Introduction

The management of risk has always been of fundamental importance to all organisations. Yet risk management – the formalised processes used today to identify, assess, prioritise, manage, mitigate, communicate and report on risk – is a relatively new business discipline. As an example, it may well astonish some of the younger readers of this book to learn that there were no “risk registers” used in any of the clients in my last audit portfolio in1990. How times have changed!

Risk management, as an idea, developed steadily throughout the 20th century, out of a combination of wars, weather-related disasters, mathematical theories and business imperatives. The advantages of taking a disciplined approach to future uncertainties, based on probabilities rather than on luck or faith, became clear. The title of Chief Risk Officer was first used in 1993 by James Lam at GE Capital to describe a function that involved managing “all aspects of risk”. Peter Bernstein, in his influential book Against the Gods: The Remarkable Story of Risk² published in 1996 summarised this changed attitude as follows: “If everything is a matter of luck, risk management is a meaningless exercise. Invoking luck obscures truth because it separates an event from its cause.” Developments in risk management theory were encouraged and adopted by businesses, driven notably by the insurance and financial services sectors in the US, so that by the end of the 1990s formalised processes were becoming the norm ...