Managing The Curse of Wealth

Just a few days ago, Citigroup revealed that it is experiencing an unusual new problem. It appears to be earning too much money … albeit only in its Phibro trading unit.

Nevertheless, Phibro’s profitability is causing such a headache that Citigroup is seriously considering selling the division. Apparently, at Citigroup, excessive earnings are as much of a risk nowadays as excessive losses.

Interestingly, enterprise risk managers have long been cognizant of the problems that may arise in response to a sudden and significant increase in wealth. Although Citigroup’s problems with its Phibro unit may pose an interesting dilemma, they certainly shouldn’t have taken the banking colossus by surprise.

Money and Politics

In a sense, the Phibro situation is a natural example of the risks that are faced whenever money and politics are mixed together. Early last year, energy companies made huge fortunes when the price of a barrel of crude oil spiked past $147; politicians were then blistered by the angry howlings of American drivers bemoaning the era of $4 per gallon gasoline.

But then, late last year, the economy itself melted down. Crude oil prices plummeted as low as $33, and gasoline prices dipped well below $2. Then Citigroup received a massive, and publicly unpopular, $45 billion government bail-out with TARP funds.

Energy companies suffered during this period as well, but they have subsequently rebounded to profitability as crude oil prices have soared above $70. Phibro, as an energy commodities trading firm, is now once again raking in huge profits; that has meant significant profits for its corporate parent Citigroup as well.

So where’s the problem? What’s the risk? Well, Phibro’s chief trader Andrew Hall is now demanding a $100 million bonus for his superior performance, but Congress is no mood to watch firms that received billions of dollars of TARP funds hand out such compensation awards. So Citigroup may decide to sell the entire division, and surrender the future profits that can be expected from it, instead of risking the wrath of the United States government.

A Familiar Problem

Is this an unusual problem? Of course not! In fact, one doesn’t even need to be the direct recipient of government bail-out funds to experience it. Any organization that transacts directly with government should be concerned by the prospect of excessive profits as well.

Lockheed, for instance, was excoriated during the Reagan Administration for charging the Navy $640 per toilet seat for furnishing the bathrooms on its P-3 Orion aircraft. And state treasurers are often criticized for overtaxing citizens when they run budget surpluses and deposit excess cash receipts in rainy day funds. Such problems are common when dealing directly with governmental officials who are responsible for approving government expenditures.

Nevertheless, many firms maintain no government business and yet are roundly criticized for earning excessive profits. Oil companies, for instance, are often threatened with windfall profit taxes when their earnings soar during times of high energy costs. Health insurers and pharmaceutical firms, likewise, are often criticized for earning profits when Americans are struggling to obtain coverage and purchase drugs. And colleges and universities are often urged to increase tuition grants and fellowships when their endowments climb into the billions of dollars.

So what can be done? How can firms anticipate and manage the risk of earning too much money? This are not complicated questions; in fact, they can be answered through the simple application of enterprise risk management.

Keeping it Simple with Risk Management

How would that be accomplished? Well, the first major task of enterprise risk management is the anticipation and description of potential crises. Adroit consumer polling, coupled by astute lobbying, can help us predict how public annoyance over profits may grow into maelstroms of rage.

The second major task of risk management is an assessment of the likelihood that each potential crisis may occur, and the extent of the harm that would be experienced if it actually happens. Lockheed, for instance, may have blundered here if they believed that their $640 toilet seat would never become a public issue, or – if it did – that they could minimize the damage to their reputation by quietly discounting the price.

Finally, the third and fourth major tasks of risk management are the respective definitions of risk response and internal control activities, with the former designed to reduce likelihoods of occurrence and the latter designed to reduce extents of harm. Citigroup, for example, may have goofed here by overestimating the government’s delight at the prospect of Phibro profits and underestimating their chagrin at Hall’s bonus demands.

So what should firms do to manage the risk of excessive wealth? First, they should anticipate situations where this may occur. Second, they should prioritize and then focus on the highest risks. And third, they should implement plans to prevent and/or manage these high priority crises.

Perhaps Citigroup’s decision to explore a sale of Phibro has actually been a step in its master risk management plan all along. If so, then it may prove to be a very costly step indeed.

