Volume 35, Number 1 71

RISK MANAGEMENT LESSONS FROM THE FINANCIAL 
CRISIS: A TEXTUAL ANALYSIS OF THE FINANCIAL CRISIS 
INQUIRY COMMISSION’S REPORT

Corey J. Fox 
 Texas State University • San Marcos, TX

ABSTRACT
There have been several retrospective analyses of the financial crisis. An area 

that continues to receive attention is the failure of risk management in financial firms 
at the heart of the crisis. After the crisis, the United States Government convened 
the Financial Crisis Inquiry Commission to explore causes of the crisis. Their 
conclusions have gone largely unexplored, especially in academic research. In this 
study, I first examine the commission’s report on the crisis identifying several re-
appearing themes. An exploratory follow-up analysis looking at financial and non-
financial firms suggests non-financial firms have areas to improve upon compared to 
their financial counterparts. 

Keywords: Financial crisis; Risk management; Risk management failure; Financial 
Crisis Inquiry Commission; FCIC

“Those who cannot remember the past are condemned to repeat it.”  
– George Santayana (Philosopher)

INTRODUCTION
The financial crisis of 2008 and 2009 was the worst financial disaster to hit 

the United States in over seven decades. Organizations of all types were impacted as 
the events in the financial industry rippled throughout the economy. The crisis left 
the economy in shambles, dissolved trillions of dollars in wealth, and left millions 
of people without jobs and homes (Financial Crisis Inquiry Commission [FCIC], 
2011). There have been many opinions about what the root causes of the crisis were 
(Jickling, 2009). While some recent research has suggested that excessive investment 
in financial products (both ordinary and exotic) were a considerable culprit (e.g., 
Tuckman, 2016; Vo, 2015) there has been much less work focused on the impact 
that risk management failures at the managerial level had on failing financial firms 
(e.g., Hubbard, 2009).  

 In 2009, the U.S. Government commissioned a committee to look into the 



72 Journal of Business Strategies

causes of the financial crisis. This committee, known as the Financial Crisis Inquiry 
Commission (FCIC), gathered and analyzed a myriad of data before putting out a 
complete report based upon their extensive analysis, outlining what it believed to be 
the main causes of the crisis. While this report was made public, there has been little 
exploration or discussion of the findings in academic circles (per mention in academic 
research papers) especially as it relates to risk management within organizations. 
This is unfortunate since the report is built upon a vast amount of information and 
has implications for management practices related to the management of risk.  

 As suggested by the quote above from George Santayana, it is thought that 
finding a cause(s) can help businesses learn, and hopefully avoid, making the same 
(or similar) mistakes in the future. The purpose of this paper is to look, qualitatively, 
at the commission’s in-depth report, analyze the passages around risk management 
and discuss the implications of the findings. Additionally, this paper explores 
whether financial and non-financial firms have learned from the failures identified in 
the commission’s report.

 The purpose behind expanding the study beyond just the large financial 
firms associated with the crisis, was to assess the degree of learning (if any) at other 
large, visible firms. The organizational learning literature (Huber, 1991; Madsen and 
Desai, 2010) has suggested that firms can make adaptations to its business operations 
and strategy as a result of reflections on their own experiences (experiential learning) 
or the experiences of others (vicarious learning). Financial institutions that were at 
the center of the crisis (such as the large financial firms and large regional banks) 
should be most likely to have made adaptations post crisis. However, we might also 
expect that other large, visible firms would make adaptations due in part to what they 
learned from the failings of these financial firms. However, the changes may be less 
pronounced since those firms were further away from the actual learning event.

 In doing so, this paper makes three important contributions to the extant 
literature in risk management and organization studies. First, this paper adds to 
what is currently known about risk management failure, and more specifically risk 
management failure during the financial crisis. While much has been made about 
the failure of complex quantitative risk management systems, less is known about 
managerial-level failures. Second, this paper synthesizes and condenses a broad 
array of disparate statements in the FCIC report on risk management during the crisis 
into a small set of important risk management issues. These issues are described and 
discussed in detail so that managers and organizations (in all industries) can learn 
from the mistakes of these failed institutions. Last, there are prescriptive remedies 
given to help companies avoid risk management failures in the future.      



Volume 35, Number 1 73

RESEARCH BACKGROUND

The Commission

Following the financial crisis, the US government convened a commission 
known as the Financial Crisis Inquiry Commission (FCIC)1, to examine the 
causes of the crisis. The FCIC was commissioned by the Fraud Enforcement and 
Recovery Act of 2009 and tasked with conducting a thorough investigation into the 
causes of the financial and crisis.2 The commission worked together for over 18 
months gathering data from a multitude of sources and conducting interviews with 
people involved at various stages and levels of the crisis. Over that time frame, the 
commission scoured over millions of pages of documents, including the work of 
journalists, academics and other published sources. The commission interviewed 
more than 700 material ‘witnesses’ and conducted numerous public hearings across 
the country in an attempt to learn about what happened. Despite the widely held 
belief amongst industry regulators that financial firms were prudent risk managers 
with sophisticated financial models who had strong ‘market’ incentives to undertake 
sound risk management practices, the risk management systems at these large firms 
failed.

 Risk management, like strategic management, is a process directed by 
the top managers of a firm during strategy formulation (Chapman, 2011). Risk 
management is generally described as an iterative, holistic process whereby firms 
identify, analyze, strategize, treat and communicate risks (Chapman, 2011; Frame, 
2003; Shenkir, Barton and Walker, 2010; Shortreed, 2010). During the financial 
crisis, for many financial firms, there was a breakdown in the process. As a result, 
the following research questions were explored in this paper: 

1) What were the contributing factors that led to financial firms’ risk 
management failures during the crisis?

2) Post crisis, have firms (both financial and non-financial) learned from 
these failures?

METHODOLOGY
To explore the research objectives identified, I conducted two studies. In 

Study 1, I pursued a textual approach research methodology. The textual approach 



74 Journal of Business Strategies

examines texts to gain insights about events. This research approach has been used 
before to make sense of events surrounding situations of crisis (e.g. Gephart, 1993). 
The purpose of Study 1 was to examine where the breakdown in risk management 
occurred at the large financial institutions who were at the heart of the crisis. In 
Study 2, I pursued an exploratory analysis where four separate types of firms were 
identified – large financial institutions, large regional banks, large non-financial 
companies with a dedicated financial services business segment, and large non-
financial companies without a dedicated financial services business. For each group 
identified, three representative firms were chosen and a textual analysis of these 
firms’ proxy statements from before and after the crisis was undertaken. The purpose 
of Study 2 was to examine whether financial and non-financial firms had learned 
from the failures identified in Study 1.

