INTRODUCTION

What is risk management (and its alternative title “enterprise risk management”)? When and where did we begin applying its precepts? Who were the first to use it? This is a brief and highly personal study of this discipline’s past and present. It is a description of some of its emotional and intellectual roots. It spans the millennia of human history and concludes with a detailed list of contributions in the past century.

RISK MANAGEMENT IN ANTIQUITY

Making good decisions in the face of uncertainty and risk probably began during the earliest human existence. Evolution favored those human creatures able to use their experience and minds to reduce the uncertainty of food, warmth, and protection. Homo sapiens survived by developing “an expression of an instinctive and constant drive for defense of an organism against the risks that are part of the uncertainty of existence.”¹ This “genetic expression” can be construed as the beginning of risk management, a discipline for dealing with uncertainty.

As the millennia passed, our species developed other mechanisms for coping with each day’s constant surprises. We invented a pantheon of divine creatures to blame for misfortune, praise for good luck, and to whom we offered sacrifices to mitigate the worst. These gods and goddesses, the personification of heavenly bodies, high mountains, and the deepest seas, led to a dependence on human oracles, soothsayers, priests, priestesses, and astrologers, to predict the future. We created a written language (Mesopotamia, Sumeria, Egypt, Phoenicia) in order to pass knowledge to the future. As our species used language, experience, memory, and deduction to explain random uncertainty, we created an alternative and backup explanatory system.

The classical world of the Greeks and Romans demonstrates the development of written language, providing a significant advantage over oral recitation. At first, Greek memories passed on information from the past. Their written language extrapolated it into more rational predictions. Homer, capturing memory, sang of Zeus, Hera, Athena, Apollo, and the corps of divinities responsible for the victory at Troy as well as the misadventures of Odysseus on his return home. But by 585 BC, the Greek philosopher Thales used his observations, written data, and deductions to predict an eclipse of the sun, even though he continued to profess a belief in these gods.² A century later Herodotus used intelligent “enquiry” to write “history,” but he too persisted with the power of divinities. It was finally Thucydides, in the early 400s BC, who proposed a “new penetrating realism,” one that “removed the gods as explanations of the course of events.” Thucydides was “fascinated by the gap between expectation and outcome, intention and event.”³ Perhaps he should be called the father of risk management.

A few philosophers in classical Greece tried to emphasize observation, deduction, and prediction, but they inevitably collided with the inertia of belief in the long-standing system of divine intervention as the explanation for misfortune as well as good luck. With the growth and dominance of the new monotheistic religions in the Middle East and Mediterranean, it would take another millennium before the ideas Thucydides first advanced grew into the solid body of scientific knowledge to replace myth and superstition.

AFTER THE MIDDLE AGES

Jump ahead another 1,000 years to the emergence of the Renaissance and Enlightenment. Two changes encouraged the idea that we could actually think intelligently about the future. Peter Bernstein described the first, in his Against the Gods: “The idea of risk management emerges only when people believe they are to some degree free agents.”⁴ The second was our growing fascination with numbers. Our increasing disenchantment with the explanation that a “superior power” ordained everything became coupled with the capability of manipulating experience and data into numbers and thence probabilities. We could predict alternative futures! Peter Bernstein’s book is a joyful and often lyrical exploration of development of the concept of risk as both threat and opportunity. We became capable of “scrutinizing the past” to suggest future possibilities. He describes those men who first advanced the ideas of probability measurement, introducing us to familiar and unfamiliar names from the Renaissance onward:

• Leonardo Pisano (who introduced Arabic numerals)
• Luca Paccioli (double-entry bookkeeping)
• Girolamo Cardano (measuring the probability of dice)
• Blaise Pascal (“fear of harm ought to be proportional not merely to the gravity of the harm, but also to the probability of the event”)
• John Graunt (who calculated statistical tables)
• Daniel Bernoulli (the concept of utility)
• Jacob Bernoulli (the “law of large numbers”)
• Abraham de Moivre (the “bell” curve and standard deviation)
• Thomas Bayes (statistical inference)
• Francis Galton (regression to the mean)
• Jeremy Bentham (the law of supply and demand)

Today’s risk management rests, for better or for worse, on these and other fascinating characters.

