Speaker 1: That's right, thank you. We live in an increasingly complex world and one of the results of that complexity is that a number of organizations are surprised when risks emerge that actually take them down. On the private sector side, you can think of the BP Gulf oil spill where complexities led to a huge disaster in the Gulf of Mexico. You can think of the GM ignition switch problem and in those cases, of course, people fire the CEOs, they fire people, companies are hurt seriously. In the case of the Takata airbags, you may actually see a company go out of business. On the government side, you see the same problem. The Veterans Administration had a series of veterans hospitals and it turned out that overstretched hospitals had long wait times, but the head of the VA had let it be known he didn't want to hear about long wait times. He wanted to hear that everybody was being dealt with within two weeks. If you tell me that's what I got to say, that's what I'll say. It turned out that VA hospitals, in fact, had such long wait times that veterans were dying before they got their healthcare. When that finally came to light, once again, they fired the secretary, they fired people down the organization and Congress started to do surgery on civil service protections in the VA. The same thing happened with the IRS where people were looking at exempt organizations and decided, not very bright, to look at organizations that all had the name Tea Party in it. When that came to light, the resulting explosion led to firing people from top of the organization down and Congress again did surgery on the IRS. The common element in all of this is that people at the top sit there thinking that everything is great and if you were to talk to people down in the organization, what you'd find is, gee, we got problems, we got problems, but there seems to be a layer of cork that stops the information from rising from the bottom to the top. I first learned about this when I was on the staff of the Financial Crisis Inquiry Commission and we would have all these officials from failed companies telling us how nobody could foresee the drop in housing prices. Well, it turned out in the midst of all the companies that failed, there were a number of companies that navigated the crisis and I began to understand the difference between successful companies and unsuccessful companies. And the answer, in my mind, had to do with information flow, that in the successful companies, you had a flow of information from bottom to top and top to bottom and across the silos so the barons would talk to each other. So in JPMorgan Chase, all of a sudden, their mortgage side realized that they were having serious delinquencies and the news immediately went up to the operating committee at the very top of this multi-trillion dollar organization. And there was a food fight among the executives, what's going on here? And they realized their delinquencies were better than their competitors' delinquencies. So the instructions went down, get rid of subprime mortgages. And that was in October of 06, well before the crisis. The same thing happened with Goldman Sachs in December of 06, where somebody reported, the head of their mortgage desk reported that where their model said they were supposed to make money for two weeks, they had lost money. Immediately the news went up and Goldman hedged their subprime portfolio. Those were the successful companies. So the lessons I took from that are that information flow is essential, but also warning signs are there. If you look at the post-mortem on the BP Gulf oil spill, or on Massey Mining where 29 miners were killed, or any number of disasters, the NASA space shuttle disasters, it is so clear in retrospect that there's a problem. Enterprise risk management is a way to deal with that. And it asks a simple question, what are the major risks that could stop us from achieving our mission? And the whole point is, you want to look at the big risks. Government particularly, but also the private sector, are always distracted by all these little risks that they're worried about that they tie up in red tape. And in fact, what you want to look at are the really big risks. And if you can build that into your culture, you can have a much more robust capacity to understand the vulnerabilities that you're otherwise going to run into without appreciating them. So one of the failed companies in the financial crisis, the chief credit officer went to his executive vice president and said, we got problems, we're not pricing for the mortgages we're buying. And the executive vice president said, how come you're the only person in the company who believes in your models? Well, that was really stupid. By the way, the chief credit officer is still there and the executive vice president is long gone. But in the case of Goldman Sachs, when we interviewed the head of the mortgage desk, we said, why did you report the bad news to the top? And he said, part of my job is to make sure that the people at the top of the organization know what they need to know to make good decisions. And that was a successful company. So what you need to make enterprise risk management work is, first of all, support from the top. I've just been inserted into a government agency, actually about six months ago, with support of an undersecretary. And she had us gather all of the senior executives and talk to them, talk about the big risks. And what you've got to do is overcome the tendency of barons to say, there are no risks. I run a good department. And instead, to understand everybody's got risks. We're not blaming you. What we want to do is solve problems. And if we can hear about these risks early, we can deal with them before, rather than after something bad happens. And the earlier you hear about it, the easier it is to deal with an emerging risk. And what we did over time was infuse the culture of the organization so people understood we're not playing gotcha. What we're trying to do is help you solve problems that otherwise may be too big for you. And by the way, we're all in this together. In today's complex world, with the kind of reputational risk that besets all organizations, we're all in this together. And we had better work on it together. So that's enterprise risk management. And I really hope you look into it, because it is a really powerful management tool. I'd like to finish with one of the, actually the best quote from the whole Financial Crisis Inquiry Commission study. And that's from a guy named John Reed, who was head of Citigroup back in 2000 and was eased out at that point, before Citigroup got into all of its trouble. And he asked the question, why does a car have brakes? A car has brakes so it can go fast. If you didn't have brakes, you'd creep around at two miles an hour. If you've got brakes, you understand what the problems are, and you can really go forward at 65 miles an hour. And the whole point of enterprise risk management is not to create another layer of bureaucracy, but rather to have your chief risk officer facilitate the conversations, and then the discussions about priorities. What are the really big risks we've got to grapple with? It's a very powerful management tool, and I hope you all have a chance to take a look. Thank you.