It is interesting that when you get enough academics and practitioners shouting in a room, risk management becomes something akin to "risk knowledge": the quantification of security behaviors. Not to disparage in any way the importance of that step, but it is hardly sufficient to consider that practice "risk management." Management, as the name correctly implies, requires the proactive step of applying that knowledge.
Start with a portfolio manager who knows a Gaussian VaR of $1m. The risk knowledge step is to calculate a heavy-tailed VaR of $3m and an expected shortfall of $5m (just for argument's sake). The risk management step is to decide whether those numbers matter - do they really beg a reduction in risk - and, if so, what to do about it.
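As an added illustration of the "risk knowledge" step (this is example code written for this page, not anything from the original post), the script below computes the three numbers for a single P&L series: a Gaussian VaR from fitted mean and standard deviation, a heavy-tailed VaR taken as the empirical quantile of observed losses, and the expected shortfall as the mean loss beyond that quantile. The daily P&L is constructed, not market data: a normal quantile grid whose 30 worst days are stretched threefold to fatten the left tail, scaled by an assumed position size of $300k per unit. The choice of the empirical quantile as the "heavy-tailed" estimator is this example's assumption; the post does not say how its $3m figure was obtained. Deciding whether the resulting gap between the three numbers warrants action is the management step the post says has no playbook, so the code stops at the report.

```python
import math
import statistics
from statistics import NormalDist

CONFIDENCE = 0.99          # one-day 99% level used throughout (assumed)
POSITION_SCALE = 300_000   # $ per unit of standardised daily return (assumed)


def gaussian_var(pnl, confidence=CONFIDENCE):
    """Parametric (Gaussian) VaR: fit mean and standard deviation to the P&L
    series and read off the normal quantile. Returned as a positive loss."""
    mu = statistics.fmean(pnl)
    sigma = statistics.stdev(pnl)
    z = NormalDist().inv_cdf(1.0 - confidence)   # negative: lower tail
    return -(mu + z * sigma)


def tail_risk(pnl, confidence=CONFIDENCE):
    """Empirical VaR and expected shortfall, with no distributional assumption.
    VaR is the loss at the confidence quantile of observed losses; ES is the
    mean of the losses beyond it. Both are returned as positive numbers."""
    losses = sorted(-x for x in pnl)              # ascending, worst last
    n = len(losses)
    k = max(1, math.ceil(confidence * n))         # observations at or below VaR
    var = losses[k - 1]
    tail = losses[k:] or [var]                    # guard very small samples
    return var, statistics.fmean(tail)


def constructed_pnl(n=1000, fat_days=30, fat_factor=3.0, scale=POSITION_SCALE):
    """Constructed daily P&L (not market data): a Gaussian quantile grid whose
    `fat_days` worst days are stretched by `fat_factor` to fatten the left tail."""
    nd = NormalDist()
    grid = [nd.inv_cdf((i + 0.5) / n) for i in range(n)]   # ascending
    return [(z * fat_factor if i < fat_days else z) * scale
            for i, z in enumerate(grid)]


def risk_report(pnl, confidence=CONFIDENCE):
    """The 'risk knowledge' step: the three numbers the post talks about."""
    heavy_tail_var, es = tail_risk(pnl, confidence)
    return {
        "gaussian_var": gaussian_var(pnl, confidence),
        "heavy_tail_var": heavy_tail_var,
        "expected_shortfall": es,
    }


if __name__ == "__main__":
    report = risk_report(constructed_pnl())
    for name, value in report.items():
        print(f"{name:>20}: ${value / 1e6:,.2f}m")
```

On the constructed series the Gaussian figure comes out near $1.1m while the empirical VaR and expected shortfall sit near $2.1m and $2.4m: the fitted standard deviation absorbs some of the stretched tail, but the quantile and the tail mean still move much further. Note that if the fat days were pushed out beyond the 1% quantile (fewer days, bigger factor), the Gaussian VaR could actually exceed the empirical one while ES still blew up, which is one reason the management step cannot be reduced to comparing two VaR numbers.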
The answer is not trivial. There is no playbook that says "G-VaR of X, HT-VaR of Y, ES of Z: sell 25% of the position." One of the dangers of inviting random opinions on risk management is that frequently they tend to be simplistic, smug and heavily focused on the knowledge step, not the management step. (Aside: many responses on NC are far above the reading level of the audience, in what looks like an attempt by the author to prove he is the smartest person in the virtual room. Unfortunately I'm a pretty firm believer that the smartest guy in the room isn't the guy with the highest IQ; it's the guy who can explain the highest IQ's thoughts to everyone else.)
I was once told that the holy grail of risk management would be the perfect representation of any security's return distribution. Failing that, however, it is not enough just to approximate the return distribution; any attempt to do so must be enhanced by an active management step in which that approximation is dissected, understood and - most importantly - acted on appropriately.