Where once philosophers and theologians attributed fortune or misfortune to the whims of gods, the efforts of those early thinkers described in Bernstein’s book, “have transformed the perception of risk from chance of loss into opportunity for gain, from FATE and ORIGINAL DESIGN to sophisticated, probability-based forecasts of the future, and from helplessness to choice.”⁵

Bernstein contrasts the development of more rigorous quantitative approaches to probabilities with recent attempts to understand why “people yield to inconsistencies, myopia, and other forms of distortion throughout the process of decision-making.” His story of risk and risk management is one of rationality and human nature, fighting with each other and then cooperating, to provide a better understanding of uncertainty and how to deal with it. “… Any decision relating to risk involves two distinct yet inseparable elements: the objective facts and a subjective view about the desirability of what is to be gained, or lost, by the decision. Both objective measurement and subjective degrees of belief are essential; neither is sufficient by itself.”

“The essence of risk management,” Bernstein concludes, “lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us.”

THE PAST 100 YEARS

Experience and new information allowed us to think intelligently about the future and plan for potential unexpected outcomes. Many millennia contributed to our growing ability to distill and use information, but the developments since 1900 are more apparent and useful. Here is a synopsis of these critical events.

The twentieth century began with euphoria, new wealth, relative peace, and industrialization, only to descend into chaotic regional and worldwide wars. These and other catastrophes crushed illusions about the perfectibility of society and our species, leaving us less idealistic and more appreciative of the continuing uncertainty of our future.

Ideas drove change in this century. Stephen Lagerfeld cogently summed it up:⁶ “Apart from the almost accidental tragedy of World War I, the great clashings of our bloody century have not been provoked by the hunger for land, or riches, or other traditional sources of national desire, but by ideas—about the value of individual dignity and freedom, about the proper organization of society, and ultimately about the possibility of human perfection.”

Risk management is one of those ideas that a logical, consistent, and disciplined approach to the future’s uncertainties will allow us to live more prudently and productively, avoiding unnecessary waste of resources. It goes beyond faith and luck, the former twin pillars of managing the future, before we learned to measure probability. As Peter Bernstein wrote, “If everything is a matter of luck, risk management is a meaningless exercise. Invoking luck obscures truth, because it separates an event from its cause.”⁷

If risk management is an extension of human nature, I should list the most notable political, economic, military, scientific, and technological events of the past 100 years. The major wars (from the Russo-Japanese, World Wars I and II, Korea, the Balkan, the first Gulf War and Iraq, to the numerous regional conflicts) and the advent of the automobile, radio, television, computer and Internet, the Great Depression, global warming, the atom bomb and nuclear power, the rise and fall of communism, housing, the dot-com, derivative, and lending bubbles, and the entire environmental movement affected the development of risk management. Major catastrophes did so more directly: the Titanic (the “unsinkable” ship sinks), the Triangle Shirtwaist fire (the failure to allow sufficient exits), Minimata Bay (mercury poisoning in Japan), Seveso (chemical poisoning of the community in Italy), Bhopal (chemical poisoning in India), Chernobyl (Russian nuclear meltdown), Three Mile Island (potential U.S. nuclear disaster that was contained), Challenger (U.S. space shuttle break up), Piper Alpha (North Sea oil production platform explosion and fire), Exxon Valdez (Alaskan ship grounding and oil contamination), to cite some of the more obvious. Earthquakes, tsunamis, typhoons, cyclones, and hurricanes continue to devastate populous regions, and their increasing frequency and severity stimulate new studies on causes, effects, and prediction, all part of the evolution of risk management.