Study 1

First, I downloaded the entire FCIC report from the FCIC website (cited in 
the reference section). To find passages that were about risk management, I searched 
the text document for the phrase ‘risk manage’ which would catch any reference 
to risk management or risk manager. I also searched for two other variants of risk 
management by searching for ‘managing risk’ and ‘manage risk.’ In total, there were 
roughly 103 instances in the body of the main report of 410 pages. A graduate assistant 
and I parsed these instances and pulled out the surrounding sentences to create a 
list of passages. Of the 103 passages initially identified, 34 of the passages (33%) 
were identified as containing no substantive or relevant information to address the 
research question. Appendix A has several examples of these passages, all of which 
were excluded from consideration. An additional 30 passages (29%) discussed other 
influences of risk management failures beyond the scope of this study. For instance, 
information about regulators or the institutional environment were outside the 
boundary of the firm and thus subsequently excluded. The remaining 39 passages 
(38%) were related to risk management inside the financial firms so were used for 
the analysis.

 The assistant and I looked for themes in each of the passages. After initial 
analysis and conversations, five sources of failure emerged. The first category 
was classified as Risk Management Process Failures. This category included any 
mention of problems related to risk assessment, risk evaluation and analysis, risk 
treatment, or risk communication. This category also included any mention of 
problems with the firms existing risk management protocols. The second category 



Volume 35, Number 1 75

was classified as Support System Failures (Compensation). This category consisted 
of passages showing failures in the firm’s compensation system which may have had 
an impact on risk behavior. The third category was classified as Resource Allocation 
Failures. This category included any passage that described the human or financial 
resources allocated to support the risk management function. The fourth category 
was called Top Management Failures. This category focused on failures created by 
top management overconfidence and hubris. The fifth and final category was called 
Objective Tradeoff Failures. This category consisted of passages focusing on the 
tradeoffs made between risk and financial objectives.

 To validate the categories and the correct assignment of passages to 
categories, six undergraduate students, majoring in Finance with a concentration in 
Insurance and Risk Management at a large Midwestern university, volunteered to 
participate in exchange for extra credit. The students were randomly given between 
12 and 14 passages where each passage was evaluated by two students. In addition 
to the passage, students were given the category titles and a description of each 
category. In addition to the five categories mentioned above, an Other category 
was also included if the student thought the passage did not belong in any of the 
categories. Each student was instructed to place the passage into the category which 
they felt best described the passage. While it is certainly possible that some of the 
categories could indeed be related with one another (for instance, compensation 
systems might impact whether a firm focuses on performance metrics or risk 
management outcomes), the purpose was to validate the themes surrounding risk 
management according to the FCIC report (i.e., what appeared most often). Across 
the six volunteers, agreement was obtained just over 73% of the time. There were four 
passages in which both students failed to classify the passage according to one of the 
pre-specified categories. These passages were omitted from consideration, leaving 
35 total passages. Any remaining passages where at least one student classified the 
passage according to the pre-specified categories and another did not, were resolved 
through discussion.

Results

After the analysis was complete the passages were explored in relation to 
the five  general themes which had emerged. Below is a discussion of each general 
theme, each of which is supported with reference to several representative passages 
which provided information to identify the theme. Several of the themes are similar 
in nature and could be interpreted as being from relatively similar sources, however 



76 Journal of Business Strategies

an effort was made to try and segment the themes to be as fine-grained as possible. 
All of the supporting passages discussed can be found in Appendix A under the 
appropriate heading.3

 Risk management process failures. The most often mentioned failure 
found in the report points to a general failure of the risk management process in 
financial firms. The risk management process, according to literature in finance and 
strategic management, is generally conceived of as a holistic approach spanning 
the entire organization (e.g., Clarke and Varma, 1999; Fraser and Simkins, 2010; 
Miller, 1998; Miller and Waller, 2003) and has been referred to by various names 
like Enterprise (ERM), Integrated (IRM) or Strategic (SRM) risk management. This 
process generally includes risk identification, assessment, evaluation, treatment, 
review and communication (Chapman, 2011). Passages within the report suggest 
that there were breakdowns in each of these areas in addition to using a holistic 
approach.

 During the financial crisis, firms were still subscribing to the antiquated 
‘silo’ approach to risk management. The first general problem was that risks were 
being managed independent of one another without much information sharing across 
business lines. There is evidence of this shown in Passage 1 where Citigroup’s 
risk management function was operating independently along each of its separate 
business lines. Employees just steps away from each other, working with similar 
risk assets, or risk products which were related, did not know what each other were 
doing. Information that was gained from each business line with respect to the risk 
assets was being kept away from other sources that could potentially benefit from 
such information.

 A second area of concern was with the risk identification, assessment, 
evaluation and treatment process. For instance, as suggested in Passage 2 & 3, risk 
managers were not able to properly identify soft risks. Soft risks are those which 
require judgment and are not purely financial in nature. In too many instances, 
instead of using judgment, managers were using mathematical models as predictors 
for risks. Furthermore, the models being used to determine which risks should be 
managed were based on assumptions that were markedly wrong. There was little 
evidence of scenario planning in assessing the probabilities and worst case scenarios 
for home price declines. Lastly, as evidenced by additional passages, managers were 
comfortable using financial hedges as effective treatment strategies since it had the 
added benefit of reducing the amount of financial slack the firm had to hold.

 A third problem related to risk management processes was risk 
communication. Risk communication involves communication and consultation 



Volume 35, Number 1 77

between management and the individuals/departments responsible for implementing 
and carrying out the risk management strategy to make it more effective over time 
(Chapman, 2011). Prior research has found that having communication links between 
the governing parties of the organization and those in charge of risk management 
can increase efficiency and firm performance (Grace, Leverty, Phillips and Shimpi, 
2015). During the crisis it was evident that in some firms, communication between 
the management team and the risk management department/team was less than 
ideal. In Passage 4 for instance, the executive committee at Lehman Brothers failed 
to include the company’s Chief Risk Officer in decisions that directly impacted the 
risk of the firm.

