There is a popular Seinfeld episode in which George Costanza is asked to give a lecture on risk management, an area of "expertise" that just happened to make it onto his resume. He actually knows nothing about the subject so, in desperation, he finds an educational audio book, which begins: "Chapter 1: In order to manage risk, we must first understand risk. How do you spot risk? How do you avoid risk and what makes it so risky?"
That makes everything much clearer, right?
Ironically, when I first saw this episode I remember thinking, "What on earth is risk management and who would ever want to do something like that for a living?" Here I am today, however, knee deep in this fascinating world and truly loving it.
In early 2004, I had my own Costanza moment when I was "volun-told" by my CFO to champion an enterprise risk management program for our company. It sounded great and had a catchy name. Even though I wasn't quite sure what it would entail, I eagerly accepted. Does this sound familiar to anyone?
My laptop was the starting point for determining the meaning of ERM. I asked Google, because it always knows. Sure enough, I came across thousands of references to ERM. Fabulous! This should make my job so much easier: thousands of people seem to know how to do it, who wants it and why it is so good for us.
Next, more rigorous digging began, layer by layer. With the precision of a seasoned archeologist, I dusted off the various ERM articles and texts. A pattern started to appear. Strangely, no one seemed to be able to tell me the exact definition of ERM.
Since my moment of panic four years ago, several organizations have made valiant efforts to standardize the concept and practice of ERM. COSO, for example, attempts to clarify ERM as follows:
"ERM is a process, effected by an entity's board of directors, management and other personnel, applied...