The most significant milestones, in my opinion, are more personal: the new ideas, books, and actions of individuals and their groups all of whom stimulated the discipline. Here’s my list:

• 1914 Credit and lending officers in the United States create Robert Morris Associates in Philadelphia. By 2000 it changes its name to the Risk Management Association and continues to focus on credit risk in financial institutions. In 2008 it counted 3,000 institutional and 36,000 associate members.⁸
• 1915 Friedrich Leitner publishes Die Unternehmensrisiken in Berlin (Enzelwirt. Abhan. Heft 3), a dissertation on risk and some of its responses, including insurance.
• 1921 Frank Knight publishes Risk, Uncertainty and Profit, a book that becomes a keystone in the risk management library. Knight separates uncertainty, which is not measurable, from risk, which is. He celebrates the prevalence of “surprise” and he cautions against over-reliance on extrapolating past frequencies into the future.⁹
• 1921 A Treatise on Probability, by John Maynard Keynes, appears. He too scorns dependence on the “Law of Great Numbers,” emphasizing the importance of relative perception and judgment when determining probabilities.¹⁰
• 1928 John von Neumann presents his first paper on a theory of games and strategy at the University of Göttingen, “Zur Theorie der Gesellschaftsspiele,” Mathematische Annalen, suggesting that the goal of not losing may be superior to that of winning. Later, in 1944, he and Oskar Morgenstern publish The Theory of Games and Economic Behavior (Princeton University Press, Princeton, NJ).
  • The U.S. Congress passes the Glass-Steagall Act, prohibiting common ownership of banks, investment banks, and insurance companies. This Act, finally revoked in late 1999, arguably acted as a brake on the development of financial institutions in the United States and led the risk management discipline in many ways to be more fragmented than integrated. The financial disasters after 2000 cause some to question the wisdom of revocation.
• 1945 Congress passes the McCarran-Ferguson Act, delegating the regulation of insurance to the various states, rather than to the federal government, even as business became more national and international. This was another needless brake on risk management, as it hamstrung the ability of the insurance industry to become more responsive to the broader risks of its commercial customers.
• 1952 The Journal of Finance (No. 7–, 77–91) publishes “Portfolio Selection,” by Dr. Harry Markowitz, who later wins the Nobel Prize in 1990. It explores aspects of return and variance in an investment portfolio, leading to many of the sophisticated measures of financial risk in use today.¹¹
• 1956 The Harvard Business Review publishes “Risk Management: A New Phase of Cost Control,” by Russell Gallagher, then the insurance manager of Philco Corporation in Philadelphia. This city is the focal point for new “risk management” thinking, from Dr. Wayne Snider, then of the University of Pennsylvania, who suggested in November 1955 that “the professional insurance manager should be a risk manager,” to Dr. Herbert Denenberg, another University of Pennsylvania professor who began exploring the idea of risk management using some early writings of Henri Fayol.
• 1962 In Toronto, Douglas Barlow, the insurance risk manager at Massey Ferguson, develops the idea of “cost-of-risk,” comparing the sum of self-funded losses, insurance premiums, loss control costs, and administrative costs to revenues, assets, and equity. This moves insurance risk management thinking away from insurance, but it still fails to cover all forms of financial and political risk.
  • That same year Rachel Carson’s The Silent Spring challenges the public to consider seriously the degradation to our air, water, and ground from both inadvertent and deliberate pollution. Her work leads directly to the creation of the Environmental Protection Agency in the United States in 1970, the plethora of today’s environmental regulations, and the global Green movement so active today.¹²
• 1965 The Corvair unmasked! Ralph Nader’s Unsafe at Any Speed appears and gives birth to the consumer movement, first in the United States and later moving throughout the world, in which caveat vendor replaces the old precept of caveat emptor. The ensuing wave of litigation and regulation leads to stiffer product, occupational safety, and security regulations in most developed nations. Public outrage at corporate misbehavior also leads to the rise of litigation and the application of punitive damages in U.S. courts.¹³
• 1966 The Insurance Institute of America develops a set of three examinations that lead to the designation “Associate in Risk Management” (ARM), the first such certification. While heavily oriented toward corporate insurance management, its texts feature a broader risk management concept and are revised continuously, keeping the ARM curriculum up-to-date.¹⁴
• 1972 Dr. Kenneth Arrow wins the Nobel Memorial Prize in Economic Science, along with Sir John Hicks. Arrow imagines a perfect world in which every uncertainty is “insurable,” a world in which the Law of Large Numbers works without fail. He then points out that our knowledge is always incomplete—it “comes trailing clouds of vagueness”—and that we are best prepared for risk by accepting its potential as both a stimulant and penalty.
