Magazine article Risk Management

Climbing the ERM Tree: The History and Complexity of Enterprise Risk Management

Article excerpt

Enterprise risk management (ERM) emerged from the fundamental roots of risk management itself: preserve assets, protect people and comply with laws and regulations. And like a young tree, ERM has developed a strong trunk with several distinct branches, each representing a different approach.

There are three primary reasons why ERM has developed so many branches. First, there is no standard definition of ERM. Instead, there are a variety of national and global standards, which have led to much confusion over what exactly the discipline of ERM really means.

Second, the marketing of ERM by professional service firms tends to mirror the services that those firms are selling. Accountants, insurance brokers and consultants craft their ERM approaches around their specific agendas, in effect creating more branches on the tree.

Third, how ERM is developed within organizations is largely dependent upon where it has been implemented (or where the ERM seed fell, if you will). For instance, the practice of ERM could be rooted in compliance, risk or value creation depending on where it is "owned" within the organization.

So although these branches all come from a common trunk, the diversity of perspectives has made ERM implementation more daunting. Understanding the rationale behind these approaches, however, can be the first step to cultivating an effective ERM program.


The Horticulture of ERM

The lowest branch on the tree, closest to the base, represents the earliest ERM efforts. These were centered around integrated risk programs, such as those created by Honeywell and United Grain Growers in the late 1990s. The fruit of this branch was the creative financing of historically immiscible risk categories in blended programs (i.e., commodity prices or volume risks combined with hazard risks, or multi-line and multi-year basket aggregates with exotic triggers and floating retentions).

Two additional limbs appeared in quick succession in 2001 and 2002. In the wake of 9/11, the business continuity planning branch emerged with a focus on disaster preparedness and emergency response planning. A renewed emphasis on physical security and system redundancy was accompanied by terrorism risk assessments, modeling of man-made disasters and the passage of the Terrorism Risk Insurance Act (TRIA). Another compliance-related branch grew out of the Enron implosion to ultimately include Sarbanes-Oxley and the COSO ERM framework.

Governance, risk and compliance (GRC) is another branch in the compliance and audit family that has emerged over the last few years and is gaining support among audit firms, information technology providers and consultants. This branch focuses on adapting the ERM approach to include corporate governance and risk management requirements from entities like the New York Stock Exchange and the rating agencies, including the auditing, reporting and compliance practices for those requirements.

As U.S. companies embrace the general concept of sustainability, a new ERM branch has grown to include the green movement. From this perspective, ERM is seen as being less about the risks faced by businesses in executing their strategies than the risks that those strategies may pose to the environment. Terms like "cap and trade," "carbon footprint" and "sustainable development" have worked their way into the risk management lexicon. We have rapidly moved from "greenhouse gases" to "global warming" to "climate change." Company stakeholders have expanded far beyond employees, owners and customers to literally encompass the entire world. It remains to be seen how large this branch grows or how rapidly, but it seems clear it will remain firmly attached to the ERM trunk.

Some practitioners have always seen ERM as a process that can be used to gather data and statistics, especially about emerging risks, in order to provide "risk intelligence" that enables senior management to make risk-adjusted decisions. …