 Finally, in some cases, the entire risk management process was inadequate 
and lacking. In one passage, a consultant hired to examine Bear Stearn’s risk 
management process was highly critical suggesting that key elements in the process, 
such as risk identification and assessment, were infrequent. He continued that the 
risk management function did not have the resources it needed (as discussed in more 
detail below) and was of a low priority to the firm.

 Support system failures (Compensation). One of the most common systems 
for supporting goals and strategic decisions in organizations is the compensation 
system. In the management literature, executive compensation is a tool often used to 
align management interests with the interests of the firm’s owners. Scholars in the risk 
management arena have similarly concluded that one way to focus management’s 
attention on risk management is to align their compensation with risk management 
objectives and outcomes (Lam, 2014). Firms must reward risk management behavior 
through incentive structures which align good risk management practices with pay. 
Indeed, Grace and colleagues (2015) found evidence that firm performance was 
enhanced when compensation was aligned with risk management. 

 There are numerous instances in the report which suggest that several of 
the failed financial firms were not incentivizing good risk management, and instead 
were incentivizing more risky, short-term oriented behavior. Passages 5 through 
7 highlight this notion. For instance, the head of the Federal Deposit Insurance 
Corporation (FDIC) remarked that incentives favored short-term risk-taking and 
profits over long-term risk considerations, sustainability and solvency. Lam (2014) 
has suggested that incentivized performance can be problematic for risk management 
when incentives are one dimensional -- they focus on a single, bottom-line figure.

 At the time of the crisis, financial firms, in particular, tied aggressive pay 
packages filled with stock options to the price of the firm’s stock. In many situations, 
the options granted to executives came with accelerated payouts. In 2006, one year 



78 Journal of Business Strategies

before the onset of the company’s demise, Merrill Lynch CEO Stanley O’Neal made 
$91 million. When he walked away from the company as it began its decline he left 
with a total consolation package of $161 million (Farrell and Hansen, 2009). Richard 
Fuld, CEO of Lehman Brothers, was awarded $34 million before he departed. These 
kinds of pay structures, littered with stock options, created incentives to increase the 
amount of risk executives took to improve returns. This included greater leverage 
levels and, in some cases (e.g. Frannie and Freddie), fraudulent financial filings. 
Indeed, academic research has argued that executives at Bear Stearns and Lehman 
Brothers in particular, had incentives to take on large amounts of risk as they had 
already pulled out hundreds of millions of dollars in options and bonuses prior to the 
collapse (Bebchuk, Cohen and Spamann, 2010).    

 Resource allocation failures. One of the pre-requisites for successful risk 
management is the allocation of necessary resources to adequately perform the job. 
Depending upon the size of the organization and the scope of the risk management 
system (and goals for the system), the two most critical resources are human and 
financial capital. Firms need to have staff ready to engage with the risk management 
process, and depending upon the risk management strategies developed, the risk 
management staff needs the appropriate amount of capital to execute the strategy. 
During the financial crisis, the FCIC report alludes to both elements lacking.  

 In terms of inadequate personnel, the auditors of several of the failed firms 
were critical of the firms’ appointed risk managers. This included managers hired 
to lead the risk management departments. For instance in Passage 8, the auditors 
of AIG raised concerns about the skill sets of the top management team (CEO, 
CFO and CRO) and managers appointed to the ERM department concerning their 
capacity to do the job of managing risk. Also, in Passage 9, the SEC criticized 
Bear Stearns because their risk management functions lacked expertise in the risky 
products they were supposed to manage the risk, and the risk management function 
was understaffed.

 In addition to personnel, financial resources were also inadequate. Firms 
withheld, and sometimes cut, the resources for the risk management departments 
to do their jobs. For example, Passage 10 exhibits a willingness by management 
to tell the board of directors at Fannie Mae that risk management had all necessary 
resources to act on risk management initiatives. However, the CRO disagreed as his 
department saw double digit budget cuts which led to a reduction in head count in 
the year leading up to the crisis.

 Top management failures. Many of the failures in risk management 
during the crisis can be traced back to failures at the top of the firm and with each 



Volume 35, Number 1 79

firms’ corporate governance. In the management literature, the upper echelon’s 
perspective (Hambrick and Mason, 1984) suggests that firms are a reflection of its 
top management team as well as those in charge of setting the strategic direction 
of the firm. In the case of the financial crisis, top management teams were seen 
as a major reason why some firms had failed. Indeed, in testimony to the FCIC, 
J.P. Morgan CEO Jamie Dimon, one of the firms that survived the crisis, suggested 
that top management teams were to blame for the problems at the failed financial 
institutions and nobody else.

 Another cause of risk management failure during the financial crisis was 
managerial hubris concerning risk management competencies. Hubris refers to an 
extreme level of pride or overconfidence in one’s self and abilities. Hubris has been 
associated with a number of corporate maladies including overpaying for acquisitions 
(Hayward and Hambrick, 1997) and corporate social irresponsibility (Tang, Qian, 
Chen and Shen, 2014). Related to hubris, the overconfidence bias is the tendency 
for a person to have greater subjective confidence in their judgment or abilities than 
is objectively warranted. In many of the failed financial firms, the top management 
teams were very confident about the effectiveness and adequacies of their risk 
management systems. Numerous CEOs had made mention of their risk management 
competencies even though none had necessarily been tested in remotely turbulent 
market environments. For instance, in Passages 4,11 & 12 the CEOs of Lehman 
Brothers, AIG and Merrill Lynch touted their risk management programs, going so 
far as to suggest that their risk management programs were strong and a fundamental 
component of their business model. 

 Two potential reasons are apparent from the report which may have resulted 
in executive hubris. First, the resilience of the big financial institutions to avoid big 
losses in prior debacles, like the dot com bubble, led managers and firms to believe 
they had robust and successful risk management systems in place. Second, hubris 
may have resulted from misplaced overconfidence in the complex mathematical 
models used for assessing risk. Financial institutions were lulled into a false sense of 
security as these models would show that financial firms had little to be concerned 
about, and which up to that point, had kept the firms safe. In some instances, the 
complex models had even given the firms’ auditors reason to believe that risk had 
been reduced or eliminated. As an example, in Passage 13, AIG’s auditors were 
convinced that the firm’s economic risks were essentially zero. Thus, the models 
appeared to have been a contributing factor to executive hubris. Auditors and CEOs 
were not alone in their false sense of security. Regulators and industry experts like 
Fed Chairman Greenspan at the time, also believed the sophisticated modeling 



80 Journal of Business Strategies

techniques would protect financial firms from disaster.
 One might also consider that while cognitive bias appeared present, the 

other themes addressed herein are also the domain of top managers. Thus, while top 
management failures are highlighted as a function of managerial cognition, the other 
elements of failure are also reflections of decisions made by members of the top 
management team at the financial firms.

