The global financial crisis produced many painful outcomes:
historic losses, institutional failure, fear, finger-pointing and
unprecedented government actions. For those financial services
firms fortunate enough to survive, however, the crisis also yielded
a highly valuable output: sharp insights into the strengths and
weaknesses of their risk management programs.
Leading organizations throughout the industry continue to
harvest these insights to address their constantly evolving risks
and strengthen their risk management capabilities. In this way,
these companies are taking a page from their own risk-management
playbooks to better understand how their current risk management
capabilities can be fine-tuned to better manage and mitigate the
impact of extreme events.
This process requires several steps. First, every firm needs to
gain a clear assessment of risk management's role in the crisis.
Second, it is important to understand what risk management-related
lessons can be mined from the economic and regulatory events of the
past two years. And finally, it is useful to understand the makeup
and value of "post-crisis" risk management building blocks.
Redefining "Failure"
At first glance, the origins of the global financial crisis
appear inexplicable, given the fact that the financial services
industry has prided itself -- and rightfully so -- on leading-edge
risk management. The shock of the crisis and its profound impact on
financial services organizations worldwide has generated an
understandable amount of finger-pointing, as well as an unhelpful
level of oversimplification. Some pundits have gone so far as to
blame risk management itself.
It is more instructive, and more constructive, to look
deeper.
While failures in risk management certainly occurred within the
industry, a wide range of factors, many of which fall beyond the
purview of risk management programs, played key roles in sparking
the financial crisis. On a macro level, financial accounting and
reporting standards obscured important underlying economics.
Government and monetary policies, along with overreliance on
third-party viewpoints, also contributed to the meltdown.
Within organizations, deficiencies in corporate governance
processes limited the recognition and use of important outputs that
risk management processes produced. In many instances, a lack of
effective transparency, accountability and escalation of crucial
risk information hindered senior executives and corporate directors
from understanding the true nature of the risks a company had
undertaken. Several organizations went well beyond their "risk
appetite" -- sometimes without even realizing it. Moreover, many
organizations today continue to struggle with the establishment and
implementation of a risk appetite.
Collectively, these corporate governance, executive management,
board, regulatory and monetary policy issues extend well beyond the
reach and scope of risk management. Underscoring this point,
financial services companies today frequently request outside
assistance related to (1) establishing a risk appetite; (2)
developing corresponding risk tolerances and limits; and (3)
improving risk transparency through such means as enhancing the
flow of risk information up, down and across the organization.
Efforts are focused on better aligning risk management activities
and processes with corporate strategy and business objectives.
Lessons Learned
Executives do not cease decision-making after making one or two
bad decisions. Instead, they seek ways -- e.g., involving more
perspectives, identifying additional information inputs or
eliminating sources of misleading information -- to strengthen
their decision-making process.
The financial crisis and lingering recession provide lessons
companies can apply to their ongoing risk management efforts,
including the following:
- If it sounds too good to be true, it probably is. Many
crises are forged out of beliefs that tomorrow will be just like
today. In retrospect, few individuals believed that real estate
prices in the United States would do anything other than continue
to go up or remain constant for an indefinite period.
- Don't bet your company on third-party assurances. In
the period leading up to the financial crisis, too many companies
relied too heavily on external assurances from third parties. The
lesson here is that it is important, if not critical, for an
organization to formulate its own independent view.
- Balance quantitative measures with qualitative
assessments. Many institutions failed to share a wide range of
balanced, rigorous quantitative measures and qualitative assessments
to provide different perspectives on the same exposures. Such a
balance provides more insight about evolving conditions and creates
enterprisewide transparency.
- Avoid undue concentration risk. Many companies relied
on outdated assumptions that were unchallenged by management. These
organizations did not integrate market and counterparty risks
effectively to identify the size of their concentration risk.
- Incentives influence behavior. Improperly designed
compensation incentives create a "heads I win, tails you lose"
situation, and can also focus too much on short-term gains versus
institutional viability. Risk management often was not an equal
player at the business table in terms of compensation, clout and
organizational standing.
- Liquidity can be as important as solvency. If
stakeholders lose confidence in a business, the strength of the
business' balance sheet may not matter.
- Lack of transparency can fuel a crisis. Given the global
economy's ever-present need for information, when the market cannot
be certain of the exposures that exist among its counterparties, it
may stop functioning altogether.
- Time to act can be a real differentiator. Issues are no longer
isolated. Because of the interconnectedness of the Information Age,
crises are no longer confined to single institutions or even
regions. What happens in Iceland or Main Street USA impacts all
industry participants in one form or another at rapid speed. Market
judgment is also swift and merciless, putting significant pressure
on companies to make quick, accurate decisions. Time to act is one
of the most valuable assets in managing risk, yet is often hindered
by numerous hierarchical and silo organizational constraints.
Most, if not all, of these "lessons" existed prior to the
crisis, and the recession simply illuminated them. The present
challenge resides in determining how financial institutions can
apply these lessons in a sustainable manner.
Leading companies have leveraged the lessons learned by
reexamining and, where possible, strengthening key building blocks
of effective, post-crisis risk management, such as the role of risk
management, risk culture, risk reporting and risk measures.
The Role of Risk Management
In its most effective form, risk management begins with defining
and understanding a company's risk appetite related to its
strategic objectives. It should also identify the inherent risks
associated with the achievement of the business strategy and
determine the most appropriate techniques required for a company to
operate within its established risk tolerances and limits.
For example, suppose a company's strategic objective involves
entering a new foreign market to generate a new source of revenue.
