Risk management, which is omnipresent nowadays, as Georges Dionne rightly highlights, is nevertheless a relatively young field. Twenty or 30 years ago, the term would have seemed pretentious, and the natural reaction of a company director would have been to associate it with the management of insurance coverage. Not that insurance is no longer the anchor point for risk management—it still is—but the term risk management means a lot more than just insurance coverage. In this respect, three events have changed the content of risk management: the collapse of the Long-Term Capital Management fund in 1998, followed by that of Enron in 2001, and finally that of Lehman Brothers in 2008. These three companies were all among the best in their category, and were considered to have the most sophisticated risk management of the time. Lehman Brothers was thus rated “excellent” in risk management, a real role model. This made these failures all the more resounding. Three main lessons have been drawn from these incidents. First of all, good management of identified risks presupposes good overall governance of all the processes of the organization concerned. Next, sophistication is not enough for good risk management, because it can mask major deficiencies in terms of internal control. Finally, operational risk should not be underestimated and should be subjected to careful and reasoned assessment.

Risk management therefore goes beyond simple knowledge of the risks to which the company ...