The ongoing financial crisis underscores the need for companiesto take a sobering look at their approach to risk management.

Among the many lessons to be learned, one is immediately clear:The subprime debacle represents a failure in riskmanagement, rather than a failure of risk management.

We are still not out of the woods and there may still be moreshoes to drop, but some general views are emerging.

While there are many reasons why we are in this crisis,inadequate risk management practices feature high as a contributoryfactor.

Clearly, improvements need to be made, and we see three aspectsof enterprise risk management implementation that need to bestrengthened.

First, far from being a compliance exercise, risk management isa strategic imperative and should be treated as such.

Second, financial managers should urgently reassess the adequacyof their current risk management capabilities in order to doso.

And finally, the greatest shortcoming is cultural–managementshould improve the engagement of employees, as well as the boardand senior executives responsible for risk management.

So, how do you go about strengthening ERM implementation?

Based on surveys and discussions with finance managers in avariety of industries, the commitment to ERM remains strong, andthere is increased urgency to strengthen ERM implementation.

Although there are many ways to do this, we have identifiedthree areas of focus and recommend specific actions within eacharea that require immediate attention.

#1: Treat ERM as a strategic imperative.

If ERM is to be truly integrated with how firms are managed,then implementation must begin with active engagement of the firm'sboard and senior executives. Try the following steps:

o Reinforce the role of the chief riskofficer:

This is the single most important action that a company can taketo recognize ERM as a strategic imperative. Many companies haveappointed a senior executive (often a chief risk officer, orenterprise risk manager) to oversee risk management for theirentire organization.

The current financial crisis has shown us that merely makingsuch an appointment is not sufficient. If–as we believe and oursurveys indicate–ERM is viewed as critical to the survival andprofitability of a firm, then the CRO's responsibility must becommensurate.

Studies have shown that problems arise when risk management doesnot have a seat at the management table, or when risk management'swarnings are ignored, or when risk management is performedunevenly. No doubt, authors and academics writing the history ofthe current crisis will find evidence of all three.

The current validation of the risk management function couldresult in a dramatic improvement in corporate prestige.

Just as a CFO has a specific set of responsibilities, we maysoon see a convergence of responsibilities that are aligned withthe CRO. Indeed, these new responsibilities may require theestablishment of new professional standards and levels ofexperience for future CROs.

As stakeholders come to realize the importance of riskmanagement, CROs may see their professional and fiduciaryobligations increase. And as regulators and the financial industryseek ways to prevent past mistakes, risk managers will likely playan increasingly important public policy role.

o Increase board engagement on risk:

We expect that boards should and will demand better metrics andinformation about risk management performance. Not only will theboard's level of questioning dig deeper and be less satisfied bytraditional compliance or audit reports, the questioning will placea premium on verifiable evidence of employee involvement.

We anticipate a significant increase in the number ofboard-level risk oversight committees, and we expect that theirscope of oversight will be broad.

o Align incentives to reflect risk:

Although this has been a topic of discussion for some time, thecurrent crisis has demonstrated that compensation practices can beat odds with managing risk appropriately. We believe thatcompensation programs will undergo a transformation as companiesattempt to rid themselves of inducements to exceed stated risktolerances.

We expect the scrutiny of incentive compensation programs,historically left to policymakers and investor groups, will comeincreasingly from boards of directors and fellow managers, who areloathe to share the fate of companies that have failed in the wakeof this crisis.

#2: Improve your ERM capabilities.

Companies need a variety of skills, methodologies, tools andprocesses to manage risk appropriately. Each of these is probablyworth reassessing in the current environment to identify andovercome any significant shortcomings.

If one of the aims is to add up all the bits to develop a viewof aggregate risk exposure across the firm, then two issues needurgent attention.

o Recognize operational risk as material.

In our experience, there is a fundamental disconnect between theway institutions view operational risk and the way operational riskmanagement should be implemented. To a large extent this may occurbecause the term operational risk conjures up images of day-to-dayprocessing errors.

These minor operations issues are often only a small part ofoperational risk, which is driven in large part by catastrophicfailures in management (such as, inappropriate sales practices orunauthorized activities).

A significant number of corporate bankruptcies and insolvenciesduring the past 20 years have been caused by operational failure.Indeed, the current financial crisis can be viewed as a failure ofoperational risk management at so many levels.

o Fungibility should be stress-tested.

One lesson made clear from American International Group'snear-collapse is that capital and cash are not fungible within thedifferent parts of a conglomerate financial institution.

Legal and regulatory restrictions limit the flow of capital andcash between legal entities within an enterprise. Even if theneeded funds were available, these restrictions would haveprevented AIG from dealing with its problems.

Some type of fungibility testing has been suggested within theEuropean Union's Solvency II framework, and its potential value torisk management is now evident. Understanding the limits of capitaland cash flow between legal entities within the same organizationis vital.

# 3: Understand and manage your riskculture.

At the end of the day, good risk management results from peopledoing the right thing. It is not sufficient for ERM to impact onlya few people at the top of the organization, nor should it be puton the shoulders of employees without proper guidance. Youshould:

o Establish clear guidance onaccountability.

Much has been said about setting the right “tone at the top” forERM. Companies still have a long way to go to do that in a way thatis clear and engaging to employees.

A starting point may be to articulate a company's mission,vision and values as well as its risk strategy and objectives.

Ultimately, though, it is management's own actions in holdingpeople accountable in a way that reinforces the alignment ofinterests of employees, management and other stakeholders that willmake a difference.

o Assess your risk cultureregularly.

To make a difference in employee engagement, management needs todetermine whether their impression of the company's risk culture isborne out by rank-and-file opinion.

Employee risk awareness and engagement should be assessedregularly to identify gaps between management expectations andemployee understanding, with appropriate measures undertaken tobridge the divide.

These three aspects of risk management and supportingrecommended actions were put forth with the view that had suchpractices been more firmly established, perhaps we might not be inthe midst of such a severe financial crisis.

It is the actions we take now that can help us prepare tonavigate the complex and inherently risky world of the future.

Prakash Shimpi is a global practice leader ofenterprise risk management at Towers Perrin in New York. He is aFellow of the Society of Actuaries and a Chartered Enterprise RiskAnalyst. This article is based on his essay written for the Societyabout the financial crisis. He can be reached at [email protected]