Updated, originally published 30 January 2009
I believe the message in this article, resurrected from my archive, is still valid.
Risk management controls: not implemented, or subverted?
We are continuing to experience economic turmoil (i.e., from the 2008-2009 financial crisis). After the first severe and generalized wave of economic upheaval originating in the US recession, many in risk management circles were speaking of “the failure of Enterprise Risk Management”.
First, let’s not characterize in a blanket fashion what happened in those terms, because failure depends upon one’s point of view. The failure was not universal. The people responsible for what Galbraith called the “seemingly imaginative, currently lucrative, and eventually disastrous innovation in financial structures” did not fail. He was writing about the 1987 crash, but might just as well have been referring to the infamous “collateralized debt obligations” (CDOs) that characterized the 2008 crash.
Nor did the innovators of Credit Default Swaps, “designed essentially as a regulatory loophole” (Wikipedia), fail when they and their lobbyists engineered their freedom from regulation. On the contrary, they succeeded brilliantly at what they set out to do. (“They’re in the Caymans” my aunt quipped, as she pored over her devastated accounts.)
Two standpoints were expressed about risk management and the financial crisis:
The first was: Where was risk management? “The crisis represents a ‘huge failure of enterprise risk management’” (Frank Coyne, Chairman of ISO, Insurance and Technology Blog, Nov 12, 2008). This impugns the methods and practice of ERM.
The second was that the crisis really represented “a failure to implement enterprise risk management processes at all” (Society of Actuaries). This does not impugn the methods and practice of ERM; it says they were not applied.
I think we can safely assume that in most key financial organizations, risk management practices of some description were in place, but did not “fail”, simply because they were ignored and suppressed. In other words, any system of controls can be subverted if it is overwhelmed by an institutionalized practice of profit-making that is culturally sanctioned.
Risk management – best practices
The risk management function, in the aftermath of the 2008-2009 crisis, enjoyed a raised profile. Today, to assess its efficacy (assuming its sincere application) we can ask whether the following practices are present:
(a) Fully articulate corporate values, and use them systematically as risk criteria to assess operations – business rules, ethics, professional codes, risk tolerance philosophies, regulatory guidelines;
(b) Review the scope and assumptions of financial models. In other words, stress test them not only through their inputs, but by situating them in the wider strategic context to understand their qualitative limitations;
(c) Submit strategic plans to risk assessment in light of an environmental scan that identifies industry trends, emerging issues, stakeholder interests and competitors’ aims;
(d) Encourage the audit function not to conduct risk assessment but rather to check the effectiveness, comprehensiveness and rigour of the risk assessment process itself;
(e) Use future scenarios methodology to build plausible versions of future events, and check the resilience of the firm’s intended strategies against them.