Ajax’s credit default swap business exposed both it and Acme to all three types of risk. Market risk arose, for example, because changes in interest rates and housing prices could significantly affect the value of the mortgage-backed securities Ajax’s counterparties were using the swaps to hedge. Credit risk arose, for example, because adverse changes in the credit quality of subprime mortgage-backed securities could lead to Ajax’s counterparties making collateral calls and, in the event of defaults on such securities, Ajax having to pay off on the swaps. Operational risk is pervasive in this context, potentially arising from “inadequate systems, management failure, faulty controls, fraud, and human error”:
[In fact,] many of the large losses from derivative trading are the direct consequence of operational failures. Derivative trading is more prone to operational risk than cash transactions are because derivatives, by their nature, are leveraged transactions. The valuation of complex derivatives also creates considerable operational risk. Very tight controls are an absolute necessity if a firm is to avoid large losses.
Ajax’s losses can be attributed to the lack of such controls at both the parent and subsidiary level. As the facts become public, moreover, it becomes increasingly clear that Ajax’s board failed to ensure that Ajax and its subsidiaries had established effective enterprise risk management programs. The board took no steps to ensure that management had installed the necessary personnel, infrastructure, and policies. Shareholders therefore file a derivative suit against the members of Ajax’s board of directors, alleging that the directors’ inattention to risk management breached their Caremark obligations.
Delaware Chancellor William Chandler has just written a very fine opinion in In re Citigroup Inc. Shareholder Litigation, 2009 WL 481906, addressing Caremark claims premised on the very similar case of Citigroup's massive subprime mortgage losses. He concludes, I think correctly, that Caremark claims based on failures of risk management differ in degree from those involving law compliance or accounting irregularities.
Although these claims are framed by plaintiffs as Caremark claims, plaintiffs' theory essentially amounts to a claim that the director defendants should be personally liable to the Company because they failed to fully recognize the risk posed by subprime securities. When one looks past the lofty allegations of duties of oversight and red flags used to dress up these claims, what is left appears to be plaintiff shareholders attempting to hold the director defendants personally liable for making (or allowing to be made) business decisions that, in hindsight, turned out poorly for the Company. Delaware Courts have faced these types of claims many times and have developed doctrines to deal with them-the fiduciary duty of care and the business judgment rule.
In other words, managing risk inevitably is intertwined with taking risk. This is so because the former entails making choices about how to select the optimal level of risk to maximize firm value. Operational risk management, for example, frequently entails making decisions about whether to engage in risky lines of business and, more generally, whether to take risks justified on a cost-benefit analysis basis. Effective risk management thus can strangle flexibility.
Chandler's point about the hindsight bias is especially well taken in this context. An institution that suffers a large loss did not necessarily have a risk management failure. Risk management thus differs in degree from loss causation and accounting irregularities because decision makers' analysis of losses inevitably is affected by the hindsight bias. If it becomes easy for decision makers to impose liability in cases raising Caremark claims arising out of alleged risk management failures, many directors may be held liable for losses that were not in fact caused by a failure of oversight.
I would add to Chandler's excellent analysis a few additional points. First, risk management is a young discipline. This is another way in which there are differences in degree between accounting irregularities and law compliance, where there are long-standing precedents, and risk management.
Second, best practice with respect to enterprise risk management is still evolving. Imposing liability for failing to adopt some traditional model of risk management may abort this evolutionary process. Accordingly, courts should be extremely leery about rendering opinions perceived as creating a roadmap for approaching risk management.
Law review editors: Want an article on this topic? Strike now!
Update: The opinion can be downloaded here.
Cases in which plaintiffs have brought Caremark claims typically involve either law compliance or accounting irregularities. It is fairly easy, however, to imagine a Caremark claim based on a board of directors' inattention to enterprise risk management. Consider the following hypothetical:
Ajax is a UK insurance subsidiary of Acme, a Delaware-incorporated multinational financial services conglomerate. In 2004, Ajax’s London office began selling credit default swaps that the purchasers used to hedge several billion dollars of asset-backed securities. The majority of the credit default swaps were used to hedge subprime mortgage-backed securities. Ajax management relied on complex mathematical models to assess the risks associated with insuring such securities. As already noted, however, the models used during the run-up to the financial crisis of 2008 to assess risks associated with consumer credit proved inadequate. Ajax’s were no different. When the housing bubble burst and the subprime mortgage crisis began, Ajax’s counterparties began demanding that it post increasingly large amounts of collateral to secure its obligations. When the collateral calls exceeded Ajax’s resources, Acme was obliged to step in and provide the necessary collateral. In addition, as the financial crisis worsened and subprime mortgage-backed securities declined in value, the value of the swaps also declined. As a result, Acme’s consolidated financial statements began to report substantial losses caused by the necessity to write down the value of Ajax’s swaps. Finally, other Acme securities held substantial portfolios of mortgage-backed securities, whose declining value necessitated additional write-downs. In response to these various problems, the rating agencies slashed Acme’s bond rating from triple-A to single-A. Under the terms of Ajax’s credit default swaps, this triggered an additional $10 billion collateral call.
Unable to raise $10 billion in light of the credit market’s problems in late 2008, Acme was forced into bankruptcy,