By Sandeep Vishnu

In today's battered economy, few are willing to put in place anything that might meddle with earnings potential. Even fewer are willing to spend money on something that may offer only a theoretical return on investment. This is the preconceived attitude that greets risk managers when they knock on their company executives' doors.

Behind the polite, but forced smiles and handshakes, there is a silent accusation: risk management dampens revenue and puts brakes on innovation. But risk management isn't about playing it safe. It's about playing it smart. It is about minimizing, monitoring and controlling the likelihood and/or fallout of unfavorable events caused by unpredictable financial markets, legal liabilities, project failures, accidents, security snafus—even terrorist attacks and natural disasters. There's always risk in business, and risk management is designed to help companies navigate the terrain.

Sure, risk management may at times call on companies to pull back the reins, and it certainly isn't free. However, risk management provides a counterpoint to enterprise opportunity—friction, if you will—that not only avoids unnecessary losses, but enhances the ability of organizations to respond effectively to the threats and vulnerabilities to which they are exposed in the course of business.

Today, the goal of enterprise risk management should be to define and deliver the right level of friction. Too little friction, and a company could slip into dangerous scenarios; too much friction and a company could just get stuck. In this article, we examine three key principles for delivering robust enterprise risk management.

Striking a Balance

Enlightened enterprises promote creative tension between strategy and risk management, and put in place a set of checks and balances to guard against the exploitation of short-term opportunities at the expense of long-term viability. Failure to strike this balance can have devastating consequences, as evidenced by Countrywide's demise in 2009. In 2005, it was the largest mortgage originator; however, 19 percent of its loans were option ARMs, and of those, 91 percent had low documentation.

More specifically, strategic considerations and risk assessments need to be made in tandem. There must be a dynamic—even symbiotic—interaction between these two perspectives. They should be seen as the two sides of the same coin—like the classic yin-yang balance principle.

In order to effectively integrate risk considerations into the critical strategic decision-making processes, organizations should incorporate the following principles into every aspect of their management philosophy.

Promote a Culture of Resistance

Executives may well consider revisiting many of the major pillars of their organization and refine critical processes by integrating risk considerations into their enterprise architecture. Resilience and agility should be primary goals and should address foundational elements such as data, as well as derived capabilities, including analytics, and feedback loops driven through reporting.

Often, organizations conduct risk assessments as a bolt-on activity. But organizations that integrate resilience (and risk management in general) into their culture in a granular manner stand a better chance of not only mitigating risks more effectively—but also more cost efficiently. The agile software development process adopted by high-tech organizations has demonstrated that integrating quality assurance into the development process results in both higher-quality and less expensive final products. Checking for mistakes after the fact is always more expensive.

Robust enterprise risk management (ERM) needs to leverage formal structures—data, processes and technology used for creating, storing, sharing and analyzing information—as well as informal networks represented by the communication and relationships both within and outside the risk management organization. Informal networks have repeatedly shown their usefulness in identifying and mitigating fraud, and often provide early warnings of potential tail events.

The interplay between formal structures and informal networks is important because it allows risk managers to compensate for shortcomings in one by using the other. But this requires the right culture to be in place: one that encourages staff to ask tough questions without fear of being seen as inhibitors to growth. Risk identification should not have punitive consequences. A culture of appropriately calibrated enterprise friction should be fostered and would allow critical elements of the organization to accelerate their pursuit of opportunities knowing they have the perspective—and operational ability—to slow down, accelerate, or change course because of an appropriate sensitivity to risk parameters.

Data as a Foundation for Risk Management

There is a growing consensus among risk managers across industries—from government, to financial services, to manufacturing and healthcare—that the data upon which key organizational decisions are made represent the foundational layer for ERM. Bad data can have an immediate and negative impact at any point of the organization. Downstream impacts of bad data can snowball out of control. Some data challenges, such as completeness and timeliness, are harder to overcome than others.