• 1973 In 1971, a group of insurance company executives meet in Paris to create the International Association for the Study of Insurance Economics. Two years later, the Geneva Association, its more familiar name, holds its first Constitutive Assembly and begins linking risk management, insurance, and economics. Under its first Secretary General and Director, Orio Giarini, the Geneva Association provides intellectual stimulus for the developing discipline.¹⁵
  • That same year, Myron Scholes and Fischer Black publish their paper on option valuation in the Journal of Political Economy and we begin to learn about derivatives.¹⁶
• 1974 Gustav Hamilton, the risk manager for Sweden’s Statsforetag, creates a “risk management circle,” graphically describing the interaction of all elements of the process, from assessment and control to financing and communication.
• 1975 In the United States, the American Society of Insurance Management changes its name to the Risk & Insurance Management Society (RIMS), acknowledging the shift toward risk management first suggested by Gallagher, Snider, and Denenberg in Philadelphia 20 years earlier. By 2008, RIMS has almost 11,000 members and a wide range of educational programs and services aimed primarily at insurance risk managers in North America. It links with sister associations in many other countries around the world through IFRIMA, the International Federation of Risk & Insurance Management Associations.¹⁷
  • With the support of RIMS, Fortune magazine publishes a special article entitled “The Risk Management Revolution.” It suggests the coordination of formerly unconnected risk management functions within an organization and acceptance by the board of responsibility for preparing an organizational policy and oversight of the function. Twenty years lapse before many of the ideas in this paper gain general acceptance.
• 1979 Daniel Kahneman and Amos Tversky publish their “prospect theory,” demonstrating that human nature can be perversely irrational, especially in the face of risk, and that the fear of loss often trumps the hope of gain. Three years later they and Paul Slovic write Judgment Under Uncertainty: Heuristics and Biases, published by Cambridge University Press. Kahneman wins the Nobel Prize in Economics in 2002.
• 1980 Public policy, academic and environmental risk management advocates form the Society for Risk Analysis (SRA) in Washington. Risk Analysis, its quarterly journal, appears the same year. By 2008, SRA has more than 2,500 members worldwide and active subgroups in Europe and Japan. Through its efforts, the terms risk assessment and risk management are familiar in North American and European legislatures.¹⁸
• 1983 William Ruckelshaus delivers his speech on “Science, Risk and Public Policy” to the National Academy of Sciences, launching the risk management idea in public policy. Ruckelshaus had been the first director of the Environmental Protection Agency, from 1970 to 1973, and returned in 1983 to lead EPA into a more principled framework for environmental policy. Risk management reaches the national political agenda.¹⁹
• 1986 The Institute for Risk Management begins in London. Several years later, under the guidance of Dr. Gordon Dickson, it begins an international set of examinations leading to the designation, “Fellow of the Institute of Risk Management,” the first continuing education program looking at risk management in all its facets. This program is expanded in 2007–2008 for its 2,500 members.²⁰
  • That same year the U.S. Congress passes a revision to the Risk Retention Act of 1982, substantially broadening its application, in light of an insurance cost and availability crisis. By 1999, some 73 “risk retention groups,” effectively captive insurance companies under a federal mandate, account for close to $750 million in premiums.
• 1987 “Black Monday,” October 19, 1987, hits the U.S. stock market. Its shock waves are global, reminding all investors of the market’s inherent risk and volatility.
  • That same year Dr. Vernon Grose, a physicist, student of systems methodology, and former member of the National Transportation Safety Board, publishes Managing Risk: Systematic Loss Prevention for Executives, a book that remains one of the clearest primers on risk assessment and management.²¹
• 1990 The United Nations Secretariat authorizes the start of IDNDR, the International Decade for Natural Disaster Reduction, a 10-year effort to study the nature and the effects of natural disasters, particularly on the less-developed areas of the world, and to build a global mitigation effort. IDNDR concludes in 1999 but continues under a new title, ISDR, the International Strategy for Disaster Reduction. Much of its work is detailed in Natural Disaster Management, a 319-page synopsis on the nature of hazards, social and community vulnerability, risk assessment, forecasting, emergency management, prevention, science, communication, politics, financial investment, partnerships, and the challenges for the twenty-first century.²²
• 1992 The Cadbury Committee issues its report in the United Kingdom, suggesting that governing boards are responsible for setting risk management policy, assuring that the organization understands all its risks, and accepting oversight for the entire process. Its successor committees (Hempel and Turnbull), and similar work in Canada, the United States, South Africa, Germany, and France, establish a new and broader mandate for organizational risk management.²³
