Economic Crisis: Why ERM Did Not Fail

economic-crisisRisk management controls: not implemented — or rather, subverted

We are continuing to experience economic turmoil. After the first severe and generalized wave of economic upheaval originating in the US recession, many in risk management circles were speaking of “the failure of Enterprise Risk Management”. First, let’s not characterize what happened in those terms, because failure depends upon one’s point of view; the failure was not universal. The people responsible for what Galbraith called the “seemingly imaginative, currently lucrative, and eventually disastrous innovation in financial structures” did not fail.  (He was writing back at the time prior to the October 1987 crash, about parallels to 1929 — but might just as well have been referring to collateralized debt obligations – CDOs).

Nor did the innovators of Credit Default Swaps, “designed essentially as a regulatory loophole” (Wikipedia), fail when they and their lobbyists engineered their freedom from regulation. On the contrary, they succeeded brilliantly at what they set out to do. (“They’re in the Caymans” my aunt quipped, as she pored over her devastated accounts.)

Two distinct standpoints were expressed about risk management and the crisis . The first was: Where was risk management? “The crisis represents a ‘huge failure of enterprise risk management'” (Frank Coyne, Chairman of ISO, Insurance and Technology Blog, Nov 12, 2008). The second was that the crisis really represented “a failure to implement enterprise risk management processes at all” (Society of Actuaries).

Assume that, in a given organization, risk management practices of some description were in place. Well, if they were ignored for the sake of profits, then we conclude that any system of controls can be subverted if it is overwhelmed by an institutionalized practice of profit-making that is culturally sanctioned.

Risk management – best practices

On the other hand, if risk management was not ignored, but not effective, then we can consider whether these points were heeded:

(a) In risk assessment, fully articulate corporate value criteria – business rules, ethics, professional codes, philosophies, regulatory guidelines, etc. – and use them as criteria to identify risk.

(b) Review the scope and assumptions of financial models. In other words, stress test them not only through their inputs, but by situating them in the wider strategic context to understand their limitations.

(c) Submit plans to risk assessment in light of environmental scan that identifies industry trends, economic forecasts and stakeholder interests.

(d) Encourage the audit function to check the effectiveness and rigour of the risk assessment process.

(e) Use future scenarios methodology. This helps you define the critical aspects of the business, build plausible future visions, and check the resilience of the firm’s intended strategies. It is one of the few ways we have to deal with “black swan” risk and high uncertainty.

People who are wary of spending too many resources on risk management are justifiably suspicious of a possible bureaucratic burden. But those who have an incisive risk ID process will find that a lot of the unstructured chatter that takes place in management meetings is replaced by cogent analysis.

[Revised. Originally published 30 Jan 2009.]

If you enjoyed this post, make sure you subscribe to my RSS feed!

Tags: , ,

One Comment

  1. Financial Risk Modeling
    2011/10/25 at 09:45:54

    […] Determining the model’s scope and management context Another issue is determining which processes any particular model comprehends. Does the data model somehow support corporate values and long term objectives, or can it be overwhelmed by core activities outside its scope? (See my post: Economic Crisis: Why ERM Did Not Fail). […]

Leave a Reply

Name required

Mail (will not be published) required