Enterprise risk management is the process by which a business organization anticipates, prevents, and responds to uncertainties associated with the organization’s strategic objectives. It is well accepted that systemic risk management failures by major corporations, especially but not limited to financial institutions, were a root cause of the financial crisis of 2008. Boards of directors and corporate managers failed adequately to identify, prevent, prepare for, and respond to the numerous risks that faced the financial system in the years prior to the crisis.
Given that the stock market lost $6.9 trillion in 2008, shareholder losses attributable to absent or poorly implemented risk management programs likely are enormous. Will shareholders be able to recoup some of those losses by suing boards of directors of companies with lax risk management programs? In my article, Caremark and Enterprise Risk Management, 34 J. Corp. L. 967 (2009), I argued that the business judgment rule generally should insulate directors from such claims.
The risks corporations face can be broadly categorized as operational, market, and credit. Operational risk encompasses such concerns as inadequate internal controls, faulty accounting systems, management failure, fraud, and human error. Market risks are those associated with potential changes in firm valuation linked to asset performance. Credit risk is defined as the possibility that a change in the credit quality of a counterparty will affect the firm’s value. All three types of risk played important parts in the financial crisis.
To be sure, some argue that even top risk managers could not have anticipated the financial crisis that struck in 2008. Risks fall into three broad categories: known problems, known unknowns, and unknown unknowns. As the argument goes, the financial crisis was an unknown unknown, which by definition was unpredictable and therefore could not be managed.
In fact, however, there were warning signs of an approaching crisis in the housing market, including rapidly accelerating home prices that had characteristics of a classic asset bubble, which was fueled in large part by easy mortgage terms combined with lax credit standards. It should not have taken a savant to foresee the risks the housing bubble posed for the financial services industry and then the economy as a whole.
Admittedly, evaluating extremely low probability but very high magnitude risks is challenging because the outcomes associated with such risks do not follow a normal distribution. As a result, quantifying the probability and magnitude of such risks poses an extreme problem for risk managers. Yet, as the financial crisis proved, it is simply unacceptable for firms to dismiss such risks as being unmanageable. We must learn how to do better. Having said that, however, I hasten to add that liability to shareholders is an inappropriate tool for incentivizing directors to do better.
Just because a firm has the ability to reduce risk does not mean that it should exercise that option. As the firm’s residual claimants, shareholders do not get a return on their investment until all other claims on the corporation have been satisfied. All else equal, shareholders therefore prefer high return projects. Because risk and return are directly proportional, however, implementing that preference necessarily entails choosing risky projects.
Even though conventional finance theory assumes shareholders are risk averse, rational shareholders still will have a high tolerance for risky corporate projects. This is so because the basic corporate law principle of limited liability substantially insulates shareholders from the downside risks of corporate activity. The limited liability doctrine, of course, states that shareholders of a corporation may not be held personally liable for debts incurred or torts committed by the firm. Because shareholders thus do not put their personal assets in jeopardy, other than the amount initially invested, they effectively externalize some portion of the business’ total risk exposure to creditors.
Accordingly, as Chancellor Allen explained in Gagliardi v. Trifoods Int’l, Inc., 683 A.2d 1049 (Del. Ch. 1996), shareholders will want managers and directors to take risk:
Shareholders can diversify the risks of their corporate investments. Thus, it is in their economic interest for the corporation to accept in rank order all positive net present value investment projects available to the corporation, starting with the highest risk adjusted rate of return first. Shareholders don’t want (or shouldn’t rationally want) directors to be risk averse. Shareholders’ investment interests, across the full range of their diversifiable equity investments, will be maximized if corporate directors and managers honestly assess risk and reward and accept for the corporation the highest risk adjusted returns available that are above the firm’s cost of capital.
Id. at 1052. In turn, the business judgment rule encourages directors to take appropriate risks by insulating them from the danger of being held liable if such a decision turns out badly. Put simply, it eliminates the possibility that hindsight bias will color judicial review of board decisions.
Shareholder litigation alleging that a board failed adequately to manage risk raises precisely the same concerns as shareholder litigation challenging the riskiness of a board decision. Risk management necessarily overlaps with risk taking because the former entails making choices about how to select the optimal level of risk to maximize firm value. In general, firms have four tools for managing risk: (1) transferring risk to third parties through hedging and insurance, (2) avoiding risk by choosing to refrain from certain business activities, (3) mitigating operational risk through preventive and responsive control measures, and (4) accepting that certain risks are necessary to generate the appropriate level of return. All of these overlap with risk taking. Operational risk management, for example, frequently entails making decisions about whether to engage in risky lines of business and, more generally, determining whether specific risks can be justified on a cost-benefit analysis basis. As a result, it is becoming increasingly difficult to draw a meaningful distinction between the ordinary corporate governance decisions protected by the business judgment rule and risk management. The business judgment rule therefore should protect the latter, just as it does the former.