Organizations have long practiced various parts of what has come to be called enterprise risk management (ERM). Identifying and prioritizing risks, either with foresight or following a disaster, has long been a standard management activity. Treating risk by transfer, through insurance or other financial products, has also been common practice, as have contingency planning and crisis management.
What has changed, beginning very near the close of the last century, is treating the vast variety of risks in a holistic manner and elevating risk management to a senior management responsibility. Although practices have not progressed uniformly across different industries and different organizations, the general evolution toward ERM can be characterized by a number of driving forces.
What is Risk Management?
Risk management is simply the practice of systematically selecting cost-effective approaches for minimizing the effect on the organization of threats that are realized. Not all risks can be fully avoided or mitigated, because of financial and practical limitations. Every organization therefore has to accept some level of residual risk.
Whereas risk management tends to be pre-emptive, business continuity planning (BCP) was invented to deal with the consequences of realized residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or as overlapping practices. In fact these processes are so tightly tied together that such a separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates, etc.). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's pre-emptive approach and starts from the assumption that a disaster will occur at some point.
Financial risk management is the practice of creating value in a firm by using financial instruments to manage exposure to risk. Like general risk management, financial risk management requires identifying the sources of risk, measuring risk, and planning how to address it. As a specialization of risk management, financial risk management focuses on when and how to hedge using financial instruments to manage costly exposures to risk.
In the banking sector worldwide, the Basel Accords are generally adopted by internationally active banks for tracking, reporting and disclosing operational, credit and market risks.
Even at Compass Bank, a smaller regional bank where I currently work, the same general risks are apparent: deposit fraud such as check kiting, insider trading fraud, Internet banking exposures, and robbery. Compass Bank must ensure that it continually tracks, monitors, rethinks or revamps, and implements its controls.
Finance theory (i.e. financial economics) prescribes that a firm should take on a project when it increases shareholder value. Finance theory also shows that firm managers cannot create value for shareholders (the firm's investors) by taking on projects that shareholders could do for themselves at the same cost. When applied to financial risk management, this implies that firm managers should not hedge risks that investors can hedge for themselves at the same cost. This notion is captured by the hedging irrelevance proposition: in a perfect market, the firm cannot create value by hedging a risk when the price of bearing that risk within the firm is the same as the price of bearing it outside the firm. In practice, financial markets are not likely to be perfect markets. This suggests that firm managers likely have many opportunities to create value for shareholders using financial risk management. The trick is to determine which risks are cheaper for the firm to manage than for the shareholders. A general rule of thumb, however, is that market risks that result in unique risks for the firm are the best candidates for financial risk management.
Why the Change?
The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox; signed July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems and WorldCom (later MCI, and now part of Verizon Business). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after its sponsors, Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide-ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to issue rules implementing the new law's requirements. Some believe the legislation was necessary and useful, others believe it does more economic damage than it prevents, and yet others observe how essentially modest the Act is compared to the heavy rhetoric accompanying it.