Editor: Following up on our interview from last month relating to Enterprise Risk Management, in this regard what have we learned from the financial crisis?
Mulhare: Every day some new risk area presents itself. For instance, even with a money market account, thought to have been one of the safest havens for funds, investors have underestimated the risk. One basic rule growing out of Enterprise Risk Management is that all of us need to understand what risks we are undertaking with any type of investment or transaction. Investors in money market funds may not have thought through to the conclusion that one money market fund supporting a higher yield than another may have contained riskier instruments with a higher return.
Blaustein: To me it shows that we didn't properly learn all of the lessons of the Tycos, the Enrons and the WorldComs. Maybe they were not comprehensive enough to teach us a lesson. We are certainly going to learn a long-standing lesson based upon what we are experiencing now.
Editor: What were our methods of assessing risk previously in terms of a bottom-up risk approach as identified with COSO?
Mulhare: Looking at COSO and the Sarbanes-Oxley reforms, Sarbanes was clearly much more focused on financial reporting risks. You could potentially still be Sarbanes-Oxley compliant and have suffered some massive losses. Sarbanes was not broad enough, which is why an Enterprise Risk Management approach to be effective has to look more across the operational side of the business versus just the financial reporting side.
The COSO model which was the first attempt to try to identify how you really build and maintain a set of internal controls is helpful but probably not as all-inclusive as needed if you are going to deal with the financial services industry and the more sophisticated types of products involved.
Editor: Do you consider that the Asian markets have experienced a downturn as severe as the rest of the world?
Mulhare: I think that they have taken some pretty fair hits. Certainly all the markets have turned down owing to the interdependency of markets worldwide. One has to look at the other parties involved in a transaction to see exactly what exposures there are. For instance, with the credit-default swap situation one cannot be sure who may be the entity who is guaranteeing a debt instrument's exposure to a third party.
Blaustein: From an evaluator's perspective we now have problems that we never encountered before. To what extent do we have to change our analytical process before we can express an opinion as to value? Part of the valuation process is assessing risk. As you know, COSO was designed in the '90s for all companies with '90s risks. When we look at a company now, we need to look a bit more carefully at what risks are covered and what risks are not covered. We have always made adjustments in our capitalization rates to account for risk. Perhaps, we should look a little closer at those companies that have international ties in view of their political as well as their currency exposure. One of the former methods of valuation was to use the past to predict the future, but today this method may no longer work.
Editor: People are looking for some instant analog for valuation. Do today's new instruments yield themselves to an easy analytical formula?
Mulhare: The answer goes back to a more fundamental question: should you be taking on large amounts of risks in products which at the end of the day may be so risky that you cannot be assured of recouping your investment? A much more rigorous review of these products must be done before someone would be advised to purchase them.
Editor: I suspect that the accounting profession will see tremendous write-downs on the part of those companies that purchased credit default swaps from AIG or other failed issuers.
Blaustein: You are going to see two things: more disputes between management and the outside accountants who are asking that these adjustments be made; given the valuation issues, you may very well see more going concern opinions in some of the auditors' opinion letters.
Editor: What differences do you expect in governance from the past in regard to: (1) the Board; (2) the CEO?
Mulhare: Looking toward the future, you are going to see boards becoming much more assertive in making sure that management presents the ways they have evaluated and are monitoring risk and how they are dealing with the valuation of the solvency of counterparts. I believe there will be many lawsuits of boards and management for failure to do the right risk profile. Management will need to prove to its board that it does have an effective risk management system. This will be needed when companies go for credit ratings or undertake any kind of public offering. It will be interesting to see what the SEC does in terms of demanding more disclosure about risk management. You can certainly see that being part of any new regulations.
Blaustein: You are going to see more accountability to the board on the part of top management and much more board responsibility to look into the details of company operations - not only to protect the company from liability, but for themselves as well.
Editor: So what you are saying is that the deficiencies in corporate governance today have been glossed over in many cases?
Mulhare: Yes. No one could have foreseen Lehman Brothers' sudden disintegration or gauged just how extensive Lehman's credit swap business was. But now there is clearly going to be some kind of public market for accessing information as to just how much exposure any one company might have in the marketplace. This information will be factored into a company's ratings, which in turn will lead investors to compare the ratings and the market price for the security to see how well the market has assessed a company's risk profile. Similarly, since the auditors, both internal and external, report to the board or the audit committee, how will the role of the risk officer or the compliance officer change in terms of reporting to the board as well?
Editor: How can an enterprise be certain it has covered all its bases in terms of risks?
Mulhare: There is no methodology that will assure management that it has covered all risks. What you have to do is to make sure that your risk profile process is rigorous enough and continually updated and monitored to do the best you can.
Blaustein: One important step is to bring to the realization of management that risk management is everyone's responsibility. Regardless of management's role it is important to do a true cost/risk benefit analysis because it affects everything from planning new product lines or redesigning products to the role management plays.
Editor: Would it be beneficial to summon outside auditors more frequently to review the risks they see in the business?
Mulhare: Would it be helpful? Yes. Would they have a broad enough knowledge of all the risks with which a business is concerned? Maybe. However, what we are talking about is a much broader set of risks than financial risks. Clearly, outside consultants are needed to give you that kind of feedback. Have I detected all the risks? Have I put the right value on them in terms of how much potential exposure I have? What do you see other people doing? This is an area where you are going to see more consultants appear who will be of help to a board and management in putting together the right risk profiles and controls.
Blaustein: Today, there are informal discussions between accountants with companies in terms of sitting down and just discussing risks. In this environment the accountants will really need to do some homework and come to their own detailed conclusions before they will be prepared to sit down with the board or management.
Editor: How long should it take a company to uncover major risk areas and then develop strategies to deal with those risks?
Mulhare: I think that every company is going to be different. Let's take some of the larger and more complex financial institutions. Potentially it might take a year of rigorous investigation to put together an inventory of the risks. However, looking at the banks the time would be shorter. They are limited in the investments that they can make and therefore have a good enterprise risk methodology in place. An analysis of their risks could literally be a couple weeks to a couple of months. Looking at insurance companies, especially the P&C companies, because of their regulations, they are limited as to risks they may undertake.
Blaustein: I don't think that the risk picture is static. If you think that you have identified all of the risks today and can relax, that is where you will have problems.
Editor: Whose responsibility within the company should it be to look at the risk areas and uncover them?
Mulhare: It should be everybody's. So first and foremost that means the CEO and the board and the chief officers have to set a strong tone at the top. The role of the risk manager and the compliance manager needs to be elevated.
Blaustein: Once the risks are clear, the chief risk officer should play a major role, the insurance risk manager and the corporate credit manager reporting to him - a risk department so to speak - to assure accountability up and down the line. The scope of what needs to be done on a continual basis is so large that the CFO's office alone is unable to take care of it all.
Editor: Is it a better plan for management to concentrate more heavily on certain bet-the-company risks before spending resources to try to cover all risk areas?
Mulhare: This goes to the point that you can never cover all risks. Management should be able to identify, or try to identify, all those types of risks that put the enterprise or franchise at risk. You definitely have to prioritize. What is needed is a very sophisticated group of professionals to identify these risks and understand them. You may have to reach outside the company for additional resources to help you in the entire process and the timeline to get it done.