication. Perhaps the most famous example of deliberate risk miscommunication is that of Barings Bank, which is profiled in the following case study.

Perhaps the most important function of the Board in regard to ERM specifically is to ask questions. Furthermore, it is to ask questions and demand answers that are acceptably understandable. Uncomfortably often, we have dealt with Board members who were afraid to expose their ignorance by asking a question or asking for a clarification. This lack of self-esteem is perhaps the biggest governance failing of Boards. Often the Board will ask a question and receive an answer they do not understand, or an answer that confuses the issue rather than clarifying it. In such cases it is critically important that the Board demand better and clearer answers. Often a confusing or incomplete answer arises because the messenger does not clearly understand the issue themselves, or, worse, because they are intentionally trying to avoid providing a clear, direct answer in order to hide a messy problem or a misguided decision. Better questions mean better answers, and better answers lead to better communication and understanding of risk. Various commentators have observed that if you cannot explain something to someone in grade six, then you do not understand the issue yourself. Board members should be skeptical of managers who cannot communicate risk issues clearly, completely, and understandably. A lack of good questions and a lack of appropriate answers should be taken as early warning signs of a very bad risk situation.

If Board members are not comfortable in their ability to ask good risk questions, then they should seek training. Admittedly, some risk issues, measures, and concepts can be confusing to the uninitiated lay person, but a Board member has a responsibility to reach a base level of knowledge on the key risk issues. Hopefully this book has served in some measure to accomplish this task.

Case Study: Barings Bank

The well-known story of the collapse of Barings Bank serves as an ideal case study of what not to do as a Board. The Board of Barings Bank basically ignored or failed to implement almost every element of good Board oversight of ERM.

The debacle of Barings Bank begins with Nick Leeson, a 28-year-old Briton working as a trader in Barings’ Singapore office. Leeson had been very successful for several years, generating profits of £10 million in 1993, 10 percent of the bank’s total earnings. The first sign of Board ineffectiveness is that no one asked how this lone trader was managing to make such huge profits in what was essentially a minor office for the institution. Perhaps they were afraid of the answers they might have received.

Things continued to go well for a while, but then a trading error led to losses. Given the perceived risk culture at the firm, Leeson did not report the losses, but instead took on more risk trying to recoup them. To do so, Leeson had to start trading an inordinate number of futures contracts, putting the bank’s capital at greater risk. Normally these trades would have been flagged by the bank’s risk department, but Leeson was in essence in charge of risk for his own trading activities, and, being knowledgeable in how to circumvent the bank’s systems, he was able to effectively hide his trading activities in unauthorized accounts.

If there had been a more positive risk culture, then Leeson would have been more likely to report his initial losses without fear of negative consequences. Given the perception that doing so would have grave consequences, and given the incentive structure at the firm, Leeson concluded that his better alternative was to try to trade his way out, which of course only compounded the situation. The fact that the appropriate checks and balances were not in place allowed him to easily do so. More appropriate communication channels would also have been effective in detecting that something was amiss. Again, questions were not being asked, or if they were asked, appropriate answers were not being demanded.

Leeson’s high-risk attempt to earn back his losses backfired, and eventually the losses came to light. Ironically, it was the Singapore exchange on which Leeson was trading that flagged the abnormal trading and the mounting losses, and not anything in the bank’s risk or reporting systems. The size of the losses swamped the bank’s available reserves, and the bank was declared insolvent and sold to the Dutch bank ING for £1.

The Role of Middle Management in Governance

Middle management is the link between senior management and the Board, and where the “rubber meets the road.” Middle management is also where the greatest amount of slippage occurs between what the Board has approved and expects to be implemented, and what actually occurs.

Middle management is the information conduit as well as the implementation arm. It is where the structure of risk management as put into place by the Board and senior management becomes a dwelling.

Middle management has five key tasks in terms of risk governance. They are: to be efficient and accurate information conduits between senior management and the front-line employees; to implement the ERM framework and procedures; to create and foster a positive risk culture; to develop risk talent; and to prevent risk complacency.

Acting as the information conduit, middle management has a key role in ensuring that information is received by senior management and the Board in a timely, accurate, and transparent manner. A danger is that, in matters of risk management, the middle manager has a skewed incentive to report only positive risk news and avoid negative news, particularly when the negative risk news is perceived as coming from a mistake or a failure in management. This was potentially the situation in the case of Nick Leeson and Barings Bank. Middle management must have the wisdom and intuition to know when an issue is worthy of escalation, with a bias toward escalation when it comes to matters of risk. This very important task is much easier said than done. The difficulty is also why many organizations have whistleblower protection practices to encourage the timely escalation of issues; the negative issues as well as the positive ones.

