BREA Global Crisis and ERM Project feb 18 2009 -- Final Draft · risk insights from the economic crisis, present reasons why ERM provided some financial service and insurance organizations

KNOWLEDGE BRIEFING

The Impact of the Current Financial Crisis

on the Global Business Community

February 2009

AUTHORS

George R. Aldhizer, III, Ph.D., CIA, CPA

PricewaterhouseCoopers Associate Professor for Academic Excellence Calloway School of Business and Accountancy

Wake Forest University

Mark C. Stone Masters of Science in Accountancy Candidate

Calloway School of Business and Accountancy Wake Forest University

i

DISCLAIMER Copyright © 2009 by The Institute of Internal Auditors’ (IIA’s) and The IIA Research Foundation’s (IIARF’s) Global Audit Information Network (GAIN) located at 247 Maitland Avenue, Altamonte Springs, Fla. 32701. All rights reserved. Published in the United States of America.

Except for the purposes intended by this publication, readers of this document may not reproduce, redistribute, display, rent, lend, resell, commercially exploit, or adapt the statistical and other data contained herein without the permission of GAIN or The IIARF.

The information included in this document is general in nature and is not intended to address any particular individual, internal audit activity, or organization. The objective of this document is to share tools, resources, information, and/or other knowledge that is accurate, unbiased, and timely. However, based on the date of issuance and changing environments, no individual, internal audit activity, or organization should act on the information provided in this document without appropriate consultation or examination.

ii

FOREWORD

What began as an altruistic and naive attempt by the U.S. Congress to increase home ownership rates grew into a global economic crisis. The sales pitch to U.S. banks involved drastic reductions in lending standards in exchange for substantial increases in loan origination fees. These same banks would be allowed to repackage these sub-prime loans as securities and sell them to financial institutions throughout the world. By spreading the default risk globally, the belief was that no one bank or country would be affected adversely. Unfortunately, this tactic proved detrimental to the world’s economy. The result: In spite of trillions of dollars in increased government spending, financial institutions continue to collapse and unemployment rates continue to rise dramatically across the globe.

Out of the dust of the global crisis have emerged a few success stories such as Aflac Inc., BB&T Corp., J.P. Morgan, and Wells Fargo & Co., which truly embraced a fully integrated enterprise risk management (ERM) process. Because of their role within the organization, internal auditors are in a unique position as the eyes and ears of the audit committee to learn from these success stories as well as the failures of companies leading up to the collapse of the global economy.

The purpose of this Knowledge Briefing is to provide an overview of the global financial crisis including country-specific risks (refer to Appendix A). In addition, this report will discuss operational and compliance risk insights from the economic crisis, present reasons why ERM provided some financial service and insurance organizations with an early warning signal while others did not have the same luck, address whether organizations are discussing the right external risk questions, and explain how internal auditors can provide value to their organization by promoting ERM best practices.

iii

TABLE OF CONTENTS

FOREWORD ................................................................................................................................................... ii

GLOBAL EFFECTS OF THE ECONOMIC CRISIS ............................................................................................. 1

OPERATIONAL AND COMPLIANCE RISK INSIGHTS FROM THE ECONOMIC CRISIS ...................................... 3

Operational Risks .................................................................................................................. 3

Compliance Risks .................................................................................................................. 5

WHY ERM ALERTED SOME ORGANIZATIONS AND NOT OTHERS ............................................................... 8

The Fannie Mae and Freddie Mac Failures...................................................................... 8

What Went Wrong.................................................................................................................. 8

Examples of Success Stories .............................................................................................. 10

Examples of Positive Trends .............................................................................................. 11

ARE ORGANIZATIONS DISCUSSING THE RIGHT EXTERNAL RISK QUESTIONS? ....................................... 12

M&As .................................................................................................................................... 12

Supply Chain Risks .............................................................................................................. 12

Outsourcing Risks................................................................................................................ 13

Insurance Company Risks .................................................................................................. 13

HOW SHOULD INTERNAL AUDIT ACTIVITIES RESPOND?........................................................................... 15

FINAL THOUGHTS ....................................................................................................................................... 16

APPENDIX A: COUNTRY-SPECIFIC CRISES AND STIMULUS PLANS........................................................... 17

1

GLOBAL EFFECTS OF THE ECONOMIC CRISIS

The current fallout from the global economic crisis includes skyrocketing unemployment, investment and commercial bank liquidations, plunging retail sales, cooperation among previously warring countries to stave off collapse, country-specific central bank bailout and stimulus plans, International Monetary Fund (IMF) bailouts, and deleveraging of corporations and U.S. consumers. For example, U.K. unemployment benefit claims increased in November 2008 at the fastest monthly rate in 17 years, while in the United States, 2.6 million jobs were lost in 2008,I the largest annual decline since 1945.1

In addition, major commercial banks have been collapsing at a rate not seen since the Great Depression. Northern Rock plc, based in Newcastle upon Tyne in England, was taken over by the British government after it became the target of the country’s first bank run in more than a century.2 Iceland's three largest banks — IceSave, Landsbanki Island HF, and Landsbanki Guernsey, which represent three-quarters of the country’s stock market value — have sought IMF relief.3 Seattle-based Washington Mutual and S&L IndyMac, headquartered in Pasadena, Calif., were among the top 25 U.S. bank failures in 2008, and another 200 U.S. banks may be at risk of collapse in 2009.4

Furthermore, U.S. investment banks in New York such as Lehman Brothers have been liquidated, while Bear Stearns was purchased by J.P. Morgan for pennies on the dollar. Global Investment House, the largest Kuwaiti investment bank, recently defaulted on its US $3 billion in debt obligations,5 while U.S. insurance companies such as New York-based American International Group Inc. (AIG) have been bailed out by the government. Goldman Sachs economists estimate that financial institutions will ultimately realize several trillion dollars in global write downs tied to U.S. loans. They contend, however, that we are only half-way through this write-down process.6

In the retail sector, global sales plunged in late 2008 to historically low levels. In England, for instance, December 2008 retail sales volume fell to its lowest level since records began in 1983, causing skyrocketing liquidations.7 It is estimated that 10 percent of U.S. retailers could face significant restructuring, bankruptcy, or liquidation in 2009 as a result of the worst December 2008 sales performance since 1970.8 U.S. household names such as Circuit City, Sharper Image, Lillian Vernon, and Goody’s Family Clothing have already filed for bankruptcy protection in late 2008, and it will be difficult for these companies to avoid liquidation as the U.S.’s largest retail lenders (GE Capital, CIT Financial, and Wachovia Bank/Wells Fargo) tighten their lending policies.9 In fact, Circuit City recently announced it will be liquidating its 567 retail stores and laying off 34,000 employees after failing to refinance its debt or find a buyer.10

In terms of economic growth, the IMF forecasted global growth at only 0.9 percent in 2008, the weakest expansion since the bank began keeping records in 1970.11 J.P. Morgan estimated that the global economy would contract by 3.7 percent in the fourth quarter of 2008 and 2.3 percent in the first quarter of 2009.12 One bit of good news is that initial fears of protectionism have been unfounded for the most part.II

China announced it will allocate US $19 billion in financing for Taiwanese companies on the mainland over the next two years to help overcome longstanding tensions between the two countries. Also, an agreement is expected to be signed by mid-2009 that will allow as many as a dozen Taiwanese banks to begin operating in China.13 Additionally, East Asian nations are forming a US $80 billion currency swap plan for the first half of 2009, while the export and import banks of China and the U.S. announced an additional US $20 billion in trade financing in late 2008.

Finally, from August 2007 to September 2008, the United States was the only developed nation aggressively cutting interest rates to stave off a deep recession. Since September 2008, virtually every other developed nation has joined the United States in dramatically cutting interest rates in some cases to near 0 percent. Canada also has cut its interest rates to its lowest level in 50 years. As a result, 30-year

I An additional 600,000 U.S. jobs were lost in January 2009. II Countries’ unwillingness to cooperate on a global scale contributed to the Great Depression.

2

fixed rate home mortgages in the United States have reached their lowest level since Virginia-based Freddie Mac began its weekly rate survey in 1971. (For a summary of country-specific crises and stimulus plans, refer to Appendix A.)

