This week the Chief Risk Officers of MF Global testified before the House of Representatives Committee on Financial Services Oversight and Investigations Subcommittee regarding the circumstances leading to MF Global’s bankruptcy.
The parallels and lessons to be learned between MF Global and the mortgage crisis are uncannily similar and in ways for this author a bit of deja vu.
The testimony of these CROs underscores how lapses in risk governance and support of the CRO by the CEO and Board can bring down an institution. A few facts about each CRO during his tenure are instructive to consider. Mr. Roseman preceded Mr. Stockman as CRO of MF Global and reported directly to the CEO and had direct access to the Board. As part of this responsibility, Mr Roseman worked with Executive Management and the Board to implement an Enterprise Risk Management capability in the wake of an unauthorized trading incident. At that point it seemed that Mr. Roseman enjoyed the support of senior management. In 2010, Mr. Roseman reported a number of important shifts in risk coinciding with the arrival of the new CEO. Among these were requests from the business units to raise European sovereign position limits, first reset at $1B, then less than 6 months later raised again to $1.5-$2B. At about this same time, the Repo-to-Maturity (RTM) transactions were ramping up in size, this growth justified by their “profitability and the importance of generating earnings.” Astounding as it may sound, only 1 month later the positions grew to $3.5-$4B at which point Mr. Roseman was to request the Board to again raise the limits, this time to $4.75B. At a subsequent meeting in November with the Board, Mr. Roseman laid out his arguments and analysis for his concerns about the risk of these positions. It was at that meeting that the Board including the CEO contended that the CRO’s scenarios were implausible. Two months later, Mr. Roseman was informed that he was being replaced. However, the new CRO would no longer report directly to the CEO, but rather was layered under the Chief Operating Officer. This important change in reporting underscores the shift in risk culture of MF Global and the stature of risk management in that organization following the change in CEO.
Once again, the MF Global experience illustrates how important effective risk management is to an organization. But the authority and support of risk management starts and ends with the CEO and the Board, for it is their responsibility to establish a strong risk culture. In a recent study of risk governance, cognitive biases and incentives, I develop a theoretical model for how risk governance works in relation to inherent biases of senior management and incentive compensation structures.
In that study I note that several biases can undermine the effectiveness of the CRO including something referred to as ambiguity bias. One of a risk manager’s major functions is to help senior management quantify uncertainty of different outcomes for the firm. A variety of tools are at the CRO’s disposal for this including stress tests as used by Mr. Roseman for assessing MF Global’s liquidity risk exposure. However, as illustrated in this case, executive management and the Board may differ with the views of risk management, in part supported by market or firm performance from the recent past that supports a particular view they may hold (confirmation bias) reinforced by weak governance and incentive structures. In the study I go on to also illustrate how these views toward risk by senior management can ultimately undermine the stature and credibility of risk officers in the eyes of the business, eventually leading to greater risk-taking and/or weakening of critical risk processes and controls. Mr. Roseman’s testimony of his experience at MF Global completely aligns with this model which has several implications for public policy.
First, regulation cannot assure a company will adopt a strong risk culture and associated risk management practices. This is the responsibility of the Board and CEO. However, one step that could be taken is to elevate the stature of the position directly in the firm by having it report directly to the Board Risk Committee Chairperson much as the General Auditor position does in most instances to the Board Audit Committee. This should have been included as part of Dodd-Frank’s risk management requirements along with its requirement to establish risk committees and risk expertise on the board outlined in DFA for large companies. In addition, other players could financially incentivize firms to adopt strong risk management practices. These include D&O insurers, rating agencies and even the FDIC as it relates to risk-based deposit insurance pricing. Each of these entities in some fashion includes risk management as a component of the assessment, however, at this time those efforts appear to underweight the importance of the risk management function directly. Finally, the executive compensation of senior management must have a significant component tied to risk outcomes.
MF Global’s demise in October 2011 points again to the importance of risk governance of banks and nonbank financial institutions. The Dodd-Frank Act has attempted to plug a number of weaknesses in the financial sector that led to the greatest financial collapse since the Great Depression, however, for all of its scope, its attention to strengthening how risk management operates within the organization is limited. MF Global will not be the last large failure to occur based on weak risk governance.