"A crisis is a terrible thing to waste." For the last couple of years, that's been the basic subtext of everybody with a regulatory proposal. Case in point, plaintiff's securities lawyer Chad Johnson's water carrying for institutional investors on the Harvard Governance blog:
The ... world has begun to deal with the complicated web created by the financial markets’ collapse, and to determine how to prevent future market catastrophes. One clear preventative measure is to ensure that companies create and support strong, independent and accounting-savvy boards of directors and executives charged specifically with risk management and control. ...
[Citing an OECD report, he argues that we] need to examine and propose board-level corporate reforms in order to strengthen market integrity and restore shareholder confidence. Immediate reforms are needed with respect to key corporate governance principles which failed to serve investors’ interests during the recent market turmoil; namely, risk management oversight and enforcement, consistent application of enhanced accounting standards, and executive remuneration tied to long term shareholder interests.
As an initial matter, investor advocates must demand direct board-level oversight of corporate risk management and the development of acceptable risk policies. Risk management breakdowns in the current financial crisis were not due to a lack of sophisticated modeling or technology; rather, they were attributable in large part to boards of directors’ limited access to, and understanding of, relevant risk exposure information. Substantial corporate risks were simply ignored or not communicated to boards of directors.
Indeed, the current crisis has made clear that boards of directors of investment banking firms recklessly, or at least negligently, failed to understand that increased exposure to subprime assets exceeded acceptable risk limitations until it was too late.
The argument reflects a fundamentally flawed understanding of both risk management in general and, in particular, the board's role. As I explained in my article, Caremark and Enterprise Risk Management:
Best practices with respect to enterprise risk management are still evolving. Indeed, while there are a number of widely used risk management frameworks, none has emerged as a dominant best practice. Basel II, for example, is a set of international regulatory guidelines for determining the minimum acceptable levels of capital financial institutions need to protect themselves from market, credit, and operating risk. Despite having been designed for banks and similar financial firms, the Basel II framework has become extremely influential in the risk management industry generally. Alternatively, many firms have adopted COSO’s 2004 recommendations, even though they in fact provide “little guidance on how to design and execute an effective enterprise risk management framework.” The problem of choosing among competing proposed best practice regimes is compounded by—or, perhaps, attributable to—the fact that different firms have different appetites for risk and face different types of risk, which means they have differing enterprise risk management needs.
Attempts to mandate specific risk management systems and programs either by government fiat or shareholder activism (such as using Rule 14a-8 to make bylaw changes) threaten to abort the nascent process by which best practices continue to emerge.
Risk management necessarily overlaps with risk taking because the former entails making choices about how to select the optimal level of risk to maximize firm value. Recall that there are only four basic ways of managing risk: avoiding it by avoiding risky activities, transferring it through insurance or hedging, mitigating it, and accepting it as unavoidable. All of these overlap with risk taking. Operational risk management, for example, frequently entails making decisions about whether to engage in risky lines of business and, more generally, determining whether specific risks can be justified on a cost-benefit analysis basis. As a result, it is becoming increasingly “difficult to draw a line between corporate governance and risk management.”
The fuzzy line between risk-taking and risk management is nicely illustrated by how corporations use derivatives. On the one hand, they can be used to hedge risk. On the other hand, they can be used as speculative investments. In many cases, they can be used as both simultaneously.
The business and affairs of the corporation are assigned by statute to the board of directors, not to government regulators, shareholders, or plaintiff lawyers. Mandating specific risk management systems and programs is the sort of direct micromanagement by institutional investors that those of us who believe in director primacy have warned against for years:
[I further explained that] board decisions with respect to the nature, scope, and content of risk management programs are themselves business decisions of the sort protected by the business judgment rule. The levers a board can pull when supervising the company’s risk management include, for example, the human capital resources devoted to the task. The board might ask such questions as: To whom do risk management officers report? How are they chosen? How much are they paid? How is their performance evaluated? Personnel decisions like these are core business judgments protected from judicial review by the business judgment rule. Likewise, managing operational risk by choosing among possible business activities is a basic business judgment that should be protected by the rule.
These sorts of decisions likewise should be insulated from regulatory and shareholder oversight, as I explained in my book The New Corporate Governance in Theory and Practice.
Hand-in-hand with an increased board level understanding of risk exposure is the need for more meaningful corporate disclosures. Again, this is a board responsibility that has suffered in recent years. As more and more complex securities entered the marketplace and appeared on corporate balance sheets, boards improperly delegated risk disclosures to others without fully investigating and disclosing the true exposure associated with novel financial instruments such as collateralized debt obligations and credit default swaps tied to toxic mortgage assets.
The already massive disclosures required by federal law were hugely compounded by Sarbanes-Oxley just a few years ago. A fat lot of good they did us. There is simply no reason to think more disclosure will do anything except make it less likely that ordinary investors will read corporate disclosure documents by making them longer and more complex.
Citigroup essentially created a liquidity “put” associated with its collateralized debt obligations that allowed buyers to sell back the faltering securities at their original value to Citigroup. This strategy only worked if the value of the assets remained healthy; once the assets’ value tanked because they were tied to subprime mortgages, Citigroup was forced to bring back approximately $25 billion worth of toxic assets on to its balance sheet in November 2007. In essence, by moving liabilities off balance sheets, investors were never informed of the immense risk posed by faltering mortgage assets. Clearly, in such instances, the audit committee was missing in action, thwarting transparency and failing investors.
It is almost impossible for a court, in hindsight, to determine whether the directors of a company properly evaluated risk and thus made the “right” business decision. … In any business decision that turns out poorly there will likely be signs that one could point to and argue are evidence that the decision was wrong. Indeed, it is tempting in a case with such staggering losses for one to think that they could have made the “right” decision if they had been in the directors’ position.
WTF? Sarbanes-Oxley and the concurrent SRO listing standard amendments have mandated for years that we have just such audit committees. I don't get this at all.
... it is clear that, at a minimum, given the complex financial instruments in the financial markets, audit committees must be staffed by independent appointees with accounting experience sufficient to ensure proper oversight of corporate audits.