1 Evans, Kelly and Kris Maher, “Yearly Job Loss Worst Since 1945,” Wall Street Journal, Jan. 10–11, 2009, A1. 2 Munoz, Sara S. and Carrick Mollenkamp, “Nationalization Fears Grow as U.K. Banks Struggle,” Wall Street Journal, Jan. 22, 2009, A6. 3 Forelle, Charles, “The Isle That Rattled the World,” Wall Street Journal, Dec. 26–27, 2008, A1 and A6. 4 Paletta, Damian and David Enrich, “Banks Told: Lend More, Save More,” Wall Street Journal, Dec. 26, 2008, C1. 5 Klaus, Oliver and Mirna Sleiman, “Default In Kuwait Spurs Worry,” Wall Street Journal, C2, Jan. 9, 2009. 6 Solomon, Deborah, Jon Hilsenrath and Damian Paletta, “U.S. Plots New Phase in Banking Bailout,” Wall Street Journal, Jan. 17–18, 2009, A1. 7 Parkinson, Joe and Nicholas Winning, “U.K. Joblessness Surged in November,” Wall Street Journal, Dec. 18, 2008, A12. 8 Zimmerman, Ann, “Rising Retailer Threat: Liquidations,” Wall Street Journal, Dec. 12, 2008, B1. 9 McCracken, Jeffery and O’Connell, “Wave of Bankruptcy Filings Expected From Retailers in Wake of Holidays,” Wall Street Journal, Jan. 14, 2009, B1 and B4. 10 Bustillo, Miguel, “Retailer Circuit City to Liquidate,” Wall Street Journal, Jan. 17–18, 2009, B1. 11 Barkley, Tom, “Developing Countries Feel Slump,” Wall Street Journal, Dec. 10, 2008, A9. 12 Hilsenrath, Jon, “Global Crisis Resists Central-Bank Moves,” Wall Street Journal, Dec. 18, 2008, A10. 13 “Taiwan Firms to Receive $19 Billion From Beijing,” Associated Press, Dec. 22, 2008.

3

OPERATIONAL AND COMPLIANCE RISK INSIGHTS FROM THE ECONOMIC CRISIS

Consistent with the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management — Integrated Framework, operational risks associated with the global economic crisis are divided into financial and trading operational risks, while compliance risks are divided into debt compliance and reporting compliance and fraud.

Operational Risks ____________________________________________

Because the global economic crisis was triggered by skyrocketing sub-prime mortgage foreclosures and subsequent bank lending limitations, financial risks are the primary focus of this subsection followed by a brief discussion of trading operational risks.

Financial Risks. Financial risks are divided into the following risk categories: capital costs, currency translation, liquidity, commodities, capital availability, and credit ratings. Following is a summary of the major events that have transpired under each financial risk category.

Capital Costs

Because commercial banks are fearful of lending to high-risk entities, U.S. junk bonds are now trading at more than 14 percentage points above comparable U.S. Treasury bonds relative to a spread of less than 6 percentage points in September 2008. Companies such as Texas-based El Paso Corp., one of the largest U.S. natural gas producers, were recently charged a 15.25 percent interest rate to borrow US $500 million for five years. As a result, delaying near-term growth plans may be an appropriate strategy for companies with junk bond status given exorbitant capital costs.14

Capital Availability

Except for GMAC and Chrysler Financial (the financing arms of General Motors and Chrysler), which offer 0 percent financing to near sub-prime U.S. consumers after receiving Troubled Asset Relief Fund Program (TARP) funds, only the highest creditworthy consumers and businesses are receiving loans. Obstacles to obtaining debt financing are compounded by declining consumer credit scores and business credit ratings.

The challenge for financial institutions is to satisfy regulators who want to see more bailout monies lent out, while not making high-risk lending decisions that got them into the current crisis in the first place.15 Thus, credit markets have only partially thawed.

Liquidity Risks

Participants at KPMG’s 2008 Audit Committee RoundtablesIII reported that liquidity risks were their top risk concern. This is especially true for commercial banks and insurance companies as stock sales satisfy about 20 percent of their liquidity needs. The remainder of their liquidity needs normally come from short-term borrowings and commercial paper, two options that are currently limited.

The hedge fund industry also is facing a liquidity crisis that is forcing the selling of billions of dollars in securities to meet investor withdrawal demands and lenders’ increased collateral requirements.16 As a result, many funds were liquidated in 2008, such as London-based Peloton Partners, which collapsed over bad bets on U.S. mortgages; Ospraie Management’s biggest commodity fund; and Citigroup’s Old Lane Partners. It is estimated that half of all hedge funds will either be liquidated or experience severe cash shortages in 2009.17

III KPMG’s Fall 2008 Audit Roundtable series involved more than 2,900 participants who were surveyed in 26 different sessions across the U.S.

4

Currency Translation Risks

The “flight to safety” in U.S. treasuries has caused the euro to weaken against the U.S. dollar by 15 percent since July 2008.18 The Federal Reserve also announced in January 2009 it will not set numerical targets for how much money it will pump into the financial system to mitigate inflation fears in the foreseeable future.19

The yen has appreciated nearly 30 percent against the U.S. dollar in 2008 due to the relative strength of its public companies and its relatively low debt levels. However, Japan’s export volume declined by 26 percent in late 2008. Thus, the appreciation of the yen may cause export-driven profits in Japan to decline further in 2009.20

The worsening recession and dramatic interest rate cuts in England may cause the pound to fall to virtual parity with the euro for the first time — the euro strengthened nearly 18 percent against the pound in December 2008 alone.21 The pound also fell to an all-time low against the yen in January 2009.22

Commodity Risks

Commodity prices and related demand have plummeted in the third and fourth quarters of 2008. For instance, Rio Tinto, the third largest mining company in the United Kingdom, has cut 14,000 jobs and slashed capital spending for 2009 by 56 percent (US $5 billion) to sustain profitability as demand and related prices for iron ore and other minerals have declined dramatically. The company also is struggling under the weight of US $39 billion in debt amassed when it bought Canadian aluminum maker Alcan in 2007.23

U.K.’s Anglo American, the largest producer of platinum and a major producer of copper and nickel, has shelved ambitious expansion plans by dramatically reducing capital spending for 2009 by US $4.5 billion to address declining global demand.24

LyondellBasell Industries — the third largest independent chemical company based in The Netherlands — is seeking bankruptcy protection for its U.S. operations and one of its European holding companies.25 Falling oil and natural gas prices have reduced the value of its inventory, thus making it harder to meet the debt service payments on its US $8 billion bridge loan used to buy out the company a year ago.

Alcoa, the largest aluminum producer headquartered in the United States, announced it was instituting salary and hiring freezes, eliminating 15,000 jobs, reducing capital expenditures by 50 percent in 2009, and cutting aluminum production by 18 percent to reflect declining demand. Alcoa reported a US $1.19 billion loss for the fourth quarter amid a 19 percent decline in sales.26

Credit Rating Risks

Standard and Poor’s (S&P), which has been criticized for not downgrading high-risk entities prior to the global economic crisis, has begun to take seriously the call to downgrade the debt rating of noncredit worthy companies. For instance, S&P lowered its credit rating for AutoNation, the U.S.’s largest auto dealership chain, to junk status amid slumping demand for autos in the country.27

S&P also is considering lowering General Electric’s triple-A credit rating due to capital unit funding concerns.28

S&P recently downgraded Russia’s credit rating resulting in higher rates on government-issued debt instruments to compensate investors for the additional default risk.29 Similarly, S&P downgraded Greece’s sovereign credit rating one notch to A minus30 due to the country’s high-debt to gross domestic product (GDP) ratios and the largest account deficit in the European Union (EU). And Spain, the EU’s former star economy, became the second EU country to suffer an S&P downgrade of its government debt31 as unemployment soared to 13.9 percent.32

Trading Operational Risks. In the area of trading operational risks, the primary issue is the dramatic decline in oil prices due to decreasing global demand in the third and fourth quarters of 2008. Consequently, the Organization of Petroleum-Exporting Countries (OPEC) responded by announcing the largest supply cut on record — 2.2 million barrels a day.33 However, it has had little effect as global oil prices have declined by 70 percent since July 2008.