 Objective tradeoff failures. The final contributing factor from the analysis 
suggests that some firms were faced with a difficult tradeoff between, what were 
framed as, mutually exclusive choices. The firms could either do the right thing 
from a risk management perspective or pursue strategies that advanced the goals 
and aspirations of the firm -- but not both. For instance, in Passage 14, there is clear 
indication that management at some firms, including Fannie Mae, were pursuing 
strategies that increased their firm’s level of risk while in pursuit of corporate 
objectives but which ran counter to good risk management practices. Additionally, 
some objectives and aspirations encompassed by corporate initiatives like growth, 
played a role in some decisions by risk management departments to loosen the reign 
on risk appetite. As mentioned in Passage 15, Citigroup allowed risk management 
departments to approve higher risk limits if a business line was growing. 

 Study 1 conclusions. To sum up, the analysis of the FCIC report seems 
to support five areas of risk management failure during the financial crisis. First, 
there were failures in the risk management process and the use of holistic risk 
management models. Second, systems (more specifically, compensation systems) 
that should support the risk management process and promote risk management 
thinking, were not constructed properly. Third, the necessary human and financial 
resources to properly support effective risk management functions were not provided. 
Fourth, top management hubris created a false sense of confidence in the existing 
risk management systems. Finally, firms were faced with a false choice between 
managing risk properly and achieving the bottom line objectives of the company. All 
of these issues, combined, led to an environment where risk management was likely 
to be less than adequate to deal with the challenges presented by the financial crisis.

Study 2

In study two, I wanted to explore some of the conclusions of study one in 
more detail and probe whether firms, both in and outside of the financial industry, had 
addressed the shortcomings which led to the failure of risk management. As such, 
study two was an exploratory study – a first step, in assessing pre and post crisis firm 



Volume 35, Number 1 81

behavior. Firms were segmented into four categories, each more removed from the 
center of the crisis. I started by identifying a representative set of three firms for each 
of the following four categories. The categories and representative firms were: large 
financial firms (J.P. Morgan Chase (JPM), Bank of America (BAC), Wells Fargo 
(WFC)), large regional banks (SunTrust Banks (STI), BB&T Corp (BBT), Fifth 
Third Bancorp (FITB)), large non-financial firms which had a dedicated financial 
services business segment (General Electric (GE), Ford Motor Company (F), Deere 
& Co (DE)), and large non-financial firms which did not have a dedicated financial 
services business segment (Nike (NKE), Proctor & Gamble (PG), The Coca-Cola 
Company (KO)).

 For each firm, proxy statements filed before the crisis (2005-2007) and 
after the crisis (2010-2012) were pulled from the SEC website. Each of the proxy 
statements was examined using a basic text analysis. I calculated averages for both 
sets of data so that I could get a more accurate picture of each firm’s situation before 
and after the crisis. In study two, I looked at four things related to study one. First, 
related to the use of a holistic risk management program, I looked at how often 
the terms ‘risk manage,’ or some variant of ‘manage risk’, were used in the proxy 
statement. Second, I looked for evidence that the appropriate human resources 
were allocated to risk management by searching for someone with a title who was 
designated as someone in charge of managing risk (e.g., Chief Risk Officer (CRO), 
risk executive, or risk manager). Third, related to the focus of compensation design, 
I looked for how prevalent risk and risk management were in a company’s discussion 
of executive compensation. Last, I explored the prevalence of ‘growth’ and ‘return’ 
in the proxy statements compared to the use of the word ‘risk’ as this may relate to 
the trade-off between risk and the firm’s bottom line. In this last part of the analysis, I 
made sure to only count the word ‘risk’ when it was not in reference to anything risk 
management-related. The use of word counts, as proxies for the level of importance 
of a theme or idea, has been described in prior qualitative methods research (e.g., 
Carley, 1993; Duriau, Reger, & Pfarrer, 2007) and used in strategic management 
research (e.g., Angriawan & Abebe, 2011).

Results

In regards to the use of a holistic risk management process, I searched for 
the phrase “risk management” and other variants (e.g., manage risk) to proxy for 
the importance of a formal risk management process. The number of instances were 
counted for each company and the results are displayed in Figure 1. The following 



82 Journal of Business Strategies

observations can be made when looking at the data. First, risk management was 
rarely discussed in the proxy documents before the crisis across all types of firms, 
whereas after the crisis, risk management appeared much more frequently. Second, 
financial institutions and regional banks – those closest to the crisis, used the phrase 
more than non-financial companies (as much as two to four times more). After the 
crisis, financial institutions used the term more than any other type of firm while 
non-financial firms without dedicated financial services business segments used 
the term the least (on average). This result is consistent with the findings of the 
FCIC that described pre-crisis behavior related to risk management. While after-
crisis behavior regarding risk management seems to have improved, the relatively 
infrequent mention of risk management in non-financial firms is troubling.

 With regards to human resource allocation, I searched the proxy statement 
for evidence that the firms had a dedicated executive or manager who was responsible 
for risk oversight. It was important that risk oversight was governed by someone 
within the firm as opposed to a committee on the Board of Directors. Search terms 
such as ‘chief risk,’ ‘risk executive,’ and ‘risk manager’ were used to capture 
titles which designate a position dedicated to risk oversight. Prior work in the risk 
management literature have used similar search terms as proxies for evidence of 
risk management programs and risk management implementation. For instance, 
Liebenberg & Hoyt (2003) uses the presence/absence of a Chief Risk Officer (CRO) 
as a proxy to identify a firm’s adoption of enterprise risk management. Similarly, Hoyt 
& Liebenberg (2011) use the CRO as a proxy for risk management implementation. 
Along these lines, Beasley and colleagues (2005) identifies the CRO and other high 
level risk managers as champions of risk management, thus suggesting that these 
human resources are necessary resources for successful risk management. 

The following observation was made from this qualitative search.4 Before the 
crisis, two of the financial institutions and two of the regional banks had a chief risk 
officer (although one of the regional banks only mentions the CRO in 2005 but not 
2006 or 2007), while none of the non-financial companies had one before the crisis. 
After the crisis, all of the financial institutions and regional banks had appointed an 
individual as the head of risk oversight, while only one non-financial company had 
done so. However, the non-financial company that appointed a CRO had a finance-
oriented business segment. This result is in-line with the FCIC report in that before 
the crisis, most financial firms had not allocated the appropriate human resources to 
risk management. Here too it seems troubling that non-financial companies have not 
followed in the footsteps of their financial counterparts and appointed an individual 
with a risk designation.



