If an organization's
- employee welfare & attitude
- credit sources
- market value (stocks, bonds)
are "in scope" for the Enterprise Risk Management (Business Continuity/COOP) practitioner, why not the organization's financial concerns that, after all, impact everything on the bulleted list - and more?
I'm thinking of the financial crisis du jour.
Banks belly up.
Insurance company bailed out with a federal loan in the billions.
All somehow laid at the feet of mortgage brokers who, it is claimed, allowed too many too-risky mortgages to be approved.
No organization or person is immune from some impact of this money crisis. Even if you don't have money in The Market, you are spending money at the (super)market, and prices there have crept - in some cases, leapt - up.
'Course fuel prices must share some of the blame.
But the real crunch seems to be due to the number of "bad" loans.
Many of the mortgages were issued with minimal collateral - the lender figured, with some justification, that the value of the property would go up and therefore protect the loan. When values dropped, the loan-to-collateral ratio was reduced.
That might not have been so bad, but at the same time, people started losing their jobs.
With no income, mortgage payments stopped.
Since the property value was less than the loan . . .
The results are obvious.
I understand the mortgage business is complicated.
I took a mortgage on a property and before the first payment it had been sold to another company.
Actually, it may have been sold several times before I got my payment coupon book.
As the paper traveled from hand to hand, I have to wonder if there was "full disclosure" about the loan. Did the organization that "packaged" my loan with others package it with similar-collateral loans, or was mine tossed into a "pot" of loans of various "creditability"?
Did the organization - apparently the AIGs of the world - know the true loan risk when it bought the mortgage packages?
In the "real world" of personal finance, my Financial Manager (a/k/a The Spouse) insists that we diversify our limited funds. I am in full agreement.
I am inclined to take a bit more risk in the market; she is more conservative, but we both agree that diversification is the best way to protect what we have.
The market's decline HAS hurt us, but because we are diversified, we are surviving better than some.
AIG, as big as it is, apparently put too many "eggs" into one basket.
Lehman Bros., ditto.
Just two of the recent headline names.
I wonder if these organizations had a comprehensive enterprise risk management program, if the management had been honest and candid with the risk management practitioners, if the practitioners had recommended greater diversity, and - finally - if management had listened to and followed the practitioners' advice, would they be as deeply in financial trouble.
Too often, the books are "out of scope" for the practitioner.
Too often, working with qualified financial auditors is "out of scope" for the practitioner.
OK, I'll concede that there have been some less-than-above-board auditors, but "in general."
The risk manager must be privy to ALL the organization's interests. The risk manager need not be an expert in anything (other than risk management); the risk manager depends on specific-discipline Subject Matter Experts (SMEs) such as the aforementioned auditors.
I've worked with CPAs; they know a lot more about accounting than this scrivener can ever hope to know.
I've worked with police who know physical security inside out.
I've worked with data security folks who protect my bits and bytes from miscellaneous dangers I've never heard about.
Most of my career as a risk management practitioner and as a writer before that has required that I identify and turn to SMEs.
Enterprise risk management must be allowed to look into all the organization's corners and closets.
Still, even when the practitioner ferrets out a risk - in today's exercise, over-exposure in the mortgage market - management has to listen and act.
Could the current financial melt-down have been prevented if risk managers had access to all of an organization's information?
One risk manager at one organization would not have prevented this debacle, but many risk managers at many organizations . . . maybe.
John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @ JohnGlennMBCI.com