What do terrorism and regulatory compliance have in common?

The dramatic shift in the way American businesses define risk. Traditionally, risk has been divided into three categories: market, credit and “other.” Suddenly, risk management is no longer just about preventing bad loans or dealing with Mother Nature. The wake up call of September 11th and high profile indictments at Enron and others have spurred feverish activity in disaster planning and raising the bar on fraud. However, some of the most important lessons on how to create a culture of risk management have yet to be learned.

What is the cost of not asking the right questions?

The World Trade Center attack dealt a devastating blow to many financial institutions and made an impact on the nation’s economy when it shut down the New York Stock Exchange. The grounding of airlines temporarily stopped the flow of paper checks. The industry responded by spending billions of dollars to protect themselves from future incidents based on the effects of risk. The bad news, however, is that a reactive approach to focusing on preventing the disaster that just passed may be causing people to ignore other equally devastating risks.

At the Securities Industries Association’s recent Risk Management Conference, keynote speaker Thomas Russo, Vice Chairman and Chief Legal Officer, Lehman Brothers, Inc. got attendees buzzing when he told them that potentially catastrophic risks are still being overlooked. The bird flu or similar epidemic could be extremely problematic for businesses that concentrate key people in geographic locations, Russo pointed out. While the likelihood of a bird flu epidemic hitting this country is up for debate, what if your outsourcing facility in India or supplier in China was hit by bird flu? It illustrates precisely why every company (not just those in financial services) needs a comprehensive program of risk management.

A bank with all its wealth management specialists in a single region that suddenly gets hit with a fast-moving virus could be severely impacted. If a medical epidemic was not even on management’s risk radar screen, what happens when the data is fine, but the people are gone? How to do you make an action plan for so many things that have not happened yet?

What is the cost of not establishing a risk culture?

Companies learned how to survive a terrorist attack by living through 9/11. Enterprise risk management (ERM) provides organizations with that same valuable knowledge without the pain of experiencing a difficult event. With ERM, companies move to a proactive mode to assess the impact, likelihood and effectiveness of controls related to risk, and develop mitigation plans. ERM is a proven discipline that provides hard numbers and invaluable assessments, which often yield results that surprise even the most hands-on managers.