Volume 35, Number 1 83

 The third aspect of study one examined was the integration of risk 
management outcomes and processes in compensation design. To explore this, each 
company’s compensation discussion section in the proxy statement was examined. 
Of particular interest was how each company talked about the integration of risk 
processes in setting compensation policies – not simply how much of a compensation 
package was ‘at risk’ but how the compensation package took into account risk 
assessment, management and outcomes. The following observation was made 
from this qualitative search.5 Before the crisis, most all of the financial institutions 
and regional banks specifically identified how risk was taken into account when 
designing compensation while none of the non-financial companies described in 
much detail how risk management was considered in setting compensation. After the 
crisis, all of the financial institutions and regional banks discuss in detail how risk 
was considered in setting compensation. For non-financial firms, half of them discuss 
some aspect of how risk was considered in setting compensation, however only one 
does so  thoroughly. This result too is in-line with the FCIC report in that firms did a 
poor job pre-crisis in linking risk management outcomes with compensation design.

 The final issue examined from study one was the focus on strategies aimed 
to improve the bottom line and which overshadowed sound risk management. To 
explore this relationship, I searched for the words ‘growth’ and ‘return’ in the firm’s 
proxy statements. After getting a count of these words, a ratio of how often the word 
‘risk’ appeared in relation to these two words was calculated. The ratios are graphed 
in Figure 2. As can be seen in the graphs, risk is talked about more than return after 
the crisis compared to before. A ratio of less than one means that the firm talked 
about return more than risk. An interesting take-away appears when looking at the 
magnitude of the ratios. For financial institutions and regional banks, four of the six 
firms mention risk over two times more than return after the crisis, with one of those 
firms mentioning risk over four times as much, and one firm mentioning it almost 
three times as much. While for non-financial firms, the use of risk compared to 
return increases post crisis; four of the six firms use risk and return about the same 
number of times while two talk about risk less than return. These results, particularly 
for financial firms, appear to be in line with the FCIC report. Almost all of the firms 
focus more on return and growth prior to the crisis than risk.

GENERAL DISCUSSION
The purpose of this study has been twofold. First, I wanted to identify the 

contributing factors or risk management failure leading up to, and during, the 

(2)



84 Journal of Business Strategies

financial crisis. Drawing upon the FCIC report, five ‘themes’ emerged from the 
passages which mention risk management. Second, I wanted to explore, in a very 
general sense, the extent to which failures identified at the large financial companies 
at the center of the crisis, had been remedied immediately after the crisis by all types 
of firms, not just financial firms.

 The analyses uncover several areas for firms to consider as they look to 
improve their risk management. These suggestions are aimed largely at non-
financial institutions. The reason being that following the crisis, regulatory bodies 
in the U.S. issued a number of regulations and specific guidance for risk-reporting 
aimed at financial institutions and regional banks. For instance, in response to risk 
management failures the government passed legislation like the Dodd-Frank Wall 
Street Reform and Consumer Protection Act (2010) aimed at reducing future risks to 
the financial industry. This legislation was largely aimed at the risk management at 
financial institutions, giving oversight authority to the Federal Reserve.

 In addition to Dodd-Frank regulations, the SEC approved the Proxy 
Disclosure Enhancement (2009) guidelines designed to enhance disclosures about 
risk in the firm’s proxy filings. In the new guidelines, firms are required to make 
some reference to compensation design and risk, as well as the role the Board 
of Directors plays in risk oversight. While helpful, the SEC rules do not require 
behavioral changes, only the disclosure of additional information. However, given 
the present analysis, it is apparent that financial firms and regional banks have done a 
much better job post-crisis in addressing how risk management and risk, in general, 
figure into the management of the firm. These firms appear to be adhering to the new 
standards.  

 While it is clear that financial institutions and regional banks have 
addressed the shortcomings of risk management found during the financial crisis 
(likely in response to increased reporting and regulatory requirements), non-
financial companies appear to have several areas which need improvement. While 
financial firms seemed to have at least made some aesthetic changes based upon 
their experiences (I would hesitate to call it learning without more detailed internal 
information about the processes of the firm), it does not appear that non-financial 
companies have learned vicariously from the experiences of the financial companies. 
There are multiple opportunities for non-financial firms to improve upon their risk 
management processes, which are addressed below.



Volume 35, Number 1 85

Compensation Systems

Compensation systems are one area that non-financial firms could improve 
in their pursuit of improved risk management. As suggested by Lam (2014), 
incentivized performance becomes problematic when the incentives are focused on 
one dimension of firm performance -- in many instances, stock price. Furthermore, 
incentives became especially problematic for financial firms when those contracts 
came with accelerated payout options. These two characteristics, a singular focus 
on stock price performance and accelerated payout options, made it difficult for 
managers to focus on the long-term outcomes of risk when making decisions. Recent 
research has suggested (e.g. Rochette, 2009) and empirically found (e.g. Grace 
et al., 2015) that one way to improve risk management is to tie incentives to risk 
management objectives in addition to other outcomes.

 For firms seeking to improve the alignment of their compensation with 
risk management, first managers need to identify key performance indicators (KPI) 
that will either A) be impacted by the risk management process, or B) be reflective 
of success for key risk management activities. Each KPI is developed by first 
establishing the performance objective, then identifying the appropriate performance 
measure for the objective, and finally, developing the KPI.

Once KPIs have been established, compensation needs to be explicitly linked 
to each KPI. As an example, one of the key risk factors identified by John Deere in its 
2010 financial report, which may materially impact the firm’s financial performance, 
is stated as “John Deere’s business results depend largely on its ability to develop, 
manufacture and market products that meet customer demand.” As a result, one of 
Deere’s performance objectives might be: to have all customers rate their satisfaction 
with the quality of Deere products as the best in the industry – this would seem to 
substantially reduce the risk that customers are dissatisfied with Deere products. The 
performance measure could be: the percentage of customers that rate Deere products 
as highest quality in the industry. The KPI could then be: 90% of customers ranking 
Deere as having the highest quality products in the industry each quarter/half-year/
etc. If Deere is hitting this KPI, they in theory, would reduce one of the key risks that 
could materially impact their business. The CEO’s compensation would then be tied 
to this KPI. (To be clear, this is just an illustrative example using a company that is 
highly visible. I am not suggesting that Deere is not using KPIs tied to risk factors 
when it comes to designing executive compensation.)

