Wind the clock back two years and the world was a very different place: Banks were money-making machines, still basking in the glow of their latest round of record profits and protected by the world's smartest and best-equipped risk managers. Today, the banks' Midas touch has deserted them and the same risk managers who were once thought to be bullet-proof are now seen as ineffectual, weak, a waste of money. For risk managers in other industries, the banking crisis offers lessons aplenty. It could also lead to a credibility crisis.
"What I've been hearing is this 30,000-foot criticism of risk–the idea that banks created enterprise risk management and look where it got them; it doesn't work," says Mark Beasley, the Deloitte professor of enterprise risk management and director of the ERM initiative at North Carolina State University's College of Management. "That's not my view, but people are becoming quickly and naively critical of risk management and the way we manage risk."
Across the Atlantic, the story is the same. Paul Hopkin, London-based technical director with the Association of Insurance and Risk Managers (AIRMIC) says the banking industry's failures may have undermined risk management: "We don't see a falling off in membership or in member activity, but I think when the news is constantly saying, 'Risk is bad, risk management is rubbish,' that drip, drip message will inevitably make people more critical of risk management and what it can deliver."
The danger isn't that risk managers themselves will become disillusioned (experts like Beasley and Hopkin argue that banks were not let down by risk management itself but by failures in the way it was implemented) but that senior executives and boards will become more skeptical about the claims made on behalf of risk management. That may already be happening.
Mat Allen, head of enterprise risk services and solutions with Marsh in New York, recounts the story of a recent client meeting in the southeastern U.S. Allen had been talking about Standard & Poor's decision to include ERM in its debt rating criteria when the company's chairman held up a hand and asked why he should be expected to accept the judgment of a rating agency on risk management when the agencies had completely failed to spot the problems building up in structured products and banking.
For many risk managers, battling doubters is nothing new. The discipline is often viewed as a compliance function and claims that it can add value are sniffed at. "There is always skepticism about ERM because it is not well understood," says David Fox, who heads the enterprise risk function for Houston, Texas-based engineering firm KBR, which had 2008 revenues of $11.6 billion. "Is there increased skepticism as a result of the banking crisis? Sure. But that's OK. Too many had gained a false sense of security from models that were not understood. ERM will have to change to be more effective."
Claes Mårtenson, group risk manager at Brussels-based global chemicals giant Solvay, with annual revenues of 9.49 billion euros, or about U.S. $12.38 billion at current exchange rates, says the discipline can only defend itself if management is convinced that it is worth the time and money: "There are companies out there who just pay lip service to risk management. They do it because they have to do it, and if it's just seen as a burden to the company, then they could decide it's an area where they can make cuts in difficult times. That's certainly something that could happen."
So, what can risk managers learn from the crisis–and how can they guarantee support from their bosses? Tom Teixeira, the London-based vice president for enterprise risk solutions with software vendor Strategic Thought, and a former head of enterprise risk at Rolls-Royce, says risk managers can add value by getting close to the business, understanding the business plan and then carefully analyzing and managing the risks that could prevent the business from executing that plan.
But that kind of talk makes AIRMIC's Hopkin uneasy. He accepts that risk management needs to have clearly defined goals, but says the banking crisis has shown that defining those goals in reference to business objectives is a dangerous game. "Risk managers often say that you identify your risks by analyzing your objectives, but that assumes that your objectives are wise and sound–which, as the banks have demonstrated, may not be true at all. For example, if your objective is to achieve a 20% return–and we are bloody well going to do it because my bonus is riding on it–then the risk management process is going to be fatally flawed," he says.
In addition to thinking about business objectives, risk management should look at key dependencies, he argues–the things that could kill a company. As an example, Hopkin points to one of the growing legion of failed banks that the crisis has produced, Northern Rock, a U.K.-based mortgage lender that had a small deposit base and relied for much of its funding on the smooth running of the mortgage securitization markets. When those markets froze, the bank was tipped into a fatal liquidity crisis. "If Northern Rock's risk managers had asked the question 'What do we, as an institution, need to survive?' maybe they would have identified this critical dependency," he says. "It certainly wouldn't have come out of a risk analysis which was focused only on business objectives."
