Risk Management and the Financial Crisis
You can’t have a compensation structure that will cause you to have good
risk management. You have to have a risk management structure that
will cause you to have good risk management. You can have a
compensation structure that could negatively affect your risk
management, but I think it is very hard to make it positive. It is very hard
for your compensation to cause you to have good risk management. You
need to have good risk management to have good risk management.
—DAVID VINIAR, 2010
While flawed risk management was one of the fundamental causes of the financial crisis, the roles of the chief risk officer and risk managers were only part of the larger culture, governance, and management that distinguished successful firms from those that failed.
Risk management refers to the process by which an organization identifies and analyzes threats, examines alternatives, and accepts or mitigates those threats. In its current form, risk management is a new discipline, both in terms of organization of the risk management function and in terms of ways to assess risks. Firms differed whether they kept the risk management function separate from revenue-generating operations, merged risk management into line units, or adopted a hybrid approach. Successful firms such as JPMorgan Chase, Goldman Sachs, Wells Fargo, and Toronto Dominion managed risk in different ways. What they had in common was a respect for the risk function and the importance of managing risk-return trade-offs on a firm-wide basis. Unsuccessful firms frequently dismissed (Freddie Mac), sidetracked (Lehman), isolated (AIG), layered their risk officers far down in the firm (Countrywide), or otherwise disregarded them (Fannie Mae). At many firms, enterprise risk management expert Stephen Hiemstra explains, risk management was a compliance exercise rather than a rigorous undertaking.1