The second task is to implement the risk management framework and ensure that the ERM strategy is being properly followed, including having the appropriate checks and balances. One of the most efficient ways to do so is to view the ERM system as part of the value-adding structure of the organization; in essence, communicating and believing that the ERM function is a partner in the business rather than a brake. As previously discussed at length, this is most naturally done by creating a positive risk culture. While the Board and senior management might set the tone on risk culture, it is through the middle management team that the culture actually comes to life. Culture is not set by edict; it must be created by managers, and it is the role of middle management to see to it that a positive risk culture is set.

Middle management has the role of developing and nurturing all types of talent within an organization. The same holds for the risk talent of the firm. Part of nurturing risk talent is training, part of it is hiring for certain risk attitudes, and part of it is walking the talk when it comes to the importance of risk within the firm. The role of nurturing risk talent begins with the middle manager seeking out resources to ensure that they themselves are first and foremost nurturing their own risk talent and knowledge.

The final major risk task of middle management is protecting against risk complacency. When an organization has strong risk frameworks and practices in place, it can be easy for the organization to become risk complacent. This is a phenomenon known as risk homeostasis. Risk homeostasis means that the stronger the perceived strength of the risk practices, the more risky the firm is actually likely to become. A classic example of risk homeostasis is a comparison of rugby and American football, two similar sports with similar levels of physical contact, except that the amount of safety equipment and padding differs widely, as do serious injury rates. Rugby, which has minimal safety equipment, has a far lower incidence of serious injuries than American football, where the players are heavily padded. Risk homeostasis would explain this as follows: because the football players are heavily padded, they play with more reckless abandon than they would if they wore less padding. Risk homeostasis exists in a variety of different guises and is prevalent in business.5 The role of middle management is to be vigilant against it creeping into the activities of the firm.

The Role of Regulators in Governance

Regulation is often confused, either explicitly or implicitly, with risk governance; it is not! The goals and motivations of regulators are very different from the goals and motivations of organizations. This has been discussed at various places in this book, but it is a point worth repeating in this chapter on governance. Confusing regulation with governance is outsourcing risk management to a third party that has a very different agenda.

Regulators do, however, have a very important role to play in risk governance. To start with, regulators should promote healthy risk governance practices. In part this was an objective of the Sarbanes-Oxley Act (SOX) in making the Board and senior managers responsible for the veracity and transparency of the financial activities of the publicly traded firm. No longer would a so-called “Ken Lay” excuse, that the activities of the firm were too complicated for the CEO to understand, be acceptable. Nor would “I didn’t know” be an acceptable excuse. These regulations are a start to the promotion of good risk governance. However, after that, the objectives of the regulators and the objectives of the firm frequently start to diverge.

Boards, senior managers, industry associations, and other stakeholders should be working in concert with regulators to promote the adoption of ERM and good risk governance. ERM, and in particular the social responsibility aspect of ERM, has a key role in developing good regulation. In turn, good regulation has a role in developing good ERM. It is a two-way street that requires dialogue and understanding, and the willingness on both sides to let common sense for the common good dictate policy. This is much easier said than done, but with ERM still in its relatively early stages of development and acceptance, there is hope for ERM to be a catalyst for such a dialogue to begin.

Concluding Thoughts

The best of practices without good governance is a wasted effort. This is particularly true of ERM which should be a truly holistic exercise for any organization. ERM, if it is appropriate for the scope and scale of the organization, should be a high priority. As such it needs and deserves a quality endorsement of good organizational governance.

1 Lam, J. 2014. Enterprise Risk Management: From Incentives to Controls, 2nd ed. Wiley Finance Series.

2 Nason, R. 2017. Rethinking Risk Management: Critically Examining Old Ideas and New Concepts. Business Expert Press.

3 http://fortune.com/2017/06/1/wells-fargo-scandal-culture/

4 Some commentators, including most notably the Committee of Sponsoring Organizations of the Treadway Commission (COSO), use the definition that tolerance is the allowed deviation from the risk appetite.

5 For more on risk homeostasis, see Chapter 8, “Is Your Risk System Too Good?”, in Nason, R., ed. 2017. Rethinking Risk Management: Critically Examining Old Ideas and New Concepts. Business Expert Press.
