To look at most risk training on offer, you’d think post-crisis risk management was all ‘business as usual’. Worse, perhaps it really is ‘business as usual’. Why, after such fundamental challenges to the logic and efficacy of risk management since 2007, has there been so little change to how all businesses – whether financial institutions or corporate businesses – approach risk and uncertainty? And what can we do about it? Since the financial crisis, there has been an industry of official rapporteurs, commentators and academics looking at the failures of governance, risk management and internal control. Their quality has ranged from profoundly insightful (e.g. Dahlem Group) or skillfully observational and analytical (Reinhart and Rogoff, for example), to repetitious of earlier, profound thought (but worthwhile nonetheless) – Taleb’s Black Swans and Skidelsky’s Return of the Master (about John Keynes) come to mind – to merely repetitious of earlier thought to arse-covering to flat-out denial. One message that seems to emerge clearly is that risk management is a very long way from being a mature discipline.
One concept that seems to have had a ‘good crisis’ is risk governance – the structures and processes in the firm that relate oversight of risk at board level with allocation of responsibilities for analysis of risk and its interpretation in the firm with the routines of assurance over risk management efficacy (cf. Walker Review or the G30 Report on governance in financial institutions). But, for all the appearance or posturing of dedication to enhancement, little has changed – as Alphonse Karr wrote, “plus ça change, plus c’est la même chose.”
In the UK, the Financial Reporting Council's amended (and renamed) Corporate Governance Code has enhanced the board responsibilities for review and narrative reporting requirements for listed companies by requiring them to “conduct a review of the effectiveness of the company’s risk management and internal control systems (sic) and report to shareholders that they have done so.” What would a “review of the effectiveness of a company’s risk management system” look like? What would it cover? What could and should it omit? So far, the FRC has not elucidated, although they have published observations emerging from their consultations with companies’ non-executive directors and senior officers. Clearly, any review of a company’s risk management system should pick up on the lessons of the recent turmoil in risk management and what they mean for our understanding of how risk management needs to adapt and change to remain relevant – or, perhaps, to regain relevance.
So, what are the lessons of the financial crisis – the lessons of recent history – and how do they add to the lessons of prior history? What should we learn from the financial crisis?
The answers to this question are complicated. But one thing is very clear: to understand how we need risk management practice (and, for that matter, risk management theory) to evolve, we need to address and learn the lessons of reality as it occurs, not some simplified, stylized version of reality. We need to confront the messy truth about risk and risk management as it occurs in real life and to understand what works and be realistic and understand what does not work and why.
If we are to move the discipline of risk management forward from its current infancy, training and educational curricula need to adapt to these messy realities. In a new course we have developed for risk practitioners, we address these challenges directly. The result will be better understanding of what risk management can and will achieve and how to achieve it. Click here to find out more about the course.
Einstein defined insanity as doing the same thing over and over again and expecting different results. Yet, by persevering with unchanged approaches to risk in light of evidence of their non-performance, we are risking appearing . . . well, maybe not insane, perhaps hopelessly optimistic. Now is not the time for hopeless optimism; we need something more concrete, more effective. And more realistic.
All developers of risk curricula and risk courses need to go back to the drawing-board. Reality is calling.