 As Lam (2014) has suggested, compensation must not be aligned with simple 
measures of return, but with long-term risk-adjusted return hurdles with appropriate 



86 Journal of Business Strategies

vesting periods. Additionally, plans should continue to reward management for 
stability, continuity, and comparative performance to incentivize a long-term view 
when making decisions involving risk. Also, organizations may consider claw-
back policies for compensation when management knowingly engages in harmful 
behavior or exceeds the risk appetite of the firm. Eliminating golden parachutes 
and sizeable compensation packages upon termination for poor performance, as a 
result of exceeding pre-specified risk thresholds, may also encourage executives 
to act in a responsible way as they consider risk. Lastly, management also needs 
to be mindful that their compensation plans, while incorporating the above, still 
encourage innovation and capital investment to increase long-term value. This can 
be done using risk-adjusted hurdle rates to determine which projects or strategies are 
in-line with the firm’s stated level of risk tolerance.

Human Resource Allocation

In terms of resource inadequacies, there are several areas for improvement. 
First, managers need to staff the risk management function with human capital 
which has the appropriate certifications and qualifications given the business of the 
firm, and second, provide adequate funding for the risk management function to 
execute on its risk management strategy. Risk managers should be chosen based 
upon their track record, their experience, their knowledge of the industry and their 
knowledge of the business. As risk management has become more important as 
a result of recent crises, universities are offering more risk management degrees 
and professional organizations are offering special certificates for risk management 
certifications. For example (at the time of the writing of this paper), New York 
University offered a Masters Degree in Risk Management in their Global Degree 
Department in the business school; John Hopkins University offered a Masters 
Degree in ERM; and many other universities (e.g., University of Connecticut) have 
financial risk management programs. Other universities, such as Stanford University, 
offer an online program for a Risk Management Certificate through their Center 
for Professional Development. Non-university entities like the National Alliance 
for Insurance Education and Research also offered a class-based/seminar-based 
Certified Risk Management (CRM) program.

 In addition to education-based training, many professional organizations 
offer certification tests for risk managers in specific functional fields. For example, 
the Project Management Institute offers a Risk Management Professional (RMP) 
certification test; the American Hospital Association offers a Certified Professional 



Volume 35, Number 1 87

Healthcare Risk Manager (HRM) designation; and the Risk and Insurance 
Management Society offers a Certified Risk Management Professional (CRMP) 
credential test.

 Thus, in theory, these programs should make finding risk management 
professionals easier and more cost efficient. Just as you would not have a Chief 
Financial Officer without financial or accounting expertise, firms should not have 
a Chief Risk Officer without substantive risk management expertise. Ideally, 
firms would select risk managers that are educated in the risk management field, 
has experience managing risk in the specific functional area, has the appropriate 
designation (for instance, a risk manager which is certified as a Healthcare Risk 
Manager is probably not the appropriate manager to work as a risk management 
professional in a bank), and is credentialed.

Financial Resource Allocation

In addition to human capital, firms need to be more diligent about allocating 
financial resources to their risk management functions. By having better risk 
management systems as mentioned above, identifying the scope of the risk 
management program should be easier for management. With a better understanding 
of the scope of the risks which need to be treated, managers can make more accurate 
budgets. Instead of taking shots in the dark, managers can develop reasonable and 
accurate figures for risk management expenses. In addition to allocating resources 
to the risk management function, firms should also build up financial slack buffers 
that insulate the firm from risk events. There is considerable evidence that having 
cash on hand is not inefficient, but can drive firm value. Kim and Bettis (2014) show 
that large cash holdings, beyond what is needed for transactional purposes, have a 
positive impact on firm value. Similarly, Deb, David and O’Brien (2017) found that 
cash creates shareholder value when it is used for adapting to uncertainty, such as 
by firms operating in competitive, research-intensive or growth-oriented industries. 
Thus, the adequate level of financial resources for risk management is dependent on 
the firm, its existing resource position, and industry conditions. While the state of 
financial resource allocation was not examined specifically in this study, future work 
should explore this domain.

Risk vs. Return

Additionally, managers need to align their  risk management performance 
with their corporate objectives and goals. Managers may want to consider using 



88 Journal of Business Strategies

objectives that are not purely based on financial performance, such as growth and 
returns. For instance, S&P has begun to rank firms on their risk management activities. 
Depending upon the industry, firms may want to consider pursuing a particular level 
of risk management ranking as a stated year-end objective. If firms want to continue 
incorporating financial metrics they could incorporate risk by utilizing risk-adjusted 
performance outcomes. Firms may also want to consider developing performance 
indicators which address the key risks they disclose in their annual reports (please 
see the example above in the Compensation Systems section for an example). A 
focus on reducing the key risk indicators could be considered in addition to purely 
performance-based measures.

 It is important to keep in mind that the suggestions mentioned here are not 
exhaustive and are but a few of the many things management can do to improve 
risk management. It is important to remember that risk management should be an 
integral part of a firm’s strategy. Risk management should be incorporated into the 
strategy-making process so that it is not subjugate to business objectives, but instead 
helps the firm accomplish its long-term goals and objectives.

Limitations and Future Research

As with all research there are limitations associated with this study. First, 
the most obvious is that this study relies on a commission’s report which is based 
on first-hand accounts of the events leading to the crisis. Thus, there is no ability to 
control for any biases or omissions of the commission. However, the creation of the 
commission was done in a way which sought to limit this concern from the outset. 
The commission was constructed as a bi-partisan effort and was given unprecedented 
access to information sources that any researcher studying the crisis will not be able 
to collect on their own. Furthermore, while the research presented here is based 
on the report of a single commission, it bears noting that the commission’s work 
is the amalgamation of over 700 first-hand accounts, millions of pages of text and 
research, and countless hours of public scrutiny. Nevertheless, this limitation should 
be taken into account when interpreting the findings of this study. 

