Having failed to anticipate a series of recent catastrophes, from the housing crash to the liquidity crisis, it comes as no surprise that fully 96% of senior executives said in a recent Ernst & Young survey that their companies' risk-management processes leave room for improvement.
Many will argue that the "black swan" nature of the crisis defied prediction, but Douglas Hubbard, president of Hubbard Decision Research, counters that "none of the events we've experienced was completely unforeseeable, even if it was extremely unlikely. The data exists, but we get lost and overwhelmed by it."
Sam Savage, a Stanford University professor and author of The Flaw of Averages, sees important new tools emerging, such as visualization software that displays data pictorially, helping executives to see correlations more clearly. He is also keen on interactive simulations that work like mega-spreadsheets: adjust the level of an event's probability and the program will compute the way a given tweak ripples through other assumptions.
Many experts now believe that companies need to shift the locus of risk assessment from specialists to a broader base of employees. "Companies like J.P. Morgan and Goldman Sachs didn't fall down the same rabbit hole as the other investment banks, because they had a culture of intelligent risk-taking, where employees were accountable for sounding a warning if something didn't seem right," says William Bojan Jr., president and CEO of Integrated Governance Solutions. "Risk management has to be in the fabric of the company."
In October, a report from the Senior Supervisors Group, made up of financial regulators in seven countries, found that despite some recent improvements, financial institutions continue to overestimate the quality of their risk-management systems. They still have substantial work to do, and investments to make, in the IT infrastructure that supports certain facets of risk assessment. Yet the E&Y survey (which included companies in all industries) found that only 6% of organizations plan to significantly expand risk-management resources over the next 12 to 24 months, while 32% anticipate a slight increase.
Some lessons, it seems, aren't learned so easily.