5

One bit of good news is that companies such as Southwest Airlines routinely hedge against fluctuations in jet fuel prices that result in offsetting other gains on its income statement when fuel prices increase, as in the first half of 2008, and in offsetting other losses when fuel prices decline, as in the second half of 2008. This hedging strategy substantially reduces earnings volatility. However, Southwest’s hedging strategy may not reap huge rewards in 2009 as the global economic crisis continues and oil prices remain at low levels.

Compliance Risks ____________________________________________

Compliance risks are divided into the following two categories: debt compliance and reporting and fraud risk. Following is a summary of the major events that have transpired under each compliance risk category.

Debt Compliance. It is no longer guaranteed that loan covenant violations will be waived by lending institutions. Instead, higher interest rates and lower credit limits are likely outcomes, while in other situations loans may be called immediately. One entity struggling with debt compliance is German tire maker Continental, which could breach terms on a US $14.3 billion bank loan if earnings decline sharply as expected in the first quarter of 2009.34

Reporting and Fraud Risk. It is common for recessions to cause an increased disclosure of fraudulent financial reporting schemes. The current crisis is no exception with several mammoth fraud disclosures in late 2008 and many more expected in 2009. Examples of reporting and fraud risk events are described below.

Madoff’s Ponzi Scheme

In late 2008, Bernie Madoff made headlines by admitting to a three decade Ponzi scheme (i.e., a scheme that involves paying off early investors with proceeds from later investors). In the Bernie Madoff case, investors wanted to withdraw as much as US $7 billion. However, since Madoff had skimmed most of the proceeds, there were only about US $200 million in cash reserves to cover existing withdrawals. After learning of substantial delays in the process of withdrawing money from the fund, a flood of investors attempted to remove their US $50 billion in investments to no avail.35

Unlike past Ponzi schemes, which have targeted lower income and unsophisticated investors, Madoff’s fraud scheme materially affected European banks from Spain (e.g., Banco Santander and Fairfield Greenwich Group) and Switzerland (e.g., Union Bancaire Privee) to France (e.g., BNP Paribus) and Austria (e.g., Bank Medici). For instance, Banco Santander lost US $3.2 billion of investor assets, while the Fairfield Greenwich Group lost US $7.5 billion of investor assets. In addition, Banco Santander and Bank Medici are under investigation for potential collusion among them, Fairfield Greenwich Group, and Madoff.36 Furthermore, U.S. insurance companies such as Mass Mutual lost US $3.3 billion of investor assets, while many wealthy individuals and numerous Jewish charities lost billions of dollars.37

Because the U.S. government only insures the first $500,000 of Madoff-related losses, many wealthy individuals and charities will lose billions of dollars unless TARP-like funds are used to bail out these individuals and charities. Total government net tax losses may total US $20 billion based on refund requests from approximately US $10 billion in taxes paid on phantom earnings and realized losses that may result in about US $10 billion in tax write-offs against earnings.38

The primary lesson learned from this fraud is that money managers and the U.S. Securities and Exchange Commission (SEC) have an obligation to conduct due diligence, especially because there were credible and specific allegations against Madoff as far back as the early 1990s. Unfortunately, eight SEC investigations of Madoff’s operations since the early 1990s, including at least two direct interviews, did not uncover the fraud. For instance, in 2005 the SEC received a 10-page written report from Harry Markopolos, a certified fraud examiner (CFE), identifying 13 red flags that challenged the legitimacy of Madoff’s firm.39 In response to these allegations, SEC staff

6

relied on Madoff’s voluntary production of statements and reports instead of using subpoena power to conduct an in-depth investigation.40 What’s more, U.S. investment bankers, who conducted appropriate due diligence, privately harbored suspicions about the legitimacy of Madoff’s business, thus, steering clients away from dealing with him. However, they were reluctant to share their concerns with regulators.41

Stanford Investment Fraud

In 2009, Allen Stanford, chief executive officer (CEO) of Caribbean-headquartered Stanford International Bank, was charged with masterminding an US $8 billion investment fraud. He lured investors by offering above market returns on certificates of deposit over the past 17 years. However, he used most of the investments to purchase real estate, including substantial purchases in Florida, a state that has experienced dramatic declines over the past two years. The SEC warned that the vast majority of investor funds have been unaccounted.42

Mortgage Fraud

Due to extremely lax loan origination requirements, mortgage fraud is believed to have skyrocketed over the last few years and contributed to elevated mortgage foreclosures. Estimated annual losses from mortgage fraud range from US $4 billion to US $6 billion since 2006, at least a 100 percent increase since 2005. The U.S. Federal Bureau of Investigation (FBI) stated active mortgage fraud cases increased to nearly 1,600 in 2008 from 400 in 2003 and involve unscrupulous property appraisers, real estate brokers, and accountants, among others.43

A fairly common mortgage fraud scheme in 2005–2007 involved colluding property appraisers, real estate brokers, and accountants willing to draw up fake income statements and tax returns and recruiting low-income individuals to serve as strawIV buyers in a home purchase. The conspirators grossly inflated the value of the property to get the largest loan possible. This was successful only because many loan underwriters did little, if any, due diligence. The conspirators paid the seller the original purchase price and then pocketed the excess loan money. The straw buyer was often bribed with only US $5,000, and the property was quickly abandoned to foreclosure.44 In some U.S. regions, fraud may account for half of all foreclosures.45

Enron-like Indian Fraud

The global financial crisis generated another victim in the form of an Enron-like fraud in India. Satyam Computer Services is India’s fourth-largest software services provider, with IT outsourcing clients such as General Electric, General Motors, Caterpillar, Nissan, Cisco Systems, and Sony. The company’s chairman, founder, and chief financial officer (CFO) resigned after admitting to overstating revenues by US $122 million, overstating cash balances by US $1 billion, and understating liability balances by US $256 million, which resulted in a dramatic overstatement of profits over a five-year period. The company’s stock price plunged by 78 percent on the day that the fraud was disclosed.

With the independence of the board in question, Indian authorities fired all board members and arrested the former chairman and founder.46 The government expanded its investigation to hundreds of other companies linked to Satyam and the founder’s family.47 Red flags that bogus cash balances might have existed, but were not detected by its former external auditor, included a reported net income increase of 20 percent compared with a 61 percent operating cash flow increase in 2007 and ending cash balance increases of 105 percent from 2006 to 2008.48

Similar to the Parmalat fraud that included a bogus US $4.9 billion cash balance at a New York branch of Bank of America, the manual cash confirmation process failed to detect this overstatement. Consequently, Deloitte and KPMG have been appointed as the new auditors to restate the financials and attest to their veracity as quickly as possible.49

IV Straws refer to individuals whose actions unknowingly help fraudsters create a layer of anonymity between themselves and the crime. Often straws will be paid cash sums to open a bank account that is surrendered to the fraudster or in this case to originate a fraudulent home mortgage.

7

Nontransparent Disclosures

Anglo Irish Bank’s chairman switched tens of millions of dollars in personal loans among different banks to try to obscure the extent of his borrowings from the bank. Both the chairman and CEO immediately resigned after this disclosure.

