CSO - Enterprise risk management (ERM) is hardly new. Eric Cowperthwaite, CISO at the nonprofit healthcare organization Providence Health and Services, recalls hearing the term for the first time in the late 1990s, "and it existed before then, even if we didn't call it that," he said.
Indeed, the term goes back several decades, according to Jeff Spivey, who is vice president at RiskIQ, president at Security Risk Management, and international vice president of ISACA.
"My father was involved in risk management beginning in 1968," he said. "What was then called 'risk management' is now called 'enterprise risk management.'"
John Shortreed, a member of the International Organization for Standards, which developed ISO 31000, one of the most prominent frameworks for ERM, says the framework has been "evolving and maturing over the last decade, in response to the increasing risks [in] our world" brought on by such varied factors as interconnectivity, climate change and economic upheaval.