Second, the methodology incorporated in Study 2 of the current research may 
also be considered a limitation. The author purposefully selected a limited sample 
of highly visible and recognizable firms to perform the exploratory analysis. Given 
the exploratory nature of the study, it was not the intent to collect a large number 
of firms and employ econometric analysis. Highly visible firms are typically more 
heavily scrutinized by the public than are low visibility firms. The firms that I have 



Volume 35, Number 1 89

chosen, I have reasoned, would be the most susceptible to pressure to improve their 
risk management activities following a crisis such as the financial crisis. Investors, 
and the public alike, want to know what these large firms are doing to ensure the 
safety of investments and the economy in response to what was seen in the financial 
industry. Thus, if these firms had not changed their approach to risk management, it 
is highly likely that other firms facing less scrutiny would have done so. 

Finally, findings of Study 1 are based solely upon the experiences of financial 
companies during the crisis. The conclusions of Study 2 are based upon an analysis 
of non-financial companies. As a result, this may represent a threat to the external 
validity of the results. The purpose of applying lessons from financial companies to 
non-financial companies was to highlight the clear shortcomings in risk management 
at firms’ where risk management is a critical factor in achieving success, and using 
this as a platform for all firms to build and learn from in the future. This is similar 
to the ‘strategic benchmarking’ concept (Drew, 1997), where firms find examples of 
other firms who have capabilities or competencies in a particular area (such as risk 
management), and benchmark their own activities in this area versus the activities 
of the selected firms that have built those capabilities. In this instance, the financial 
firms should have capabilities and competencies in risk management. Non-financial 
firms, then, should be able to learn from the strategies and activities (or lack thereof) 
of these financial firms. Ultimately however, in choosing the method and a limited 
sample, the generalizability of the conclusions reached in this study should be 
considered when interpreting the results. Attempts were made to ensure rigor and 
validity in both studies, however, stricter protocols for qualitative research could be 
argued for.

 With respect to future research, there are several avenues to pursue. From 
a theoretical perspective, there is still much we do not know about what contributes 
to risk management success or failure. Just by looking at the shortcomings of risk 
management during the financial crisis there seems to be several management-related 
research themes. First, it might be instructive to understand what characteristics of 
executives are associated with better or worse risk management. An upper echelons 
perspective would be informative in this area, exploring biases, personalities and 
other demographic characteristics that may be associated with risk management. 
Additionally, research on corporate governance is a natural fit with the risk 
management literature. Exploring the impact of board composition, executive 
compensation and other governance characteristics on risk management systems 
might be informative.

 From a methodological perspective, future research might focus on more 



90 Journal of Business Strategies

qualitative studies. One of the avenues mentioned briefly in the present paper is the 
role of risk communication in the risk management process. Perhaps exploring how 
executives and risk managers are interacting and communicating can give us more 
insight in to why the risk management process can be so difficult for firms. Finally, 
future quantitative research could focus on themes touched upon in this study related 
to resource allocation, executive compensation and risk management performance. 
However, before research on these areas can commence, better measures of risk 
management outcomes are necessary -- this too could be an area for theoretical 
development.

 Finally, I would be remiss to not mention that the items identified in this 
paper were occurring against a backdrop that included a very weak institutional 
environment. The institutional environment (e.g., Scott and Davis, 2007) as 
described in the management literature, provides a backdrop for firm behavior. The 
institutional environment embodies both informal and formal pressures exerted on 
firms by outside influences. The FCIC report consistently mentioned the general 
weakness of the institutional environment before the crisis. This was apparent in two 
areas -- weak regulating bodies not promoting best practices in risk management, and 
an overreliance on institutionalized practices such as letting firms police themselves. 
Whilst a more detailed discussion is beyond the scope of the current paper, they need 
to be mentioned.

CONCLUSION
To conclude, the goal of this paper was to highlight the shortcomings of 

financial firms’ risk management activities during the financial crisis in the hopes 
of uncovering areas for improvement for all firms regardless of industry.The 
assumption is that risk management failures occur because organizations do not 
have (sophisticated) risk management systems in place. This research suggests that 
is not entirely true. In the case of many of the financial firms that failed, most had 
“sophisticated” risk management systems. To make matters worse, many thought 
their systems were strong. The failures of these institutions help us understand that 
while a system might be in place, the system needs to be constructed such that the 
fundamental elements like resources, incentives, corporate objectives and managers, 
must be aligned. While this may seem like a relatively basic idea, it has escaped 
many companies.

 The FCIC’s report on the financial crisis provides a wealth of insight and 
information. Yet the implications for risk management as a result of the commission’s 



Volume 35, Number 1 91

work has not yet been fully understood. It is easy to look back in hindsight and 
point out all of the missteps which occurred. The foresight required to steer clear 
of all possible sources of risk during the crisis was probably outside the grasp of 
any human being. Be that as it may, I have identified a number of failures that were 
within the grasp of managers and boards of directors. Successful risk management 
was not impossible. Perhaps after exploring the reasons for failure in more detail, 
managers can be more cognizant of these issues in the future. 

ENDNOTES
1. The commission was an independent group of individuals, consisting of 10 
private citizens that had experience across a number of different fields related to 
different aspects of the crisis (e.g. banking, housing, finance, etc.). The members 
of the commission were elected by both parties in Congress to ensure bi-partisan 
conclusions (a majority opinion was reached although there were some members 
who provided a minority opinion).
2. This article is based upon, to a large extent, information which is contained in the 
FCIC’s report.  Thus, statistics, quotes, and paraphrased comments not cited directly 
in the document are sourced from the FCIC’s report which is cited in the references 
section above.
3. The list of passages presented in Appendix A is not exhaustive, i.e. is not the 
complete list of passages used for the analysis. A complete list of passages can be 
obtained from the author.
4. The specific data points are not presented quantitatively in the paper but are 
available upon request from the author.
5. See note 4.

REFERENCES
Angriawan, A. & Abebe, M. (2011). Chief Executive Background Characteristics 

and Environmental Scanning Emphasis: An Empirical Investigation. Journal of 
Business Strategies, 28(1), 1-22.

Beasley, M., Clune, R. & Hermanson, D. (2005). Enterprise Risk Management: An 
Empirical Analysis of Factors Associated with the Extent of Implementation. 
Journal of Accounting and Public Policy, 24, 521-531.

Bebchuk, L., Cohen, A., & Spamann, H. (2010). The Wages of Failure: Executive 
Compensation at Bear Stearns and Lehman 2000-2008. Yale Journal of 
Regulation, 27, 257-265.



92 Journal of Business Strategies

Carley, K. (1993). Coding Choices for Textual Analysis: A Comparison of Content 
Analysis and Map Analysis. In P. Marsden (Editor), Sociological Methodology 
(pp. 75-126). Oxford: Blackwell. 

