As a risk management professional who advocates Enterprise Wide Risk Management (EWRM), I get a lot of questions about what EWRM is. I have a story I like to tell that really speaks to the meaning of EWRM. It involves a piece of wooded land that I own in a very rural area of the South.

One day I was standing by the road surveying the property and one of my neighbors drove up to say hello. He asked what I was doing and I explained that I was surveying the land because I was considering erecting a small fence around it. He looked puzzled and then asked why I would want to do that. I actually thought that it was a silly question, but being neighborly, I explained that I wanted to put a fence around the property to keep bad people out. And then…I got my own moment of Zen. My neighbor laughed out loud and said, "Joe, fences only keep good people out. The bad people are going to come in anyway."

As a risk manager, I knew immediately he was right. I was looking at the situation from a "compliance" standpoint. I thought if I put up a fence that strangers would "comply" by not entering the property. But I really wasn't considering the risk associated with their intent, the idea that they may not comply, or even the likelihood that someone would go onto the property in the first place. Had I used an EWRM approach to this situation, I would have recognized that the chance of someone coming onto my property was small; the fence I had envisioned (the control) to keep bad people out would most likely be ineffective; and, the fence may actually have had the opposite effect of my intent by keeping good people, like my neighbor, out instead.