Enterprise risk management encourages organizations to establish a central risk function. The term describes an individual or unit responsible for coordination of risk discussions across the entity. General characteristics are:

Hierarchical level: The individual occupies a high position in an organizational hierarchy.

Scanning activities: Identifies external and internal exposures that senior executives involved with day-to-day responsibilities might miss.

Sharing activities: Uses technology to share relationships among exposures and information to help owners develop risk mitigation strategies.

Nonactivity: Does not manage risk directly. This is the job of risk owners, who have the responsibility and resources to pursue the goals of the organization.

Evolving trends

We are seeing a trend that may provide renewed impetus for creating a central risk function. It goes like this:

2002 compliance: Enron and other corporate scandals produced new legislation that required chief executive officers and chief financial officers to be on top of internal controls. Auditors had to be independent, boards had to know what was going on and senior executives had to change behaviors. This was the compliance phase of ERM.

2004 governance: Regulators realized that organizations have larger problems than simply fixing internal control processes. Led by individuals, such as attorneys general, and agencies, such as the Department of Justice, regulators pursued boards and executives that inflated prices, spun the perceived value of securities, overpaid CEOs, and engaged in or allowed practices involving conflicts of interest or fraud. Companies evaluated ERM in terms of improving organizational governance.

2008 hard-to-quantify risks: Now we have a growing recognition that ERM is reaching maturity, not in the sense of getting old but rather in getting it right. The real benefit of understanding and coordinating risk management does not lie in legal exposures of failed compliance or governance. Rather, it exists because we live in an uncertain world where the most critical risks are rarely identified let alone quantified in advance.

We are about to see a paradigm shift in ERM. We had a period where the Committee of Sponsoring Organizations auditors, regulators and consultants encouraged sometimes elaborate processes to identify and mitigate exposures. While not a bad idea in theory, the problem is the world is moving too fast for detailed measurement tools even if we identify the right exposures. A new approach is needed.

The traditional management practice is to develop a strategy (the plan), provide resources (the budget), approve the plan and budget at various hierarchical levels, give individuals goals and incentives, and execute the plan. In most cases, the model does not contain a risk management component.

The emerging ERM model builds upon the U.S. Marines who "shoot, move and communicate." This is anathema to many senior executives. They raise objections. How can you move before you know where you are going? What do you shoot at? Where is the plan? How will we know whether resources are being used as approved?

To better understand the Marine concept, imagine a landing on a beach by an amphibious force facing a dug-in enemy in coastal hills. What is the plan? Nobody cares once the landing door drops. Shoot at the bad guys. Get out of harm's way. Talk about what is happening. Figure out what to do.

It was different in the 1950s when organizations operated largely in a domestic economy. In 2008, we have a global battleground requiring constant motion. Areas at greater risk include:

China and India: With 36% of the global population, these countries need constant surveillance. In 2002, China was the place to be. In 2004, intellectual property problems in China and improvements in India sent everyone to Mumbai, Chennai and Bangalore. What is the life cycle of a fixed strategic plan?

Technology: Almost everything we need with respect to information and amusement can be carried in cell phones. Today's innovative product is tomorrow's obsolete relic. What is the validity of a budget prepared six to 18 months ago?

Logistics: A firm's raw materials may come from three continents. Components may be fabricated in 16 countries. The supply chain might be supported by Indians who update a massive data base and Bulgarian engineers who upgrade the information systems themselves. All products designated for customers in North America may be shipped at the last minute through the congested and vulnerable port of Long Beach, Calif. Where is the risk management in the supply chain?

Soon we will be using 100 million barrels per day of oil, and China alone will consume incredible resources. Still, there is no viable plan for the allocation of resources. We cannot refine 100 million barrels a day even if we could find and ship the crude oil. Population cannot grow indefinitely. We are not planning. People and countries are shooting, moving and communicating. Organizations must do the same.

The world is in flux. What can organizations do? Create a central risk function. Scan emerging markets, technology, logistics and the global conundrum. Share the findings with key executives. Respond quickly to changing circumstances on the worldwide battlefield. This is the future of enterprise risk management.

John J. Hampton is the KPMG Professor of Business and Dean of the School of Professional and Continuing Studies and Graduate Business Programs at St. Peter's College in New Jersey. He specializes in business ethics, legal liability and enterprise risk management. He is a former executive director of the Risk & Insurance Management Society Inc. To read Mr. Hampton's columns and interviews, visit www.Business Insurance.com/ERM.