Risk Management: Is Rubin to Blame for Citi?

Have you read Robert Rubin’s retirement letter? Three days ago, he walked away from a Citigroup role that paid him $115 million since 1999. Rubin, of course, is a former co-chairman of Goldman Sachs and Secretary of the Treasury. Here is an excerpt from his statement:

“My great regret is that I and so many of us who have been involved in this industry for so long did not recognize the serious possibility of the extreme circumstances that the financial system faces today. Clearly, there is a great deal of work that needs to go into understanding exactly what led to this situation and what changes, regulatory and otherwise, must now be implemented to reduce systemic risk and protect consumers.”

Rubin previously told the Wall Street Journal that he was not to blame for Citi’s collapse; he asserted that “what came together was … a cyclical undervaluing of risk … a housing bubble and (mis-guided) triple-A ratings … there was virtually nobody who (fore)saw that low probability event …” Nevertheless, he did acknowledge his involvement in a board decision to increase risk in 2004 and 2005, and at least one major Citi investor believes that Rubin is “resigning in disgrace.”

Whether or not you blame Rubin personally for Citi’s collapse, isn’t it a bit disconcerting that he told the Journal “there is a great deal of work that needs to go into understanding … this situation”? Indeed, perhaps Rubin couldn’t foresee Citi’s challenges. But shouldn’t we expect him to understand them by now?

The Four Questions

What exactly do risk managers do, any way? How does risk management work?

The fundamentals are actually quite simple. A competent risk manager comes to work every day and asks himself four questions. If he can supply four reasonable answers, then he is likely doing all he can to manage risk. But if he can’t … watch out! Then he isn’t doing his job.

Let’s run through these four questions briefly:

1. What can go wrong?

This step is called event identification. Risk managers must keep laundry lists of every major potential problem that might occur in the foreseeable future. If a problem isn’t foreseeable, though, it cannot make any lists; then risk managers can’t be blamed for failing to address it.

2. How bad will things get?

Risk managers can’t possibly address every problem on their laundry lists, so they must prioritize and focus on the worst potential problems. This step is called risk assessment; it classifies a problem as high priority if it is relatively likely to occur and relatively costly if not prevented.

3. What’ll be done if it happens?

This step is called risk response. Risk managers focus on the highest priority problems and then work with operations managers to confirm that the organization’s responses will be effective if prevention fails.

4. What’ll we do to prevent it from happening?

This step is called internal control activity. Risk managers confirm that operations managers continually train their employees, test their systems, inspect their products and services, and audit their administrative processes in an attempt to avoid (or, if avoidance fails, to detect and address) the problem.

The COSO Cube

Did we simply conjure up these four questions out of thin air? Of course not! Five major accounting, auditing, and financial executive trade associations have sponsored the development of COSO, an organization that has created an integrated framework for enterprise risk management.

To explore the intellectual origins of our four questions, download COSO’s free Executive Summary (which is available in over a dozen languages — even Finnish and Thai!) and look for an image of a three dimensional cube. You can also find this cube on numerous risk management web sites, such as those maintained by the FDIC in Washington and UCal Berkeley in California.

Have you found one of the cubes? Great! It has eight boxes across its front, four across its top, and four along its right side. Now look at the middle four of the eight boxes across its front: they are labeled event identification, risk assessment, risk response, and control activities. Yes, they represent our four questions that lie at the very heart of risk management.

How About Rubin?

So what does this tell us about Robert Rubin’s level of responsibility at Citi? You are welcome to develop your own opinion, though we encourage you to assess the issue after considering our four questions.

Was this cataclysmic confluence of events foreseeable? If it was, then someone at Citi must be to blame for failing to identify it during their event identification activities. On the other hand, if it was identified but not highly prioritized, then someone must be to blame for misjudging the likelihood that Rubin’s perfect storm scenario would in fact occur.

If Rubin is responsible for these risk management tasks, then perhaps it is best that he has resigned. But if someone else is responsible, then perhaps Rubin’s departure is Citi’s loss. That would also be a loss for the American taxpayers who have placed billions of bailout dollars in Citi’s hands.