A quick little semi-rant... I've reached the point where my tolerance has been exceeded. It's very simple, really.
There, I said it. No, seriously, if you listen to all the "risk" haters out there these days, you'd swear that the failings or limitations of a risk assessment or risk analysis methodology was equivalent to "proof" that risk management as a whole is faulty and a failure. Nothing could be farther from the truth.
Case-in-point: Many people, who don't have any training of or understanding about quantitative methods like FAIR, love to hate on those methods because of the "imperfect data" argument (newsflash: all data is imperfect). "We don't know what we don't know, therefore it's all wrong." The response to that quip is a separate post (coming soon!), but suffice to say, limitations of a specific method DO NOT prove that an overall management process is somehow inadequate, wrong, or a failure.
The 2008 credit crisis is not the result of poor risk management. Rather, it demonstrates the failure of traditional ORM risk assessment / risk analysis methods, which failed to properly account for a number of key risk factors, and which also overlooked major exposures (for more on this, see the "Modern ORM" paper).
So, the next time someone tells you that "risk management is a failure," please ask them not to throw out the RM baby with the bathwater, and instead prod them into explaining their quip, which will inevitably lead to complaints about risk assessment or risk analysis, which is not equivalent to RM.
That is all.
Nice post Tom. I agree completely. RM by its very nature is an inexact science. What caused the 2008 credit crisis was not the result of poor risk management, but the ability to not care about that risk and sell it off to others with impunity. The timeline of exposure to most parties involved was so low that the risk essentially ceased to exist. When the music stopped, the groups left holding the hot potato are the ones really got burned.
Great post!
--Tyler