  • In 1992, British Petroleum turns conventional insurance risk financing topsy-turvy with its decision, based on an academic study by Neil Doherty of the University of Pennsylvania and Clifford Smith of the University of Rochester, to dispense with any commercial insurance on its operations in excess of $10 million. Other large, diversified, transnational corporations immediately study the BP approach.²⁴
  • The Bank for International Settlements issues its Basel I Accord to help financial institutions measure their credit and market risks and set capital accordingly.
  • The title “Chief Risk Officer” is first used by James Lam at GE Capital to describe a function to manage “all aspects of risk,” including risk management, back-office operations, and business and financial planning.
• 1994 Bankers Trust, in New York, publishes a paper by its CEO, Charles Sanford, entitled “The Risk Management Revolution,” from a lecture at MIT. It identifies the discipline as a keystone for financial institution management.²⁵
• 1995 A multidisciplinary task force of Standards Australia and Standards New Zealand publishes the first Risk Management Standard, AS/NZS 4360:1995 (since revised in 1999 and 2004), bringing together for the first time several of the different subdisciplines. This standard is followed by similar efforts in Canada, Japan, and the United Kingdom. While some observers think the effort premature, because of the constantly evolving nature of risk management, most hail it as an important first step toward a common global frame of reference.²⁶
  • That same year Nick Leeson, a trader for Barings Bank, operating in Singapore, finds himself disastrously overextended and manages to topple the bank. This unfortunate event, a combination of greed, hubris, and inexcusable control failures, receives world headlines and becomes the “poster child” for fresh interest in operational risk management.
• 1996 The Global Association of Risk Professionals (GARP), representing credit, currency, interest rate, and investment risk managers, starts in New York and London. By 2008, it has more than 74,000 members, plus an extensive global certification examination program.²⁷
  • Risk and risk management make the best-seller lists in North America and Europe with the publication of Peter Bernstein’s Against the Gods: The Remarkable Story of Risk. Bernstein’s book, while first a history of the development of the idea of risk and its management, is also, and perhaps more importantly, a warning about the overreliance on quantification: “The mathematically driven apparatus of modern risk management contains the seeds of a dehumanizing and self-destructive technology.”²⁸ He makes a similar warning about the replacement of “old-world superstitions” with a “dangerous reliance on numbers,” in “The New Religion of Risk Management,” in the March–April 1996 issue of The Harvard Business Review.
• 1998 The collapse of Long-Term Capital Management, a four-year-old hedge fund, in Greenwich, Connecticut, and its bailout by the Federal Reserve, illustrate the failure of overreliance on supposedly sophisticated financial models.
• 2000 The widely heralded Y2K bug fails to materialize, in large measure because of billions spent to update software systems. It is considered a success for risk management.
  • The terrorism of September 11, 2001, and the collapse of Enron remind the world that nothing is too big for collapse. These catastrophes reinvigorate risk management.
  • PRMIA, the Professional Risk Manager’s International Association, starts in the United States and United Kingdom. By 2008, it counts 2,500 paid and 48,000 associate members. It, too, sponsors a global certification examination program.²⁹
  • In July, the U.S. Congress passes the Sarbanes-Oxley Act, in response to the Enron collapse and other financial scandals, to apply to all public companies. It is an impetus to combine risk management with governance and regulatory compliance. Opinion is mixed on this change. Some see this combination as a step backward, emphasizing only the negative side of risk, while others consider it a stimulus for risk management at the board level.
• 2004 The Basel Committee on Banking Supervision publishes the Basel II Accords, extending its global capital guidelines into operational risk (Basel I covered credit and market risks). Some observers argue that while worldwide adoption of these guidelines may reduce individual financial institution risk, it may increase systemic risk. These global accords may lead to similar guidelines for nonfinancial organizations.³⁰
• 2005 The International Organization for Standardization creates an international working group to write a new global “guideline” for the definition, application, and practice of risk management, with a target date of 2009 for approval and publication.³¹
• 2007 Nassim Nicolas Taleb’s The Black Swan is published by Random House in New York. It is a warning that “our world is dominated by the extreme, the unknown, and the very improbable … while we spend our time engaged in small talk, focusing on the known and the repeated.”³² Taleb’s 2001 book, Fooled by Randomness (Textere, New York) was an earlier paean to the importance of skepticism on models.
• 2008 The United States Federal Reserve bailout of Bear Stearns appears to many to be an admission of the failure of conventional risk management in financial institutions.