AIG announced US $10 billion in speculative trade losses in December 2008. However, no past disclosure indicated AIG had been gambling with its own capital. The lesson learned is to carefully study corporate risk-based disclosures for reasonableness.50

Retail Shoplifting

As global unemployment is on the rise, retail shoplifting has increased at the vast majority of U.S. and European retailers.51 For instance, Scotland’s law enforcement agencies reported a 14 percent increase in retail shoplifting between April and December 2008 compared to the same period in 2007. Within one Scottish district, retail shoplifting increased 30 percent in 2008.52

14 Derby, Michael and Liz Rappaport, “Safety Trumps Yield in Bill Sales,” Wall Street Journal, Dec. 10, 2008, C1 and C2. 15 Lipton, Eric and Ron Nixon, “In Michigan, Bank Lends Little of Its Bailout Funds,” New York Times, Jan. 13, 2009. 16 Strasburg, Jenny and Gregory Zuckerman, “Hedge Fund Selling Puts New Stress on Market,” Wall Street Journal, Nov. 7, 2008, A1. 17 Zuckerman, Gregory and Jenny Strasburg, “For Hedge Funds, No Escape,” Wall Street Journal, Jan. 2, 2009, R7. 18 Staler, Joanna and Joellen Perry, “On Euro’s 10th Birthday, No Music,” Wall Street Journal, Dec. 16, 2008, C1. 19 Hilsenrath, Jon, “Fed Likely to Keep Focus on Rates, Loans,” Wall Street Journal, Jan. 23, 2009, A4. 20 “Will Yen Intervention Be Holiday Surprise?,” Wall Street Journal, Dec. 18, 2008, C1. 21 Norman, Laurence, “Quid Pro Euro? U.K. Pound Nears Parity,” Wall Street Journal, Dec. 31, 2008, C14. 22 Slater, Joanna, “Troubles for British Sterling Serve As Warning for Dollar,” Wall Street Journal, Jan. 22, 2009, C1. 23 Ansberry, Clare, “Rio Tinto Slashes Jobs, Speeds Up Restructuring,” WSJ.com, Dec. 11, 2008. 24 “Anglo’s Cut Shows Slump May Endure,” Dec. 18, 2008, Wall Street Journal, C12. 25 Campoy, Ana and Marie Beaudette, “Lyondell’s U.S. Arm in Chapter 11,” Wall Street Journal, Jan. 7, 2009, B2. 26 Matthews, Robert G., “Alcoa Loss, $1.19 Billion, Starts Season On Sour Note,” Wall Street Journal, Jan. 13, 2009, B1. 27 “S&P Cuts Ratings on AutoNation,” Wall Street Journal, Dec. 26, 2008, C2. 28 “S&P Considers Downgrade of GE,” Wall Street Journal, Dec. 9, 2008, C1. 29 White, Gregory, “S&P Downgrades Russia, Citing Falling Reserves,” Wall Street Journal, Dec. 9, 2008, A6. 30 Walker, Marcus, Alkamn Granitsas and Joellen Perry, “Greek Credit Downgrade, German GDP Drop Intensify Europe’s Woes,” Wall Street Journal, Jan. 15, 2009, A6. 31 Perry, Joellen, “Euro-Zone Highflier Spain Gets Credit Downgrade,” Wall Street Journal, Jan. 20, 2009, A6. 32 Catan, Thomas, “Spain’s Jobs Crisis Leaves Immigrants Out of Work,” Wall Street Journal, Jan. 24-25, 2009, A5. 33 King, Neil, Jr., “OPEC’s Drastic Measures Fail to Counter Oil-Price Free Fall,” WSJ.com, Jan. 15, 2009. 34 Cimilluca, Dana and Mike Esterl, “Tire Maker Continental Pursues Debt Overhaul,” Wall Street Journal, Dec. 12, 2008, C11. 35 Fox Business News, Dec. 27, 2008. 36 Cohen, Sabrina, “Vienna Banker is Scrutinized As Madoff Fallout Spreads,” Wall Street Journal, Jan. 16, 2009, C1 and C2. 37 Laise, Eleanor and Dionne Searcey, “Firm Ran Vast Options Game; Charities Are Hit Hard,” Wall Street Journal, Dec. 16, 2008, A1 and A19. 38 Hirsch, Daniel, “Madoff Scam Will Hit the Feds Too,” Wall Street Journal, Dec. 26, 2008, A12. 39 Patterson, Scott, “The King of Ponzi Schemes,” www.acfe.com, Jan. 8, 2009. 40 Lattman, Peter and Aaron Lucchetti, “Losses in Madoff Case Spread,” Wall Street Journal, Dec. 15, 2008, A1 and A16. 41 Sener, Henny, “Wall Street red light’on Madoff,” Financial Times (www.FT.com), Jan. 7, 2009. 42 Scannell, Kara, Miguel Bustillo and Evan Perez, “SEC Accuses Texas Financer of Massive $8 Billion Fraud,” Wall Street Journal, Feb. 18, 2009, A1&A13. 43 www.fbi.gov/hq/mortgage_fraud.htm, Jan. 10, 2009. 44 www.reuters.com/article/inDepthNews/idUSN1246626320071113?feedType-RSS&feedName=inDepthNews&rp c=228sp=true, Jan. 10, 2009. 45 Corkery, Michael, “Fraud Seen as a Driver in Wave of Foreclosures,” Wall Street Journal, Dec. 21, 2007, A1&A14. 46 Guha, Romit, “Satyam’s Chairman Resigns After Inflating Profit, Revenue Figures,” WSJ.com, Jan. 7, 2009. 47 Bellman, Eric and Jackie Range, “Satyam Probe Could Ensnare Others,” Wall Street Journal, Jan. 17–18, 2009, B5. 48 Range, Jackie and Scott Patterson, “Pricewaterhouse Defends Its Audit Procedures,” Wall Street Journal, Jan. 9, 2009, B4. 49 Choudhury, Gauray, “New Auditors on Board, PwC Backs Out,” Hindustan Times (New Delhi), Jan. 15, 2009. 50 Ng, Serena, Carrick Mollenkamp and Michael Siconolfi, AIG Faces $10 Billion in Losses on Trades,” Wall Street Journal, Dec. 10, 2008, A1. 51 “Economy’s problems reflected in thefts,” Washington Post, Dec. 27, 2008, A1. 52 Nutt, Kathleen, “Recession Sees Theft Rise 30%,” The Sunday Times (London), Jan. 25, 2009, p. 9.

8

WHY ERM ALERTED SOME ORGANIZATIONS AND NOT OTHERS

Managing risks across all organizational functions is nothing new. However, a unifying process was not documented until COSO released its ERM framework in 2001. Although the financial services and insurance industries have the highest COSO ERM framework adoption rates, these two industries were the most adversely affected by the global economic crisis. As a result, critics are asking why ERM saved some companies within these industries — such as Aflac, Wells Fargo, BB&T, and J.P. Morgan — while others did not have the same luck. These issues are discussed in more detail below.

The Fannie Mae and Freddie Mac Failures ____________________________________________

Fannie Mae and Freddie Mac may be the two quintessential examples of failed ERM programs. Both companies employed chief risk officers (CROs), which is often viewed as a signal of a formal ERM program.53 However, Fannie Mae’s and Freddie Mac’s top management team failed to take seriously their CROs’ suggestions for improving their company’s ERM process. For example, former CRO Enrico Dallavecchia wrote in a July 2007 e-mail that Fannie Mae had one of the weakest control processes he had ever witnessed in his career. His e-mail was in response to being informed that the risk management budget would be cut by 16 percent. In addition, executives knew, because of CRO guidance, that many of their loans (i.e., sub-prime and Alt-AV) would be susceptible to loss if home prices declined, and there was concern that the rating agencies might not be properly assessing risk.54

What Went Wrong ____________________________________________

Fannie Mae and Freddie Mac have experienced a crisis of confidence in spite of implementing a formal ERM process. But, according to The Institute of Internal Auditor’s (IIA’s) and IIA Research Foundation’s Global Audit Information Network (GAIN) 2008 ERM Benchmarking Survey, only 40.4 percent of private-sector survey respondents have implemented a formal/written or informal ERM program. In addition, only 27.9 percent of these respondents felt either “satisfied” or “highly satisfied” with their organization’s overall risk management efforts. Many reasons exist for this low satisfaction level. Following is a description of the main reasons.

Barriers to Full Integration. Only 29 percent of respondents admitted their organizations have reached a “sustainable risk management maturity level” while nearly one-third of respondents indicated their ERM program has “lost momentum since its inception.” A lack of top management buy-in is the primary factor contributing to these responses because it is associated with a lack of resources devoted to the ERM effort. This includes a limited investment in ERM automated tools that can more efficiently capture and report key risk metrics, a limited investment in educating middle management on ERM’s strategic benefits, and a limited number of full-time staff to support the risk management effort.VI

One risk is that former top managers may be passionate about a fully integrated ERM process, but their replacements may not be as passionate. This may be a difficult situation to overcome unless the board of directors remains committed to sustaining the ERM program through hiring equally passionate new senior managers.