Inherent risks within this scenario might include political and
foreign exchange risks. The risk management techniques should then
determine (1) whether the inherent political risks represent an
acceptable potential cost of executing this objective (i.e., doing
business in the region); and (2) how the foreign exchange risk
might be mitigated -- e.g., hedging contracts or requiring customer
payments to be in U.S. dollars.
When deciding whether entering a foreign market is consistent
with the company's risk appetite, capital needs, reputational risk,
regulatory considerations and other matters should all be vetted by
appropriate executive management (and, if necessary, the board).
Scenarios should be modeled by looking at the effects of the new
business venture under various stress points, including scenarios
that may not have ever happened historically.
Risk Culture
This much is certain: while it may be difficult to deconstruct
and/or quantify risk, a financial services company's risk culture
qualifies as a crucial success factor in nearly every client
debriefing, article and case study related to risk management.
By now, tone at the top may be an overused phrase, yet it
remains critical to successful risk management. Communication
represents another valuable building block of an effective risk
culture. No matter how valuable the information that risk
management processes and systems produce is, it quickly becomes
worthless if it is not relayed throughout the organization in a
timely fashion. Executive management and the board must encourage
such real-time and transparent communication for an effective risk
culture to evolve. Shooting the messenger only stifles the ability
of people to step forward and raise serious issues to the
appropriate management level.
While processes provide the pipes, if you will, for
communications, culture provides the fuel: Managers must want to
use and relay risk information if the risk management structure is
to deliver on its full value.
Culture also represents the "glue" that enables the risk-related
policies to be transformed into processes, and for those processes
to be executed by people throughout the organization. Perhaps most
important, an effective risk culture helps ensure that the focus on
risk-based decision-making becomes sustainable over time.
Risk Measures
The financial crisis exposed model risk as a key risk area.
Economic models remain an effective tool in post-crisis risk
management. In fact, when used as one of several data points within
an analysis, they can be extremely valuable -- but only if their
limitations are understood and addressed.
Model risk refers to the risk of a loss due to significant
discrepancy between the economic model's outputs and actual market
experience. This form of risk stems from several causes, including
inadequate tools, the use of adequate tools for the wrong purpose
and/or misinterpretations and incorrect applications of the
output.
In the wake of the crisis, pressure to manage model risk has
intensified for several reasons, including:
- Financial firms facing increasing model governance and
validation expectations from regulators, rating agencies, investors
and clients, to varying degrees;
- Major model-related losses increasing scrutiny and demand for
independent validations; and
- Fair value accounting rules (FAS 157 and FAS 159) highlighting
the focus on the number and types of instruments that are
marked-to-model.
Model risks reflect a disconnection between reality and the
picture of reality that powerful systems and tools produce. For
this reason, they are in many ways emblematic of the missteps
leading up to the financial crisis.
The crisis was not caused in isolation by risk management, a
lack of regulations or the absence of effective management systems
and tools. Rather, it was caused by a combination of factors that
created dissonance between theory and reality. Some of these
factors may have been identified and mitigated by risk management
processes but were not communicated effectively throughout the
organization, hindering the ability of management and the board to
learn of and understand emerging risks clearly.
Relevant Reporting
One of the procedural shortcomings the crisis highlighted
relates to risk reporting. At some companies, reporting was too
detailed; at others, it was too general. In virtually all
organizations, the challenge is less about having enough data than
about the presentation of far too much risk information to
management and boards.
There is an abundance of data available, but relevant analysis
is sorely missing. Most boards and senior management teams simply
want to understand if the company is riskier today than it was
yesterday, and why. They also want to know whether the current
level of risk is within expectations and appetites. Despite these
simple objectives, most risk reporting fails to deliver the key
elements.
Effective risk reporting tailors the reports to different
audiences. The same report or an excerpt of a report to management
should not be used for the board.
Board reporting should focus only on the most significant risks,
and then identify how these risks potentially affect performance
and shareholder value. It also should promote awareness of risks
throughout the organization, provide assurance that management
processes are working effectively and, when appropriate, detail the
impact (on both the organization itself and outside participants)
of recent risk events.
Senior management risk reporting should provide qualitative
analysis to supplement quantitative tools and analytics, while
identifying trends and important exceptions to risk tolerances.
These reports should also identify key risks and related
performance (and/or risk) indicators, identify required actions and
contain discussions of current risk management initiatives and
issues.
In addition, senior management risk reporting should contain
several forward-looking aspects rather than focusing on historically
based accounting information. It is the forward-looking information
that allows management to see what's coming and initiate
appropriate risk mitigation responses.
At the business-line level (or even the process level), risk
reporting should be more granular in nature; here the focus is
typically historical and reporting is segmented by department (or
product line, geography, etc.). Updates on control failures and
improvements should be featured prominently, and the reports should
address specific consideration of data integration and other
reporting issues.
In closing, there is no "magic bullet" to protect everyone from
the next crisis. Fortunately, risk management continually evolves
within the financial services industry, where companies are
reconfiguring their frameworks, establishing new risk agendas and
bolstering their building blocks to ensure they will be better
prepared for the future, regardless of what the future brings in
terms of new risks and challenges.
Carol Beaumier is an executive vice president and head of
the global financial services and regulatory risk consulting
practices at Protiviti, a global business consulting and internal
audit firm.
Cory Gunderson is a managing director and head of
Protiviti's U.S. financial services industry and global risk and
compliance practices.
Both authors can be reached through the firm's Web site
at www.protiviti.com.