Updated 09 May 2024.

What was the essence of the 2008 crisis? Did Enterprise Risk Management fail by not flagging bank operations – that is, irresponsible mortgage lending, securitization of such junk to be sold to pension funds, and fraudulent assignment of AAA credit ratings – and so precipitate this monumental crisis? Will ERM fail again?

We are continuing to experience turmoil after the first severe and generalized wave of economic upheaval originating in the US recession. Many in risk management circles were speaking at the time of “the failure of Enterprise Risk Management”.

Risk management controls: subverted, or not implemented at all?
In fact, two standpoints were expressed about risk management and the financial crisis.

The first was: Where was risk management? The crisis represents “a huge failure of enterprise risk management” (Frank Coyne, Chairman of ISO, Insurance and Technology Blog, Nov 12, 2008). This impugns the methods and practice of ERM.

The trouble is, failure depends upon one’s point of view. The people responsible for what Galbraith called the “seemingly imaginative, currently lucrative, and eventually disastrous innovation in financial structures” did not fail. He was writing about the 1987 crash, but might just as well have been referring to the infamous “collateralized debt obligations” (CDOs) that characterized the 2008 crash.

Similarly, the innovators of Credit Default Swaps, “designed essentially as a regulatory loophole” (Wikipedia), did not fail when they and their lobbyists engineered their freedom from regulation. On the contrary, they succeeded brilliantly at what they set out to do.

The second standpoint is probably closer to the mark: the crisis really represented “a failure to implement enterprise risk management processes at all” (Society of Actuaries).

I think we can safely assume that in most key financial organizations, risk management practices of some description were in place. They did not “fail”; rather, they were simply ignored and suppressed. In other words, any system of controls can be subverted if it is overwhelmed by corruption, especially as an institutionalized practice.

Risk management – best practices
The risk management function, in the aftermath of the 2008-2009 crisis, enjoyed a raised profile. Today, to assess its efficacy (assuming its sincere application) we can ask whether the following practices are present:

(a) use of corporate values (business rules, ethics, professional codes, risk tolerance guidelines) as well as regulatory rules as risk criteria;
(b) review of the limitations of scope and assumptions built into financial models;
(c) risk assessment of strategic plans;
(d) use of audit, not to conduct risk assessment, but rather to check the effectiveness of the risk assessment process;
(e) use of future scenarios methodology to check the resilience of the firm’s strategy.

Conclusions
With societal shifts, and in the very rise and fall of civilizations, we see an ebb and flow of accountability and integrity. We have the tools and methods. It is a matter of our intention.