V An Alt-A loan, also called an alternative documentation loan, is a loan that holds borrowers with good credit to different approval standards than traditional loans. Those applying for an Alt-A loan need not provide income verification or documentation of assets. Instead, the approval for an Alt-A loan is based primarily on an individual’s credit score. People who are likely candidates for Alt-A loans include the recently divorced, entrepreneurs, the self-employed, and those who are paid on commission. VI Nearly two-thirds of GAIN survey respondents indicated their organization’s risk management program is supported by less than four staff members.

9

Risk Identification and Assessment. Another limiting factor includes the primary techniques used by respondents to identify and assess business risks. Although two-thirds of respondents use one-on-one management interviews to help identify key risks, only 38 percent use facilitated workshops that normally bring together multiple levels of management and internal audit to identify and assess key risks.VII Also, 60 percent of respondents use “guided judgment” by an insular top management and board as a primary method for assessing risk. Without input from business process owners and internal auditing, guided judgment may cause an organization to miss critical risks during the identification stage and subsequently dismiss risks having a low-likelihood or a low-dollar impact during the assessment stage, such as the risk of heightened sub-prime loan default rates. Several techniques for identifying and assessing enterprise risks were noted by GAIN survey respondents. However, less than half of all respondents answered these survey questions because they could not identify any internal channels that could be leveraged to identify key organizationwide risks.

Risk Response. To employ a uniform strategy for avoiding, accepting, reducing, and sharing critical business risks, an agreed-upon risk appetite or risk tolerance level must be documented and communicated clearly throughout the organization. Unfortunately, only 28 percent of respondents have a clearly documented and communicated risk appetite that defines the amount of risk the organization is willing to accept in pursuit of its objectives.

Reporting. Fragmented ERM reporting mechanisms result in only 9.7 percent of respondents reporting ERM activities to parties other than senior management and the board and its related committees. Normally, an effective risk management program is not possible without the involvement of business process owners who are more intimately aware of the day-to-day changes in existing business risks and emerging risks than top management is. As a result, nearly 50 percent of respondents were either moderately or highly dissatisfied with organizationwide risk management communications.

Monitoring. Subsequent monitoring of existing and emerging business risks on a frequent basis is critical to ERM success. However, 68 percent of respondents do not use any form of technology to monitor risks. In fact, only 18 percent of respondents monitor all identified risks with technology. One reason why technology is seldom used in risk management processes is because there are few viable third-party tools and techniques available. One exception appears to be offered by MethodWare, a New Zealand-based company. Their Enterprise Risk Assessor tool is the only ERM technology used by more than one GAIN respondent.55

According to Insiders. In recent interviews conducted on Dec. 17, 2008 and Jan. 19, 2009 with a top 10 U.S. bank controller and senior vice president, opinions were provided as to why ERM failed some of the largest U.S. banks. One major problem appears to be over reliance on standard QUANTVIII models. While exclusive use of these models has lost favor, QUANT models enjoyed great prestige in the 1990s and early 2000s. For instance, Monte Carlo simulations — a form of QUANT model — concluded material sub-prime loan losses had an extremely “low likelihood” of occurrence.

Unfortunately, the scenarios the models predicted to be once in a lifetime events occurred in rapid succession. In addition, these models rest on assumptions about normal, rational economic activities. Models assume stock prices are based on predictable logic and are not the result of random events occurring in succession. Furthermore, the models’ assumptions are not updated frequently enough to adapt to dramatic changes in the business environment such as the ones seen in 2008.56 As a result, it is critical to combine QUANT model results with in-depth, face-to-face business risk discussions with all levels of management. One bit of good news is that most GAIN respondents are not using QUANT modeling exclusively to assess key business risks.

VII Since GAIN survey respondents were allowed to select more than one primary method for identifying and assessing business risks, the summation of the percentage use of one-on-one management interviews, facilitated workshops, and guided judgment exceeds 100 percent. VIII QUANT models use complex mathematical equations to assist management in predicting market behavior and the likely magnitude of related gains and losses resulting from the occurrence of certain events.

10

The bank controller and senior vice president also stated that investment banking units had an adverse effect on more conservative commercial banking units after the repeal of the U.S. Glass Steagall Act.IX In other words, the investment banking units had an excessive risk appetite that caused them to acquire many sub-prime tranches and encourage the commercial banking unit to originate many sub-prime loans. Thus, the repeal of the act in 1999 appears to have contributed to the current mortgage crisis.

Bruce Caplain, managing director of internal auditing at New York-based Blackstone Group, explained that ERM problems stem from three primary issues. In addition to addressing a lack of top management buy-in, boards of directors should establish risk committees that meet on a frequent basis and include individuals with meaningful risk management experiences. For instance, Lehman Brothers established a risk committee, but it proved to be ineffective as its members met only two to three times per year and lacked practical risk management experience.

Second, inferior organizational governance contributes to an ineffective ERM program. In other words, companies fail to strike a balance between managing risk in a way that is either too rigid or formal or too informal. Either extreme may cause a company to miss the identification of key existing and emerging organizationwide risks.

Third, Caplain explains that even if the ERM framework is sound, its implementation may be flawed due to a lack of a common risk management definition. For instance, if 100 different employees were asked to define risk management, there might be 100 different answers. Not only is it critical to define and communicate a uniform definition of risk management throughout the organization, but also uniformly define the events posing the greatest risk to the organization’s ability to achieve strategic objectives.57

Unfortunately, one-quarter of GAIN respondents do not use uniformly defined event categories (e.g., strategic, operational, and compliance risks) to help consolidate similar potential risks that may adversely affect their company.

The Herd Mentality. One additional reason why ERM processes may have failed to prevent the global economic crisis is that too many organizations were tempted to follow others who engaged in high-return, high-risk investments. For instance, Bruce Bent, co-founder of the first money market fund, espoused for decades an ultra-conservative investment philosophy. However, in 2006 and 2007 he was tempted to invest billions of dollars in Lehman Brothers’ commercial paper among other investment banks. Bent paid dearly for this decision — in late 2008, 21 of his 26 funds were liquidated with total investments approaching US $89 billion dollars.58

Examples of Success Stories ____________________________________________

Despite all the problems, some companies are realizing the benefits of a solid ERM program. These companies, because of sound risk-management decisions, stand to excel far beyond their peers once the dust of this economic crisis settles.

Aflac. Aflac, a top-five U.S. insurer, adopted sound ERM strategies allowing it to avoid many AIG-related hardships. Aflac’s board adopted a philosophy that if they could not understand a new financial instrument with relative ease, they would not insure it. As a result, Aflac opted not to insure complex instruments such as collateralized debt obligations and high-risk mortgage-backed securities against default.

Wells Fargo and BB&T. Two large commercial banks that did not fall into the sub-prime loan trap were Wells Fargo and BB&T. Fully integrated ERM analyses by the board, CRO, CAE, audit and risk committees, and business process owners at both banks concluded that the potential long-term costs of

IX The Glass Steagall Act was passed in 1933. Among other things, the act mandated the separation of commercial banks and investment banks. Many provisions of the act, including this one, were reversed in 1999 with the passing of the U.S. Gramm-Leach-Bliley Act.

11

sub-prime investments exceeded the short-term origination fees and higher interest revenue benefits. Because of these sound strategic decisions, these banks are buying other financially distressed banks for pennies on the dollar. For instance, Wells Fargo recently purchased Wachovia Bank, while BB&T recently purchased some local banks in Florida.

J.P. Morgan. The company’s audit committee chair meets with the CFO two to three times per week and travels the world looking into events that may pose a substantial risk to the bank. Due to his dedication, J.P. Morgan’s relatively strong financial condition has allowed it to acquire Bear Stearns and Washington Mutual for a fraction of their 2008 market caps. The audit committee chair believes most audit committees are overly confident management has a solid understanding of key business risks. Instead, audit committees should employ a “trust but verify” mentality when assessing the level of management’s understanding of key business risks.

