Risk management, even if flawlessly executed, does not guarantee that big losses will not occur. Big losses can occur because of business decisions and bad luck. Even so, the events of 2007 and 2008 have highlighted serious deficiencies in risk models. For some firms, risk models failed because of known unknowns. These include model risk, liquidity risk, and counterparty risk. In 2008, risk models largely failed due to unknown unknowns, which include regulatory and structural changes in capital markets. Risk management systems need to be improved and place a greater emphasis on stress tests and scenario analysis. In practice, this can only be based on position-based risk measures that are the basis for modern risk measurement architecture. Overall, this crisis has reinforced the importance of risk management.