The chief executive of a failed corporation says, “I didn’t know what was going on. The chief financial officer made all those decisions. I couldn’t have been expected to understand them.” The collapsed energy merchant had a chief risk officer who had put in place an expensive risk-management system that did not protect the firm. The hedge fund with tight risk-management rules failed because it had violated its own risk rules. What went wrong?
Perhaps the corporate structure became too large and complex for anyone to know what was going on, a risk that deserves, but rarely receives, management attention. Perhaps the directors and managers viewed risk management as an administrative burden rather than as a tool for decision making, a window-dressing procedure to deflect criticism. Perhaps management decided to ignore guidelines because it had in front of it a deal too good to pass up.
Risk management serves a real purpose only if executive officers and directors embrace it as an integral part of business strategy. Otherwise, it is nothing more than a bureaucratic exercise that lulls the management and directors into a false sense of security.1 Those at the top, who oversee the organization, need to determine its rationale for being involved in energy markets, its objectives and the policies and procedures to assure the firm meets its objectives and stays in line with the overall goals regarding strategy and risk.2 If the board of directors and senior management do not explicitly develop and proclaim these goals and explain them to those in charge of executing them, then the policy will evolve by default from the actions of those who are involved in either trading or making the decisions that affect the firm’s exposure to risk.
The board and senior management need to make a priority of enforcing their policies and procedures—and not permitting deviations.3 If the rules are not enforced, then the systematic flouting of the rules will produce a new policy by default—one that most likely will be contrary to the board’s wishes.4 If the rules need revision, that is a job for the board to decide—not the traders on the desk.5
As a start, management must determine the purpose of its activities that require the risk management. Not having a clear notion of business strategy creates risk. Consider the case of energy trading as an example. Firms need to decide why they trade in energy markets.
To simplify the situation, think of the energy-trading function as having three purposes:
1. Trading for profit: Less politely referred to as “speculation,” trading energy for profit is no different than trading common stocks, soybeans, or tulip bulbs. A market exists. It is volatile. The trader hopes to earn a profit by selling a product on the market at a higher price than the purchase price. The trading business is a high-risk, volatile enterprise that requires strict trading rules and supervision to prevent the kind of rogue trading that can bring down the firm.6 It requires a capitalization befitting the risk profile, and a keen awareness of the risks on the part of management and directors.
Hedging: Energy buyers or sellers may have a prosaic use for risk management. They do not intend to make a killing in the energy markets. They just want some assurance of the price at which they will buy or sell energy, or to shift some of the risk that they might contract to buy or sell at too high or low a price. Hedging costs money, but it also lowers risk, which lessens the cost of capital. Businesses or consumers who do not view their primary activity as speculation on energy prices should hedge. Those who hedge should regard the activity as a way to lower risk rather than as a money maker. Risk managers of hedgers have to keep the policy focused on cutting risk, and not allow any eager prognosticator to turn the policy toward speculation, “just this one time.”
2. Using trading to build other businesses: Often called “trading around the assets,” this strategy views energy trading as a means to build up an associated business. For instance, the firm owns power plants and views operation of those plants as its real business. But the power plants have to sell the electricity that they produce. A trading operation might help to market the output from the power plants, and might find ways to reduce the price risks involved in selling that electricity on the markets. This type of trading has a specific goal, to enhance the value of the generating assets. It should operate within risk guidelines that prevent it from engaging in other activities, or it will develop other purposes, and probably, raise the level of risk.
In effect, the organization must align risk management with the priorities of the organization, and then stick to the priorities set. Aligning risk management with priorities does not mean something like looser risk management for speculative ventures in order to let them speculate. It means setting procedures that control the activities undertaken. Changing the priorities leaves the firm operating with risk management procedures designed for the previous priority. In addition, the risk managers must apply their standards throughout the organization, else risk activities shift from risk intolerant to risk tolerant divisions within the enterprise.
The risk manager does not establish the firm’s risk policy. The board of directors does (or should do) that. The risk manager (or the chief risk officer) implements board policy. That means that the board of directors must, consciously, decide the level of risk it wishes the corporation to incur. This willingness to accept or avoid risk sends a message to employees, shareholders, and creditors. The risk manager may have helped the board to formulate the risk policy, but should not have formulated the policy for the perfunctory approval of the board. The risk manager then has to implement the board’s policies throughout the organization. Given that the risk manager may have no line authority, and may have to work through senior executives who have their own agendas for the operations under their supervision, it is essential that everyone understand that risk management policies derive from the authority of the board of directors. Otherwise, the risk manager becomes, in the eyes of the line management, just one more meddlesome bean counter sent in by central staff to harass and annoy those who know what the business really is all about. Brett Friedman and Tim Essaye of the consultancy Risk Capital (recently purchased by Towers Perrin) enunciate the type of authority the CRO needs:
Failure to give the CRO sufficient independence and authority typically results in the business functions ignoring the CRO’s recommendations and marginalizing risk management within the organization. Business unit and trading managers must respect the CRO and his authority for the position to be successful.7
Once policies are in place, the risk manager must monitor activities within the organization—not an easy task in a large firm. Monitoring, furthermore, has to go beyond collecting pieces of paper that claim compliance with the rules. Employees who cheat do not fill out forms explaining what they are doing. Monitoring may require cross-checks and alert supervisors who can spot unusual activities. (Organizations shooting for low risk levels may have to avoid certain activities for no other reason than that they cannot monitor the risks taken with great enough certainty).