Examples of Positive Trends ____________________________________________

Eighty-five percent of participants at the 2008 KPMG Audit Committee Roundtables indicated the current financial crisis has caused them to reconsider the adequacy and effectiveness of their company’s governance processes for managing business risks. This percentage is much higher than two years ago when audit committee and board members were not engaged enough in ERM-related issues. Thus, most audit committee members plan to begin asking top management questions such as:

What are our company’s primary risk issues?

What are the primary dimensions of governance and risk management?

What are the tools used by our company to address risk management?

Participants at the 2008 KPMG Audit Committee Roundtables also stated the largest U.S. banks are finally beginning to bring senior management, the board and its committees, and business process owners together to discuss the universe of potential risks and objectively assess their likelihood and potential dollar impact. This has greatly enhanced ERM communication throughout these organizations in late 2008. Similarly, 75 percent of CFOs who responded to a recent CFO research survey indicated that ERM now outranks long-term and short-term debt financing, equity financing, relationships with financial institutions, and pension-plan asset allocation in relative importance.59 Hopefully, this mindset will continue after the global crisis ends.

53 Liebenber, Andre and Hoyt, Robert, “The Determinants of Enterprise Risk Management: Evidence From the Appointment of Chief Risk Officers,” Risk Management and Insurance Review, 2003 Vol. 6, No. 1, 37–52. 54 Hagerty, James, “Fannie, Freddie Executives Knew of Risks,” Wall Street Journal, Dec. 10, 2008, A2. 55 www.methodware.com/solutions/solutions_erm.shtml; accessed Jan. 20, 2009. 56 Urstadt, Bryant, "The Blow-Up; The Quants Behind Wall's Streets Summer of Scary Numbers," Technology Review, November/December 2007: 36–43. 57 Caplain, Bruce, “Risk Management: Why it Failed, How to Fix it” Internal Auditor Online, www.theiia.org/intAuditor/free- feature/risk-management-why-it-failed-how-to-fix-it-ii/. 58 Stecklow, Steve and Diya Gullapalli, “A Money-Fund Manager’s Fateful Shift,” Wall Street Journal, Dec. 8, 2008, A1 and A15. 59 Plourd, Kate, “Rethinking Risk,” CFO.com, Jan. 1, 2009.

12

ARE ORGANIZATIONS DISCUSSING THE RIGHT EXTERNAL RISK QUESTIONS?

Results from the 2008 GAIN ERM Benchmarking SurveyX indicate less than one-quarter of respondents rely on industry publications and data from industry-affiliated groups as an input into their ERM analyses, while less than 10 percent of respondents consider recommendations from external audit reports as an input into their ERM analyses. Thus, most respondents rely almost exclusively on internal data for assessing business risks, which may cause them to overlook key external risks. External risks such as the failure to consummate mergers and acquisitions (M&As), the health of supply chains, outsourcing partners, and insurance companies are ever-present in the global crisis. Following is a discussion of each area.

M&As ____________________________________________

Global M&A activity declined by 29 percent in 2008 relative to 2007 including an almost nonexisting fourth quarter.60 For instance, in the fourth quarter the largest proposed leveraged buyout failed when a private-equity consortium backed out of an offer to acquire Canadian-based Telecom for US $41 billion. Also in the fourth quarter, Australia’s BHP Billiton Ltd.’s offer for rival Rio Tinto, at one point valued at US $144.5 billion, unraveled as demand for iron ore and other minerals declined dramatically.61

Private-equity firms, which have consummated some of the largest global deals in the past decade, are now at great risk. It is estimated that 20 percent to 40 percent of these firms may fail over the next 18 months because of excessive debt levels and reduced cash flows due to limited new deal prospects.62

For instance, Cerberus Capital Management in New York signaled a willingness to sell part of its ownership in Chrysler to salvage the value of its ownership interests in GMAC and Chrysler Financial.63

The Middle East also is no longer a safe haven for deal making. The Kuwaiti government recently pulled the plug on a multibillion dollar joint venture with Philadelphia-based Dow Chemical that would have provided billions of dollars necessary to finance the purchase of Michigan-based Rohm & Haas, a specialty chemical manufacturer and a big part of Dow’s effort to overhaul its operations and increase profits. The Kuwaiti government bailed out of the joint venture amid fears that plunging oil prices made the deal less attractive. The result: Dow’s stock has declined more than 50 percent since September 2008, and S&P lowered its debt rating to only two notches above junk status.64 After reporting a US $1.55 billion loss in the fourth quarter of 2008, Dow announced it is considering slashing its dividends, closing more plants, and possibly selling dozens of businesses.65

One bright spot for global M&A activity is Japan, where deals increased by 231 percent in 2008 relative to 2007, because healthy firms are flush with cash while potential competitors are sidelined by excessive debt and limited cash reserves. The stronger yen also makes overseas purchases cheaper, even though it also makes Japanese exports more expensive.66

Supply Chain Risks ____________________________________________

Companies that rely on key suppliers to provide high-quality raw materials on a just-in-time basis in exchange for price concessions may be exposed to the devastating effects of a key supplier’s bankruptcy or liquidation in 2009. For instance, many of the Big Three U.S. car manufacturers’ (i.e., General Motors, Chrysler, and Ford) and Toyota’s major parts suppliers are on the verge of bankruptcy. This is especially problematic because auto makers tend to provide sole-source contracts for individual parts.

X The GAIN 2008 ERM Benchmarking Survey was sent to 1,400 chief audit executives (CAEs), of which 240 completed the survey. However, only 165 of the responding companies had a formal (e.g., written) or informal ERM processes. Thus, references to this survey are based on these 165 companies referred to as the “respondents,” of which approximately two-thirds are U.S. parent companies and one-third are non-U.S. parent companies.

13

Therefore, if a key supplier goes out of business it may take months to shift procurement to another supplier, especially for highly engineered parts. General Motors is struggling with this issue as they sue a recently liquidated Chevy Camaro parts manufacturer that has been slow to return their tooling equipment so that General Motors can allow a new supplier to produce comparable parts in the near future. The damage caused by this single former parts provider may cause a shutdown of several General Motors assembly plants, disrupting not only the company’s business but also the operations of countless suppliers and dealers.67

Another supply chain risk for the Big Three U.S. auto makers has been the health of their lending arms. GMAC, Ford Motor Credit, and Chrysler Financial are crucial to the survival of the Big Three U.S. auto makers because they historically provide the majority of the auto makers’ customer financing. However, in 2008 the lending arms began focusing on protecting their own profits at the expense of the auto makers by eliminating customer leases and tightening lending standards. With banks limiting their loans to only the highest credit worthy consumers, many dealerships could not consummate sales.68

To help ease matters, the Federal Reserve recently stepped in and allowed GMAC to become a bank-holding company creating access to US $5 billion in TARP funds. As a result, GMAC has slashed its loan rates and lowered its lending standards to the edge of sub-prime territory to help dealers sell more cars.69

The Federal Reserve also extended funding to Chrysler Financial resulting in similar lowered lending standards and loan rates. However, unlike the other two companies, Ford Motor Credit chose not to accept TARP funds. As a result, the company is struggling to offer comparable loan rates to consumers and is now in negotiations with the Federal Reserve to potentially obtain similar funding.

Outsourcing Risks ____________________________________________

The previously discussed Satyam Enron-like fraud may have dramatic effects on the IT outsourcing industry if clients take their business elsewhere. For instance, other reputable IT outsourcing providers may successfully attract former Satyam clients but struggle to provide comparable service levels to existing clients. Thus, organizations who have engaged in IT offshoring should consult their current provider to assure they will provide the same level of service even if they acquire new clients in the near future.

Also, organizations should consider assessing their IT outsourcing provider’s current financial condition to help ensure they are not experiencing Satyam-like financial distress. One bit of good news: 10,000 job losses at Satyam may put downward pressure on industry salaries. Thus, now may be an ideal time to renegotiate IT offshoring contracts at lower rates.70

Insurance Company Risks ____________________________________________

Many global organizations have relied on AIG for their insurance needs. Unfortunately, after insuring billions of dollars of high-risk mortgage-backed securities against default, AIG has had to accept US $40 billion in direct government assistance and obtain a US $45 billion government line of credit in exchange for a 50 percent government ownership interest. Since the line of credit charges an annual 9 percent interest rate, AIG is desperate to sell off business units to raise the needed capital to repay these loans. However, it is estimated AIG may have to sell virtually all of its assets to repay these government loans. The lesson learned is that organizations should mitigate their exposure to a single insurer by cultivating closer relationships with multiple insurers to understand their key risks more effectively as a basis for deciding whether or not to conduct business with them.XI

XI A similar risk mitigation strategy should be taken with banks.

