Home > Risk > When risk management began

When risk management began

September 15, 2020 Leave a comment Go to comments

Recently, I read an article that said risk management had been traced back to around 2,000 BC when there had been some commodity trading in India.

I think it dates back to at least the dawn of the human era, and was probably practiced in some fashion before. (I am not getting into the question of whether God thought about what might happen when he created the heavens and the earth.)

Consider the first people to discover fire. They soon realized not only the opportunities it presented for heat and safety but also for cooking. They also learned what happens if you are not careful and get burned by it.  They acted accordingly.


The fire discoverers had objectives: safety, food, heat, etc. They considered the current situation and what might happen, then decided whether or not to take the risk.

That was risk management.

Arguably, it was more effective than some practices today as the potential for harm was weighed against the potential for gain, and a calculated decision made.

They were not listing all the things that can go wrong with fire, holding a meeting to discuss them, and comparing each harm to a risk appetite.

Instead, they decided that if they were careful the benefits outweighed the risks.

How can we move risk management practices forward, away from enterprise list management to enterprise success management?

I welcome your thoughts.

  1. September 15, 2020 at 7:14 AM

    I have often stated that Joseph, from the book of Genesis, is one of our earliest examples of an executive with risk management responsibilities. As the Vizier of Egypt, he was tasked with storing up in the years of plenty for the predicted years of famine.

  2. GSosbee
    September 22, 2020 at 1:34 PM

    Norman, I have been attempting to bring the change you suggest since 1998, so I share your concern/frustration. From what I have observed, the hurdles/walls that have to be overcome:

    • Organizational kingdoms. Current organizational theory has “risk management” on the mid-management level at best. While risk managers in larger organizations enjoy a somewhat broader scope of responsibility than risk managers at smaller organizations, very few (if any) have any material strategic input.

    Since risk management is a strategic tool, the risk manager must have direct access to the Board of Directors at least through a near-real-time risk management dashboard reflecting the current risk status versus the Board’s risk appetite and tolerance boundaries.

    • Who is a risk manager? Simple definition; but a difficult position to correctly identify. The simple but correct answer is anyone who makes choices starting at when to get up. From an organizational viewpoint, every employee from the janitor to the CEO. In other words, everyone.

    However, the risk manager under this discussion is the person who, acting on direction provided by the owner(s)/Board of Directors, designs, implements and manages a program that protects not only organizational gained assets and also current and future organizational liquidity through one program, one set of definitions and one measurement system. This does not mean that others in the organization cannot manage the risks they specialize in (such as audit risk, commodity risk, capital allocation risk, etc.) and even have a “Risk Manager” title. What it does mean is the Speciality Risk Managers follow the procedures and definitions set by the Chief Risk Executive (next paragraph), so their areas of expertise can be measured and scored on the same basis as all other organizational risks.

    Unfortunately, overriding the one risk program requirement in the financial services industry has been the SEC and NYSE’s questionable decision to call quants handling the capital allocation risk “Chief Risk Officer (CRO).” As evident in the Wells Fargo episode, this is not what the regulators and the NYSE had in mind. While it cost $3B in fines and penalties against Wells Fargo, the industry continues unabated as if nothing has changed. The effect of this issue is that the CRO title cannot be used in any other industry as it is codified. Thus the development of the Chief Risk Executive to designate the enterprise risk manager.

    • However, the main issue is risk management professionals (risk managers in the enterprise sense) have not elevated their game to the senior management level. As a risk management professional who made it up the corporate ladder, this is the issue that most disturbs me: no initiative and no effort to better one’s self will get one nowhere.

    • Norman Marks
      September 22, 2020 at 2:39 PM

      Thank you, Gary.

      I see it this way.

      Risk practitioners have to stop trying to manage or mitigate risk. Forget about risk status.

      Instead, help management at all levels figure out which risks to take. Help them understand not only the potential for harm but the potential for reward, and how to assess one against the other.

      We will not get people’s attention until they realize how we help them be successful.

      I have a new book coming out on that topic later this year.

      But the principle is straightforward. Stop analyzing only the cons and not the pros. Analyze both, just as the cavemen did.

  1. September 17, 2020 at 6:49 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: