Global Business

Missing Pieces

How poor risk-management techniques contributed to the subprime mess.
Avital Louria HahnMarch 1, 2008

In early 2007, believing that troubles in the subprime-mortgage industry would worsen, Morgan Stanley’s fixed-income traders built a $2 billion short position on the sector. As protection, they bought $14 billion worth of triple-A mortgage-backed securities. Although there were troubling signs that the credit malaise was spreading to the higher-grade securities, the traders considered the triple-A’s an adequate hedge.

But by December, a perfect storm had gathered: with the credit markets in free fall, investors fled all forms of mortgage-backed securities, including investment-grade. Morgan Stanley’s hedge collapsed, triggering a $9.6 billion fourth-quarter write-down — nearly triple the $3.7 billion that Colm Kelleher, Morgan Stanley’s newly appointed CFO, had forecast a month earlier.

In many ways, Morgan Stanley’s predicament mirrors that of other banks caught in the subprime mess. Errors in judgment, the inability to properly manage risk, and the failure of stress tests have so far resulted in global bank losses of $265 billion. With a few notable exceptions, even bank CFOs seemed willfully ignorant of snowballing risk. “Everyone involved was caught unprepared, given the speed at which liquidity dried up,” says Jess Varughese, managing partner of Milestone Advisory Services.

The question now is how an industry so splendidly adept at making a buck out of risk could get it so wrong, and whether the ritual executive bloodbaths and subsequent reshufflings will help forestall the next meltdown.

One thing is clear: the hardest hit banks, from Merrill Lynch to Citigroup, shared a siloed approach to risk, with insufficient communication among risk, finance, and operations. Unlike other businesses, where the CFO is typically the ultimate risk manager, banks tend to view risk as an advisory role.

But as this crisis demonstrates, such separation is logical only up to a point. Among those banks that have, so far, dodged the bullet, such as Goldman Sachs, Lehman Brothers, and Deutsche Bank, risk has a high profile and the CFO, if not directly in charge, is still closely involved in monitoring and managing risk.

Attaching a high profile to risk management, of course, has not been the trend. Instead of managing risk, banks have been shedding it for years, passing it on to investors through securitizations and syndications. Former Federal Reserve chairman Alan Greenspan praised the resulting dispersion of risk. He claimed it bolstered the safety and soundness of his banking charges. In fact, it may have made them more careless.

After all, bankers are only human. Even when they are not playing with investor money, individuals in large banks don’t have much skin in the game. “Bankers bet with their bank’s capital, not their own,” wrote Council on Foreign Relations scholar Sebastian Mallaby, in a Washington Post editorial. “If the bet goes right, they get a huge bonus; if it misfires, that’s the shareholders’ problem.” It’s no surprise, says Mallaby, “that rational bank employees take as much risk as they can.”

Sidelining caution in favor of potential profit is not particularly difficult in a culture built on producer worship. Traders looking for capital often get their business-unit head to intervene on their behalf. In many of today’s large banks, risk officers and CFOs are cost centers. Morgan Stanley’s new chief risk officer (CRO) is only now answerable to the CFO instead of the co-president. At Citigroup, risk reported to the chief administrative officer before its new CEO Vikram Pandit changed the structure to report to him.

Contrast these examples with Goldman Sachs, where risk reports to the CFO. Or with Lehman and Deutsche, where risk is an independent function that reports to the CEO. At those banks, risk management is vigilant, with frequent communication among business groups. Indeed, though we have not yet felt the full effect of this crisis, examples of how to manage risk (think Goldman) and how not to (Merrill, Citi) are already emerging.

Merrill’s Peril

On paper, at least, Merrill’s risk oversight was robust. According to the firm’s 2006 annual report, the then-CFO, Jeffrey Edwards, headed the risk-oversight committee and was charged with establishing risk-tolerance levels, authorizing changes in the firm’s risk profile, and putting in place proper risk-management processes. But in reality, the risk structure had problems. Risk was not integrated but split between a credit risk officer and a market risk officer, both of whom reported to the CFO, who then reported to the CEO.

That may work at a place like Goldman, where decisions are made collectively among executives. But at a firm with a strong-willed CEO, like Merrill, it can backfire.

People close to Merrill say that even if Edwards saw the risk, contradicting then-CEO Stan O’Neal was a dangerous game. “Either you did what he wanted or you were out,” says a Merrill employee. Ironically, it was O’Neal, a former Merrill CFO, who drove the firm to take more risk with its own capital. Relieved of his job in October, shortly before Edwards (who remains with Merrill as part of the Executive Client Coverage Group), O’Neal also had overseen the $1.2 billion acquisition of subprime-mortgage originator First Franklin in late 2006 as the sector was deteriorating.

Merrill may have also become addicted to the enormous fees it collected from underwriting collateralized debt obligations (CDOs), which reached nearly $1 billion in 2006 and 2007 combined. Because CDO investors demanded the lower-credit, higher-yielding slices of the securities, Merrill did not have enough of a market for the investment-grade tranches and began keeping them on its books. Its pre-crisis holdings peaked at an only partly hedged $41 billion. As with Morgan Stanley, Merrill apparently felt those tranches were reasonably safe. And that may have made Merrill reluctant to pay the high cost of such insurance, says Tanya Azarchs, banking analyst at Standard & Poor’s. “But by the time people realized what was happening, it was too late to do anything,” she says.

In December, Merrill appointed former Goldman president and NYSE head John Thain as CEO. He has since hired CFO Nelson Chai, also a former NYSE executive, and integrated market and credit risk under two co-CROs — former Goldman global risk officer Noel B. Donohoe and Edmond N. Moriarty, formerly Merrill’s chief credit officer. Both report to Thain. In addition, Thain has instituted weekly risk meetings and changed the compensation structure from one that encouraged risky bets to one that reflects “firm results first,” according to a January presentation.

Big Isn’t Always Better

For Citigroup, the subprime crisis simply accelerated a downward slide. With investors calling for the bank’s breakup long before the crisis, Citigroup’s $20 billion subprime-related losses and its battered structured investment vehicles (SIVs) further exposed the difficulties of managing this complex institution. In fact, in addition to taking onto its balance sheet as much as $43 billion in CDOs, Citi had close to $100 billion in SIVs.

Internally, the finance function has been in flux for some time. Two consecutive CFOs — Todd Thomson and Sallie Krawcheck — were replaced in short order. It wasn’t until last March that the bank hired what one corporate-governance scholar calls a “professional CFO,” American Express’s Gary Crittenden, but by then it was too late. Indeed, in an analyst call in October, Crittenden conceded that Citigroup’s massive CDO losses had to do with failure to properly monitor the value of the bank’s CDO holdings until it was too late to hedge or sell them. Collaboration “between the credit-risk team and the market-risk team was not as strong as it needed to be,” he said. “We have to have more integration between the way those teams operate.”

Like Merrill’s, Citi’s CDO losses were disclosed gradually. (Ironically, Thomson had been in charge of risk as CFO, but that structure was dismantled during Citi’s struggles to overcome a series of crises over reputation risk.) A $5.9 billion third-quarter hit predicted in November mushroomed to $11 billion in December. CEO Charles Prince, who in the summer said that Citi would “keep dancing” as long as the music played, resigned. The bank named Pandit as CEO in December and split the role of CEO and chairman. But those and other corrective steps did not prevent a fall in the bank’s capital ratio to 7.3 percent from its 7.5 percent target, triggering a downgrade from Moody’s Investors Service.

Overall, the risk function at Citi lacked visibility or direct lines to the top. Former CRO David Bushnell reported to Citi vice chairman Lewis Kaden, who had been a chief administrative officer, an ineffective organizational structure, according to corporate-governance gurus. Just prior to his retirement in November, Bushnell served as both risk officer and chief administrative officer, reporting to Prince. In November, the bank named Citigroup risk veteran Jorge A. Bermudez as CRO, reporting directly to acting CEO Sir Win Bischoff. Citi also formed an advisory committee of senior leaders from across the company that will provide input on ways to strengthen risk-management processes. The group meets weekly, with the CEO often present.

Crittenden, meanwhile, has said he would centralize the treasury functions to “facilitate the allocation of capital to our highest growth and return opportunities.” He is also in charge of conducting an ongoing review of the bank to increase efficiencies, including head count. A second, one-time review of all the bank’s businesses is under way and is headed by Pandit. That review will yield results that may include a breakup — a scenario under which Crittenden might be tapped to head a division.

What’s Luck Got to Do with It?

Still, not every bank CFO considers 2007 a disastrous year. JP Morgan Chase, Credit Suisse, and Deutsche Bank all emerged relatively unscathed from the crisis. Lehman Brothers, a big player in mortgages, with an estimated inventory of $80 billion in mortgage-related securities, also avoided major pain, returning 16.6 percent on capital in 2007 — largely thanks to revamping its risk-management system after the 1998 Asian crisis.

It was Goldman, however, that got Wall Street’s attention. In December 2006, the bank’s controller group alerted CFO David Viniar to mortgage-related losses that had occurred for 10 days on the firm’s P&L. (Goldman has not disclosed the exact amount, but says it was “in the millions.”) In response, Viniar called a meeting that included the controller division, the mortgage traders, and the senior risk managers. Discussions revolved around the firm’s long subprime holdings and ended with the conclusion that “we’d rather be short than long,” says a person close to Goldman.

Goldman began to hedge its long mortgage position in first-quarter 2007. In the second quarter, it reduced some of its long positions and wrote down the positions it retained. By fall, as other banks were stuck holding billions in subprime-related securities, it had already unloaded most of its investments. Defying the Street, it reported an 80 percent third-quarter hike in its profits, to $2.8 billion. “Viniar is an example of an empowered CFO looking at the situation and saying, ‘I’m uncomfortable; let’s fix this,’” says Milestone’s Varughese.

Goldman’s call was made in the context of solid corporate governance as well as a culture that encourages dialogue. The structure gives the CFO power as the overseer of all forms of risk. Rules and hierarchy seem to be respected, as seen by Viniar’s ability to gather the troops and get them to opt out of a lucrative area at the height of the market. In addition, Goldman’s controllers have the authority to prevent traders from making risky bets, providing an early intervention before problems escalate.

Goldman suffered some relatively minor pain — a $1.5 billion hit on loans to private-equity firms in the third quarter, and earlier it had to rescue two of its hedge funds. And it remains to be seen whether Goldman will completely dodge the fallout, which includes lawsuits as well as regulatory probes into the subprime business practices. Already, some have accused it of protecting itself while continuing to peddle risky securities to investors. (Goldman says it sold only high-grade securities once it began to unwind its position.)

A Changed Landscape

As more and more banks evaluate and strengthen their risk-reporting structures, two main patterns are emerging. Some banks that have not had risk report to the CFO are now putting the CFO in charge. Others, like Citigroup, are keeping risk as a separate function but elevating it to the C-suite, making the CRO a peer of the CFO’s, with both reporting to the CEO. These also make sure that the CRO oversees all forms of risk, thereby fixing a problem that affected both Citigroup and Merrill — keeping credit-risk and market-risk separate.

Regulatory forces may also return risk to the purview of the CFO. Basel II, for example, was intended to recognize advances in risk management by allowing banks to reduce the amount of capital on their balance sheets relative to their risk position. Now banks are likely to find themselves under renewed scrutiny from red-faced regulators, who could push those capital requirements up. Fair-value accounting is also making CFOs become more involved in day-to-day monitoring of positions.

Viewing risk through a companywide lens and establishing an environment in which the CFO and risk officer communicate regularly could take years, says Prodyot Samanta, an enterprise risk management specialist at S&P. “Developing a risk function,” he adds, “is a cultural change, and it takes time to see if these are committed actions or just a form of window dressing.”

Banks would do well to commit now, while there is little to distract them. Says Richard Sylla, an economics professor at New York University’s Stern School of Business: Banks “will be cautious for a while, and then some other boom will come along and everyone will jump on it.”

Avital Louria Hahn is a senior editor at CFO.

To see what CFOs initially said about the subprime fallout — and what really happened to their companies — click here.

The Bailout

Many banks now have new investors to answer to.

Merrill Lynch: $6.2 billion by Singapore’s Temasek Holdings and Davis Selected Advisors

Citigroup: $7.5 billion by Abu Dhabi Investment Authority

Morgan Stanley: $5 billion by China’s sovereign-wealth fund

Bear Stearns: $1 billion each by U.S. investor Joseph Lewis and China’s CITIC Securities

UBS: $9.8 billion by Government of Singapore Investment Corp.; $1.8 billion by unnamed Middle East investor (believed to be either Abu Dhabi or Oman entities)

Internal Controls: The Invisible Link

CFOs may not be in charge of risk management at some Wall Street banks. However, management is responsible for certifying a company’s internal control over financial reporting in accordance with Section 404 of Sarbanes-Oxley.

“As CFO, you are signing off that internal control over financial reporting is effective,” says Joseph Atkinson, U.S. advisory operations leader for governance, risk, and compliance at PricewaterhouseCoopers. But while internal controls over financial reporting are designed to provide reasonable assurances, he says, “they don’t provide absolute assurance.” The subprime crisis, he adds, involved “instruments that were complex to value and impacted by market events. While you can definitely see large changes in values, that does not necessarily mean there was a failure in internal control over financial reporting.”

Still, the ultimate authority for raising risk questions lies with the board’s audit committee, according to Section 303A of the NYSE Listed Company Manual. Of course, it stands to reason that most audit committees would turn to one of their main liaisons — the CFO — for advice in that area. And if that happens at most public companies, why not banks? — A.L.H.

Understanding Which ERP Modules Your Business Needs – And When