This article addresses a fundamental question: What are the limitations of mainstream enterprise risk management (ERM), and how might risk management be reconceived to better address real organizational uncertainty?
The article claims that core elements of ERM — especially its mechanical focus on predefined risk appetite and extensive audit trails — reflect an impoverished conception of risk that fails to confront the complex, interconnected realities organizations face. ERM, as commonly practiced, tends to preserve boundaries and produce the illusion of security rather than truly managing uncertainty, leading to what the author terms the “risk management of nothing.” Instead, the article suggests that regulators and leaders should view risk appetite as a dynamic organizational process grounded in both values and metrics. It also proposes that business continuity management (BCM) offers insights for reconstructing risk practices that are more adaptive and responsive to real-world contingencies.
Reference:
Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 34(6–7), 849–855.
