Risk and the need to manage it is nothing new. Hoffman observes that Maslow implicitly recognized risk in his famous hierarchy of needs by placing food and shelter, both essential to survival and the first rung of the ladder (Hoffman, 2002). A failure to manage the risk of these needs not being met can have catastrophic results, as much for organizations today as it was for the earliest life forms. Bernstein cites the impact of wars on markets, and storms and piracy on shipping routes as much as some of the major risks faced and managed by our predecessors (Bernstein, 1996a). He also notes that only 350 years separate today's risk management techniques from decisions made on the basis of superstition and instinct (Bernstein, 1996b).
Are risk concepts today new to organizations?
If risk is nothing new to organizations, why is risk management generating rising levels of interest at present as seen by the growing volume of current literature on the topic? For example, Stevenson et al propose that heightened levels of competition and a rapid pace of change are destroying predictability for organizations, implicitly raising the levels of risk faced (Steveneson, 1995), while Lewis claims that modified competitive, technological, social, and political circumstances have magnified the potential impact of operations-related failure (Lewis, 2003). Delamontagne and Witzel echo this in stating that events such as the September 11th terrorist incident in New York and the Enron meltdown have moved risk management higher on the business agenda (Delamontagne, 2003; Witzel, 2002). Hoffman (2002) maintains that watershed changes in society, technology, science, and the interconnected nature of global society and business make the subject more relevant than ever before. He supports this position with reference to a database of operational loss events suggesting that majority of reported commercial losses have occurred since the beginning of 1990s. Whether this rise in historical trend levels might instead be due simply to improved record-keeping and transparency is unfortunately note explained.
Seeking to understand the likelihood and impact of future events, be they favorable or unfavorable, in order to maximize future business performance, is a decades old activity: by the late 1960s, Royal Dutch Shell had begun to develop scenarios that were designed to help management prepare for future uncertainties. This preparation was useful in enabling management to react more quickly to the 1973 oil crisis, for example Wack and King et al were describing "long-range planning" in terms similar to those used for risk management today (Wack, 1985; King et al, 1978). Here the authors discussed the need to generate predictions of the future along multiple dimensions (staff, product, competition, etc) and compare these predictions to the desired future organizational state to identify the management interventions required. They noted that this planning process would not eliminate risk, but should identify and help to manage risks, thereby increasing the "benefit/cost ratio". In 1981, Pomeranz et al used similar words to describe "strategic planning" (Pomeranz, 1981). They observed that companies were increasingly engaging in strategic planning in an effort to better manage the "shifting conditions which can disrupt achievement of a company's long-range plan". They characterize strategic planning as a process that attempt to match environmental threats with corporate resources, and go on to suggest that the auditing of strategic plans can help to define business risks and verify that these risks have been "appropriately considered".
Although the concepts described in these earlier papers have much in common with risk management as it is understood today, efforts have been made over the last several years to develop the frameworks, tools, and processes to drive and support risk management as a discipline separate from but aligned with strategic performance management. …