JPMorgan's trading loss should send shudders down the spines of shareholders, management and regulators. The onetime paragon of risk management has turned into a case study of what not to do.

If we have learned nothing else from the financial crisis of 2008-2009, or any other notable financial disaster for that matter, it is that the catalyst of these events is deficient risk governance and management. History is littered with spectacular risk management fiascos, from MF Global to Amaranth LLC to Long-Term Capital Management. But unlike these others, what is spooky about the JPMorgan situation is that it wasn't supposed to happen.

Fortunately, its troubles provide industry and regulators with a wake-up call for addressing fundamental long-standing cultural biases and structural deficiencies with regard to the way risk management functions within a financial institution.

Foremost, the quality of the risk management function is set from the beginning by the firm's board of directors. Without an active voice supporting a strong risk management culture, risk management has little chance of providing an effective counterbalance to risky strategies that lie outside the firm's risk appetite. In the case of JPMorgan, it seems less that the directors did not support risk management than that they had little expertise to know what risk management entails.

Complicating matters is the age-old issue of how an iconic and strong chief executive can wield considerable power over the board and management, including setting the tone for how risk management operates within the firm. It isn't sufficient to establish a chief risk officer position and for that executive to report to the CEO or board, as is the case for JPMorgan; rather, the CRO has to be empowered by the board to oversee all aspects of risk in an integrated fashion and to have deep expertise in that field.

The JPMorgan CRO only had partial oversight of the firm's risk management practices. Liquidity and interest rate risk oversight was performed by the now infamous chief investment office, according to JPMorgan’s annual report.

Interestingly, the position of CRO, unlike that of the CFO or head of a line of business, tends to take on a variety of roles across the industry, depending on how the CEO and board perceive the risk management function. This diversity suggests that the industry continues to wrestle with whether the function is to be a watchdog or a lapdog. The answer is that it actually is neither: the risk management function should ideally be looked upon as the moral compass of the company, providing objective views on the strategic direction of the firm, not saying no all the time and not rubber-stamping business strategy either.

Beyond the governance aspects of a quality risk management function lie the practices and controls that enable a firm to quickly size up emerging risks, establish clear rules defining permissible business activity and limit excessive buildups of risk.

Looking a bit further into the JPMorgan example, we now know that the models used to determine how much risk the firm was exposed to by the CIO trades were themselves a work in progress and may have been operated by the trading group rather than the risk managers. Moreover, one has to call into question the size, complexity and opacity of the transactions and ask how that aligns with its risk vision. In the immediate example, the massive concentration of risk in a specific credit default index seems well outside of normal position limits that should be in place and closely monitored.

While a robust risk management office serves as the first line of defense against excessive risk-taking by a firm, the safety and soundness regulator retains a secondary but critical role overseeing firm risk. In the case of JPMorgan, its risk managers and the OCC, its primary safety and soundness regulator, had ample warning before the announcement of the trading loss emerged to conduct their own deep-dive analysis into the trades.

The case of the OCC continues to point to an ongoing problem in which the scale, complexity and ever-evolving innovation of financial instruments and trading strategies simply overwhelm government-paid examiners. In the end, it is futile to think that a couple of $100,000+ a year civil servants will somehow miraculously unravel the trading strategies of multi-millionaire traders.

The scrutiny of JPMorgan comes at a time when the Federal Reserve has proposed a set of risk management regulations for large banks, including specifications for board and CRO qualifications and the roles of board risk committees, among other provisions. The fact that such regulations have to be imposed says a lot about an industry that has yet to embrace risk management as a core function of the firm. If the industry wants to lessen the grip of regulation in general, it must adopt a stance around risk management that charity begins at home.

Clifford Rossi is an executive-in-residence and Tyser Teaching Fellow at the University of Maryland's Robert H. Smith School of Business. He has held senior risk management and credit positions at Citigroup, Washington Mutual, Countrywide, Freddie Mac and Fannie Mae.

Editor's Note: This is the first installment of a weekly column about risk management.