Over the past two decades enterprise risk management (ERM) has evolved from concepts and visions of how risks should be addressed to a methodology that is becoming entrenched in modern management and is now increasingly expected by those in oversight roles (e.g., governing bodies and regulators). As Felix Kloman describes in his chapter "A Brief History of Risk Management," published in Fraser and Simkins (2010), many of the concepts go back a very long time, and many of the so-called newly discovered techniques can be traced back to the earlier writings and practices described by Kloman. However, it is only from around the mid-1990s that the concept of giving a name to managing risks in a holistic way across the many operating silos of an enterprise started to take hold. In the 1990s, terms such as integrated risk management and enterprisewide risk management were also used. Many thought leaders, for example, those who created ISO 31000,[1] believe that the term risk management is all that is needed to describe good risk management; however, many others believe that the latter term is often used to describe risk management at the lower levels of the organization and does not necessarily capture the concepts of enterprise-level approaches to risk. As a result, the term ERM is used throughout this book.

As ERM continues to evolve there is still much discussion and confusion over exactly what it is and how it should be achieved. It is important to realize that it is still evolving and may take many more years before it is fully codified and practiced in a consistent way. In fact, there is a grave danger now of believing that there is only one way of doing ERM. This is probably a mistake by regulators who have too eagerly seized some of these concepts and are trying to impose them when the methods are not fully understood, and in some cases the requirements are unlikely to produce the desired results. As Fraser and Simkins (2010) noted in their first book on ERM: "While regulatory interest can force ERM into companies, if not done well, it can become another box-ticking exercise that adds little value."[2]

The leading and most commonly agreed[3] guideline to holistic risk management is ISO 31000. However, it should be mentioned that in the United States the COSO 2004 Enterprise Risk Management-Integrated Framework has been the dominant framework used to date. Many organizations are currently adopting one or the other of these frameworks and then customizing them to their own context.

  • [1] ISO 31000 was issued by the International Standards Organization in 2009. For a description refer to Chapter 7 of Fraser/Simkins by John Shortreed.
  • [2] Fraser/Simkins, 15.
  • [3] ISO 31000 has been agreed to by about 25 major countries of the international community as the guideline for risk management.