Perhaps Peter Bernstein’s Against the Gods is a fitting end to this list of risk management milestones. It illustrates the importance of communication. Too often, new ideas have been unnecessarily restricted to the cognoscenti. Arcane mathematics, academic prose, and the secretiveness of current risk management “guilds,” each protecting their own turf, discourage needed interdisciplinary discussion. Peter’s lucid prose, compelling syntheses of difficult concepts, personal portraits of creative people, and particularly his warnings of the perils of excess quantification, bring us an appreciation of both the potential and perils of risk management. No matter what title we attach to this thinking process (risk management; enterprise risk management; strategic risk management; etc.), it will continue to be a part of the human experience.

None of this retrospection has any meaning or value unless it acts as a stimulant for a more prudent, intelligent, and optimistic use of the ideas and tools of past innovators.

Step out and create some new risk milestones.

Paradoxically, the very mortality that bears each of us along to a finite conclusion also gives us, through its unfolding, the means to repossess what we believe we have lost. It is in memory, given its true shape through the imagination, that we can truly possess our lives, if we will only strive to regain them.

—Louis D. Rubin Jr., Small Craft Advisory
Atlantic Monthly Press, New York, 1991

Risk and time are opposite sides of the same coin, for if there were no tomorrow there would be no risk. Time transforms risk, and the nature of risk is shaped by the time horizon: the future is the playing field.

—Peter Bernstein, Against the Gods, John Wiley & Sons, New York, 1996
(Revision September 2008. An earlier version of this brief history
appeared in the December 1999 issue of Risk Management Reports.)

ABOUT THE AUTHOR

Felix Kloman is President of Seawrack Press, Inc. and a retired principal of Towers Perrin, an international management consulting firm. His experience includes serving as Editor and Publisher of Risk Management Reports for 33 years, from 1974 to 2007, and more than 40 years in risk management consulting with Risk Planning Group (Darien, CT), Tillinghast (Stamford, CT), and Towers Perrin (Stamford, CT). He is the author of Mumpsimus Revisited (2005), and The Fantods of Risk (2008), both sets of essays on risk management. He is a Fellow of the Institute of Risk Management (London), a past director of the Nonprofit Risk Management Center, a past and founding director of the Public Entity Risk Institute, past chairman of the Risk Management & Insurance Committee for the U.S. Sailing Association, and a charter member of the Society for Risk Analysis. He received the Dorothy and Harry Goodell Award from the Risk & Insurance Management Society in 1994.

He is a graduate of Princeton University, 1955, with an AB in History.