risk management

It’s not enough!

A very interesting column  from the FT’s Andrew Hill today, arguing that risk controls and processes on their own aren’t enough.

“The $2.3bn trading scandal at UBS … makes me wonder whether corporate boards have fully appreciated the risks of relying on risk managers.”

“Companies that put all their trust in risk controls – human or technological – foster dangerous complacency at the top.”

He goes on to point out that there are equally serious, but different, risks involved if all responsibility for risk management is in the hands of the boss.

The real point is that a modern corporate enterprise is a complex system, and relying on a single mechanism to manage your risks is just plain stupid. You need redundancy, so that if one control fails, there’s something else that might pick it up. And you need redundancy at all levels, from the detailed systems and controls through to the whole-enterprise level. So as well as good risk managers, and a good risk management system, and a board who are on top of the whole thing, the corporate culture (at all levels) has an important role to play.