This essay challenges core elements of enterprise risk management (ERM) and suggests that an impoverished conception of ‘risk appetite’ is part of the ‘intellectual failure’ at the heart of the financial crisis. Regulators, senior management and boards must understand risk appetite more as the consequence of a dynamic organizational process involving values as much as metrics. In addition, ERM has operated as a boundary-preserving model of risk management subject to the ‘logic of the audit trail’, rather than as a boundary-challenging practice which confronts and addresses the complex realities of interconnectedness. The security provided by ERM is at best limited to certain states of the world and at worst it is illusory – the risk management of nothing. In contrast, business continuity management (BCM) may provide clues about how risk management might be reconstructed.