When practitioners, consultants and academics discuss leading organizational risk management practices, they hone in on people, processes and supporting technology. As major risk management failures in recent years have illustrated, mastering these three dimensions is necessary but not sufficient.
Effective enterprise risk management (ERM) -- or any discreet risk management process -- hinges on other dimensions as well, including organizational culture, behavior, ethics and change management … all the squishy, human stuff that defies convenient categorization in COSO cubes and other traditional risk management frameworks.
Risk management needs more dimensions.
In a detailed and engaging post mortem on MF Global, several New York Times business writers examine what went wrong. This "Wall Street CSI"-esque article focuses on CEO Jon Corzine, who once said that he considered "one of my most important jobs to be chief risk officer of our firm."
On paper, and on the surface, MF Global's approach to risk management seemed sound. Beneath these nods to people, process and technology, however, trouble lurked. "[S]oon after joining MF Global, Mr. Corzine torpedoed an effort to build a new risk system, a much-needed overhaul, according to former employees," the Times notes.
In a situation that parallels the plight of Kevin Spacey's character in the excellent 2011 film "Margin Call," MF Global's top risk officers, including Michael Roseman, expressed growing discomfort with MF Global's investments in European debt in 2010.
These risk officers "pushed Mr. Corzine to seek approval from the board if he wanted to expand [the firm's high-risk investments]," according to the Times article. "Mr. Roseman then gave a PowerPoint presentation for board members, explaining the sovereign debt trade as Mr. Corzine sat a few feet away. The presentation made clear the risks, which hinged on the nation's not defaulting or the bonds losing so much value they caused a cash squeeze. The directors approved the increase. Mr. Roseman eventually left the firm."
Additionally, Corzine's outward expressions that he welcomed criticism from his team, in fact, may not have been so welcoming. "Within MF Global, Mr. Corzine welcomed discussion about his bet and his reasons for it, though some senior managers said they feared confronting such a prominent figure," according to the Times piece. "Those who did challenge him recall making little progress. One senior trader said that each time he addressed his concerns, the chief executive would nod with understanding but do nothing."
This is reminiscent of the 2008 financial crisis, from which we discovered -- among many other difficult lessons (if they even qualify as "lessons" -- a term that indicates we have genuinely learned something) -- that all investment banking risk officers are not created equal. CROs who rose up the ranks from the trading floor had more credibility and influence (i.e., their guidance was more likely to be listened to and followed) than risk officers with strictly functional grooming.
So, how do we get at these less tangible and perhaps less easily measured dimensions of risk management effectiveness -- dimensions that cover leadership, culture and individual behavior?
That's up to the practitioners, consultants and academics, of course, but it's also up to board members, shareholders, business bloggers and anyone else who has a stake in more effectively preventing the type of systemic risk management failures that can bring a global economy to its knees.
I'm open for input and ideas, like this one from the realm of U.S. politics, which is suffering from an innovation-crippling two-dimensional problem of its own, according to philosophy professor John Perry.