I think it all went wrong from the beginning: calling the risk practitioners "risk managers" created the perception that they manage the risk, including the perception that the CRO is responsible for risk "management". Then the independent risk functions were mostly "born" out of the internal audit function and called the 2nd Line of Defense, creating the perception that they are another level of policemen and that there is something to "defend" against.
After all of that we created Red/Amber/Green, and the (untrained) tone from the top became: get everything Green. This created the perception that "Green is good" and anything Red is bad. As a result, all the reds that could not be changed went "into hiding", as risk reports based on historic data started going through a process of "sanctification": the higher they went up, the better they got.
Then the whole world jumped on the bandwagon with studies, standards and guidance papers, followed by ideologies and systems based on the madness that "one size will fit all".
So, under the advice of consultants and the sales forces of vendors, organisations started to "implement" risk management, the final fatal mistake of the old way of thinking. You can never "implement" risk management; there is no blueprint, as all organisations are different. You can be a brilliant CRO in one organisation and a total failure in the next, purely because of the difference in corporate cultures. You can have the best (and most expensive) ERM system with magnificent reports and dashboards, but if people do not care, it will not work.
No two people will respond the same way to a situation of risk. The way any person responds to risk is influenced by a number of factors, the main ones being:
• Nationality & culture
• Childhood experiences (and formative environment)
• Work ethics, trust & honesty
• Education (and the way it was obtained)
• Work experience
• Religion and other spiritual thinking
• Attitude towards life (and death)
Risk practitioners have generally failed to address the underlying human aspects. Since the publication of the Basel Accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced within an effective Enterprise Risk Management culture. Just like policies, procedures and systems, they are worthless if the human attitude, acceptance and desired response are lacking.
The future of risk management is Risk Culture Building: "The process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk, so as to mitigate, control and optimize that risk to the benefit of the organisation."