Risk Management: Cubes To Doughnuts

Let’s imagine that your private equity fund is considering a long term investment in an American energy company that ships millions of barrels of crude oil through Philippine waters each year. When Filipino President Duterte unexpectedly calls American President Obama a “son of a whore” while promising to “continually engage China in a diplomatic dialogue rather than anger officials there,” do you change your mind about the investment opportunity?

Under normal circumstances, in order to make an informed decision, you would prepare a valuation analysis that compares the investment’s immediate cost against the present value of its future benefits. But how can you possibly assess its future benefits when massive uncertainty over President Duterte’s evolving foreign policy makes it impossible to render any predictions about the future?

For guidance in managing such risks, we generally turn to the Enterprise Risk Management (ERM) framework that is promulgated by the Committee Of Sponsoring Organizations (COSO) of the accounting profession. The current cube-shaped framework prescribes eight component activities for managing such risks, with Event Identification representing the first of its four central activities.

Indeed, one of the reasons for this framework’s enduring popularity is its reliance on the identification of clearly definable risk events. Thus, when a risk factor can be defined in terms of future discrete events, the COSO cube is a natural choice for risk managers.

Worried about the impact of potential hurricane damage on a waterside property, for instance? A hurricane is a future discrete event. It will either occur or not occur, and the consequences of its occurrence or non-occurrence are relatively easy to estimate. If a hurricane occurs, there will be massive losses. And if not, the status quo will continue unabated.

But what if a risk factor cannot be defined as a discrete event? What if the long term impact of a risk factor depends on slowly evolving circumstances that are extremely difficult to even define, let alone assess? Does COSO have a different framework for such factors?

Yes, it does. A new version of the framework is only available in a draft exposure format at the moment, but it is expected to be finalized shortly. It uses a doughnut symbol, instead of a cube. And although Risk Identification continues to represent an important underlying function of ERM, it no longer appears prominently on the face of its new framework.

Whereas the older cubic framework prescribes a list of eight rigidly defined and sequenced component activities, the newer circular doughnut framework relies on 23 broad principles like “Commitment to Integrity and Ethics” and “Develops Portfolio View.” So, with these two frameworks in mind, let’s think about the political risk that is challenging our private equity investor.

On the one hand, President Duterte’s colorful comments will undoubtedly impact the short term relationship between his nation and the United States. But on the other hand, this relationship will continue to evolve over time, and will be impacted by numerous unpredictable future circumstances. So even though President Duterte’s eventful actions can influence the future Filipino-American relationship, he cannot unilaterally determine it.

That’s why we need a doughnut shaped framework, with its 23 principles, to assess such complicated circumstances. Although the event-centric cubic framework is sufficient for more easily defined risks, the circular framework is required to analyze the complex risks that challenge us in our multi-dimensional environment.

Risk Management, Army Style

Are you a risk manager who is tired of reading hyper-technical, statistically dense manuals of corporate policies and procedures? Are you looking for a conceptually vivid and highly readable alternative?

You might be surprised to learn that the United States Army has just released such a text. Army Tactics, Techniques, and Procedures publication ATP 5-19 walks the reader through a wide variety of high risk military scenarios, from (a) leading troops in heavy vehicles over bridges in enemy held territories (see Figure 3-4 on page 3-6), to (b) planning air assaults with attack helicopters and field artillery on insurgent forces that have seized airfields (see Figures 4-1 and 4-2 on pages 4-4 and 4-5).

The fundamental framework of the risk management function closely follows the COSO cube paradigm that defines the business world’s approach to the discipline. For example, each potential risk event is evaluated and assessed in terms of its probability / expected frequency and its severity / expected consequence (see Table 1-1 on page 1-7).

Nevertheless, there are some intriguing differences between the military model of risk management and its analogous business model. For instance, the business model posits that organizations should plan preventive control activities to reduce unacceptably large probabilities, and should plan crisis response activities to manage unacceptable levels of severity.

The Army framework, though, refers to “controls” in a collective manner. It doesn’t differentiate between preventive controls and crisis response activities; instead, it simply refers to “controls and risk decisions” in a unified manner (see Figure 1-2 on page 1-4).

Why no distinction between prevention and responsiveness by the Army? It isn’t entirely clear why the Army adopts this approach, though it does distinguish between “deliberate” (i.e. long term, advance planning) and “real time” (i.e. immediate, time constrained) situations.

Although both situations are addressed in the manual, the vivid examples appear to call for more “real time” decisions, when it can be difficult to differentiate between preventive and responsive activities. Indeed, while crises are exploding around us, all we can do is make quick decisions and take immediate actions, while hoping for occasional opportunities to observe outcomes.

In any event, the Army manual provides a helpful illustrative guide for all risk management professionals. COSO itself has acknowledged public sentiment that its model is “overly theoretical … overly vague … (and) unnecessarily complicated … (producing a) need for more templates and tools to help with the implementation” of risk management. The Army’s ATP 5-19 publication certainly appears to heed the call for such tools.

The IRS And The COSO Cube

Have you been following the emerging news story regarding political bias at the Internal Revenue Service (IRS)? Apparently, the agency that regulates America’s federal system of income taxation is now under investigation for purportedly mistreating conservative “tea party” groups during its reviews of tax exemption applications.

If you’re a tax accountant, you can’t help but feel a little embarrassed about the apparent dearth of internal controls at the Service. After all, many accountants are specialists in the field of risk management; they charge significant fees to their clients for advice regarding the development of systems of internal control.

Just two weeks ago, for instance, the world’s leading committee of professional accounting trade organizations issued a new cube shaped framework that defines internal control development activities. Isn’t it unfortunate, and ironic as well, that the accounting professionals at the IRS failed to implement their own profession’s frameworks?

COSO: A Brief History

The tale of these frameworks began thirty years ago, when the five major accounting trade organizations in the United States invited Wall Street veteran James Treadway to chair a Commission to assess the causes of fraudulent financial reporting practices. The resulting report of the Treadway Commission led to the development of the first control framework in 1992, which was then slightly modified two years later.

Developed in response to concerns that were raised during the Crash of 1987 and the financial scandals of the Gordon Gekko era, the paradigm was represented by the shape of a three dimensional cube. The top of the cube displayed the three perspectives (i.e. operations, reporting, and compliance) that affect internal controls, whereas the front of the cube presented the five components (i.e. the control environment, risk assessment, control activities, information and communication, and monitoring activities) that define such controls.

In 2004, in response to concerns that were raised during the financial and corporate scandals of the Enron and WorldCom era, the Committee of Sponsoring Organizations (COSO) expanded its cube into a framework of enterprise risk management. They did so by adding a fourth perspective (i.e. strategic considerations) to the top of the cube, and three components (i.e. objective setting, event identification, and risk response) to its front. And then, just two weeks ago, they defined seventeen explicit principles to support a further refined framework.

Control and Risk

So there is certainly no lack of guidance regarding the implementation and maintenance of internal control and risk management systems. But what do these frameworks mean? And how can they help us assess what recently transpired at the IRS?

First and foremost, it is important to keep in mind that internal control and risk management are not synonymous phrases. In fact, internal control is a concept that is embedded within the practice of risk management.

A competent risk manager understands that many internal controls are implemented to prevent the occurrence of troublesome events. And if prevention is impossible, additional controls are employed to detect the existence of such events. Yet there are times when prevention and early detection controls simply fail to provide effective risk management strategies.

In other words, there are occasions when competent risk managers have no choice but to respond to occurrences of troublesome events without the control benefits of prevention or early detection. Such risk response activities are not components of systems of internal controls per se, but they do play significant roles within systems of enterprise risk management.

Prevention controls, detection controls, and response activities are the three proverbial “building blocks” of enterprise risk management. So how can we relate them to the unfolding tale of political intrigue at the IRS?

Likelihood and Impact

The COSO prescriptive framework is a fairly simple one. If a potentially troublesome event is relatively likely to occur, then the organization should develop new prevention (or detection) controls to reduce this likelihood of occurrence to tolerable levels. And if the event is expected to inflict a costly impact, then the organization should also implement new response capabilities to limit its damage.

Now let’s apply this principle to the current IRS controversy. What was the likelihood that an understaffed IRS office, struggling to manage a flood of tax exemption applications, would resort to questionable assessment tactics? This was arguably a relatively likely event, and thus more might have been done to prevent (or detect) its occurrence. For instance, the IRS might have invested in enhanced training and oversight activities.

But how much damage has the controversy actually inflicted on the conservative groups that were inappropriately investigated by the IRS? Even though they appear to have been unfairly targeted for scrutiny, there is no indication that any have lost or been denied their tax exempt status as a result of the investigations.

So an application of the accounting profession’s COSO framework might not necessarily fault the IRS for its questionable response to the controversy. Nevertheless, it might lead one to question whether the Service did enough to prevent (or detect) the occurrence of the problem.

Curing the Economy: We Vote for Common Sense!

Do you know anyone whom you consider to be a lackadaisical person? Someone who can’t seem to hold a secure job, even in the best of economic times?

If that person decides to march down to his local community bank tomorrow to apply for a small business start-up loan, he will likely be rejected. “No collateral,” the banker might declare, “no credit history, and no experience in a business setting.” Unless a far more responsible family member agrees to co-sign the loan document and guarantee repayment, our friend would not have a chance.

And yet, as recently as two years ago, he would have been able to finance his start-up venture anyway by using a stack of zero-percent “teaser rate” credit card loans. And his credit card companies would have sliced and diced his debt balances into thousands of investment vehicles, which would then have been graded “AAA” by the major ratings agencies. Conservative investors would have purchased his loan balances for their pension and retirement accounts. Frankly, the president of the community bank himself – the very same person who would have rejected the lackadaisical person’s loan application outright – might have purchased bits and pieces of the credit card loans and placed them in his retirement portfolio to secure his family’s future.

It defies common sense for the president of a community bank to reject a person’s loan application because he knows him well, and yet to purchase his loan balances afterwards because a ratings agency (that doesn’t know the borrower at all) bestows a AAA rating on them. And yet this is how we, as a society of supposedly rational investors, have been structuring our financial investment strategies.

Irrational, aren’t we? Perhaps we act this way because we aren’t creatures of logical analysis at all; perhaps, instead, we are actually behaviorally disinclined to trust in our own common sense.

Your Lying Eyes

The legendary stand-up comic Richard Pryor once drew howls of laughter by telling a story about a man who cheated on his wife in his own bedroom. When caught by his wife “in the act,” how did he react? By denying the obvious … or, as Pryor would exclaim, “Who you gonna believe? Me, or your lying eyes?”

To the frustration of marriage counselors everywhere, too many women choose to ignore their own senses and believe the denials of their cheating spouses. And yet this is not uncommon behavior; a willful disregard of common sense permeates other areas of society as well. For instance, if you ask any physician what people can most easily do to prevent the transmission of serious illnesses, most will respond that the most effective weapon against common disease is the simple washing of one’s hands. Yet, even in public bathrooms, large numbers of users resolutely refuse to do so.

The credit crunch has often been described as a financial virus. By extending the metaphor, we can conclude that financial risk managers were assigned the task of isolating this virus and preventing it from poisoning the global economy. Why did they fail to do so? Considering all of the resources, levels of experience, and educational credentials that existed (and that still exist) on Wall Street, why weren’t they able to maintain the health of their patient?

In Search of the Magic Elixir

To understand our positions regarding these questions, it is important to remember that it is simply human nature to make the assumption that a catastrophe (as well as the solution that might have prevented it) must have been terribly complex if it was not in fact prevented. Ask ten people who have contracted the flu why they fell ill, and they are bound to respond with a comment like “I heard that the new Asian flu strain is particularly resistant to the human body’s natural defenses this year.” You’ll hardly ever hear them admit “I guess I should have washed my hands after touching the flush lever in the train station’s restroom.”

Similar attitudes permeate our federal government’s crisis control activities regarding the global banking quagmire. Although a few voices have complained that it defies common sense to continue entrusting hundreds of billions of dollars to the very financial professionals who have driven our economy off a cliff, others continue to assert that our magic elixir is an extremely complex three-sided Treasury / Federal Reserve / FDIC Purchase Facility that will provide funding to purchase real estate-related legacy assets. These experts believe that such costly and complicated plans will do more to help the average unemployed American than simple, traditional solutions such as the expansion of unemployment insurance, vocational training services, public health care programs, and other components of our social safety net.

At a series of online graduate and post-graduate level seminars co-sponsored by Suffolk University and the Maryland Association of CPAs, expert after expert from the financial services industry emphasized common sense solutions to what ails our economy. And yet, in an anonymous feedback survey, one attendee complained that “The guest speakers provide little in terms of unique perspectives or unique situations related to risk management. The content is predominantly ‘common sense’ approaches to risk management – e.g. the guest speaker talking about diversifying investments is not a useful or productive exercise for a capstone course.”

Hmm. Common sense, according to the attendee, is not a useful or productive exercise for a capstone seminar in risk management. But how can any useful or productive discussion of risk management be otherwise conducted when all of the guest speakers assert that our failure to apply common sense is the common denominator that explains the failings of our global economic system?

COSO: A Similar Criticism

In all fairness to this anonymous attendee, he is certainly not the only educated professional who criticizes certain risk managers who espouse the application of simple common sense. The Enterprise Risk Management model that has been developed by COSO, a consortium of every national professional accounting trade association in the United States, has been similarly criticized for being long on common sense generalities and short on complex specifics.

Nevertheless, professionals who are struggling to adapt to the volatile global business environment do need to select and apply a risk management model that can address the financial challenges that are plaguing our global economy. What model should they use?

We at Enterprise Man may not have all the answers; who among us does? Nevertheless, we do believe wholeheartedly in the “common sense” COSO model. We also cast our lot with such legendary investment professionals as David Swensen of Yale and John Bogle of Vanguard, who are renowned for advocating the simple solution of investment diversification to address the twin problems of industry and firm risk. In other words, we cast our vote with the risk management professionals who avoid overly complex decision models and opt instead to build their programs on sturdy foundations of common sense.

Risk Management: Is Rubin to Blame for Citi?

Have you read Robert Rubin’s retirement letter? Three days ago, he walked away from a Citigroup role that paid him $115 million since 1999. Rubin, of course, is a former co-chairman of Goldman Sachs and Secretary of the Treasury. Here is an excerpt from his statement:

“My great regret is that I and so many of us who have been involved in this industry for so long did not recognize the serious possibility of the extreme circumstances that the financial system faces today. Clearly, there is a great deal of work that needs to go into understanding exactly what led to this situation and what changes, regulatory and otherwise, must now be implemented to reduce systemic risk and protect consumers.”

Rubin previously told the Wall Street Journal that he was not to blame for Citi’s collapse; he asserted that “what came together was … a cyclical undervaluing of risk … a housing bubble and (mis-guided) triple-A ratings … there was virtually nobody who (fore)saw that low probability event …” Nevertheless, he did acknowledge his involvement in a board decision to increase risk in 2004 and 2005, and at least one major Citi investor believes that Rubin is “resigning in disgrace.”

Whether or not you blame Rubin personally for Citi’s collapse, isn’t it a bit disconcerting that he told the Journal “there is a great deal of work that needs to go into understanding … this situation”? Indeed, perhaps Rubin couldn’t foresee Citi’s challenges. But shouldn’t we expect him to understand them by now?

The Four Questions

What exactly do risk managers do, anyway? How does risk management work?

The fundamentals are actually quite simple. A competent risk manager comes to work every day and asks himself four questions. If he can supply four reasonable answers, then he is likely doing all he can to manage risk. But if he can’t … watch out! Then he isn’t doing his job.

Let’s run through these four questions briefly:

1. What can go wrong?

This step is called event identification. Risk managers must keep laundry lists of every major potential problem that might occur in the foreseeable future. If a problem isn’t foreseeable, though, it cannot make any lists; then risk managers can’t be blamed for failing to address it.

2. How bad will things get?

Risk managers can’t possibly address every problem on their laundry lists, so they must prioritize and focus on the worst potential problems. This step is called risk assessment; it classifies a problem as high priority if it is relatively likely to occur and relatively costly if not prevented.

3. What’ll be done if it happens?

This step is called risk response. Risk managers focus on the highest priority problems and then work with operations managers to confirm that the organization’s responses will be effective if prevention fails.

4. What’ll we do to prevent it from happening?

This step is called internal control activity. Risk managers confirm that operations managers continually train their employees, test their systems, inspect their products and services, and audit their administrative processes in an attempt to avoid (or, if avoidance fails, to detect and address) the problem.
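The four questions above, together with the likelihood-and-impact rule from the earlier IRS discussion (likelihood calls for prevention or detection controls, impact calls for response capability), can be expressed as a small risk register. This is an added example, not code from the original posts or from COSO; the 1-to-5 scales, the thresholds and the sample events are constructed for illustration.

```python
"""Added example (not from the original posts): a minimal COSO-style risk
register that applies the page's likelihood/impact rule.  Scales, thresholds
and the sample events are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed 1-5 scales; "relatively likely" / "relatively costly" means >= 4.
LIKELY_THRESHOLD = 4
COSTLY_THRESHOLD = 4


@dataclass
class Risk:
    event: str                                        # Q1: what can go wrong?
    likelihood: int                                   # Q2: 1 (rare) .. 5 (almost certain)
    impact: int                                       # Q2: 1 (negligible) .. 5 (catastrophic)
    prevention: list = field(default_factory=list)    # Q4: controls that stop it
    detection: list = field(default_factory=list)     # Q4: controls that catch it
    response: list = field(default_factory=list)      # Q3: what is done if it happens


def priority(risk: Risk) -> str:
    """Q2 risk assessment: high only when the event is both likely and costly."""
    likely = risk.likelihood >= LIKELY_THRESHOLD
    costly = risk.impact >= COSTLY_THRESHOLD
    if likely and costly:
        return "high"
    if likely or costly:
        return "medium"
    return "low"


def gaps(risk: Risk) -> list:
    """Apply the page's rule: a likely event with no prevention or detection
    control, or a costly event with no response capability, is a gap."""
    found = []
    if risk.likelihood >= LIKELY_THRESHOLD and not (risk.prevention or risk.detection):
        found.append("add prevention or detection control")
    if risk.impact >= COSTLY_THRESHOLD and not risk.response:
        found.append("add response capability")
    return found


def review(register: list) -> dict:
    """Return {event: (priority, gaps)}, worst likelihood*impact first."""
    ranked = sorted(register, key=lambda r: r.likelihood * r.impact, reverse=True)
    return {r.event: (priority(r), gaps(r)) for r in ranked}


# Constructed sample register echoing the page's two illustrations: the IRS
# scenario (likely, low impact) and the hurricane (unlikely, massive impact).
SAMPLE_REGISTER = [
    Risk("understaffed office uses questionable screening tactics",
         likelihood=4, impact=2,
         response=["public statement and reassignment of reviewers"]),
    Risk("hurricane strikes waterside property",
         likelihood=2, impact=5,
         prevention=["storm shutters"], detection=["weather alerts"]),
    Risk("routine data-entry error", likelihood=3, impact=1,
         detection=["monthly reconciliation"]),
]

if __name__ == "__main__":
    for event, (prio, todo) in review(SAMPLE_REGISTER).items():
        print(f"[{prio:6}] {event}: {todo or 'no gaps'}")
```

On the sample register the IRS-style event is flagged for missing prevention or detection controls rather than for its response, which is the conclusion the earlier section reaches.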

The COSO Cube

Did we simply conjure up these four questions out of thin air? Of course not! Five major accounting, auditing, and financial executive trade associations have sponsored the development of COSO, an organization that has created an integrated framework for enterprise risk management.

To explore the intellectual origins of our four questions, download COSO’s free Executive Summary (which is available in over a dozen languages — even Finnish and Thai!) and look for an image of a three dimensional cube. You can also find this cube on numerous risk management web sites, such as those maintained by the FDIC in Washington and UCal Berkeley in California.

Have you found one of the cubes? Great! It has eight boxes across its front, four across its top, and four along its right side. Now look at the middle four of the eight boxes across its front: they are labeled event identification, risk assessment, risk response, and control activities. Yes, they represent our four questions that lie at the very heart of risk management.

How About Rubin?

So what does this tell us about Robert Rubin’s level of responsibility at Citi? You are welcome to develop your own opinion, though we encourage you to assess the issue after considering our four questions.

Was this cataclysmic confluence of events foreseeable? If it was, then someone at Citi must be to blame for failing to identify it during their event identification activities. On the other hand, if it was identified but not highly prioritized, then someone must be to blame for misjudging the likelihood that Rubin’s perfect storm scenario would in fact occur.

If Rubin is responsible for these risk management tasks, then perhaps it is best that he has resigned. But if someone else is responsible, then perhaps Rubin’s departure is Citi’s loss. That would also be a loss for the American taxpayers who have placed billions of bailout dollars in Citi’s hands.