Founder's Blog

Is Risk Management a Source of Risk?

I recently responded to a question about risk management failure on one of the LinkedIn groups I subscribe to. Jacek Marczyk, a risk management consultant, responded to a CNN article entitled "The risk fallacy" by asking whether risk management is itself a source of risk.

Jacek's view, reflected in his article (here), seems to be that the Big Financial firms failed because they neglected to factor market complexities into their risk models; and, moreover, that we all need to get better at modeling complexity. Although I agree with the second point (with a tip o' the hat to the quants out there), I disagree with the first. Now that government investigations, referenced below, and a heap of analysis have exposed many of the factors behind The Fall, it seems fairly clear that AIG, Lehman, Morgan Stanley, and Bear Stearns suppressed risk management from the top down. Not only did they not go the extra mile with their risk models, they never really left the bench.

For those of us who support the quantification and qualification of risk, this is good news: the Big Financials' risk management failures cannot be taken as indicative of the futility of risk management, managerial or operational. Their chief indication is simply bad board oversight and executive accountability at the afflicted firms.

Earlier Posts

Is Risk Management a Source of Risk?

Lessons learned from big-finance failures may not be all they seem.

How not to attract a qualified security manager

When bad security management impedes good security hiring.

Failure is not an option: it's a style

A brief cautionary tale about maintaining grace in the face of almost unthinkable contingencies.

Should IT governance be a board-level issue?

Is IT, in concept and practice, still too mechanical for board-level attention? Should it be?


What we can learn from an exquisitely annoying, terribly useful communication channel.

Will companies love open source to death?

What will increasingly mainstream adoption mean for open source software?

Forgotten risk vectors and the shifting audit 'verse

Isn't it time for internal auditors to bring business performance in scope?

Getting better at the big picture

Thinking about context and how we solve problems