However, incorporating a risk management perspective on the design of a robust data model can help reduce inconsistency and inaccuracy, and drive overall efficiency. This can help address the challenges that result from the fact that data often exists in silos, making it difficult to get an accurate view of a related set of information across these silos. Wachovia's write-down of the Golden West financial portfolio, which stemmed largely from over-reliance on poor data, offers an example of disproportionate emphasis being placed on valuations rather than borrower income and assets.

Analytical Risks

Analytical frameworks help translate data into actionable information. However, analytics should not just be simple characterizations of data. They should be timely and insightful so that analysis can enable appropriate actions. In the financial services industry, the credit crisis demonstrated how neglected—or inappropriate—analytical frameworks prevented organizations from identifying knowable risks (e.g., flawed model assumptions) and illustrated why key decision-makers were unable to break through the opacity of others (e.g., lack of transparency into the risk of underlying assets being traded in secondary markets, especially when it related to second-order derivatives).

All too often, analytical frameworks emerge as simplistic characterizations of the "real world" that may not be able to convey a complete risk profile. This is evidenced by the over-reliance on value-at-risk as a key risk metric in the recent financial crisis. The dissolution of Lehman and the near collapse of AIG offer good examples of the shortcomings of traditional analytics, which were unable to adequately account for dramatic increases in leverage, counterparty risk, and capital impacts as markets and ratings deteriorated.

Reporting Deficiencies

Reporting is a multi-dimensional concept that does not necessarily capture the dynamic nature of information presentation. Typically, reporting has at least four major stakeholders—two external (regulators and investors) and two internal (senior management, including the Board of Directors, and line management).

A strong risk information architecture is crucial to delivering the right information to the right audience in a timely manner. It should present salient information as a snapshot as well as provide the ability to drill down into the detail. Well-defined business usage will help drive overall requirements, while integrated technology platforms can help deliver the processing efficiency needed to manage the volumes and timeliness of information presentation.

Reporting has often been segmented into regulatory reporting and management reporting, directed towards specific compliance requirements for the former and financial statements for the latter. The financial crisis highlighted the need for organizations in many industries to develop ad-hoc and dynamic reporting, which not only meets compliance requirements, but also—and more importantly—improves the decision-making process.

Many organizations are coming to the conclusion that current architectures and infrastructures may not necessarily facilitate easy achievement of these requirements. For example, a March 2007 statement to investors by Bear Stearns represented that only six percent of one of its hedge funds was invested in sub-prime mortgages; however, subsequent examination revealed that the number was closer to 60 percent.

Governance Imperatives

Governance has many definitions and flavors, which span the strategic as well as the tactical. It is probably simplest to think of governance as the way that an enterprise steers itself. This involves using key conceptual principles to define objectives as well as monitor the performance of processes to ensure that objectives are being met.

Reporting, or information presentation, is the mechanism that enables governance. Governance relies on this function to provide timely and insightful information that allows executives to take preventative and corrective action so that they can avoid imbalance and tail events. For example, executives from Bear Stearns and the SEC, which was providing regulatory oversight, failed to recognize that risk managers at Bear Stearns had little experience with mortgage-backed securities, where the greatest risk was concentrated. Defining and facilitating the integrated management of different risk types should become a primary activity for enterprise governance.

Conclusion

The good news is that companies do not need to scrap what they've got. Instead, firms need to enhance and buttress current risk management infrastructures. In summary, three components are critical to deliver enterprise friction:

• Enterprise risk management should have a strong voice at the management table and should work in tandem with enterprise strategy across all enterprise activities.
• Formal risk management structures must be buttressed across data, analytics, reporting, and governance in order to help the enterprise achieve the appropriate level of resilience.
• Informal networks should be encouraged. These networks can evolve to fill the white space left uncovered by formal structures.

Sandeep Vishnu is a partner with Capco and works in the firm's Finance, Risk, & Compliance group.
