In the wake of a string of catastrophic events such as economic crises (Asian financial crisis, Dot-com Bubble, etc.), major corporate failures (Enron, WorldCom) and the rise of new risks and uncertainties (epidemics, terrorism), organizations all over the world are now facing increasing and conflicting pressures from their stakeholders, who demand more protection and the guarantee of a safer and better managed risk environment. This has put Risk Management issues under the spotlight, and ERM has become a top item on the ‘To Do’ list (if it has not been implemented yet) of most organizations around the world today. As noted by Michael Power in his 2004 book ‘The Risk Management of Everything’, Risk Management is indeed Everywhere Today!
ERM has emerged as a ‘new paradigm’ for managing the portfolio of risks that organizations face in today’s troubled environment. Evidence for this development can be found in the number of articles, books, and guidelines published on the subject (COSO, ISO 31000, etc.) as well as in policy and regulatory development over the past 10 years (Basel II, Sarbanes-Oxley, etc.). Hence ERM concepts, tools and practices have now ‘invaded both private and public organizations/governments all over the world’. The rise of risk management has been so spectacular that Power describes it as an ‘explosion’ of new ‘risk control’ practices resulting from emerging social and political pressures aiming to manage ‘everything’. It is to be expected that industry players and policy makers will continue to focus more and more on mechanisms to improve corporate governance and risk management. However, as noted by some experts including myself, little effort has been expended to ground these practices on a sound theoretical basis, and ERM still consists more of a collection of practices and tools pragmatically developed over time to satisfy the relentless social and political pressures for more protection.
Unfortunately, despite the ‘explosion’ of ERM practices throughout the world, and as illustrated by the current crisis, it has not stopped the continuous mismanagement of risk by organizations and people that is the source of such tremendous value destruction. As observed by policy makers, industry players and many more, the issue may not be in the ERM systems, methodology and tools already in place but in the way ERM is being practiced, meaning how ERM is implemented, internalized and applied by organizations to make decisions about risk issues.
So if the current practice of risk management, despite all the progress in control systems, tools and technology, is not ‘good’ enough, how can we make it work better? Answering those questions will be one of the objectives of my blog.