In Connecticut, Has Risk Management Gone Awry?

Connecticut has always been known as the Land of Steady Habits. Last week, however, it also became known as the Land of Miserably Unhappy Commuters.

That’s because the high voltage feeder cable that powers the New Haven (Connecticut) to Grand Central Terminal (New York City) commuter train line failed last week. Stranded passengers were told to expect little or no train service for up to three weeks.

So why is this a prime example of risk management gone awry? It appears that the Metro-North rail system has always maintained a secondary electrical system. But two weeks before the failure, engineers removed the secondary system from service for maintenance upgrade work without replacing it with any other temporary resource. Thus, when the primary feeder cable failed last week, there was no other system in place to power the train line.

Regrettably, Connecticut Governor Dan Malloy noted that Metro North officials appeared to have been taken by complete surprise. He said that “there appears to have been little plan(ning) for this type of catastrophic failure.”

The discipline of Enterprise Risk Management (ERM) embraces a few key principles. Organizations must identify potential crises before they occur. For crises that are relatively likely to occur, preventive controls must be implemented to reduce the likelihoods. And for events that will be relatively costly if they occur, crisis response functions must be implemented to contain the costs of failure.

Did the folks at Metro North follow these principles? Because a failure of the primary feeder cable could inflict so much damage on commuters, one may question whether the secondary system should ever have been removed without the temporary implementation of another crisis response function. And because the severe aging of the electrical fleet and infrastructure makes such failures relatively likely to occur, one may ask whether the primary system (as well as, or perhaps in place of, the secondary system) should have served as the focus of preventive maintenance work.

In other words, Governor Malloy’s own observations reveal that the public transportation agency was following a risk management plan that was bound to go awry. And now the commuters of Connecticut are bearing the brunt of that failure.

The IRS And The COSO Cube

Have you been following the emerging news story regarding political bias at the Internal Revenue Service (IRS)? Apparently, the agency that regulates America’s federal system of income taxation is now under investigation for purportedly mistreating conservative “tea party” groups during its reviews of tax exemption applications.

If you’re a tax accountant, you can’t help but feel a little embarrassed about the apparent dearth of internal controls at the Service. After all, many accountants are specialists in the field of risk management; they charge significant fees to their clients for advice regarding the development of systems of internal control.

Just two weeks ago, for instance, the world’s leading committee of professional accounting trade organizations issued a new cube shaped framework that defines internal control development activities. Isn’t it unfortunate, and ironic as well, that the accounting professionals at the IRS failed to implement their own profession’s frameworks?

COSO: A Brief History

The tale of these frameworks began thirty years ago, when the five major accounting trade organizations in the United States invited Wall Street veteran James Treadway to chair a Commission to assess the causes of fraudulent financial reporting practices. The resulting report of the Treadway Commission led to the development of the first control framework in 1992, which was then slightly modified two years later.

Developed in response to concerns that were raised during the Crash of 1987 and the financial scandals of the Gordon Gekko era, the paradigm was represented by the shape of a three dimensional cube. The top of the cube displayed the three perspectives (i.e. operations, reporting, and compliance) that affect internal controls, whereas the front of the cube presented the five components (i.e. the control environment, risk assessment, control activities, information and communication, and monitoring activities) that define such controls.

In 2004, in response to concerns that were raised during the financial and corporate scandals of the Enron and WorldCom era, the Council of Sponsoring Organizations (COSO) expanded its cube into a framework of enterprise risk management. They did so by adding a fourth perspective (i.e. strategic considerations) to the top of the cube, and three components (i.e. objective setting, event identification, and risk response) to its front. And then, just two weeks ago, they defined seventeen explicit principles to support a further refined framework.

Control and Risk

So there is certainly no lack of guidance regarding the implementation and maintenance of internal control and risk management systems. But what do these frameworks mean? And how can they help us assess what recently transpired at the IRS?

First and foremost, it is important to keep in mind that internal control and risk management are not synonymous phrases. In fact, internal control is a concept that is embedded within the practice of risk management.

A competent risk manager understands that many internal controls are implemented to prevent the occurrence of troublesome events. And if prevention is impossible, additional controls are employed to detect the existence of such events. Yet there are times when prevention and early detection controls simply fail to provide effective risk management strategies.

In other words, there are occasions when competent risk managers have no choice but to respond to occurrences of troublesome events without the control benefits of prevention or early detection. Such risk response activities are not components of systems of internal controls per se, but they do play significant roles within systems of enterprise risk management.

