
Evolution of Risk Management

The true line of distinction between ancient and
modern times is mastering risks.
Stone Age Civilisation

Managing risk can be traced back to Stone Age civilisation: some historians believe that the earliest concept of risk management arose from gaming, where people played games with dice and bones. These games eventually evolved into chess and checkers.


Ancient Egyptian Times

In ancient Egypt, the Nile River would yield a bountiful flow for 30 years in succession, and then have two dry years in which all harvests failed. After surveying, studying and calculating this risk, ancient Egyptians were able to plan for the next drought well in advance.


A Study on Comets

For many prehistoric cultures, comets were harbingers of bad tidings or heavenly messengers, and a comet's appearance in the sky was seen as a precursor to destruction, war and disease. People in those cultures would prepare for "fictional" risks to protect the clan from disasters. Only in later times did scientists like Edmond Halley and Isaac Newton study comets and come to understand the phenomenon.


World War II

The modern terms for managing risk arose after World War II, but the discipline mostly began as a study of using insurance to manage risk. The formative years from World War II to the mid-1960s created new risks and aggravated old ones; compelled by risk managers' responses to them, risk management evolved rapidly and gained its title and a core definition.


COSO 1985

With the advancement of economic activity and the growth of business, the mid-1970s saw a rise in questionable practices such as the financing of corporate political campaigns and corrupt foreign practices. It was during this period that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 as a joint initiative to combat corporate fraud. The COSO framework covered 4 categories of risks – strategic, operations, reports and compliance.


Failures of Fortune 1000 Companies

From 1993 through 2003, more than one-third of Fortune 1000 companies - only a fraction of which were in volatile high-technology industries - lost at least 60% of their value in a single year. In 90% of the cases, strategic and operational failures were categorised as the primary reasons for the stock drops.


Enron scandal of 2001

Furthermore, the Enron scandal of 2001 led to the bankruptcy of the Enron Corporation, an American energy company based in Houston, Texas, and the de facto dissolution of Arthur Andersen, which was one of the five largest audit and accountancy partnerships in the world. In addition to being the largest bankruptcy reorganisation in American history at that time, Enron was cited as the biggest audit failure. This scandal clearly shows that corporations fail to identify and minimise risks, especially uninsurable exposures, that could lead to their downfall.


COSO 2004

Systemic failures in major companies like Enron, WorldCom and Tyco International in 2002, along with other corporate governance issues, made way for enterprise risk management frameworks like the COSO 2004 Framework and the Combined Code on Corporate Governance of 2003 in the U.K. The western world started practising enterprise risk management disclosures as a mandate by regulators.


Financial Crisis of 2007-08

The Financial Crisis of 2007-08 exposed the limitations of banks' risk management. The guidelines were re-analysed and re-worked so that the financial industry could be better managed in the future. In recent years, much attention has been given to expanding risk management to encompass a wide range of business risks, including enterprise risk, many of which are uninsurable and traditionally outside the risk manager's purview.


COVID-19 pandemic

The global financial crisis was a watershed moment that made the world, including India, put some serious thought into risk literacy, with a newfound appreciation for crisis and business continuity planning within the private sector and government. India, too, has its fair share of scams and scandals, the outcome being plausible changes on the legal and compliance front.



In the present scenario, the COVID-19 pandemic has brought the field back into prominence, as businesses have to deal with safety issues along with digital risks, reputation risks, people risks, market risks and credit risks. The role of qualified risk professionals and chief risk officers has come to the fore. Companies are now responding to the new risk management landscape by creating new board risk committees and placing more emphasis on crisis experience in director recruitment. These committees are focusing on how to avoid operative risks, navigate the new normal through crisis planning, and create a risk-based culture and risk-based decision-making process.


Chief risk officers have the analytical understanding to evaluate everything from supply chains to staffing; manage relationships with law firms, insurance brokers, industry peers and fellow executives; communicate effectively with employees and media in a crisis; are financially literate enough to understand not only a company's balance sheet but also day-to-day operative risks; and plan for the company's recovery and resilience. The evolution of ERM continues to affect us today, with opportunities for our profession to make a difference.

Risk has always been synonymous with audit. However, risk management is a completely independent and mutually exclusive function, and every crisis and business failure has reminded us that risk needs to be looked at from an enterprise perspective with a 360-degree approach, which goes above and beyond finance and insurance.