In the 2000s risk was thought to be on the forefront of everyone's mind. CEO's appointed Chief Risk Officers (CRO's) to handle the company's "risk" issues. Delegation of risk, it was thought by the suits, would surely demonstrate leadership on the issue. Shareholders, they hoped, would take comfort in their organizations improving bureaucracy. The new checks and balances would surely mean risks were under control.
CEO's, however, had every incentive to pick risk managers who actually served no purpose other than one in title alone. It was in their interest to appoint someone to the job who seemed competent but wouldn't get in the way too much. When's the last time a CEO, used to yes-people, picked the smart, argumentative, person to work with them on a key initiative?
Risk management isn't something you delegate to someone and never think of again. Unless embedded into the very fabric of an organization it will fail. Appointing someone risk manager and having corporate systems revamped doesn't actually mean you care about risk and it certainly doesn't mean you understand risk.
Consider this interesting tidbit: In 2006, Risk Magazine handed out its prestigious Risk Manager of the Year award to none other than Madelyn Atoncic of Lehman Brothers as she "completed a fundamental revamp of (Lehman's) strategic risk management, while also implementing new processes."
One has to wonder if those new processes failed to set off alarms or if the management team that was all to happy to delegate risk was also all to happy to ignore it?
In the words of Mark Williams, author of Uncontrolled Risk, "Lehman had finally created a top-notch risk management department. But if the strength of a risk management department is its ability to accurately report on risk and be heard, then Lehman's risk management department was a complete failure."