Boards Must Take On Risk Management

The frustration of Federal Chairman Ben Bernanke over a fourth AIG (AIG) bailout is shared by the vast majority of Americans—and rightly so. With the financial industry bailout growing daily, Americans, both publicly and privately, seek culprits for the downward spiraling economy. While this may assuage popular sentiment, it neither provides a solution to the current situation nor offers a way to prevent what occurred with AIG and the rest of the financial services industry from happening in the future.

Failed risk management is at the heart of Wall Street's malaise. The Fed has already suggested stricter regulatory oversight. We believe this is not enough. It is time for corporate leadership to consider a disciplined approach to risk management at the highest level: the board. This top-down approach is the only blueprint for preempting tomorrow's catastrophes.

Over the past 18 months, the decline in global financial markets has been like a massive chain reaction that started out in slow motion and accelerated into convulsive warp speed. The fallout among financial institutions has included worldwide asset writedowns estimated at $1 trillion and the disappearance of legendary names such as Lehman Brothers and Bear Stearns.

The missing link in this story is a clearer understanding of a board's responsibility for managing risk. Loosely defined, risk management is at the core of any board member's charter—what is now clear is this broad function failed at many companies. This refers to both internal risk management and, subsequently, to boards' ability to act as shareholder watchdogs.

Unprepared Directors

In most cases, it's fair to state that directors were not equipped with the information necessary to understand the nature, quality, and type of assets and liabilities under their watch—and could not grasp the implications of how their balance sheets were being overleveraged and incorrectly valued.

If the importance of managing risk wasn't clear before, there is no question that it should take first priority now.

While boards may have been largely absent from most discussions about this crisis, their input is clearly necessary. Casting blame is easy, and can most obviously fall on a wide spectrum that includes overzealous mortgage brokers, profit-driven bankers, ratings agencies, regulators, and narrow-minded investors with very high-risk/reward structures driving their actions. Of critical importance now is that boards take a more aggressive stance as we face the yet undefined challenges of today.

Outrage about the Enron and WorldCom accounting abuses in the 1990s drove Congress in 2002 to pass the Sarbanes-Oxley Act (SOX), which shook up the world of corporate governance.

SOX significantly strengthened the importance and independence of the corporate internal audit function at public companies and put its oversight squarely in the hands of the board. Among other things, SOX required that a designated board member be a "Qualified Financial Expert" and defined the knowledge that a QFE must possess. In practice, the QFE typically heads the board's audit committee and is a former top-level accountant, chief financial officer, or corporate controller.

Risk Management Leaders Needed

The financial crisis has prompted a psychological shift toward reregulation, suggesting that boards may soon find themselves with increased risk-focused responsibilities mandated by law. Even if a latter-day SOX does not materialize, boards should take it upon themselves to create a QFE-equivalent role for risk management: Let's call it a "Qualified Risk Expert" (QRE).

At financial companies, the QRE director ideally should be a former senior executive in a sophisticated financial organization—an investment bank, commercial bank, or insurance company—with a complicated balance sheet. He or she should have a deep understanding not only of the entire spectrum of financial instruments and trading strategies but also of the asset-liability management process.

The most likely QRE candidates will already have run a large-scale risk management operation or served as a chief financial officer.

For any number of financial companies—regardless of their relative condition—the lack of a QRE director's oversight has had a painful impact. At Lehman, for example, the board did not stop the fatal practice of borrowing short via commercial paper and lending long via big concentrations in illiquid mortgages and real estate. At Bear, there was no one to question either the firm's outsize commitment to the mortgage market or management's failure to address the liquidity concerns that ultimately scarred the firm's reputation and buried it in Wall Street's graveyard.

Among surviving firms, Citigroup's (C) directors stayed on the sidelines even as the company's exposure to structured investment vehicles and other off-balance-sheet holdings mushroomed in size and murkiness. And Merrill Lynch, long considered to be among the healthiest and best-run financial companies, reported a third-quarter 2008 loss of $5.1 billion before its integration with Bank of America (BAC).

More generally, there has been no QRE director anywhere to understand or be held accountable for the toxic combination of balance-sheet concentrations, plummeting asset valuations, and vanishing trading liquidity that has created an ocean of red ink.

Although the financial industry is the most obvious source of candidates for the QRE role, we think there should be a QRE at every public company in any industry. Industry-specific factors affecting risk management will vary, but the role is universal.

Before it's here, it's on the Bloomberg Terminal.