Managing Principal, ermINSIGHTS
Assistant Professor, St. Edward's University
Enterprise risk management (ERM) emerged more than 15 years ago as an all-encompassing alternative to the then-traditional fragmented approach to risk management. This earlier, disjointed style is sometimes described as managing individual risks in stand-alone silos or stovepipes. Risk management practitioners began to flesh out and test the theory, and early practical applications took the form of integrated risk programs that combined selected hazard risks and financial risks.1
As the ERM process was debated and matured, practitioners started to include operational risks within their portfolio. Risk registers emerged that organized the various identified risks into categories that now included hazard, financial, and operational risks. Hazard risk examples include fires, lawsuits, and strikes. Financial risk examples include commodity price volatility, inflation, and currency exchange rate fluctuations. Operational risk examples include process disruptions, compliance failures, and technology breakdowns.2
ERM practitioners began encountering internal organizational pushback because the process was inappropriately seen as (1) reactionary and (2) an unnecessary expansion of audit and compliance. Peter Drucker once stated, “The purpose of business is to create and keep a customer.”3 Recognizing the corporate imperative ...