14

60 “Global Merger Activity in 2008 Fell 29 Percent,” Wall Street Journal, Jan. 2, 2008, R8. 61 Vaughan, Liam, “Deal Spreads Widen as Investors Grow Fearful of Prospects,” Wall Street Journal, Jan. 12, 2009, C3. 62 “Buyout Firms Face Massive Failures,” Wall Street Journal, Dec. 22, 2008, C6. 63 Moore, Heidi and Jeffrey McCracken, “GM and Chrysler Reopen Talks on Merger,” WSJ.com, Dec. 18, 2008. 64 Johnson, Keith, “Dow Chemical Takes Credit Hit as Kuwait Deal Unravels,” Wall Street Journal, Dec. 30, 2008, B1. 65 Eaton, Leslie, Ana Campoy and Margaret Coker, “Big Loss Raises Heat on Dow Chemical,” Wall Street Journal, Feb. 4, 2009, A1. 66 Hayashi, YU.K.a, “Japanese Firms, Flush With Cash, Step Up Deals,” Wall Street Journal, Jan. 6, 2009, B1. 67 Terlep, Sharon, “GM Sues for Access To Parts for Camaro,” Wall Street Journal, Dec. 27–28, 2008, B5. 68 Kellog, Alex, “Chrysler Is Hobbled by Former Finance Arm, Wall Street Journal, Feb. 2, 2009. B1. 69 “Hank’s Deals on Wheels,” Wall Street Journal, Dec. 31, 2008, A8. 70 Lebeaux, Rachel, “Action Steps for Non-Satyam Customers,” SearchCIO.com, Jan. 22, 2009.

15

HOW SHOULD INTERNAL AUDIT ACTIVITIES RESPOND?

Internal auditors have a historic opportunity to use the lessons learned from this Knowledge Briefing to promote the creation of newly integrated ERM processes or to enhance existing ERM processes within their organization. The global crisis has caused the majority of audit committee members and CFOs to reconsider the adequacy and effectiveness of their company’s processes for managing business risks. These audit committees may be persuaded by the success stories of companies such as Aflac, BB&T, J.P. Morgan, and Wells Fargo, which have truly embraced a fully integrated ERM process, thus, standing to excel far beyond their peers in the future.

Internal auditors also can persuade boards and their audit committees that the risk of fraudulent financial reporting and asset theft is skyrocketing, in part, because many organizations have not adequately identified, assessed, and mitigated key external or strategic, operational, and compliance risks over the past few years. For instance, unmitigated business risks, such as poor M&A decisions that generate huge losses, puts increased pressure on top management to engage in fraudulent reporting to help buy a few additional quarters to try and turn around the company. Middle managers who fear losing their jobs in the midst of the global economic crisis also are more likely to rationalize asset theft schemes.

As both business advisors and the eyes and ears of the audit committee, internal auditors are well positioned to make the following recommendations for improving ERM processes:

Primary ERM leadership should be within a board-level risk committee or CRO that has substantial practical risk management experience. The risk committee or CRO should have an adequate full-time support staff to implement an enterprisewide initiative effectively. (The results of the GAIN survey indicate that a support staff of less than four full-time members appears inadequate to support an effective ERM process.)

Promote a common definition of risk management throughout the organization and a uniform definition of events posing the greatest risk to the organization’s ability to achieve strategic objectives such as distinct event categories (e.g., strategic, operational, and compliance risks).

To identify and assess critical risks more effectively, promote regular interviews and self-assessment workshops attended by top management, internal auditing, and business process owners. Excluding middle managers from these brainstorming sessions will yield suboptimal decisions, such as:

o Promoting the consideration of ERM technology (e.g., MethodWare’s Enterprise Risk Assessor, which is used by nearly 1,700 companies) to enhance the organization’s ability to capture and report critical ERM risks throughout the organization.

o An insular approach that does not consider data from industry publications, industry-affiliated groups, external risks (e.g., supply chain components), and IT outsourcing partners will likely exclude critical business risks from consideration.

o A risk identification and assessment method that focuses exclusively on QUANT models will not be successful. These models are one of several methods that, when used in combination, can yield optimal results.

An agreed-upon risk appetite or risk tolerance level must be documented and communicated clearly throughout the organization. Otherwise, uniform strategies for avoiding, accepting, reducing, and sharing critical business risks will not be possible.

Leverage ERM as a means to enhance the efficiency and effectiveness of compliance efforts with Section 404 of the U.S. Sarbanes-Oxley Act of 2002. Otherwise, organizations might be unable to know when it has the right internal controls in place to help mitigate key business risks and whether it has allocated scarce internal control resources to the highest business unit and account areas.

Warn organizations about the dangers of “following the herd” when its direction is not consistent with ERM cost versus benefit analyses. For instance, BB&T established a sub-prime loan committee to investigate the possibility of entering this lucrative market, but it never generated a compelling proposal that persuaded management it could be profitable in the long term.

16

FINAL THOUGHTS

On the surface, there appears to be no near-term solutions to end the current global economic crisis. Unfortunately, the longer this crisis lasts, the more companies and consumers will be forced into bankruptcy. Common fears include how high unemployment numbers and low consumer demand will be for goods and services 12 months from now.

Efforts to end the global crisis through skyrocketing government-debt levels and incredibly loose monetary policies might sow the seeds for increasing inflation and the crowding out of private-sector growth, resulting in slow GDP growth for years into the future. However, companies that committed to a fully integrated ERM program are in the best strategic position to take advantage of investment opportunities now and in the future. Hopefully, the importance of ERM will not fade in the minds of top management and board members as the global crisis recedes.

17

APPENDIX A: COUNTRY-SPECIFIC CRISES AND STIMULUS PLANS ____________________________________

Global fiscal stimulus and tax cut plans now total more than US $2 trillion, excluding the U.S., after being nonexistent outside the country for most of 2008. Following is a summary of the main crises and stimulus plans by country.

China. Rising bankruptcies and layoffs in China have resulted in skyrocketing labor strikes to levels not seen since 1998. An estimated 60,000 labor arbitration cases are expected in 2008, twice the rate in 2007.71 In response, China recently announced a US $590 billion infrastructure and investment stimulus plan that will begin in 2009.72

Japan. Export volume declined by 26 percent in late 2008 relative to late 2007, the sharpest decline on record. Toyota, the country’s flagship exporter and corporate bellwether, projected its first annual operating loss since 1950 (US $3.8 billion) due to declining auto demand in the Unites States and Europe and the strengthening yen.73 In response, the Japanese government announced it will buy back US $30 billion in short-term business debt, provide US $140 billion in bank rescue funds, and spend US $73 billion on government stimulus programs.

Temporary workers, who represent one-third of the country’s work force, also have been laid off in record numbers. In response, the government has initiated a loan program for laid off temporary workers who were hired in mass the last few years to keep labor costs low amid intense global competition.74

Iceland, Ukraine, and Hungary. Developing countries are suffering the most from the global economic crisis because they rely extensively on developed nations to consume their products and services and to finance their business expansion. For example, the economic crisis is so severe in Iceland, Ukraine, and Hungary that they have requested and accepted multibillion dollar IMF loans. Public protests by the citizens of Iceland over the government’s ineffective handling of the crisis resulted in the recent collapse of its government.75

Turkey also is in discussions to obtain IMF loans since it could face difficulties in rolling over its US $280 billion of foreign-debt obligations.76 Additionally, Kazakhstan — Central Asia’s greatest economic power — holds 50 percent of its total borrowings from U.S. banks. When liquidity and credit are ample, developing countries thrive. However, when developed nations experience a recession, the developing world suffers more than developed countries.

