Never think risk management is done and dusted. You must reassess it regularly.

The credit crisis has unearthed serious problems with risk management in some financial institutions. Ironically, the crisis has spread from the very industry that created many of the risk management controls subsequently adopted by other organisations. How is it that they managed to get things so wrong? Does it reveal fundamental flaws in the discipline? And what can the rest of us learn from these mistakes?

Many financial institutions that got into trouble were just not getting the basics right. The Société Générale fraud in January was an early warning that something was wrong with the way banks managed their traders. They may have had large and highly professional credit and market risk departments, but clearly their operational risk management wasn’t up to much if a single rogue trader could wipe $7bn off the balance sheet.

These problems came to a head during the credit crisis. Risk management departments were too siloed – and that meant there was no single picture of the total exposure to bad debt. Enterprise risk management (ERM) was meant to bring it all together and instil a culture of risk management throughout the organisation. Despite the fact that rating models had been affirming these programmes for a number of years, some of them clearly weren’t working properly.

Why not? The banks had ERM frameworks in place – compliance told them as much – but they weren’t properly embedded. These gaps meant the exposures were able to escalate as the market for traded credit products grew. No one, not the regulators, rating agencies or the banks themselves, properly understood the complex debt structures. So what hope was there for the chief risk officer to get a handle on the overall strategic risk they posed?

Instilling a culture of risk management – which means everyone becomes a risk manager – was hard to achieve in banks, particularly as it didn’t sit well with the bonus culture that allowed them to make such massive profits during the good times. The money-making traders were often at odds with the nay-saying risk managers. But by absolving responsibility for risk to another department and putting pressure on it to approve transactions, the traders went about their business unhindered, with terrible consequences.

Perhaps this is the most important lesson from the financial apocalypse. Never become complacent and think risk management is done and dusted. It requires regular reassessment. Some of the bankers may have thought the risk was outsourced into the hands of the chief risk officer and therefore it must have been managed. That wasn’t the case.

The banks also trusted the ratings agencies too much. They blindly believed the investments were worth what the ratings agencies said they were worth. The lesson here is not to assume ratings are always correct and remember they can change very quickly.

In the future, it might be worth considering an employee’s risk management credentials as part of his or her assessment and remuneration. It is a performance criterion that some businesses have begun to include in annual reviews.

Now is the time for reappraising ERM. Financial businesses have shown that even the most mature programmes cannot prevent disaster. But a properly embedded programme allows companies to realise benefits – and they’re probably less likely to get into serious trouble. An important lesson is not to rely too much on systems and models, particularly

if the underlying information is flawed. Organisations should strive for continuous improvement with their programmes and remember that a culture of risk awareness is vital. In many ways, ERM is more important now than ever.

Key points

• The firms that got into trouble were not getting basic risk management right.

• ERM was in place but it wasn't properly embedded.

• ERM was meant to instil a culture of risk awareness, but this didn't sit easy with big bonus-driven bankers.

• Risk management requires regular reassessment.

• Now is not the time to give up on ERM.