Risk management is almost an oxymoron - like Jumbo Shrimp. Firms that are great at risk management are fastidious about statistically significant effects, but at the same time can make brilliant leaps of insight on small amounts of data. They can create the most comprehensive models with genius analytics, and spend just as much time breaking them apart. They can work like crazy to predict everything, but simultaneously stand ready to react to those unpredictable events - when the unexpected happens.
This wonderful Fortune article about Jamie Dimon and his top team at JP Morgan Chase is a case in point. They were one of the very few banks that avoided most of the fallout from the sub-prime mortgage debacle. That team has a passion for details - and a willingness to dive into the numbers in frequent senior management meetings in which they pored over detailed analyses of the firm's entire risk position. They constantly managed by the numbers and the models. Yet the Fortune article reports Dimon talking in October of 2006 with William King, then JP Morgan's chief of securitized products, about their subprime positions and saying, "We need to sell a lot of our positions. I've seen it before. This stuff could go up in smoke!" Dimon was willing to go with his gut and say it was time to shift - ahead of the models.
More broadly, great risk cultures push the limits of sophisticated modeling and use acres of computers to crunch away, each night simulating the most likely possible future scenarios and thereby trying to engineer risk out of the business. At the same time, they take this output and review it with wizened practitioners who have lived through previous crashes whose job it is to review the results and then break the model - questioning its assumptions by imagining the unimaginable. For example, when Long Term Capital (LTC) had problems it was because certain assets correlated which had never correlated before. The academics at LTC only knew how to make the model - not break the model. When things get bad enough - as my friend Paul Carroll notes - almost everything is correlated, and you need someone who has enough experience to see where assumptions can lead you astray.
Lastly, great risk cultures have the ability to take action quickly. Because it is impossible to predict everything, the better firms have evolved their information and control infrastructures so they can take rapid corrective action when things shift. I have argued before that most firms' information systems made organizations more opaque and less nimble in this latest crisis, which put unneeded risk into their companies.
The most important thing to learn is that when coming out of this risk debacle, make sure that you don't attempt to engineer the perfect risk management system. Instead create the best one, and then institute organizational processes to break it on a regular basis. Also make sure your information systems help you sense and respond to the unpredictable events. Don't let your information make you less agile at the very time when you must take fast, accurate action to adjust.