I came away from the RSA conference with the impression that most practitioners actually believe that the current financial meltdown was a clear example of risk management failing the financial sector. This was even a major point made by Art Coviello, President of RSA, in his opening keynote. But it’s an incorrect assumption, based on a flawed perspective of the true purpose of risk management.
The sub-prime crisis was a classic example of the spectacular success of financial risk management. As I have long emphasised, risk management is a decision-support device, not a decision-making one. If you have any business sense, you wouldn’t possibly make any decisions on the basis of a crude, oversimplified, uncertain and context-free calculation. You’d make them on a much richer set of facts that included important personal and political considerations, such as bonus targets and market expectations, as well as unwritten assumptions, such as the fact that many existing policies will be ignored in the event of a major crisis.
Risk decisions are the prerogative of the responsible business manager, not a spreadsheet or a piece of software or the assessment of a junior technician in the IT department. And the financial crisis clearly demonstrated the power and effectiveness of risk management methods to deliver a convincing assurance to auditors, regulators, shareholders and governments. It creates an illusion of control. That’s what it’s there for. And it’s been spectacularly successful.