Russia. In Russia, government gold and U.S. dollar reserves have declined by US $225 billion, the ruble has lost 35 percent of its value since August 2008,77 and hundreds of thousands of government employees have experienced delays in salary payments. As a result, S&P downgraded Russia’s sovereign debt rating for the first time since 1998.78 In response, the Kremlin has begun bailing out some of its largest companies in exchange for minority interests in these institutions. However, many business leaders fear that Kremlin bailouts may result in the renationalization of many companies.79

The EU. The EU may be facing its deepest recession since World War II in part because the least competitive and most indebted economies, such as Greece and Italy, have been hamstrung by high European Central Bank interest rates until quite recently. There also is global concern that these countries may default on their sovereign debt due to extremely high-debt to GDP ratios and the largest current-account deficits in the EU, which makes these countries especially reliant on external financing.80

The German government recently announced the largest fiscal stimulus and tax cut package in Europe — US $80 billion — after criticizing other EU countries for their ballooning budget deficits. Germany also created an additional US $130 billion business loan guarantee fund for those companies who can not raise vital financing from the troubled banking sector.81

18

United Kingdom. In October 2008, the British government announced a US $758 billion bank rescue plan. To date, however, the plan has failed to revive bank lending as domestic banks have not been able to fill the void left by foreign banks such as Fortis NV, a Dutch-Belgian concern, and Icelandic banks that have pulled out of the British market. Over the past decade, foreign banks have accounted for half of all corporate lending and almost half of all home-loan lending. Thus, in mid-January, the British Prime Minister dedicated an additional US $30 billion in loan guarantees to small and mid-size companies.82

Additionally, on Jan. 20, 2009, the British government announced an asset protection plan that will insure a majority of losses banks face from toxic commercial and residential mortgage loans in exchange for specific lending commitments and the absorption of initial losses. The purpose of this plan is to reduce fears of nationalization of the most financially distressed institutions, such as the Royal Bank of Scotland (RBS) and Lloyds, in which the government already has an ownership interest of 70 percent and 43 percent, respectively. Analysts at Bank of America’s Merrill Lynch estimate that the government may end up insuring US $158 billion in troubled bank assets. The alternative, bank nationalization, may saddle taxpayers with US $4 trillion in additional liabilities, an amount far exceeding the country’s annual GDP.83

United States. The median sales price of existing homes was 13.2 percent lower in late 2008 relative to late 2007, the largest yearly drop in the four-decade history of home price surveys. It is estimated that 45 percent of existing home sales in late 2008 were linked to foreclosures,84 and U.S. mortgage foreclosures are expected to remain at record levels including estimates of 8.1 million additional foreclosures over the next four years.85

The mortgage crisis also has greatly affected the banking sector. For instance, in spite of receiving direct government assistance of US $45 billion and toxic real estate loan guarantees of US $250 billion, Citigroup announced a US $8.3 billion fourth quarter loss. With its stock at a 16-year low,86 Citigroup plans to sell off about one-third of its assets, including spinning off its Smith Barney retail brokerage into a joint venture with Morgan Stanley, to reduce its debt load.87

Even companies with relatively benign debt-to-asset ratios are hesitant to implement their growth strategies by assuming additional debt for fear that the global recession will further weaken demand for their goods and services in 2009. U.S. government proposed tax cuts and stimulus plans now exceed US $6.5 trillion, including more than US $2.5 trillion in approved Federal Reserve and U.S. Federal Deposit Insurance Corporation (FDIC) spending and loan guarantees.

Besides the approved Federal Reserve and FDIC spending and loan guarantees outlined above, other stimulus and bank bailout plans totaling nearly US $4 trillion include: US $160 billion in stimulus checks sent during the spring of 2008 and US $200 billion in Federal Housing and Financial Authority funding to bail out Fannie Mae and Freddie Mac in September 2008. Under TARP, US $700 billion is being spent

to further rescue the banking industry and consumers and businesses near bankruptcy. Unfortunately, similar to the United Kingdom, the U.S. plan has not been successful. For instance, US $350 billion of TARP funds were used to provide direct monetary assistance to the largest U.S. banks and the auto industry.

However, instead of using most of these funds to increase consumer and commercial lending, U.S. banks have shored up their weak financials and purchased distressed community banks for pennies on the dollar when a relatively modest TARP investment would have kept them afloat.88 In 2009, remaining TARP funds are expected to be used to help bail out consumers and small businesses that are on the verge of bankruptcy.

In response to the failed TARP program, the U.S. Treasury announced a US $2 trillion plan to repurchase toxic bank assets. However, critical details of the plan remain unanswered.89 Finally, President Barack Obama was successful in passing a US $790 billion welfare, state government bailout, infrastructure, health-care, and tax cut program. Whether it will stimulate the economy remains uncertain.

19

Finally, the Federal Reserve recently announced that Bank of America will receive an additional US $20 billion in government funding to help close its Merrill Lynch acquisition,90 in part because the bank’s inadequate pre-acquisition due diligence caused it to understate Merrill’s sub-prime loan exposure.91

71 Oster, Shai, “China Faces Unrest As Economy Falters,” Wall Street Journal, Dec. 22, 2008, A8. 72 Areddy, James, “China Cuts Rates, as Rare Reserve Decline Reported in Press,” Wall Street Journal, Dec. 23, 2008, A5. 73 Murphy, John and Yoshio Takahashi, “Toyota Flags $3.84 Billion Full-Year Loss,” WSJ.com, Feb. 6, 2009. 74 Tabuchi, Hiroko, “Japan Unveils Stimulus As Economy Gets Worse,” Wall Street Journal, Dec. 13–14, 2008, A8. 75 Forelle, Charles, “Iceland’s Leadership Collapses as Ire Over Crisis Continues,” Wall Street Journal, Jan 27, 2009, A6. 76 Barkley, Tom, “Developing Countries Feel Slump,” Wall Street Journal, Dec. 10, 2008, A9. 77 Slater, Joanna and Gregory White, “Russia Faces Tough Fight on Ruble,” Wall Street Journal, Feb. 4, 2009, C1. 78 “Ruble Is Down 18.6 Percent,” Wall Street Journal, Dec. 30, 2008, A5. 79 White, Gregory and Dana Cimilluca, “An Oligarch’s Struggle,” Wall Street Journal, Dec. 22, 2008, A1. 80 Walker, Marcus, Alkman Granitsas and Joellen Perry, “Greek Credit Downgrade, German GDP Drop Intensify Europe’s Woes,” Jan. 15, 2009, Wall Street Journal, A6. 81 Walker, Marcus, “German Sets Out Stimulus Plan,” Wall Street Journal, Jan. 14, 2009, A6. 82 Mollenkamp, Carrick and MacDonald Alistair, “U.K. Widens Stimulus Plan but Still Faces Lending Gap,” WSJ.com, Jan. 14, 2009. 83 Munoz, Sara S., Carrick Mollenkamp, “Nationalization Fears Grow as U.K. Banks Struggle,” Wall Street Journal, Jan. 22, 2009, A6. 84 Reddy, Sudeep, “Recession, Tight Credit Compound Housing Woes,” Wall Street Journal, Dec. 24, 2008, A3. 85 Corkery, Michael, “Mortgage Cram-Downs Loom as Foreclosures Mount,” Wall Street Journal, Dec. 31, 2008, C1. 86 Kessler, Andy, “The End of Citi’s Financial Supermarket,” Wall Street Journal, Jan. 16, 2009, A11. 87 Enrich, David “Citi Sets Dramatic Plan to Shrink Itself,” Wall Street Journal, Jan. 14, 2009, A1 and A14. 88 Fox Business News, Happy Hour, Dec. 23, 2008. 89 Randall, Maya Jackson and Michael Crittenden, “Geithner Unveils Rescue Plan, but Details are Scarce,” WSJ.com, Feb. 10, 2009. 90 Fitzpatrick, Dan, Damian Paletta and Susanne Craig “Bank of America to Get Billions in U.S. Aid,” Jan. 15, 2009, A1 and A8. 91 Fitzpatrick, Dan and Susznne Craig, “Bank of America Goes on Offense,” Wall Street Journal, Jan. 17–18, 2009, B3.

20