As I look ahead to the state of risk management in 2012, I have trouble moving beyond 2008.

I also have trouble coming up with a cohesive theme, so I'm opting for multiple choice instead. Organizational risk management practices in 2012 will be characterized by one of the following quotes:

  1. "Don't let yesterday use up too much of today," (Cherokee proverb cited by Will Rogers and others);
  2. "Enterprise risk management is a process, affected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives," (COSO's Enterprise Risk Management -- Integrated Framework, cited in this report); or
  3. "Great companies identify something larger than transactions to provide purpose and meaning," (Rosabeth Moss Kanter writing in the November 2011 Harvard Business Review).

The difficulty in looking ahead stems from the fact that the past -- namely, the fallout of the global risk management crisis whose impact struck in 2008 -- remains with us. We call it the financial crisis, but its spark consisted of risk management, decision-making and human nature.

And while I believe I know how risk management practices should evolve in 2012 (in ways that specifically address human decision-making and human nature), I'm not sure we're ready to progress beyond our devotion to an almost entirely process- and technology-driven approach to risk management.

COSO's integrated framework and related enterprise risk management (ERM) and governance, risk management and compliance (GRC) frameworks are necessary, but not sufficient; at least not until they incorporate more human nature considerations and recommendations into their guidance. And these human issues should extend well beyond "getting tone at the top right."

The risk management blowup of 2008 remains vividly in the present thanks to excellent portrayals of the crisis, including Michael Lewis' The Big Short and writer/director J.C. Chandor's excellent Margin Call (a film innovatively released in theaters and online simultaneously last month).

In his book that examines how the financial crisis occurred, Lewis, a former Wall Streeter, quotes a source who says, "Managers tend to pick a strategy that is the least likely to fail, rather than to pick a strategy that is most efficient … The pain of looking bad is worse than the gain of making the best move." No wait, I'm wrong; that's actually a quote from Lewis' Moneyball, and a passage that also happens to crystallize the herd-like risk management decision-making that contributed to the financial crisis.

Here's the sort of question that Lewis asks in The Big Short -- and it is something that too few risk management programs ask: "What are the odds that people will make smart decisions about money if they don't need to make smart decisions -- if they can get rich making dumb decisions? The incentives on Wall Street were all wrong; they're still all wrong." Try asking the same of your company and its moderate behavioral incentives.

Chandor's movie, aside from delivering excellent entertainment value (a better lit, less caustic Glengarry Glen Ross), nails the human and cultural aspects of risk management. The movie imagines the day a large investment bank -- one helmed by a character with the last name of, ahem, Tuld -- makes the crippling realization that its risk-management approach will soon wipe out the firm. There is one possible out: madly selling off all of its complex yet worthless financial products to unsuspecting customers and peers the next day. Doing so, of course, might wreck the firm's reputation, and it certainly will poison the relationships all of its traders had developed over their careers.

Yet the scenario depicted in the film -- a highly concentrated narrative of the dynamics of the entire financial crisis itself -- illustrates that risk management is complicated because people are complicated.

Kevin Spacey's Sam Rogers crystallizes this complexity by packing into one character a cutthroat sales manager, an ethical businessman, a jaundiced employee (one passed over for a much more cutthroat peer in a previous succession-planning process) and, ultimately, someone who glumly accepts the notion that every person has his price. Even the good guys in this account recognize that the bad guys are behaving as the system permits (yet some of the good guys also seem to hope for behavior that rises above what is merely allowable).

Again, nothing against existing risk management frameworks, but which one of them addresses this human complexity?

As choice 3 above suggests, a small but growing number of thought leaders appear to believe it is possible to address human complexity within our management (and risk-management) systems. Their general point, and one Kanter emphasizes, is that our organizational theories, processes and behaviors must "catch up" to the way the world currently works.

At first blush, this type of thinking is not terribly cutthroat friendly (nor appetizing for folks who believe "coffee is for closers"). Kanter reasons that great companies:

  • View themselves as an intrinsic part of society (like families, government or religion);
  • Strive to profit but choose to do so in a way that enables them to thrive over the long term; and
  • Invest in the future while considering larger societal needs.

Can you name three companies that operate this way when push comes to global financial meltdown?

That might be the wrong question. Here's a more constructive question: What do enduring companies with great risk management capabilities do? They certainly aim beyond what is required of them in terms of governance, risk management and compliance (GRC) regulations, standards and accepted practices.

And what does this "beyond risk" capability look like in practice? Here's hoping -- and maybe even resolving -- that 2012 gets us a heck of a lot closer to the right answers before we use up too many of our tomorrows.

Contributing editor Eric Krell reports on governance, risk management and compliance for Business Finance.