One factor leading to the failures of financial companies, she said, is an overreliance on the use of financial models, "with the mistaken assumption that the risk quantifications based solely on financial modeling were reliable as predictive tools to justify decisions to take risk in the pursuit of profit."

Most financial models rely on an expected distribution of losses based on past experience, she explained.

While financial institutions expect there will be losses and manage the risks based on mathematical predictions, the "probabilities of greater deviations are commonly believed to be insignificant--and returns often are lucrative," meaning the financial models often are ignored, she said.

While financial modeling can raise important issues, Ms. Fox said it can "entirely miss other areas that present equal or other serious consequences."

Another factor in the financial meltdown, she added, was an overreliance on compliance and controls to protect assets, "with the mistaken assumption that historic controls and monitoring a few key metrics are enough to change human behavior."

Ms. Fox said controls typically are based on standards or regulatory guidance. Standards, she explained, are a collection of best practices and guidelines, which are developed collaboratively over time and based on experience.

"They are expanded or modified periodically to reflect new practices," she said. "As such, controls do not evolve in scope or speed to keep up with new risks being taken." They also are not designed to be predictive of emerging or future risks, she noted.

Ms. Fox said another cause of breakdown was "a failure to properly understand, define, articulate, communicate and monitor risk tolerances, with the mistaken assumption that everyone understands how much risk the organization is willing to take."

She added that with "20-20 hindsight, one can only speculate that if a fully understood risk tolerance level had been imposed by all financial institutions on their respected mortgage securities exposures and the market of collateralized debt obligations regardless of probability metrics, the current crisis may have been mitigated to a large extent, if not prevented altogether."

She added, "There was a failure to imbed ERM [enterprise risk management] best practices from the top, down to the trading floor, with the mistaken assumption that there was only one way to view a particular risk."

Ms. Fox added that financial institutions were among the early adopters of ERM; however, "even if senior leadership sponsors the development of an ERM program, that's not enough for ERM's foundational principles to take root and flourish."

In addition, she said that as humans "we tend to focus on what we expect to see. In such an environment, the credit risk of collateralized debt obligation securities was missed. What was viewed by at least one company as a market risk turned out to be, in fact, a credit event. As a result, organizations were caught unaware."

"In speaking of the failures at Fannie Mae and Freddie Mac," she said, "Rep. Henry Waxman, chairman of the House Oversight and Government Reform Committee, said, 'Their own risk managers raised warning after warning about the dangers of investing heavily in the subprime and alternate mortgage market, but these warnings were ignored.'"

This example, she said, illustrates a governance failure, preventing a direct connection "between the risk management function and the persons responsible for monitoring the adherence to risk management principles."

But while she said risk managers were largely not at fault, she summarized, "Ultimately, when we looked for a cause of the current financial crisis, it's critical to remember that organizations failed to behave in a number of critical ways.

"They failed to truly adopt an ERM culture; they failed to embrace and demonstrate appropriate ERM behavior; they failed to develop and reward internal risk management competencies; and finally, they failed to use ERM to inform management decision-making in both taking and avoiding risks."

In an online poll, where risk managers rated their firm's risk management program from one to five, with one being "defensive" or basic risk management, and five an optimal ERM approach, listeners indicated: 18 percent were at level one, 23 percent were at level two, 50 percent said their company practices "advanced risk management, 9 percent were at a level four, and none said their company practiced fully optimal ERM.