Prevention controls, detection controls, and response activities are the three proverbial “building blocks” of enterprise risk management. So how can we relate them to the unfolding tale of political intrigue at the IRS?

Likelihood and Impact

The COSO prescriptive framework is a fairly simple one. If a potentially troublesome event is relatively likely to occur, then the organization should develop new prevention (or detection) controls to reduce this likelihood of occurrence to tolerable levels. And if the event is expected to inflict a costly impact, then the organization should also implement new response capabilities to limit its damage.

Now let’s apply this principle to the current IRS controversy. What was the likelihood that an understaffed IRS office, struggling to manage a flood of tax exemption applications, would resort to questionable assessment tactics? This was arguably a relatively likely event, and thus more might have been done to prevent (or detect) its occurrence. For instance, the IRS might have invested in enhanced training and oversight activities.

But how much damage has the controversy actually inflicted on the conservative groups that were inappropriately investigated by the IRS? Even though they appear to have been unfairly targeted for scrutiny, there is no indication that any have lost or been denied their tax exempt status as a result of the investigations.

So an application of the accounting profession’s COSO framework might not necessarily fault the IRS for its questionable response to the controversy. Nevertheless, it might lead one to question whether the Service did enough to prevent (or detect) the occurrence of the problem.

The Newtown Shootings: A Risk Management Perspective

On December 14th at 9:30 am, after shooting and killing his own mother at home, a heavily armed resident of Newtown, Connecticut forced his way into the Sandy Hook Elementary School. He killed twenty young children and six adults before committing suicide.

The global news media, of course, voraciously covered the tragedy itself, as well as the ensuing police investigation … and the funeral processions … and school security policies … and gun laws … and the violence that is embedded in American culture. All of these topics were debated relentlessly by commentators, pundits, politicians, and celebrities.

Interestingly, though, the press dedicated relatively little coverage to the government’s initial response to the immediate needs of the families of the victims. Was this response an appropriate one?

Delivering The News

At 3:00 pm on that fateful day, more than five hours after the shooting incident occurred, some of the parents of the slain children were still waiting in ignorance for news about their fate. Were their children taken to a hospital? To a morgue? Or were they still missing and unaccounted for?

The Connecticut authorities knew that the children had been taken to the local morgue, but no one had yet conveyed the heartbreaking news to all of the parents. So Governor Dan Malloy decided to speak to the families himself.

Some people have subsequently criticized the Governor for using “cold and callous” language while performing that emotionally wrenching task. Others have commended him for making the humane decision to assume the grievous responsibility of informing parents of the murders of their children.

Lost in this debate, though, is the fact that qualified human service professionals are specially trained to perform such tasks during times of crisis. Why weren’t such professionals already on the scene, communicating with the parents, by the time that Governor Malloy made his fateful decision at 3:00 pm that day?

CISM Teams

For more than fifteen years, the National Association of Social Workers and the American Red Cross have maintained a partnership “to deliver mental health services to the victims of disaster, rescue workers, military personnel and their families, and refugees.” Specifically, the partnership involves the maintenance of “a national network of … trained, licensed, or certified social workers to be mobilized in times of disaster.”

Although the network can be mobilized for “natural disasters such as hurricanes, floods, tornadoes, (and) fires,” it is also explicitly available for “school shootings, bombings, and biochemical threats.” And the Red Cross has developed crisis-specific functions as well, such as Aviation Incident Response teams to address the unique circumstances of airplane crashes.

These Critical Incident Stress Management (CISM) teams are available to work with people who are affected by natural catastrophes and other crises. Are mass shootings in public places now occurring at a level of frequency that would necessitate the development of specialized Firearms Incident Response Teams across the nation?

Enterprise Risk Management

The discipline of enterprise risk management identifies two primary considerations regarding prospective future crises. One is the anticipated frequency of such events; the other is the anticipated harm or damage that the events might wreak on society.

The general process of risk management is a simple one. If a potential crisis is a priority because it may frequently occur in the future, then society should strengthen the preventive control activities that may reduce its intolerably high frequency. Gun control laws might be strengthened, for instance, to reduce the future frequency of mass shootings.

However, if a prospective crisis is a priority because it may cause great harm or damage in the future, even though it may not occur frequently at all, then society should strengthen the crisis response activities that contain and minimize the harm. An Incident Response Team might represent one such response strategy.

Although any single mass shooting is indeed “one too many,” such incidents (thankfully) remain statistically rare events. New York City Police Commissioner Ray Kelly, for instance, has stated that he has “never seen anything” like the Newtown tragedy. A risk management analysis may thus conclude with a recommendation for the development of such Incident Response Teams.

