Whether or not faulty enterprise risk management systems were responsible for failures in the financial sector is being hotly debated, but most in the risk management profession agree that with some tweaking, ERM is here to stay. In fact, some contend the economic meltdown only proves how valuable the concept will be–if performed correctly and if given the proper support.

Indeed, one leading consultant says ERM–being a more complex game like chess–is still relatively new to the risk management world, contending that more time is needed for the approach to evolve, develop best practices and take hold.

Not all are so forgiving. In a recent speech, Robert P. Hartwig, president of the Insurance Information Institute in New York, declared that “the financial crisis is the result of a failure of risk management in the banking and securities markets on a colossal scale.”

He added that “very fundamental and tough questions about the practice of risk management worldwide must be asked and answered.” Among them:

o “How did so many major, allegedly sophisticated financial players miss or overlook such huge, systemic exposures?

o “What other shoes might yet be left to drop?

o “How can we prevent this from ever happening again?”

However, others are rushing to the defense of ERM. Indeed, a report by the New York-based Risk and Insurance Management Society concluded that our current woes did not “arise from a failure of risk management as a business discipline.”

Carol Fox, former chair of the RIMS Enterprise Risk Management Development Committee, defended ERM during a RIMS webinar on: “The 2008 Financial Crisis–A Wakeup Call for Enterprise Risk Management.”

She said those companies that followed the precepts of risk management for their enterprise–such as Goldman Sachs–helped protect their firms against “the worst of the downturn.”

Ms. Fox, senior director of risk management of Convergys Corp., emphasized that to be effective, ERM must “fundamentally change the way organizations think about risk.”

The study characterized the financial crisis as a result of the “failure to embrace appropriate enterprise risk management behaviors–or attributes–within these distressed organizations.”

She said RIMS believes the financial crisis is a “call to action,” adding that the crisis makes an even stronger case for ERM. Ms. Fox observed that many financial organizations failed to:

o Adopt an ERM culture.

o Embrace and demonstrate appropriate ERM behaviors.

o Develop and reward internal risk management competencies.

o Use ERM to inform management decision-making in both taking and avoiding risks.

When reviewing their governance infrastructure, Ms. Fox said companies need to be sure they have “authorized escalation points outside of the normal reporting,” as well as ways to make sure important information gets to the board and/or key decision-makers.

She charged there was “a failure to imbed ERM best practices from the top down to the trading floor, with the mistaken assumption that there was only one way to view a particular risk.”

A factor leading to the failures of financial companies, she said, was an overreliance on the use of financial models, “with the mistaken assumption that the risk quantifications based solely on financial modeling were reliable as predictive tools to justify decisions to take risk in the pursuit of profit.”

She also pointed out that most financial models rely on an expected distribution of losses based on past experience.

Another factor in the financial meltdown, she added, was an overreliance on compliance and controls to protect assets, “with the mistaken assumption that historic controls and monitoring a few key metrics are enough to change human behavior.”

Ms. Fox said controls typically are based on standards or regulatory guidance. Standards, she explained, are a collection of best practices and guidelines, which are developed collaboratively over time and based on experience.

Howard Stecker, senior vice president with SMART Business Advisory and Consulting in New York, said risk managers may come out of all this with more authority in their company. “My conjecture is that those companies that have had real problems stemming from misidentifying risk, I would think the chief risk officer position would gain more focus,” he observed.

What may help the most, he added, is outside pressure from regulators and rating agencies. Also important is the sustainability of the risk management processes at an organization. In other words, he said, because some of the processes are repeated every day, it's important to determine their sustainability.

“If a company takes six months to pull the information together to do their risk evaluation, a lot happens in six months these days,” Mr. Stecker said. “So how valid is the information you collected six months ago and how helpful is it?”

He projected there will be much more focus on finding more timely and efficient ways to collect information to help with evaluating risk.

One of the issues, he said, is that much of the information needed comes from a multitude of data sources throughout the company, which requires pulling data together in new and different ways than systems might have been designed to do.

“The owners of the data sources need to be connected more to that process,” he said. “All it's going to take is a rating agency to downgrade somebody because they get spooked about their risk management policies. Effectiveness is what ratings agencies are looking for in ERM programs.”

He also wondered whether the term–ERM–may need to be changed. “I wonder if [ERM] is descriptive enough…It may be an outdated term that has a stigma attached,” according to Mr. Stecker. (To weigh in on this question, go to Caroline McDonald's April 10 blog at www.noriskzone.com.)

Patrick Finegan, a principal with Towers Perrin and senior consultant in its ERM practice, said that skyrocketing interest in ERM “is borne out by our own evidence. We've never seen a search like this before at our domain.”

A trickle of interest “became a steady stream” with the announcement by Standard & Poor's–first on a tentative basis in December 2007, and finalized in May 2008–that it would make ERM a crucial component of its credit rating analysis of all corporations. “That turned the attention of directors and treasurers to ERM, and many of them were unprepared to address some of the very simple questions S&P was presenting to them,” he noted.