Chapman, R. (2011). Simple Tools and Techniques for Enterprise Risk Management. 
New York: West Sussex, UK: John Wiley and Sons, Ltd.

Clarke, C. & Varma, S. (1999). Strategic Risk Management: The New Competitive 
Edge. Long Range Planning, 32(4), 414-424.

Deb, P., David, P., & O’Brien, J. (2017). When is Cash Good or Bad for Firm 
Performance? Strategic Management Journal, 38(2), 436-454.

Drew, S. (1997). From Knowledge to Action: The Impact of Benchmarking on 
Organizational Performance. Long Range Planning, 30(3), 427-441.

Duriau, V., Reger, R., & Pfarrer, M. (2007). A Content Analysis of the Content 
Analysis Literature in Organization Studies. Organizational Research Methods, 
10(1), 5-34.

Farrell, G., &Hansen, B. (2008, April 9). Stock May Fall but Execs’ Pay Doesn’t. 
USA Today.  Retrieved from http://usatoday30.usatoday.com/money/companies/
management/2008-04-09-ceo-pay_N.htm

Financial Crisis Inquiry Commission. (2011). The Financial Crisis Inquiry Report: 
Final Report of the National Commission on the Causes of the Financial and 
Economic Crisis in the United States.Washington, D.C.: U.S. Government 
Printing Office. (Available from https://fcic.law.stanford.edu)

Frame, J. (2003). Managing Risk in Organizations. San Francisco: Jossey-Bass.
Fraser, J. & Simkins, B. (2010). Enterprise Risk Management: An Introduction 

and Overview. In J. Fraser & B. Simkins (Eds), Enterprise Risk Management: 
Today’s Leading Research and Best Practices for Tomorrow’s Executives (pp. 
3-17). Hoboken, NJ: John Wiley and Sons.

Gephart, R. (1993). The Textual Approach: Risk and Blame in Disaster Sensemaking. 
Academy of Management Journal, 36(6), 1465-1514.

Grace, M., Leverty, J., Phillips, R., & Shimpi, P. (2015). The Value of Investing in 
Enterprise Risk Management. The Journal of Risk and Insurance, 82(2), 289-
316.

Hambrick, D. & Mason, P. (1984). Upper echelons: The Organization as a Reflection 
of its Top Managers. Academy of Management Review, 9(2),193-206.

Hayward, M. & Hambrick, D. (1997). Explaining the Premiums Paid for Large 
Acquisitions: Evidence of CEO Hubris. Administrative Science Quarterly, 
42(1), 103-127.



Volume 35, Number 1 93

Hoyt, R. & Liebenberg, A. (2011). The value of Enterprise Risk Management. The 
Journal of Risk and Insurance, 78(4), 795-822.

Hubbard, D. (2009). The Failure of Risk Management: Why it’s Broken and How to 
Fix it.  Hoboken, NJ: John Wiley and Sons.

Huber, G. (1991). Organizational Learning: The Contributing Processes and the 
Literatures. Organization Science, 2(1), 88-115.

Jickling, M. (2009). Causes of the Financial Crisis (R40173). Washington, DC: 
Congressional Research Service. Retrieved from: http://digitalcommons.ilr.
cornell.edu/key_workplace/600

Kim, C. & Bettis, R. (2014). Cash is Surprisingly Valuable as a Strategic Asset. 
Strategic Management Journal, 35(13), 2053-2063.

Lam, J. (2014). Enterprise Risk Management: From Incentives to Controls. John 
Wiley and Sons.

Liebenberg, A. & Hoyt, R. (2003). The Determinants of Enterprise Risk Management: 
Evidence from the Appointment of Chief Risk Officers. Risk Management and 
Insurance Review, 6(1), 37-52.

Madsen, P. & Desai, V. (2010). Failing to Learn? The Effects of Failure and Success 
on Organizational Learning in the Global Orbital Launch Vehicle Industry. 
Academy of Management Journal, 53(3), 451-476.

Miller, K. (1998). Economic Exposure and Integrated Risk Management. Strategic 
Management Journal, 19, 497-514.

Miller, K. & Waller, H. (2003). Scenarios, Real Options and Integrated Risk 
Management. Long Range Planning, 36, 93-107.

Rochette, M. (2009). From Risk Management to ERM. Journal of Risk Management 
in Financial Institutions, 2(4), 394-408.

Scott, R. & Davis, G. (2007). Organizations and Organizing: Rational, Natural and 
Open System Perspectives. Upper Saddle River, NJ: Pearson Prentice Hall. 

Shenkir, W., Barton, T., & Walker, P. (2010). Enterprise Risk Management. In J. 
Fraser & B. Simkins (Eds), Enterprise Risk Management: Today’s Leading 
Research and Best Practices for Tomorrow’s Executives (pg. 441-463).Hoboken, 
NJ: John Wiley and Sons.

Shortreed, J. (2010). ERM Frameworks. In J. Fraser and B. Simkins (Editors), 
Enterprise Risk Management: Today’s Leading Research and Best Practices for 
Tomorrow’s Executives (pg. 97-123). Hoboken, NJ: John Wiley and Sons.

Tang, Y., Qian, C., Chen, G. & Shen, R. (2014). How CEO Hubris Affects Corporate 
Social (Ir)Responsibility. Strategic Management Journal, 36(9), 1338-1357.



94 Journal of Business Strategies

Tuckman, B. (2016). Derivatives: Understanding Their Usefulness and Their Role in 
the Financial Crisis. Journal of Applied Corporate Finance, 28(1), 62-71.

Vo, L. (2015). Lessons From the 2008 Global Financial Crisis: Imprudent Risk 
Management and Miscalculated Regulation. Journal of Management Sciences, 
2(1), 205-222.

BIOGRAPHICAL SKETCH OF AUTHOR
Corey J. Fox is an Assistant Professor of Management in the McCoy College 

of Business at Texas State University. He received his PhD in Business Administration 
from Oklahoma State University. His current research focuses on issues related to 
risk and risk management in organizations, corporate resource allocation decisions, 
and corporate citizenship. His work has been published in such outlets as the Journal 
of Managerial Issues and Strategic Organization.



Volume 35, Number 1 95

Appendix A
 Example Passages



96 Journal of Business Strategies



Volume 35, Number 1 97

Figure 1
 Risk Management Counts

Figure 2
Risk/Return Ratios