The global financial collapse should have sent corporateexecutives running to implement enterprise risk management (ERM)strategies, but so far it hasn't.

That's the conclusion of two recent reports by KPMG and the RiskManagement and Insurance Management Society (RIMS) that both issuewake-up calls for corporations to revamp and strengthen ERMpractices. “This is an imperative that says, in order to preventanother financial catastrophe, organizations must change the waythey think about risk and consider implementing an enterprise riskmanagement program or improve the one they already have in place,”warns Joseph Restoule, RIMS president and head of risk managementat NOVA Chemicals Corp.

Most companies remain out of the loop. For example, when KPMGasked 130 audit executives and board members about their ERMstrategies, the consulting company found deficiencies around riskculture. Almost 60% acknowledged that their companies' employeeshad little or no understanding of how to assess risk.

What's more, despite repeated warnings that ERM's successdepends on support from the C-suite as well as board members,one-third of the corporate executives interviewed by KPMG said thatthe top leaders at their organizations had no risk managementtraining or guidance, with only 16% receiving frequent or at leastannual training. That's unfortunate, says Restoule: “The key tosuccessful ERM practices depends on certain behavioral attributesof the organization at all levels.”

John Farrell, KPMG's lead partner for ERM comes to the sameconclusion. “When ERM programs miss the 'behavioral' piece of theequation, there is no foundation for critical thinking and judgmentaround decision-making,” he says “All executives–particularlysenior management–must understand the risks facing theirorganization in order to help define their company's risk appetiteand effectively manage risks.”

The just published RIMS report, The 2008 Financial Crisis: AWake-up Call for Enterprise Risk Management, also blames riskmanagement failures on an over-use of financial modeling, anover-reliance on compliance and control, the lack of understandingabout risk tolerances and failure to incorporate state-of-the-arttechnology. Indeed, just one-fourth of the respondents to KPMG'ssurvey said their companies apply technology to their ERM programs.Another 25% said they are considering technology purchases in thisarea.

Once the “tone from the top” is established, KPMG suggestsaligning the process to strategic objectives to drive businessvalue. To revamp and strengthen ERM, companies need to establish asingle view of risk, with a common risk language, categories,evaluation factors and response options, and also make sureinternal auditing resources are spread across the company. Programsthat aren't enterprise wide are doomed to failure, Farrell says.“When risk management is siloed without one person or team owningthe process, no one has visibility to aggregate exposures andaccountability for the decisions and risk interrelationship can'teasily be identified,” he says.