Skipping the ERM Tune-up: Pay Now or Pay Later


by FEI Daily Staff

Even the best enterprise risk management systems need regular maintenance — or tune-ups — as conditions in the dynamic business environment are constantly changing, both internally and externally; ignoring warning signals can be costly.

JPMorgan Chase & Co. was one of the relatively few big banks to emerge from the financial crisis of the decade of the 2000s in reasonably good shape. However, on April 6, 2012, CEO Jamie Dimon — recognized as one of the most astute bankers and risk managers of the current era — learned that JPMorgan had outsized positions in the credit derivatives marketplace taken by one of its traders.

Dimon supposedly learned of this — not from his bank’s vaunted risk management system — but by reading a page one article in The Wall Street Journal. In response, JPMorgan shut down the trader’s activities four days later, but the positions remained.

It turns out that the London-based trader, Bruno Iksil, aptly nicknamed “London Whale,” was known for his typically huge trading positions, positions he had taken as part of his job with the company’s Chief Investment Office. What he did was apparently acceptable with his management — he was no “rogue” trader such as Nick Leeson of Barings Bank.

Following press coverage of the episode in April, Dimon was dismissive with his “not to worry” statement. “A tempest in a teapot,” he said. Then, in May, JPMorgan reported that losses from the Whale’s positions could total $2 billion, and Congress summoned Dimon for testimony. Throughout the episode, Dimon was apologetic and humble; he explained that the losses were caused by the poor design and execution of hedges and the failure to properly monitor them. A month later, however, in June, loss estimates as high as $9 billion were being suggested in the press, and finally, in July, the bank reported the actual loss of $5.8 billion.

Early in the affair there were calls for Dimon’s resignation or firing, as both his and JPMorgan’s reputations were damaged. The company’s market capitalization declined by 20 percent over the period from early May until the end of August — representing a larger market drop than the actual losses, perhaps the market’s way of factoring in uncertainty while letting the accountants add up the actual losses.

Alternatively, the losses appear to be more of a punishment by the market for poor risk management and reflect a lack of confidence in management — almost as if poor risk management is directly factored into the stock price.

In the early 2000s, Chase Manhattan Bank (prior to merging with JPMorgan) was viewed as a best-practice ERM company in a major study by the authors here, Making Enterprise Risk Management Pay Off (conducted on behalf of Financial Executives Research Foundation), which studied extensively and in depth the practices of five companies.

At that time, the bank had a strong ERM system and appeared to have its array of risks well covered. This was borne out by the merged company’s relative success in navigating the dangerous currents of the financial crisis. Thus, the company’s subsequent huge unexpected losses, and its being vilified for weak risk management in 2012, were surprising to many.

In interviews for that study and other research projects, a question that gets asked consistently of the executive team and board members is “What keeps you awake at night?” or “What are the company’s biggest risks?”

Rarely is the response that one mistake will decimate the entire company. Yet, it appears that this specter is the case more often than one can imagine. Leeson’s unauthorized trades brought down Barings Bank. An office in London headed by Joseph Cassano that issued credit default swaps unchecked virtually destroyed American International Group Ltd. (AIG), the largest insurance company in the world. If the United States government had not come to its rescue, AIG would have been wiped out, and many of its counterparties would have suffered massive financial losses, even possible ruin.

More recently, London-based Kweku Adoboli lost £1.4 billion (about $2.3 billion) for UBS in high-risk trades. The prosecutor in the court case argued that Adoboli “was a gamble or two away from destroying Switzerland’s largest bank. In effect [he] was betting the entire bank on the toss of a coin.”

The Barings-Leeson episode seemed to suggest that when a trader is apparently doing very well, some executives may look the other way and not apply a rigorous risk management process, perhaps not wanting to upset the proverbial “applecart.” JPMorgan’s London Whale was reportedly generating $100 million in annual profit for the bank. But at that rate, he would have had to accomplish this for 58 years just to break even on his 2012 trading losses.

The lure of quick and large profits seems to trump concerns for control and risk management at various times in certain organizations. A lesson that organizations should have learned in 1994 from the $350 million of accumulated trading losses of Joseph Jett at Kidder, Peabody & Co. has apparently slipped from memory. That lesson: in an effective enterprise risk management process, management should focus not only on bad performance but also understand how and why exceptional performance is occurring.

Oversight and Fine-Tuning of ERM

The moral of the JPMorgan Chase story is that even strong, capable ERM programs require continuous and robust oversight and fine-tuning. Organizations install these programs with the best of intentions. They want them to work well, be effective and reduce the myriad risks they face to manageable levels. But the programs are generally constructed around conditions, structures and culture as they existed at inception. JPMorgan’s system seemed to serve it well over the years, having stood one of the most difficult tests in surviving the Great Recession. But it failed to understand that an atmosphere of complacency could arise.

Hypothetically, imagine a large organization with tight controls. Inside the organization is a profitable, entrepreneurial unit staffed with bright, aggressive professionals. One could imagine this dialogue: “We did well, even in tough times. We have what it takes to do well all the time. We’re smarter than the others, more astute and better moneymakers. We don’t want our efforts to be dampened by excessive controls. Let the brightest people in the room have the freedom to make the firm a lot of money. They know what they’re doing — full steam ahead.”

This type of attitude can undermine even the best of ERM systems, especially those that have remained in place pretty much unchanged and unchallenged over time. An effective ERM system should be organic and alive. Its leaders should be up-to-date on the latest best practices and scan the horizon for new, dangerous risks as well as fruitful opportunities.

