The financial services industry is often caught in a debate about whether it faces too much regulation or not nearly enough. This is a valid topic of discussion. But it distracts from another, even more critical matter: regulations in the aftermath of the most recent financial crisis have failed to effectively address the root problem that caused so many bank failures.

The financial crisis of 2008 was almost unanimously attributed to banks taking on too much risk. Subsequent regulatory actions aimed at reducing risk have ranged from stress testing to liquidity guidelines to the Volcker Rule. However, this regulatory reform has been unfocused — thereby increasing risk rather than reducing it.

While regulations are essential for an orderly financial system, they too often fall into a vicious cycle. Regulatory limits are introduced. To protect their interests, institutions respond with new products and approaches — often purposely convoluted to skirt regulations. This adds new risks, which the complexities make difficult to recognize. Therefore the dangers come to light only when the next disaster strikes, as was the case with collateralized debt obligations and variable-interest entities in the run-up to 2008. After the crisis, more regulations are introduced to deal with this newly-identified risk, and the cycle starts all over again — with complexities and risks compounding over time.

As an example, the 30-page Basel I was introduced to ensure that banks held adequate capital by limiting the growth of banks' balance sheets. It ended up creating an incentive to increase off-balance sheet transactions, since such items had no regulatory capital requirements. The off-balance sheet transactions added risks that went unnoticed until the 1990s. Recognizing the problem, the 347-page Basel II followed. It led to incentives to create products so complex that their risks were not evident until 2008. This was followed by the difficult-to-comprehend, 1,000-page Basel III. And yet no one is certain that the fundamental problem has been licked. What's next — a 2,000-page Basel IV?

In order to create a safer financial system, we need to better understand the nature of risk. Risk is the culprit in bank failures, but it is also the driver of banks' revenues. Therefore limiting total risk can create undesirable incentives. We must objectively define when risk is a systemic problem.

When banks take on risk, their results can fall short because of the usual, everyday expected ups and downs of the market, or normal risk. Revenues from other transactions typically cover such normal shortfalls and losses. With tail risk, unexpected events can throw banks' results massively off-kilter, and the shortfalls and losses that are larger than revenues must be absorbed by capital. In an extreme situation, known as extreme-tail risk, such losses can exceed the institution's capital. When they do, the bank fails.

The failures of 2008 were caused not by too much risk, but more specifically by too much extreme-tail risk. Managing extreme risk as an extension of normal risk is a disaster waiting to happen, as shown by the experiences of Bear Stearns, Lehman Brothers, Wachovia Corp. and Washington Mutual.

Extreme and normal risk need to be managed simultaneously and distinctly, as they impact institutions very differently. But regulatory and institutional actions have yet to fully address the extreme-tail risk vulnerability. There are not even any metrics with which to measure it. Without such metrics, banks and regulators rely on extensions of normal-risk management and remain unaware of big vulnerabilities (think London Whale).

Regulatory reforms have fallen short because they have ignored this issue. The Volcker Rule, for example, focuses on limiting risk from proprietary trading. It thus creates incentives for banks to attempt to achieve the same financial results through other means that may be more complex and carry higher extreme risk. In the absence of metrics to track extreme risk, the Volcker Rule mistakenly implies that a problem has been addressed. It's like locking up the liquor cabinet to keep out an addict and assuming the problem has been fixed.

Stress testing is a step in the right direction. But the subjective scenarios and black-box analyses need to go farther to address the fundamental problem of extreme risk, or else stress tests too will be gamed by the banks. Moreover, without transparent, objective metrics, banks can't institutionalize stress testing in their management processes.

Businesses have very precise metrics for profits and volatility from normal risk. Shouldn't there be metrics for extreme risk that can create life-and-death vulnerabilities?

We need an objective way to measure extreme risk, along with specific regulatory and institutional guidelines to manage and contain it effectively. Financial crises are part of economic cycles, and we will face one again. Unless banks and regulators address the root of the problem, we may be in for a repeat of 2008.

Karamjeet Paul, managing principal of Strategic Exposure Group, is the author of Managing Extreme Financial Risk: Strategies and Tactics for Going Concerns (Academic Press, October 2013). He maintains a blog on the sustainability of financial institutions during crises at