Conv by: David Rowe
A reply to GRC (Governance, Risk and Compliance): buzzword, nefarious plot or a new trend?
by David Rowe - Sungard on May 14, 2007 - 10:17 AM read 337 times
Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...

I accept Scott Randall’s point about the problem of any organization being over-defensive and the risk management function really being the “risk police.” The essential key, as in so much of personal and professional life, is to strike the right balance. I outlined this in some detail back in 2001. (See: http://www3.sungard.com/SunGardFinancial/menus/documents/risk_managers/200110%20organizational%20balance.pdf )

After a solid risk culture that is established at the top of an organization, I believe the next essential requirement of good risk management is reliable, accessible and useful risk information. This requires summary measures such as the much maligned Value-at-Risk AND the ability to drill down into relevant details when issues arise.

Rich Peterson’s point stems from the basic insight that risk is fundamentally a portfolio concept and can only be assessed meaningfully in this context. Attempting to evaluate risk piecemeal at the micro level will never be adequate. This is the essential rationale behind enterprise risk management and other efforts such as Governance, Risk and Compliance, to achieve greater integration across areas of risk. Nothing in this integration necessarily makes it a purely defensive effort, although it is all too easy to fall into that trap. If I have any fear about GRC, it is that compliance tends to be a one-sided issue. Obeying the law should not be optional and there should be no question that rigid compliance is the only accepted benchmark. In contrast, market and credit risk are necessary aspects of running a profitable business. Gauging how much risk is involved and whether there is sufficient market compensation to make taking such risk worthwhile is an essential aspect of its proper management. Zero risk is simply not an option.

If GRC leads to confusing compliance, where uncompromising control is necessary, with forms of risk that are appropriately managed and balanced against expected and unexpected returns, it could be a step in the wrong direction. Nevertheless, if the necessary distinctions are clearly maintained, a more integrated administration of all the related forms of risk should improve overall performance.
