Introduction

“So, how are we doing?” is the question many boards and C-suites are probably asking of their enterprise risk management team. The answers will likely range from “We are just getting started and it is too soon for results,” through “While it isn't perfect, we are getting results,” to “I believe we have exceeded expectations.” All three answers may be appropriate for any given ERM implementation, because, like any other strategic initiative operated by people, the take-up rate will vary from department to department. There is, of course, an answer at the other extreme: “It's gone off the rails …”.

As yet there is no agreed-upon definition of Enterprise Risk Management (ERM). ISO 31000 and ISO Guide 73 define risk management as “coordinated activities to direct and control an organization with regard to risk”. Enterprise, or enterprise-wide, risk management has grown out of the need for financial and non-financial organizations to direct and control risks beyond the traditional operational hazards and events. Financial institutions (and some other enterprises) have, on the other hand, long used risk management techniques of another sort to direct and control financial, credit, and market-related risks. Enterprise-wide risk management has been put forward as a way to bring the direction and control of all categories of risk under one umbrella, so that every critical risk to the organization is identified, directed, and controlled. Towards this end, ...
