Lots of bloggers, including some here at CA, have opined about the current financial crisis and how one of its causes was a total failure of financial risk management (there is even a blog devoted to the topic, along with many other posts on it).
It's hard to argue with that, given the financial devastation that exists worldwide today. Still, just stating that the cause is a "total failure of risk management" is not terribly enlightening. It might be useful to see if we can explore more specifically what areas of risk management actually failed.
I was reading an interesting document recently from the Risk and Insurance Management Society titled "The 2008 Financial Crisis - A Wake-up Call for Enterprise Risk Management" (requires free registration). It describes some of the extreme reactions to the financial mess that attribute it to a total failure of enterprise risk management. A quote that illustrates this is "…we may have to tear up the manual of enterprise risk management and start over." Quotes like this assert that the entire discipline of risk management is at fault, and that maybe we should all just "go back to the drawing board" and start again, in terms of how risk management is done.
As tempting as it is to scream that the "risk management sky is falling," a more nuanced approach might be more useful. The RIMS paper attributes the failure more precisely to these key factors:
1) Failure to embrace appropriate risk management behaviors
Risk management needs to be an essential component in all key business processes, and every person who participates in those processes needs to be aware of the impact of their actions on risk, and to provide timely information that improves the management of risk related to that business process.
2) Failure to create and reward risk management competencies
The individuals who were actually on the front lines taking financial risks were incented to maximize short-term profits, not to make prudent business decisions that would provide the best level of risk-return for the enterprise. It goes without saying that effective risk management requires incentives that further that goal, rather than subvert it.
3) Failure to use risk management to inform management's decision making (for both risk-taking and risk-avoiding decisions)
Even if the people on the front lines are diligent about their risk management responsibilities (and, as noted above, that's typically not universally true), unless this risk-related information is used proactively to inform and impact top management decision-making, its value is negated.
Unfortunately, my belief is that these problems are endemic to many companies, including those that would claim to have an established and successful risk management model for the enterprise. They seem to think that as long as they have someone somewhere who is responsible for "risk management," then everything is OK and they can rest easy.
I think the problem that contributed mightily to this crisis is fairly straightforward to capture, but extremely difficult to remedy: the lack of a common risk management framework across the enterprise.
This has many elements, each of which is required to help avoid similar disasters in the future.
First, there should be common processes, terminology, and practices for managing risks of all kinds. Everyone should manage risk in a way that is consistent across the enterprise; otherwise, it's as if individual groups are speaking different languages when discussing risk. And, given the complexity and cross-organizational nature of most enterprise risks today, such a situation is very likely to lead to poor risk management approaches.
Second, it is essential that risk tolerances be fully understood, communicated, and monitored across the enterprise. When the people on the front lines are not aware of how much risk upper management is willing to take, improper (and risky) activities often result. This means that not only must everybody be speaking the same language in relation to risk, but communication and monitoring of risk tolerances should be proactive and ongoing.
Third, risk management practices should be incorporated into all key business processes and decisions. Each individual must know what their risk-related responsibilities are, and how those responsibilities fit into the "bigger picture" of the enterprise risk management model. Risk must be considered an essential element of all business processes, just as quality and cost are emphasized and tracked for all processes.
And, fourth, if management is going to make its risk-related decisions using high-quality information, that information must be easy for the individuals who have direct access to it to capture and enter into the system. For example, the failure of a risk-related control must be quantified and captured immediately (entered into a GRC management system of some kind) by the individuals who are testing that control. Relying on multiple levels of communication (especially informal communication such as email) tends to lower the quality of the information on which management may base its decisions.
Many people much smarter and more knowledgeable than I will probably debate these issues in relation to the financial crisis for years to come. But, although technically true, a phrase such as "a failure of risk management" is not specific enough to be useful as a diagnostic tool that would help avoid similar situations in the future. It seems to me that the lack of a common risk management framework across these companies, and the associated attributes listed above, are the elements that combined to create a situation where these catastrophic problems could arise.