The leaders should know their business well enough to recognize new or growing risks when they arise. It is truly disconcerting that a Jamie Dimon apparently could not recognize the danger in his Chief Investment Office apparatus, generating enormous profits while competitors in the business were calling his head credit derivative trader the London Whale (or “Voldemort,” from the Harry Potter tales). It would seem that senior management would want to keep an extra close watch on a Whale/Voldemort — even a money-making one.

Organizations of all sizes should have their ERM programs reviewed on a periodic basis, a point that even attorneys stress. As a recent Harvard Law Forum noted: “Boards should ensure that the company implements appropriate reporting and monitoring systems tailored to each type of material risk,” and that “the board should periodically review and ask management or outside consultants to assess the system’s adequacy.” Even the best ERM systems need regular maintenance — or tune-ups — as conditions change, internally and externally. Ignoring any warning light can be costly.

Here are some suggestions for avoiding million- and even billion-dollar headaches:

Benchmarking and Best Practices.

The ERM program should be benchmarked against leading ERM frameworks and even against best practices. It is probably best to have an outside consultant review the process and risk reporting structure. The U.S. Securities and Exchange Commission (SEC) in rule 33-98089 suggests the risk report structure is important to investors and even federal sentencing guidelines consider the reporting lines related to compliance.

Organizations should also ensure that their ERM practice is current and up to date. To accomplish this, executives should attend events (such as conferences) and stay very current on best practices and approaches used by others. For example, the American Productivity and Quality Center (APQC) has published several ERM best practices studies that include examinations of companies such as American Electric Power Co. Inc., Caterpillar Inc., Intuit Inc., Marathon Oil Co., Microsoft Corp. and Textron Inc.

Black Swan/Friday 13th Workshop.

Another way for organizations to measure an ERM process is to conduct a black swan/Friday the 13th workshop that challenges the status quo and risk thinking of ERM teams and executives. The key risks that have previously been identified for the company, as well as potential new risks, can be placed under the microscope in such sessions. Some organizations have had great success with these workshops, but they are not for all, and must be carefully planned, linked to strategy, include the right players and often utilize an outside facilitator to challenge the group.

Organizations can also learn from a study of the risk events that have affected other companies. A deep dive on a risk event using all publicly available information can include a review of the root causes — when the risk was first identified, how well the risk was assessed and how well the risk was monitored.

Companies can classify prior risk events as black swans (potentially unidentifiable risk events), grey swans (risk events that could have been identified if they looked diligently) and white swans (risk events so obvious that they should never be missed).

The markets may be able to forgive black swans, but they are (understandably) less forgiving of grey and white swans. One goal might be to allow only one grey swan per year; any more and the company may not be doing its ERM job very well.

Additionally, an understanding of the type of swan should influence how the organization’s executives respond to shareholders, other stakeholders and the board. If white swans, or grey swans that some perceive to be white, are missed, executives may feel increased pressure.

They should also expect greater attention — even anger — from boards and stakeholders and plan accordingly to immediately restore the lost confidence, perhaps by announcing a review of the ERM program or by hiring an outside monitor for a set period of time to get the ERM program under control.

Even without a challenging black swan or Friday the 13th workshop, organizations can question their ERM process with questions such as: “How comfortable are we that we’ve identified all the risks?” and “How confident are we that the risks have been assessed properly and are being monitored correctly?”

An ERM review at some companies has revealed that the supposed risk metrics and monitoring are either measured incorrectly or are not clear at all; not even close. For example, recently one organization noted that it was nearly impossible for those overseeing risk to really see how well the company was actually tracking and monitoring the risk.

In Improving Board Risk Oversight through Best Practices, a 2011 study conducted by the authors for The Institute of Internal Auditors, it was noted that boards expected regular reporting of the organization’s top risks, linking those risks to strategy, risk-owner accountability and frequently that the risk owner (not the chief risk officer) present to the board so that the board can have an in-depth discussion of the issues associated with the particular risk.

Companies and boards want to avoid the situation noted in the Freeh Report on Pennsylvania State University, prepared by Judge Louis Freeh, of a board meeting being “scripted.”

ERM Maturity Model.

Just as an organization develops a strategic plan for its operations, an overall strategic plan for implementation, development and sustainability of its ERM initiative can serve as a reminder of tune-ups that are needed. The ERM strategy can be articulated and communicated through an ERM Maturity Model, which serves as a roadmap of the necessary tune-ups that should occur over several years to achieve a mature ERM implementation.

The model might identify phases for the ERM process with specific objectives under each one. At the earliest phase, the focus is on building an ERM foundation with executive-level support, establishing the ERM process appropriate to the company’s culture and engaging the ERM team by drawing on leaders across the organization for a risk committee that would own the process but not the risks identified.

As ERM implementation continues, the model covers executing a consistent risk management framework, applying it across the business segments and demonstrating the value of risk management. At an optimal level of maturity, risk management is linked to strategy and related objectives, the organization’s balanced scorecard, annual budgets and overall corporate governance. Reaching the optimal level of maturity generally involves a number of incremental steps over several years.

Fine-tuning an ERM process must occur constantly because within the organization personnel involved in ERM are constantly changing, as is the business model — all to meet the uncertainties of the dynamic business environment. ERM is a powerful tool in today’s organizations, but it is only as good as its maintenance check-ups.

This article first appeared in the December 2012 issue of Financial Executive magazine.

Thomas L. Barton, Ph.D., CPA, is the Kathryn & Richard Kip Professor of Accounting, Coggin College of Business, University of North Florida; William G. Shenkir, Ph.D., CPA, the William Stamps Farish Professor Emeritus, McIntire School of Commerce, University of Virginia; and Paul L. Walker, Ph.D., CPA, the James J. Schiro/Zurich Professor of Enterprise Risk Management, St. John’s University.