A second lesson concerns the role of risk models. Banks had been held up as an example to risk managers in other industries because of their ability to precisely quantify their exposures. But the crisis has demonstrated that ERM is about much more than measuring risk, says KBR's Fox: "The need for ERM in operating companies has been magnified by the banking crisis. However, risk quantification as practiced by the banks does not provide a meaningful ERM template. Apparently, few of them were able to convert the model-driven numbers into timely conversations about managing risk."
Instead of producing numbers, Fox argues that the focus of ERM has to be on actually managing risk, and doing so by focusing on more elusive concepts like attitudes, behavior, governance and communication: "KBR is focused on how to marry risk awareness with expert and timely perspectives about emerging and strategic issues. I think this has to be done qualitatively."
North Carolina State's Beasley argues that the models themselves were not to blame, but that the problem was one of governance and communication. Standard tools like Value at Risk (VaR), which purports to show banks how much money a trader, desk or business could lose in a single day, gave banks too much confidence about the risk they were running, critics allege. Expecting to be on the hook for a maximum of, say, $50 million if markets went against them on any given day, banks were caught flat-footed by losses many times bigger. But VaR numbers are only supposed to apply in normal trading conditions. Many people within the banks would have understood those limitations, says Beasley, but this understanding fell away further up the management hierarchy. "Part of the problem was that as the information was communicated upward, the limitations were overlooked, forgotten, ignored."
In the nonfinancial world, models are far less common. But they are starting to spread and the banking crisis can help companies build appropriate reporting and governance frameworks around them, Beasley argues: "Models don't have to be very sophisticated. As an example, if an airline is trying to work out where seat prices are going to be in the near future, there are a few major inputs to that pricing dynamic–fuel prices, market demand, the economy. You could do 10,000 simulations of the changing factors that determine pricing decisions using a simple Excel add-on. So there are any number of uses for models in the corporate world, but I think my caution would be this: As companies improve their modeling, they must never fall into the same trap that some banks did. You always have to step back and apply judgment to the numbers coming out of the model."
As a result of the economic slump, many companies are doing more modeling, says Strategic Thought's Teixeira. Because financing markets have been shut down, sales are being squeezed and exchange rates are volatile, companies are desperate to understand the volatility of their cash position and cash requirements to avoid slipping into a liquidity crisis of their own: "A lot of the organizations that I am dealing with are implementing brand new frameworks. They are starting from scratch and they may have very little data at this point, but they have this need, this want, this thirst to understand what the future may bring," he says.
Melissa Cameron, a principal in the regulatory and capital markets practice of Deloitte & Touche in New York, is seeing the same thing. She says that around half of her clients, typically Fortune 500-size companies, model some of their balance sheet numbers, and those that lack that capability are now scrambling to put it in place: "Our phones are running hot," Cameron says.
Companies could also learn something about risk management culture, a vague term that is used as a catch-all for attitudes and behavior as they relate to risk. "Banks didn't get into a mess because their models were wrong, they got into a mess because the culture was wrong," says Alex Hindson, head of enterprise risk management with Aon Global Risk Consulting in the U.K. "A big issue is how you sanction poor behaviors, inappropriate risk-taking, how you respond to bad news. If the answer is 'Just keep bringing money in, but I don't want to hear about what might go wrong,' then people are not going to talk about it and things will snowball."
One of risk management's mantras is that outsize profits should be treated with as much caution as outsize losses. While many banks ignored that rule, some institutions chose to swim against the tide, says AIRMIC's Hopkin. Banks like HSBC maintained a minimal exposure to the booming credit businesses that eventually capsized their competitors and were initially criticised by analysts and investors for producing slower earnings growth. HSBC has been feted as wise and conservative, although–like the rest of the sector–it is now seeking to bolster its capital base.
A final lesson might be to remain humble and keep striving to improve. Solvay's Mårtenson is a member of a networking group in which risk managers from the finance, energy and industrial sectors share ideas and discuss practices. He recalls an occasion on which risk managers from one large company delivered a glittering presentation of their ERM capabilities. A few months later, the company found itself in such difficulties that it was acquired by a competitor. "Some people told the risk management community that they had figured out ERM. If that was really true, their companies wouldn't be so badly managed," he says.
In Solvay's case, Mårtenson guesses that the company is one of the 20 best companies in Europe when it comes to ERM, but he also estimates that Solvay is only about halfway to managing risk as well as it could.
"We want to stay humble, keep learning," Mårtenson says. "There is a long way still to go."