Touted as the exemplar of risk management, enterprise risk management (ERM) is being re-evaluated in the aftermath of the subprime market meltdown. A strict methodology guiding companies to identify, measure, assess and monitor all risks to an organization--including their interplay within and across business units--ERM initially was embraced by financial institutions, followed by insurance and energy companies. In many cases, a new C-level position--the chief risk officer--was christened to oversee the effort. Given the veritable parade of CROs exiting the financial institutions sector in recent months, companies are now asking the obvious: Did ERM fail and, if so, why?
ERM guru James Lam navigates the question by responding that ERM both failed and succeeded, the latter a reference to the few Wall Street firms that sailed safely through the shoals, while others shipwrecked. "JPMorgan in the banking industry and Goldman Sachs in the securities industry--both well known for their ERM capabilities--actually did quite well relative to their competitors," says Lam, president of James Lam & Associates. "Other firms, of course, didn't see the signals." Those firms are the headline grabbers of the day--Bear Stearns, Countrywide Financial, Ambac, MBIA, UBS and Swiss Re, among others. Several have waved goodbye to their CROs, including State Street Corp., Ambac, Washington Mutual Inc. and Citigroup. Some CROs quit in disgust, never really given the opportunity to ride herd on an enterprise-wide risk management system or simply ignored by traders who ran amok in their own fiefdoms. Others were fired as scapegoats, left holding the bag for mistakes beyond their control. "When the onion peeled back, it disclosed that one part of the bank wasn't talking to the other--it was almost that simple," says Mat Allen, enterprise risk services practice leader at insurance broker Marsh in New York.