The risk manager, then, has to compare activities underway with the policy guidelines, make necessary changes in risk management procedures to assure compliance with the guidelines, and report back to the board on a regular basis.
The risk manager might, instead, report to one of the top executives, such as the chief financial officer. That chain of command might work well in an organization that, as a matter of policy, engages in minimally risky activities. The indirect line of command, however, may remove the board from active discussion of risk management, and may not make clear to the board that some seemingly low-risk activities really involve high risk to the corporation. Risk management, probably, requires explicit discussion by the boards. In addition, the compensation of the risk management staff needs to be independent of, and not tied to, the performance of the energy trading business or market operations.8 Otherwise, the trading organization can hold the risk managers hostage by controlling compensation, advancement, or allocation of resources.
In designing a corporate structure for a trading operation, it is essential to separate the operation and oversight of the front, middle, and back offices.
The front office executes the firm’s strategies with respect to trading and managing risk through the purchase and sale of energy and related derivatives. The role of the front office consists of executing deals, initial recording of the specific terms and conditions of a transaction, and related transaction support roles (e.g., scheduling and nominations). Because of the potential trouble the front office can get the firm into, the infrastructure to control it—usually the middle office—needs to be totally separate.
The middle office polices and controls the front office, and needs to be independent of it. Its function is to assure that the front office complies with policies and risk limits as well as validating the models that are used to place a value on elements of the trading portfolio. (At Enron, traders often valued their own deals, which did not create transparent reporting.) The middle office functions fit well within the corporate risk management function.
The back office plays a vital role in controls by taking care of the accounting and financial reporting (reconciliation of trades, accounts receivable and payable) related to the settlement of trades. It is important that the back office be separate from the front office. All too often problems build up because, when a trader who has losses can take care of his own accounting, he can make sure trades go into a drawer rather than into a trading system that reveals his losses. The back office plays a vital role in preventing this from happening.
In conclusion, the term “risk management” may conjure up visions of corporate law enforcement types reining in free-wheeling traders and investigating fraud, and of directors deciding to get the firm out of “risky” activities. Risk management, in reality, is about all sorts of business decisions in the face of uncertainty—that is, risk—and asking these questions:
1. Should we avoid the risk? The glib answer is, “No risk, no reward.” Avoiding risk altogether will produce the same return as a Treasury bond. At the same time, the firm might want to avoid exposing itself to certain hazards.
2. Should we bear the risk? The organization that can should choose to do so as a result of a conscious decision, though, not simply as a default choice.
3. Can we reduce the hazard? That means implementing policies and procedures that enforce the risk-management goals, and careful attention to corporate governance.
4. Do we have policies in place that will reduce or contain the loss? Any large organization faces perils that will cause losses. It needs policies that keep those inevitable losses to a minimum.
5. Can we shift the risk? Passing on the risk to someone else costs money (insurance premiums and purchase of financial derivatives). Just because the other side of the transaction sees a profit in the deal, though, doesn’t mean that shifting the risk is a bad business deal.
6. Can we reduce the risk? Portfolio theory shows how to reduce risk through diversification, which means more that being in several different businesses that you don’t know anything about.
Ultimately, being in the energy business requires the energy supplier to face risk, and to do something about that risk, whether through action or inaction. Every action requires an answer to those six questions. Inaction means ignoring the questions, not knowing that the risk exists, or not knowing about the risk-management tools that are there for the asking. Lack of knowledge is not an excuse for those who have a fiduciary duty to safeguard a company, because techniques have evolved to do something about those risks—and none too soon, because concerns about declining oil supplies, location of energy resources in unstable parts of the world, and uncertainty about energy prices will not go away, and may increase in the future.
The real business of risk management starts at the top. Although risk management often is portrayed as some highly mathematical and arcane practice, ultimately the risk-management policies and procedures are designed to help the energy company meet its financial and operational goals. Although the senior level managers and boards do not need to be mathematicians, it is important that they understand the basics of risk management and set the direction that it needs to follow—and make sure that the policies and procedures are followed. Otherwise, their decisions about the company’s direction will be invalidated, with potentially disastrous consequences.
1. The risk management staff at Enron routinely was ignored and was quite ineffectual in pressing its case, according to Bethany McLean’s and Peter Elkind’s book The Smartest Guys in the Room: The Amazing Rise and Scandalous Fall of Enron (New York: Portfolio. 2003).
2. This process is discussed in great detail in the Committee of Chief Risk Officers Organizational Independence and Governance Working Group’s white paper on governance. Committee of Chief Risk Officers. Governance and Controls. Volume 2 of 6. 19 November 2002. p. 3.
3. The collapse in 2005 of China Aviation Oil occurred because traders persistently flouted risk controls.
4. In the case of China Aviation Oil, that new policy led to bankruptcy and the jailing of the CEO.
5. Traders are known to be very aggressive and will push limits in search of trading profits, without always considering risk. When they are trading with their own money that is one thing, but if they are risking the company’s resources, that means they need to hew to the rules.
6. Peter Thal Larsen, “Today Leeson Would Work for a Hedge Fund,” Financial Times, 21 February 2005. p. 16.
7. Brett Friedman and Tim Essaye, “Corporate Risk: What Does Management Really Know?” Public Utilities Fortnightly. Volume 143. No. 2. February 2005. p. 56.
8. Committee of Chief Risk Officers. Introduction and Executive Summaries of CCRO Recommendations. Volume 1 of 6. 19 November 2002. pp. 9-10.