The trickle of interest that had become a stream after the announcement “became a flood, really–with the collapse of Lehman Brothers in mid-September 2008, with the request for an $85 billion bailout by AIG and the takeover of Fannie Mae and Freddie Mac–all within the space of a week,” Mr. Finegan recalled.

Immediately following the collapse of Lehman Brothers, he said, Towers Perrin conducted a survey of financial officers.

“We expected a lot of tactical responses–that they were renegotiating credit lines, preserving cash,” he said. “All these things have come to pass. But when asked to pick from several things that were of major concern to them as a consequence of the financial crisis–then a week old–72 percent of the respondents said they were concerned about vulnerabilities of their own ERM practices.”

What's more, the response was “cross-sectional–from every major industry represented on the Fortune 500,” he added.

The survey alerted them that “we were going to see a real surge in interest by the risk managers themselves in evaluating whether there were gaps in what they were doing. We've seen that echoed now by boards of directors.”

Who is responsible? Clearly top management, he said, who will “create a department, a risk management department, to deal with risk” that may comprise one or many sections in an organization.

The key to ERM is “the enterprise part,” Mr. Finegan added. “Companies have begun to learn that unless you're looking at all the moving pieces simultaneously out of one department, or at least have the ability to do so, it's likely you'll miss interactions between the moving parts and a perfect storm. For example, the convergence of so many disruptive market movements in September cannot be on the radar, because you're looking at everything on a silo or bunker basis.”

He also pointed out that “the thing to remember is ERM is still very young and we're learning a lot as we're going along.”

Mr. Finegan added that “if I had a lesson for risk managers, it would be to approach the subject with humility. Because it's such a young discipline, it's foolish to think that any company or industry or industry body can formulate highly particularized best practices that can be applied to all companies.”

He added that there isn't a set of standards “we can rely upon and presume it will guide us through crisis after crisis.” The best risk managers can do, he said, is to formulate guiding principles–building blocks of good ERM programs.

The other major lesson, he said, is that ERM is not about compliance. “I think, especially at the commercial banks, that companies fell back upon compliance like check lists, upon routines that they filled in the blanks and made sure someone had signed off on that line item, and they got a false sense of security.”

However, he added, risk management is not about “what you've seen in the past–it's about what you haven't seen. It's about looking ahead to emerging developments on the horizon.” Sometimes there are signals and sometimes there aren't, he warned, “but good risk management is about the unexpected loss.”

A good analogy for enterprise risk management, he suggested, is chess.

A lot of games are deterministic and can only be played in a finite number of ways–like checkers, he noted. In chess, however, “your response cannot be scripted,” Mr. Finegan said.

However, he pointed out, experienced chess players fall back on principles, strategies and tactics that have been “honed with years of experience, which over time will generate better odds of succeeding.”

In looking at financial storms of the past, he said, “what we've found is the companies that are better prepared from a risk management perspective do better–but that does not mean they don't suffer losses.”

He pointed out that Goldman Sachs “sits on a pedestal, because its risk management practices over the years have historically and consistently been better than that of its competitors.”

Was the firm hurt by the financial crisis? “Of course it was,” he said. “It took a tremendous amount of money from the federal government in the Troubled Asset Relief Program.” Goldman was also, he noted, the first institution thinking viably about buying its way out of the program.

When Hurricanes Katrina and Rita hit, he pointed out that most insurers were already being rated on the basis of their ERM practices by S&P. “It was the first controlled comparison between the so-called ERM ratings and ability to withstand Katrina and Rita,” Mr. Finegan said. “To the best of my knowledge, no major insurer went belly-up during 2005's hurricane season. However, the vast majority of insurers had to restate their reserves multiple times.”

These insurers, he said, told the market what they thought their losses were, “and then they had to eat their words multiple times.” A core group of insurers, however, did not–and “all of them were rated strong or excellent on risk management metrics by Standard & Poor's,” he noted.

The lessons learned, he said, are that organizations:

o Cannot approach their discipline as a compliance exercise.

o Need to realize that the discipline is evolving–the tools are getting better, but best practices today will not be best practices tomorrow.

o Good ERM spans all areas of governance, not just reporting and not just controls.

While there is much debate about the reasons ERM failed in the current economic crisis, he said, “I think what has happened in a number of organizations is that the more successful a company or operation is, because of favorable market conditions, the less likely it is they want to hear from risk managers.”

During a housing boom, he said, the higher the prices for houses go, “the less tolerance, the less patience mortgage lenders have for listening to someone saying there will be a correction. No one is willing to believe the spigot will run dry.”

Meanwhile, risk managers can “shout as loud as they want, but unless the board and the senior executives provide the right tone, nothing will happen,” he added.

Will the financial crisis change ERM? “We've never seen such a surge. We've never had so many companies ask us to do a risk governance review, and the requests are coming from directors–directors do not like being in an uncomfortable position,” he said.

The problem has been that board directors have routinely, every quarter, received a risk report from the company.

“That report has seemed to be comprehensive and thorough, and yet so much has gone wrong,” he said. “So there is–perhaps more now than in my lifetime–a general uneasiness among board members about the quality, reliability and candor of the information they're receiving from management.
