Enterprise Risk Management (ERM) has undergone a conceptual and operational transformation over the past three decades. Historically, organisations conceptualised risk predominantly through the lens of hazard, a strictly negative potential for financial loss, physical harm, or operational disruption that necessitated mitigation, avoidance, or transfer via insurance mechanisms. However, this reflects a fundamental paradigm shift: risk is no longer viewed solely as a threat to be minimised, but rather as the effect of uncertainty on objectives, inextricably linking risk management with strategic planning, value creation, and organisational resilience.

Standards and Regulatory Frameworks

The codification of risk management into formal, internationally recognised standards traces its modern origins to the issuance of AS/NZS 4360:1995 by Standards Australia and Standards New Zealand. Before the publication of this seminal document, risk management protocols were heavily siloed and fragmented, focusing distinctly on isolated domains such as financial risk, credit risk, or occupational health and safety. AS/NZS 4360 represented the first generic, enterprise-wide framework that transitioned risk management away from industrial safety toward an integrated strategic discipline.

Following its routine revision in 2004, the managing committee responsible for AS/NZS 4360 resolved that rather than merely updating the regional standard, they would promote the development of a unified international standard. In 2005, the International Organisation for Standardisation (ISO) established a specialised working group comprising experts from numerous countries to draft the first global standard, using AS/NZS 4360:2004 as the foundational blueprint. This initiative culminated in the publication of ISO 31000:2009, which established a universal approach applicable across all organisational types, sizes, and sectors.

The ISO 31000 standard was revised in 2018 to reflect the complexity of global business environments. The updated ISO 31000:2018 streamlined the operational text, reduced the number of rigid definitions, and placed unprecedented emphasis on integrating risk management into organisational governance, culture, and strategic decision-making. The 2018 iteration made it clear that the primary purpose of risk management is to create and protect value, moving beyond traditional loss-prevention approaches and encouraging leaders to manage risk proactively when decisions are made, rather than as an afterthought.