Prevention vs. Response

Many individuals are now focusing on new strategies for preventing school shootings in the future. California Senator Dianne Feinstein, for instance, is introducing new gun control legislation to ban certain weapons from society. Conversely, Wayne LaPierre of the National Rifle Association is proposing to increase the prevalence of such weapons by stationing armed guards in every school building in the United States.

Thus, on the one hand, there appears to be widespread agreement about the desirability of enhancing prevention activities. And yet, on the other hand, there is little or no agreement about the specific activities that should be implemented to achieve this goal.

The strengthening of the crisis response function would admittedly do nothing to prevent the recurrence of such tragedies. Nevertheless, it may indeed ensure that victims and their families, as well as first responders and other citizens who are directly affected by such events, are treated in a more humane manner during times of crisis.

Thinking Ahead: BP’s Risk Management Challenge

Environmentalists, oceanographers, and commercial fishermen were deeply worried this past week about an ominous side effect of BP’s chemical dispersal strategy to manage its catastrophic oil spill. Apparently, although the chemicals are helpfully dispersing the crude oil over a wide geographic area so that it can be more easily devoured by microbial bacteria, they inadvertently pose a threat to coral reefs and other undersea life.

Furthermore, although concentrated masses of bacteria are indeed digesting the crude oil, they are also draining the Gulf waters of the oxygen that is required to support undersea life. And the oil spill itself is apparently spreading eastward, where it threatens to enter the Loop and Gulf Stream Currents on a path around Florida and up the eastern coastline of the United States.

Fingers of blame are now being pointed among BP and its subcontractors Transocean and Halliburton. But is BP truly negligent for failing to implement an effective system of enterprise risk management?

A Simple Model

Enterprise risk management, as defined by accountants, engineers, and actuaries, relies on a fundamentally simple model of analysis and action. Competent risk managers must begin by defining and listing potential catastrophes before they occur and inflict any damage. Then they must prioritize each catastrophic scenario on the basis of: (a) its probability of occurrence and (b) its potential damage level. Finally, they must take action to implement preventive internal control systems that reduce intolerably high probabilities of occurrence, as well as crisis response systems that reduce unacceptably high potential damage levels.

But what should energy firms do with production sites that are so risky that such systems cannot possibly reduce probabilities of occurrence and potential damage levels to tolerable standards? In that case, the only rational plan of action is to simply walk away from the energy fields. In fact, this is why the United States has decided against relying more heavily on its estimated 100 to 250 year domestic supply of coal to serve its energy needs; it has determined that the environmental damage that would be generated by such a strategy simply cannot be managed in a prudent manner.

In the case of the Gulf oil spill, though, where did BP go wrong? Did it fail to implement any control systems at all, which would indicate that it managed its operations in a grossly negligent manner? Or, as Kentucky Senatorial candidate Rand Paul speculated last week, did BP take reasonable actions to manage this risk and simply fall victim to random chance?

Accidents Happen

Last week, Rand Paul tersely declared that “accidents happen” and then vigorously defended BP’s business practices. And Paul’s perspective is indeed worthy of consideration; BP has been known, for instance, to stage global simulation exercises that require its managers in training to address critical challenges and make difficult decisions in virtual reality settings.

BP has also installed anti-spill switches on its at-risk equipment in the Gulf of Mexico, although the blowout preventer switch on the damaged field that caused the current spill failed to respond to activation commands. BP has also attempted to activate this switch with technologically advanced remote control submarines, although these efforts did not prove successful.

Nevertheless, BP has indeed performed the requisite analyses to identify and implement these risk management activities. Its manager training sessions, in fact, represent valuable primary crisis response capabilities, and its switch technologies likewise represent primary preventive control activities. But if this is true, then why hasn’t BP been able to control and contain the catastrophic Gulf spill, one that now threatens the entire Eastern coastline of the United States?

Thinking Ahead

The most successful Masters of the game of Chess share a specific critical skill: they are capable of thinking many moves ahead at any given time during a match. In fact, one reason why IBM’s Deep Blue computer program can now defeat the world’s finest Chess Masters is because software algorithms can assess and compare multiple potential future scenarios far more quickly than human minds.

BP, though, may have only planned its risk management strategy a mere two moves beyond its initial catastrophic spill. What should it do if crude oil begins to pour into the Gulf? Activate the preventer switch on the defective equipment. And what if the switch itself fails to halt the spill of oil into the sea? Disperse the spill with chemicals and allow bacteria to do nature’s work.

