An organization is run by its people. Managing risk is a key factor in strategic business planning and success. So the saying that everyone is a “risk manager” may sound cliché and simple, but it’s absolute. How organizations effectively manage risk and build out a risk infrastructure has evolved dramatically through the years.
The Evolution of Risk
In the early 2000s, financial risk was at the forefront when the Sarbanes-Oxley Act (SOX) was enacted and organizations began to establish the three lines of defense model. The Great Recession led to new regulations and requirements, resulting in organizations reevaluating how they could apply the earlier elements of the risk governance model.
A risk-aware culture took some time for many organizations to adopt after the Great Recession. We often still saw the risk-aware culture broken into a segregated model — the business, and the people responsible for monitoring and calling out what’s wrong.
But in the last several years, the industry has matured because there is more integration of risk-aware culture across all three lines of defense. Efforts have been made to improve how the teams work together and how well they are integrated, resulting in operational improvements and cost efficiencies. Enterprise Risk Management teams are now viewed as advisors and align with each business area to strengthen risk management practices and behaviors.