By MATTHEW BRODSKY, senior editor/Web editor of Risk & Insurance®
The world has taken notice of enterprise risk management (ERM), and companies the globe over want some ERM for themselves.
It started in the United States with ratings agencies grading financial service companies, then all companies, on their ERM. Now further proof comes with the new ISO 31000:2009, the first international standard on the practice of risk management.
Launched by a group from New Zealand, the standard was published in November. It is now in the process of becoming the base document for a new American national standard. This international consensus gives the standard more weight than any existing risk credential, even if you're one of those risk professionals with 10 acronyms after your name.
ISO 31000 is about more than just buying insurance. It is substantially focused on the enterprise, in the fullest sense of the word. It takes into account the interconnected and very public, transparent nature of business today.
Gone is the idea of risk control. Enter "risk treatment." The distinction is true ERM. Instead of seeing risk the old-fashioned way, as pitfalls to be feared and avoided, the ISO standard broadens the definition to include opportunities. Sure, international standards are dry, mechanical, and nobody has to listen to them if they don't want to, right? Isn't ERM supposed to be mythical, amazing?
But this ISO standard if embraced could be revolutionary. ERM once was the domain of fat-cat consultants, paid big bucks to come into your offices and tell you how to implement it. They built up the ERM myth while speaking in jargon and devouring billable hours. They made ERM seem amazing--even impossible--while jabbering about it year after year at industry conferences. Why? Reread my previous sentence about "paid big bucks."
ISO 31000 instead delivers a clear path that all risk owners in a company can use themselves to build an ERM framework in their organization. Stripped of the mythical jargon, the standard can even be used by any manager in the enterprise, from project to financial managers.
Of course, there's still that tricky issue of implementation.
We have many examples of companies that never managed it since the Great Meltdown of 2008. They are the ones that no longer exist, are mired in debt, or are owned by the government. If the ISO 31000 movement shows us anything, it is that plenty of other companies around the world want to use ERM to distinguish themselves among their peers, partners, clients, raters and, most importantly, regulators.
(Read Cyril Tuohy's Counterpoint on this topic, "ERM: Risk Management's Dream State")
April 1, 2010
Copyright © 2010 LRP Publications