ERM - CRO Outlook

Building a Unified Theory of Risk Management: How and Why

To improve enterprise risk management, move further away from risk silos, and gain a better understanding of both obvious and hidden risks, the financial services industry needs to create a new risk paradigm. This can only be achieved by developing a framework that unites the four forces of risk management: culture, psychology, governance, and environmental risk.

Friday, May 13, 2022

By Clifford Rossi

Our risk management frameworks have not advanced commensurate with the level and trajectory of risk over time. A new paradigm is therefore desperately needed.

Take, for example, enterprise risk management. What fundamental theory explains the mechanics of ERM? I don’t mean PD*LGD*EAD, since we have a fairly strong handle on these concepts and can model them – for the most part – with a fair degree of reliability.

clifford-rossiClifford Rossi

No, I am talking about the macro dynamics affecting different risk types and the micro-level interactions among such risks that can go unknown to us until an event happens.

Imagine a world in which classical physics and quantum mechanics did not exist. We would have no ability to fly an airplane or land a spacecraft on the moon. And yet, we operate in a risk management world effectively devoid of any theoretical foundation to explain the development and dynamics of risk at our firms.

The Argument for a New Paradigm

Our field of risk management evolved from a set of audit (e.g., COSO and internal controls), regulatory and other principles. However, unlike other fields – such as finance or economics or even physics – we have yet to offer a theoretical foundation that describes the risk landscape in some logical and consistent manner.

This has profound implications for the way we conduct risk management today. We currently organize our staff around risk specialty areas, typically following an outdated taxonomy that is not only overly simplistic and siloed but also misses the mark on hidden risks that are reflective in the dynamic interactions among risk types. Those hidden risks are the “dark matter” equivalent of risk, and they lie just beyond the direct reach of our existing risk frameworks.

We need a Unified Theory of Risk Management (one which explains the implications of risks for our industry) to correct these problems. To make the case, I’ll now present such a framework, which is loosely based on principles and terms borrowed from classical physics and quantum mechanics.

Classical physics focuses primarily on the behavior of macroscopic objects, while quantum mechanics studies “small matter,” such as subatomic particle behavior. To date, no unified theory of physics exists; however, we can adapt the framework for physics to describe the world of risk management.

The structure of an atom, for example, can be seen to represent the risk exposure of an organization, where individual risk types – e.g., operational, credit, market, liquidity and asset-liability management (ALM) – form the nucleus. A different set of risks – most notably, reputation, regulatory, compliance and legal – can be described as the electrons moving about that nucleus.

How these risks collide with one another is central to building a unified theory of risk management, and can be described as “quantum risk mechanics.” A depiction of this theoretical framework featuring these ideas is presented below (see Figure 1), followed by a description of how each component (the four fundamental forces of risk management) relates to the unified theory of risk management.

Figure 1: Elements of a Unified Theory of Risk Management

The Four Forces of Risk Management

The velocity and trajectory of a firm’s risks are determined by its risk appetite and ERM effectiveness. Just as the four fundamental forces of physics explain the natural environment, the four forces of risk management dictate decisions about risk appetite and ERM. Let’s now take a quick look at each of these forces:

Force 1: Environmental

Think of the environmental force as cosmic inflation applied to risk management. The risk management environment is comprised of economic, geopolitical and physical (e.g., climate) forces that pull on risk and push it up and down. Risks expand (“risk on”) or contract (“risk off”) as these environmental conditions change.

Force 2: Risk Culture

Risk culture represents a company’s embedded DNA for risk. Some companies have strong risk DNA, while others are weak. This intangible force, however, matters critically in determining a firm’s risk-taking posture and its ERM effectiveness. Indeed, it is a prerequisite for effective ERM and balanced risk.

Force 3: Risk Psychology

This force represents the cognitive biases of boards and senior management, taking into account their behavior, incentives and responses to risk. Risk management, after all, is not a pure science, and is imbued with a hefty dose of psychology, belief systems and – sometimes – irrationality. If you think back to the herd mentality and recency and confirmation biases exhibited by senior management teams during the global financial crisis (GFC), you get the picture.

Force 4: Risk Governance

This force represents the gluons of risk management – or those risk “particles” that bind a company’s collection of risk practices and activities together. Effective ERM is illusory without strong risk governance practices.

Quantum Risk Mechanics

With these forces in place, to fully understand how risks relate to each other requires a discussion of quantum mechanics. Quantum mechanics in physics focuses on explaining the behavior of subatomic particles. (More specifically, according to Quantum Entanglement Theory, it describes conditions for how particles interact with each other – often in peculiar ways.)

Similarly, risk entanglement theory explains how “non-nuclear” risks – e.g., regulatory, compliance, reputation and legal – interact with “nuclear” risks – such as credit, operational and ALM. Each non-nuclear risk happens only because of some nuclear risk event. Lamentably, we tend to cite all these risks in our risk taxonomies, without any explanation of their relationship with each other.

Complicating matters further, non-operational nuclear risks can be amplified by operational risk, and therein lies a problem for traditional risk management: i.e., it’s a framework built largely for individual risk assessment, rather than for identifying, assessing and managing interstitial risks.

Borrowing again from physics, in a probabilistic world that can be difficult to pin down precisely (at least, at times), an uncertainty principle applies to our framing of risk types.

Closing Thoughts and Observations

How can you use this framework to improve your company’s ERM capabilities?

First, this unified theory of risk management provides a mechanism for better depicting the relationship of individual risk types in your risk taxonomy to each other – in a manner that supports cohesive and integrated risk management.

Second, you can use this theory for developing risk talent. After all, whether someone is dedicated to operational risk or credit risk, they should be conversant in the language and techniques for managing all major risk types.

Third, this theory allows you to build better risk identification and assessment capabilities – oriented not just toward managing the individual risks but also the spaces between them.

Last but not least, such a framework better enables you to more effectively assess the maturity of your ERM process, beginning with risk governance and culture.


Clifford Rossi (PhD) is a Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business, University of Maryland. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal-banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group.


We are a not-for-profit organization and the leading globally recognized membership association for risk managers.

weChat QR code.
red QR code.

BylawsCode of ConductPrivacy NoticeTerms of Use © 2024 Global Association of Risk Professionals