Goldman began to hedge its long mortgage position in first-quarter 2007. In the second quarter, it reduced some of its long positions and wrote down the positions it retained. By fall, as other banks were stuck holding billions in subprime-related securities, it had already unloaded most of its investments. Defying the Street, it reported an 80 percent third-quarter hike in its profits, to $2.8 billion. "Viniar is an example of an empowered CFO looking at the situation and saying, 'I'm uncomfortable; let's fix this,'" says Milestone's Varughese.
Goldman's call was made in the context of solid corporate governance as well as a culture that encourages dialogue. The structure gives the CFO power as the overseer of all forms of risk. Rules and hierarchy seem to be respected, as seen by Viniar's ability to gather the troops and get them to opt out of a lucrative area at the height of the market. In addition, Goldman's controllers have the authority to prevent traders from making risky bets, providing an early intervention before problems escalate.
Goldman suffered some relatively minor pain — a $1.5 billion hit on loans to private-equity firms in the third quarter, and earlier it had to rescue two of its hedge funds. And it remains to be seen whether Goldman will completely dodge the fallout, which includes lawsuits as well as regulatory probes into the subprime business practices. Already, some have accused it of protecting itself while continuing to peddle risky securities to investors. (Goldman says it sold only high-grade securities once it began to unwind its position.)
A Changed Landscape
As more and more banks evaluate and strengthen their risk-reporting structures, two main patterns are emerging. Some banks that have not had risk report to the CFO are now putting the CFO in charge. Others, like Citigroup, are keeping risk as a separate function but elevating it to the C-suite, making the CRO a peer of the CFO, with both reporting to the CEO. These banks also make sure that the CRO oversees all forms of risk, thereby fixing a problem that affected both Citigroup and Merrill — keeping credit risk and market risk separate.
Regulatory forces may also return risk to the purview of the CFO. Basel II, for example, was intended to recognize advances in risk management by allowing banks to reduce the amount of capital on their balance sheets relative to their risk position. Now banks are likely to find themselves under renewed scrutiny from red-faced regulators, who could push those capital requirements up. Fair-value accounting is also making CFOs become more involved in day-to-day monitoring of positions.
Viewing risk through a companywide lens and establishing an environment in which the CFO and risk officer communicate regularly could take years, says Prodyot Samanta, an enterprise risk management specialist at S&P. "Developing a risk function," he adds, "is a cultural change, and it takes time to see if these are committed actions or just a form of window dressing."
Banks would do well to commit now, while there is little to distract them. Says Richard Sylla, an economics professor at New York University's Stern School of Business: Banks "will be cautious for a while, and then some other boom will come along and everyone will jump on it."
Avital Louria Hahn is a senior editor at CFO.
The Bailout
Many banks now have new investors to answer to.
Merrill Lynch: $6.2 billion by Singapore's Temasek Holdings and Davis Selected Advisors
Citigroup: $7.5 billion by Abu Dhabi Investment Authority
Morgan Stanley: $5 billion by China's sovereign-wealth fund
Bear Stearns: $1 billion each by U.S. investor Joseph Lewis and China's CITIC Securities
UBS: $9.8 billion by Government of Singapore Investment Corp.; $1.8 billion by unnamed Middle East investor (believed to be either Abu Dhabi or Oman entities)
Internal Controls: The Invisible Link
CFOs may not be in charge of risk management at some Wall Street banks. However, management is responsible for certifying a company's internal control over financial reporting in accordance with Section 404 of Sarbanes-Oxley.
"As CFO, you are signing off that internal control over financial reporting is effective," says Joseph Atkinson, U.S. advisory operations leader for governance, risk, and compliance at PricewaterhouseCoopers. But while internal controls over financial reporting are designed to provide reasonable assurances, he says, "they don't provide absolute assurance." The subprime crisis, he adds, involved "instruments that were complex to value and impacted by market events. While you can definitely see large changes in values, that does not necessarily mean there was a failure in internal control over financial reporting."
Still, the ultimate authority for raising risk questions lies with the board's audit committee, according to Section 303A of the NYSE Listed Company Manual. Of course, it stands to reason that most audit committees would turn to one of their main liaisons — the CFO — for advice in that area. And if that happens at most public companies, why not banks? — A.L.H.





Reader Comments
Peter Stiefenhofer
Mar 9, 2008 9:28 AM ET
CULTURE FIRST
Thanks for the article, including all the ingredients of successful and less successful recipes: - Capital allocation …