In early 2008, the economy was beginning to look bad, but it was the second half of 2008 when the full market meltdown occurred. This report, authored by Bill Coffin, notes how the majority of Wall Street’s major investment firms had either collapsed or suffered staggering losses. As a drastic response, the federal government stepped in to provide critical funding to help struggling entities survive.  Everyday investors are still left trying to put together the pieces of the fallout and figure out what happened to the wealth they established for themselves. 

It is hard to place blame on any one person or a single group of people because the crisis that has evolved is the result of numerous people not paying attention to the overwhelming risks that were present, often hidden by ineffective risk models.  One thing that analysts agree on, and that the RIMS report reiterates over and over, is that the failure to properly utilize and understand the purpose of risk management and enterprise risk management is a major cause of the financial crisis.

Many articles are now addressing the questions of “Where were the risk managers?” and “Why did they not catch or prevent this disastrous event?”  Conversely, risk managers are claiming that they can only inform executives of the risk.  It is up to the leadership of the company to make informed decisions based on the information given to them.  Also, top management may not understand the risk they are informed of; hence, management needs to continue asking questions until they fully understand the risk.

Failure Points

The Risk Insurance Management Society (RIMS) prepared this report to address some of the reasons for the failure.  These failures were: a failure to embrace appropriate enterprise risk management behaviors, a failure to develop and reward internal risk management competencies, and a failure to use enterprise risk management to inform management’s decision making for both risk-taking and risk-avoiding decisions.  These failures ultimately caused the current financial crisis, and if companies had properly designed and implemented a comprehensive risk management program, the financial crisis may have been prevented or its impact lessened.

Needed Risk Behaviors

RIMS states that any risk management framework can work effectively for a company as long as the organization demonstrates competency in seven behavioral attributes:

  • Adoption of an ERM-based approach
  • ERM process management
  • Risk appetite management
  • Root cause discipline
  • Uncovering risks
  • Performance management, and
  • Business resiliency and sustainability


It is important for companies to develop a mature ERM program that is practiced at all levels.  Support from the top is critical.  Employees need to hear from management how valuable risk management is to the organization and its continued success.

Properly implementing risk management is not the only problem faced by companies.  There was also an over-reliance on financial models.  Many business leaders assumed that risk quantification models were the most reliable and sufficient way to measure risk.  However, solely relying on financial models without understanding the assumptions made to create the models allowed companies to accept risk beyond their risk appetite.  Financial models can be very helpful, but it is important to not ignore the tail risk because, as Geoff Riddell, chief executive of Zurich Global Corporate, explained, “The world does not follow a normal distribution and low frequency and high severity events can appear at any time.  The discounting of these extremes is very dangerous.”  By ignoring these low-probability, high-risk events, companies are becoming their own worst enemy.

Companies need to remember that risk management is more than just complying with regulations and implementing controls.  Risk management is also about taking a proactive stance on protecting the entity from its known and unknown risks.  Management also needs to be able to stop projects and transactions from occurring that are too risky and have the potential to cause detriment to the company. 

Management needs to have the ability to distinguish between different risks.  Citigroup CFO Gary L. Crittenden states he misread the risk for collateralized debt.  The risk was believed to be a market-risk when in fact it was really a credit risk.  It had been evaluated from a market-risk perspective but the risk that caused the greatest harm, the credit-risk, was not properly evaluated.  Therefore, Citigroup was not properly prepared for the credit-risk associated with collateralized debt. 

Lessons Learned

When looking at the financial crisis, it is important not to see the current events as all bad but also to learn from the situation.  RIMS has three lessons that can be learned from the financial crisis: (1) Management needs to better understand expected and desired outcomes and to design the organization’s enterprise risk management program accordingly, (2) it is important to realize that merely implementing an enterprise risk management program is not enough, and (3) the individual skills of those responsible for leading the risk activities within an organization provide insight into the competencies needed to drive a sustainable risk program.  Even though companies failed to do numerous things, which caused the financial crisis, there are steps that can be taken to prevent another crisis and safeguard companies from failing again.  Companies need to start fully understanding their risk tolerance level and begin taking measures that ensure projects and transactions are not undertaken that are above the risk tolerance level for the company.

ERM Enterprise Risk Management Initiative 2009-01-01