Tuesday, May 27, 2008

Rules of Risk Management

This article is authored by David Finnie, Principal of RSD Solutions.

We all love lists and sets of rules providing insights, especially when those lists and rules are easily digested and meaningful in our lives (or humorous as are David Letterman’s 10 reasons …).

I recently found a list of 101 rules of risk management [1] and I was impressed that such a list had been compiled. Unfortunately, it was primarily an insurance based list although it did, of course, have significant overlap with similar issues in financial risk management. The list intrigued me, but as I worked my way through the list, I realized that it was simply too long. Certainly not too long in terms of coverage since risk management is a large, complex and growing field, but too long to capture the key “truths” that help guide risk management professionals through their day-to-day activities and too long to be memorable.

I found another list with only nine rules [2]. These rules are geared toward traders and money managers and they are good rules for them. But, their range is too limited to cover the risk management spectrum for a risk professional.

There are also books on the rules of risk management. Of course, these books go well beyond the simple expression of some key rules. They capture some good rules to varying degrees, but they do not provide them in an easily digestible or truly memorable form.

Here is my attempt to provide a short list of key rules and insights. Of course, these rules come from my experience and are to some degree specific to the companies and situations with which I gained that experience. They also, I will admit, come from Tolkien’s Lord of the Rings trilogy.

Rule 1: All that is gold does not glitter

This line makes it clear that not all that we need to know will be clearly evident and easily discovered. To be effective, the risk manager must understand the business, must be able to undertake effective risk analysis and must always look beyond the superficial and the enticingly obvious in order to fully understand the risks being taken. This need to search for the “gold” also warns against complacency when everything looks good.

Rule 2: Not all those who wander are lost

There is a discovery process in risk management which necessitates a willingness to wander or explore. This involves looking for unusual, unexpected occurrences within a business’s operations and results. It means always being willing to question and to go deep into what is happening in both the organization and the environment in which it operates.

Rule 3: The old that is strong does not wither

This line speaks to the value of experience and implies a wisdom arising from that experience. Risk management includes a “gut feel” or “trust your instincts” element that can only come from experience, listening to those with experience and taking the time for careful reflection and consideration.

Rule 4: Deep roots are not reached by the frost

Strong, well-founded risk management approaches, processes and governance allow a firm to grow and prosper during the good times and weather the frost of the downturns. For me, it also suggests that this ability to thrive throughout the business cycles comes from strong, risk-based, well-managed capital.


So, these rules warn against complacency, encourage exploration and questioning, recognize the value of experience and wisdom, and demand strong risk governance and risk-based capital. Not bad for the first stanza of a poem about a solitary ranger in a fantasy world.

I have to admit that I did find a set of nine rules focused on risk management put out by RiskMetrics Group. These rules are good, straightforward and very sensible. But, risk management is as much art as it is science and I like being able to capture the same concepts and themes using poetry so I will use the ones above.

I invite you to critique these rules and to provide the rules that you have found important.





[1] Compiled by the late Tom Hallet with help from his colleagues and associates. This list can be seen on the Harvard Aimes Group web site - www.riskmanagementsearch.com/index.htm
[2] Nine Risk Management Rules It Pays Not To Forget, Bensman, Miriam, Futures, June 1994
