Within the management literature, most organizations have viewed the process of risk management primarily as an issue of compliance with statutory or regulatory requirements. Risk management within organizations has traditionally occurred within specific areas – technology, regulatory, financial, environmental etc. – with little or no coordination. Major ‘risk’ events such as September 11, Enron, WorldCom and the recent financial crisis made it increasingly apparent that the processes, policies and procedures of managing organizational risk must be a cohesive, constant analysis of both the internal and external organizational environment.
After the major ‘risk’ events of the last twenty years, the literature suggests a concentration on compliance with statutory regulatory requirements as the driver for risk management within an organization may not be an effective motivation for the management of risk.
The notion of risk as a fundamental part of strategic management has also become increasingly important in organizations. The rise of Enterprise Risk Management (ERM), sophisticated approaches to financial risk by both financial and non-financial organizations and an emphasis by regulators on risk related issues manifests this importance. However, as we know, ERM is a relatively recent management activity and has not been fully implemented in most organizations.
ERM implementation is a recent development and there has been little academic research about its success or the barriers to furthering its progress. In particular, very little has been published about attempts to identify and manage strategic risks while integrating them into a corporate-wise ERM framework.
As more organizations are focusing on the systemic and controllable risks within their business as well as ERM, a question emerges as to how this fits in with an organization managing its strategic objectives? Moreover, how does the risk function manage ‘strategic risks’? Yet it is unclear from the literature what strategic risks are and how they are managed. There needs to be a common understanding of strategic risk and what it means to be managed by organizations.