How to Avoid Firefighting: Lessons from the 2008 Financial Crisis

The Resilient Enterprise | The riskmethods Blog

It´s been over ten years since the 2008 financial crisis, which affected people and businesses around the world. What can we learn from this global event? And how can we apply these lessons to enterprise risk management within our own companies? 

by Thomas Gröhl

In this post, I break down some of the lessons from 2008, and provide some actionable tips on how you can use what we learned then to improve your own company’s enterprise risk management practices.


The term “firefighting” is one that is used broadly these days, and can refer to a reactive response to any urgent situation. Your IT team can firefight a system outage, your PR team can firefight a bad story flying around social media and your customer service team can firefight a negative review. Firefighting is necessary, and something that every company has to do, at least some of the time. But—and here’s the key—it doesn’t always have to be that way.

In their book about the 2008 financial crisis, Firefighting, Ben Bernanke (former US Chair of the Federal Reserve), Timothy Geithner (former US Secretary of the Treasury) and Henry M. Paulson (former US Secretary of the Treasury) make exactly this argument. Writing for Politico, the pioneers of the American response to the worst US economic crisis since the Great Depression had this to say:

“The U.S. government was not well prepared for the financial conflagration of 2008, which helps explain why this fire burned so hot, why the efforts to contain it often seemed so messy, and even why that response became so wildly unpopular. Better preparation could have created better outcomes.


Firefighting in the EU

The criticality of preventive measures has also been emphasized in literal firefighting. The European Union, to prepare for the risk of forest fires during the upcoming summer season, just put in place the new rescEU system to tackle natural disasters. rescEU aims to step up disaster prevention and preparedness by establishing a simplified reporting framework focusing on key risks, by providing support to member states responding to risk and by setting up a new EU Civil protection network.

The EU and its independent member states agreeing to partner up on this issue should be an inspiration for the business world. So what can businesses do to make sure that they don´t end up fighting their own financial—or other risk management—fire?

Want to know what a truly risk-aware business looks like, and how it incorporates risk information into everyday processes like supplier relationship management? 

3 tips for businesses on how to avoid firefighting

Make risk an enterprise-wide concern

One of the lessons described in Firefighting was about how the structure of the American system left itself open for a financial crisis. Again from Politico: “America’s regulatory bureaucracy was fragmented and outdated, with no one responsible for monitoring and addressing systemic risks.” The truth is, most organizations are in a similar situation. If risk is considered at all, it’s often silo’d out by individual LOBs, instead of centralized and reported up through a single function that enables risk visibility and creates a function for identifying systemic problems. By making risk an enterprise-wide concern, you can start to spot problems before they happen, and take action to stop fighting fires and start preventing fires.

Empower your employees with the authority they need

One of the strong messages from Firefighting is that quick and strong action can avert major disaster—but if the authority for quick and strong action doesn’t exist, then it can’t occur. Do you know who in your organization has the decision-making power to take fast action in the event of a crisis? If not, you should define stakeholders and make sure that they have the clearly established authority along with respective mitigation plans to do what they need to do—before they actually need to do it.

Are you interested in supply chain financial risks? Check out our other articles:

Leverage the power of your network and be inclusive of your (business) partners

A truly comprehensive enterprise risk management program has to consider not just how risk might affect your company directly, but how it might affect business partners—which would in turn affect your company. After the financial crisis, regulatory reforms worked to address this issue from a global economic perspective; specifically, as noted in Politico, “…financial regulators have been mandated to look for potential threats to the financial system as a whole, not just factors that affect individual firms or markets.”  

In other words, don’t just look at what your company is doing—make sure you’ve also got an eye on what’s happening at key business partners, like suppliers, whose own economic crisis would create a ripple effect of risk for you. To this end, establishing a culture of collaboration is necessary. Create an environment that will help you leverage the power of your entire business network to reduce risk. Hopefully, the lessons of 2008 can inspire all organizations, not just government ones, to be more proactive about risk.

Subscribe now to the riskmethods newsletter and never miss out on new, interesting insights!

More from The Resilient Enterprise Blog

Back to top