Monday, April 22, 2013

Three Lines of Defense Part 5

Presenter 5: Sean Lyons, Principal at R.I.S.C.
Lessons to Be Learned from Corporate Defense Management Failures

This presentation is broader in scope than the others. Rather than the simple 3LD model focused on banks and insurers, Lyons uses an approach he calls "corporate defense." He spent a great deal of time going over this theory, most of which is easy to follow either from the presentation (which can be found here: http://www.ermsymposium.org/2013/seminars.php) or from his video (on YouTube). The key aspect is that there are many, many dimensions of risk management, and they must go top-to-bottom over the entire firm *and* horizontally across business functions. He also encourages viewing stakeholders in an incredibly broad way (to the point that the definition almost becomes meaningless); he includes shareholders, employees, management, regulators, customers, suppliers, and society at large.

He spent some time recapping the well-known problems with AIG, JPM/Chase, and BP. He characterizes the problem at AIG as "only Hank Greenberg knew the big picture" when it came to the risks of the firm. As a result, AIG had lots of small failures that had big consequences. [KR: By the way, I highly recommend The AIG Story, especially for you hard-core capitalists out there.]

I question his analysis of BP. His assumption is that, since the report following Deepwater Horizon contained suggestions, it meant BP had total deficiencies or failures in those areas. However, I can't imagine someone being sent in to analyze what went wrong with Deepwater coming back with "nothing, everything was fine." Obviously *something* went wrong, but there are such things as freak accidents. As far as I can tell, there were no obvious failures that led up to the disaster, just a highly unfortunate series of events.

Honestly, I failed to see the point of much of this presentation. There was no real explanation as to what could have actually prevented these disasters. How do you engage in corporate defense when you don't know what you're defending against? This is a recurring question for ERM, in my opinion. Are we supposed to just sit down with everyone in the firm and try to list all the risks? That is literally the approach we currently take, but it seems doomed to failure: the risk that kills you will end up being the one you didn't see coming. What about the alternative idea of trying to build an organization that is flexible and responsive, so that when risks emerge, it's essentially able to either dodge them or lessen the effects?

End Part 5.
