This article, contributed by Robert Kaplan and Anette Mikes, was originally published by the Harvard Business Review.
The recent disclosure of a multibillion-dollar trading loss at JPMorgan Chase reminds us again of the challenge and complexity of risk management, the subject of our June 2012 HBR article “Managing Risks: A New Framework.” Many people, including quite a few US legislators and regulators, believe that risks can be managed by establishing and following rules, standards and guidelines. But for certain categories of risk, this is a false and dangerous assumption.
Our article classifies risks based on their degree of controllability and their connection to the strategy. We identify and describe three categories of risk: preventable risks, strategy risks, and external (non-preventable) risks. Each requires customized risk management processes.
A rules and compliance-based approach may work well for managing preventable risks, but is inadequate for strategy and external risks, as companies that failed during the financial crisis illustrated all too well. The compliance-oriented risk manager of a failed UK bank observed that his organization had “a cultural indisposition to challenge” and that the task of “being a risk and compliance manager … felt a bit like being a man in a rowing boat trying to slow down an oil tanker.”
We have learned time and again that rules don’t overcome the various individual and organizational biases that prevent people from imagining and discussing the things that can go wrong with complex strategies. Processes that foster open and challenging debates can, however, overcome these biases, which is why highly interactive risk management processes need to remain central for any company’s risk management function. But can effective risk management be sustained?
During the global financial crisis, while several investment banks failed, JPMorgan was using a very different approach to risk management. First, CEO Jamie Dimon was widely acknowledged as the “ultimate chief risk officer of the bank.” Second, the formal head of the risk management function reported directly to Mr. Dimon and was part of the executive team with continual access to the company’s board of directors.
Apart from these well-reported facts, having studied the risk management processes in JPMorgan Private Bank during the 2008–2009 financial crisis (Mikes, Rose, and Sesia, 2010, HBS Case 311-003), we were struck by a pioneering approach: in addition to independent risk managers, the private banking unit also deployed a group of local, “embedded” risk managers who were sufficiently savvy, informed and empowered about the complexity of risks being assumed that they could be active risk advisers to the investment managers.
We do not know to what extent this approach was replicated within the bank and cannot therefore say whether it was applied in the CIO (Chief Investment Office) unit that incurred the recent trading losses. But according to Dina Dublon, former CFO at JPMorgan Chase and currently HBS Professor of Management Practice, the empowerment and deployment of embedded risk managers was part of formal risk management at the bank well before the financial crisis.
This raises the question, was JPMorgan’s multibillion-dollar trading loss a failure of risk management as a staff function or was it a failure that goes beyond the realm of what we can expect risk officers to do? Mr. Dimon attributes the loss to a “bad strategy, executed poorly” as well as to “many errors, sloppiness, and bad judgment.” A number of executives in the CIO, where the loss was incurred, left the bank soon after the loss had been revealed. But none of these was a high-profile risk officer. By all evidence, the bank has not blamed the risk management function for the loss.
In fact, a group of risk managers (described by Dimon as “some of our best people”) was parachuted into the CIO unit to investigate and “fix” the problems. Former JPMorgan executive Dina Dublon commented to us “he [Dimon] would hang the manager of the business, as the one with the ultimate responsibility for taking and managing risks, before touching a functional risk manager. Risk management cannot be a fully delegated responsibility.”
Yet the press was quick to declare JPMorgan’s loss as a spectacular failure of risk management. But was it? Certainly, not all losses are failures of risk management — unless we expect to take no risk at all. Finance professor Rene Stulz, for example, has made the point that a large loss in itself is not evidence of a risk management failure, because a large loss can happen even if risk management is flawless (“Six Ways Companies Mismanage Risk,” HBR, March 2009).
He outlines six types of risk-management failure: the mismeasuring of known risks, ignoring known risks, miscommunicating risks, failing to monitor risks, devising the wrong response to risk, and measuring risk with the wrong metrics. We can think of this catalog of failure types as the preventable risks of risk management itself. This can help us understand whether JPMorgan’s “egregious” trading loss was the consequence of a combination of detectable problems — or whether it occurred despite a fairly rigorous process of risk management.
What is at stake is not only what expectations we have of risk management as a management discipline but ultimately whether we believe that good risk management practices are sustainable. Success breeds complacency — and it is possible that firms that believe they have a good handle on their risks may start losing their grip as they become confident, or even overconfident, about their risk management. Good risk management should take into account the risks of risk management too.
Can we continue to rely on firms to manage such risks by themselves? Understandably, the current media coverage is teeming with highly politicized arguments suggesting that politicians, regulators, and commentators do not trust banks to be able to do so. But we must ask ourselves what kind of regulators (regulations) would have caught (prevented) the increasing risk exposure at JPMorgan’s chief investment office? What would be the costs of such regulations?
Whatever the technical arguments will be, as accounting professor Michael Power warns us, the forthcoming debates cannot be abstracted from social questions of the credibility and legitimacy of experts (risk experts, regulators, and so on): the “how” of risk management remains inextricably linked to the status of “who” does it.
In our article, we express our belief that risk management (with all its risks) is a viable, valuable, and learnable practice for organizations — but it works only if it is tailored to the context in which it is deployed and is not taken for granted. It has to remain an intrusive, nonintuitive process because it often goes against people’s deeply held beliefs, including the desire to demonstrate high profits and returns from their actions. Effective risk management is also costly, because it has to be separate from existing strategy-oriented functions. As Gentry Lee, chief systems engineer at NASA’s Jet Propulsion Laboratory, describes it: “Risk mitigation is painful; not a natural event for humans to perform.”
In all this, let’s not lose sight of the purpose of risk management, which is to limit the downside exposure from the optimism inherent when traders, project managers and executives expect high returns from risky strategies, whether making markets in new financial securities, sending missions into space, or drilling for oil and gas three miles below the surface of the Gulf of Mexico. But limiting the downside does not mean inhibiting risk taking. Quite the opposite; it should actually enable organizations to engage in daring, innovative strategies that promise high expected returns.
NOTE: Originally published by Harvard Business Review in 2012. Copyright 2012 Harvard Business Review. All rights reserved. Reprinted by permission.