Risk Management: Is Rubin to Blame for Citi?

Have you read Robert Rubin’s retirement letter? Three days ago, he walked away from a Citigroup role that paid him $115 million since 1999. Rubin, of course, is a former co-chairman of Goldman Sachs and Secretary of the Treasury. Here is an excerpt from his statement:

“My great regret is that I and so many of us who have been involved in this industry for so long did not recognize the serious possibility of the extreme circumstances that the financial system faces today. Clearly, there is a great deal of work that needs to go into understanding exactly what led to this situation and what changes, regulatory and otherwise, must now be implemented to reduce systemic risk and protect consumers.”

Rubin previously told the Wall Street Journal that he was not to blame for Citi’s collapse; he asserted that “what came together was … a cyclical undervaluing of risk … a housing bubble and (mis-guided) triple-A ratings … there was virtually nobody who (fore)saw that low probability event …” Nevertheless, he did acknowledge his involvement in a board decision to increase risk in 2004 and 2005, and at least one major Citi investor believes that Rubin is “resigning in disgrace.”

Whether or not you blame Rubin personally for Citi’s collapse, isn’t it a bit disconcerting that he told the Journal “there is a great deal of work that needs to go into understanding … this situation”? Indeed, perhaps Rubin couldn’t foresee Citi’s challenges. But shouldn’t we expect him to understand them by now?

The Four Questions

What exactly do risk managers do, anyway? How does risk management work?

The fundamentals are actually quite simple. A competent risk manager comes to work every day and asks himself four questions. If he can supply four reasonable answers, then he is likely doing all he can to manage risk. But if he can’t … watch out! Then he isn’t doing his job.

Let’s run through these four questions briefly:

1. What can go wrong?

This step is called event identification. Risk managers must keep laundry lists of every major potential problem that might occur in the foreseeable future. If a problem isn’t foreseeable, though, it cannot make any lists; then risk managers can’t be blamed for failing to address it.

2. How bad will things get?

Risk managers can’t possibly address every problem on their laundry lists, so they must prioritize and focus on the worst potential problems. This step is called risk assessment; it classifies a problem as high priority if it is relatively likely to occur and relatively costly if not prevented.

3. What’ll be done if it happens?

This step is called risk response. Risk managers focus on the highest priority problems and then work with operations managers to confirm that the organization’s responses will be effective if prevention fails.

4. What’ll we do to prevent it from happening?

This step is called internal control activity. Risk managers confirm that operations managers continually train their employees, test their systems, inspect their products and services, and audit their administrative processes in an attempt to avoid (or, if avoidance fails, to detect and address) the problem.

The COSO Cube

Did we simply conjure up these four questions out of thin air? Of course not! Five major accounting, auditing, and financial executive trade associations have sponsored the development of COSO, an organization that has created an integrated framework for enterprise risk management.

To explore the intellectual origins of our four questions, download COSO’s free Executive Summary (which is available in over a dozen languages — even Finnish and Thai!) and look for an image of a three-dimensional cube. You can also find this cube on numerous risk management web sites, such as those maintained by the FDIC in Washington and UCal Berkeley in California.

Have you found one of the cubes? Great! It has eight boxes across its front, four across its top, and four along its right side. Now look at the middle four of the eight boxes across its front: they are labeled event identification, risk assessment, risk response, and control activities. Yes, they represent our four questions that lie at the very heart of risk management.

How About Rubin?

So what does this tell us about Robert Rubin’s level of responsibility at Citi? You are welcome to develop your own opinion, though we encourage you to assess the issue after considering our four questions.

Was this cataclysmic confluence of events foreseeable? If it was, then someone at Citi must be to blame for failing to identify it during their event identification activities. On the other hand, if it was identified but not highly prioritized, then someone must be to blame for misjudging the likelihood that Rubin’s perfect storm scenario would in fact occur.

If Rubin is responsible for these risk management tasks, then perhaps it is best that he has resigned. But if someone else is responsible, then perhaps Rubin’s departure is Citi’s loss. That would also be a loss for the American taxpayers who have placed billions of bailout dollars in Citi’s hands.