But what if the monstrous size of the spill itself, as well as the intense toxicity of the dispersal chemicals, threatens the entire environmental ecosystem of the Gulf and the Western Atlantic? That scenario requires a tertiary level of analysis, one that obviously has not been completed in advance by BP’s management team. And that’s why BP’s current array of ad hoc tertiary responses, ranging from the Top Hat to the Junk Shot, has exposed the firm to such withering attacks from so many different sources.

Goldman Sachs’ Risk: The Press Hates Us!

If you were Goldman Sachs CEO Lloyd Blankfein, what would you be doing right now?

No, this is not a personal question, though you might enjoy speculating about how you’d spend the $53.4 million bonus that Blankfein earned in 2006. This is a business question: how would you spend your time?

Considering the overwhelming levels of instability and volatility that percolate throughout the world of global finance, you would probably spend a lot of time worrying about risk. But what type of risk would you focus on?

The risk that Goldman’s investment portfolio might (once again) plummet in value? Or that a critically important external party doing business with Goldman, like AIG, might (again) collapse? Or that the global economy might lurch into a double dip recession and drive up losses?

All of these risks are undoubtedly high on Blankfein’s list, but Goldman surprised the financial world last week by publicly acknowledging a different concern. Namely, they proclaimed that bad publicity represents one of the most significant critical risk factors they confront today.

A Long History

In a sense, Goldman’s pronouncement about bad press places them squarely within a longstanding tradition of blame the messenger, a game that numerous people and organizations have played over decades of mass media coverage. For instance, General Motors spent years complaining that the press refused to cover news about their improving product lines, even as they blindly fell through their fiscal black hole towards bankruptcy. And President Richard Nixon once bitterly proclaimed that the press “won’t have Nixon to kick around any more” after he lost the 1962 election for Governor of California.

Nevertheless, public relations specialists have long (and accurately) noted that mass media strategies are often highly effective mechanisms for managing risk. Nixon himself once sidestepped calls for his resignation from the Vice Presidency of the United States by making a national televised speech about Checkers, his family’s pet dog. And firms like McDonald’s have skyrocketed to global dominance on the strength of mass media campaigns that feature McDonaldLand characters like Ronald McDonald, Mayor McCheese, and the Hamburglar.

So it’s no surprise that a global firm like Goldman Sachs, one that epitomizes the type of aggressive Wall Street investment house that made billions of dollars on risky trades and then received billions more in government bailout funds, would worry about bad publicity. But why would they publicly acknowledge their concerns about such a risk?

Going Public

Goldman’s decision to “go public” in a media sense with their concerns about poor publicity can actually be traced back to its 1999 decision to “go public” in an ownership sense. It was then, at the peak of the Clinton era bubble in technology and finance, that the private partnership of Goldman Sachs decided to launch an Initial Public Offering of its shares to public investors.

At the time, that decision was perceived as a brilliant feat of financial timing and engineering, considering that Goldman received top dollar for the sale of its own stock near the peak of a stock market bubble. But by becoming a publicly traded firm, Goldman voluntarily agreed to accept a wide range of disclosure requirements that are imposed by the U.S. Securities and Exchange Commission on all public corporations.

One particular disclosure requirement involves the need for publicly traded firms to issue periodic financial statements to the public, accompanied by a retrospective management discussion and analysis of historical trends and a prospective assessment of significant risk factors. As a public company, Goldman was required to file its annual report (known as a Form 10-K) last week, and thus was compelled to disclose the risk of bad press in the section that contained their assessment of risk factors.

The COSO Cube

Of course, the simple disclosure of a risk in a Form 10-K does not necessarily shed insight about why a firm is compelled to disclose it in the first place. In other words, firms are not necessarily required to reveal their internal risk management deliberations, nor to describe how they reached a decision to “go public” with certain concerns by adding specific issues to their disclosures of significant risk factors.

To glean some insight into how such decisions are made, it is necessary to understand the integrated framework of Enterprise Risk Management that has been developed by the American accounting profession. COSO, a consortium of five major accounting trade organizations, has developed a three dimensional cube that describes this decision making process.

The process doesn’t contain any surprises. It simply emphasizes the need to understand one’s internal environment and business objectives before identifying specific risk factors, and then to prioritize and focus on factors that cannot be addressed easily through crisis prevention or response activities.

Thus, Goldman must now believe that its internal people and priorities will inevitably continue to place them at risk of incurring public enmity; they must also believe that there is relatively little that they can do to prevent or address such events. In other words, Blankfein himself must be looking forward to many more days of bad publicity in the future.