
By Kathy Hunt
Mar 02, 2026
For as long as humans have worked, they have contended with work-environment hazards and the mitigation of injury and loss. Before erecting pyramids for the pharaohs, ancient Egyptians evaluated material strength, manpower, and environmental conditions to reduce the likelihood that the massive structures would collapse. Before setting sail, ancient Chinese traders portioned out their goods between multiple ships to lessen the chance that their entire inventory would be lost at sea. Meanwhile, merchants of ancient Babylon (modern-day Iraq) created simple forms of insurance to protect their goods against loss due to theft or accident. What all these civilizations tried to do was to manage risk.
During the Middle Ages, threats of piracy, bad weather, and disease hovered over European maritime trade. Using experiential evidence, merchants of this time began to quantify their risks and enter into trade guilds and insurance contracts to protect their livelihoods.
In today’s business world, standards are playing a critical role in minimizing risk. And new standards from the committee on homeland security applications (E54) aim to create a common language and approach to enterprise risk management to minimize those risks.
In 1963, Robert Mehr and Bob Hedges published their seminal book, Risk Management in the Business Enterprise. Considered by many scholars to be the fathers of risk management, the two emphasized that risk should be managed in a comprehensive manner and not merely insured, which had been the practice up to this point.
In the book, Mehr and Hedges outlined five steps for implementing risk management (RM): identify possible threats; measure threat size; assess possible reactions; choose the proper response; and monitor the outcome. Following these steps would help businesses to accept, transfer, and reduce risk.
Traditional RM is often described as being siloed. It focuses on risk in separate departments, such as accidents on assembly lines, and not on an organization as a whole. Generally, with RM, the threats have been previously identified, and the goal is to minimize their impact on a specific part of a business. Critics argue that this isolated approach, which alleviates issues in only one area, can produce unintended consequences in other areas.
Unlike traditional RM, enterprise risk management (ERM) looks at the possible pitfalls across an entire organization. The concept itself arose in the 1990s after multiple high-profile corporate failures involving preventable losses. During this time, a growing emphasis on shareholder satisfaction also emerged, providing additional impetus for the introduction of ERM.
Acknowledging the interdependencies that exist within a company, ERM places risk management into one common framework. This allows organizations to identify, evaluate, monitor, and communicate all facets of risk, including financial and occupational health and safety, throughout their enterprises. It helps them determine how to become more resilient. It also provides insight into how they can benefit from taking calculated risks.
“ERM looks at the bigger picture. How do organizations instill resilience and continuity? To become resilient, you have to look at all the aspects of risk inside an enterprise and balance risk exposure with financial constraints,” says Phillip Selleh, member of E54’s subcommittee on continuity of operations (E54.02).
In recent years, as organizations around the globe face more complex and more frequent challenges, including supply chain disruptions, financial volatility, and threats to physical security and cybersecurity, the need for a holistic and proactive approach to risk has grown. In response, fields as diverse as education, finance, and manufacturing have begun to introduce ERM policies and procedures into their workplaces.
“As we look across the different sectors of government and business, there are different organizations trying to put in place proper policies, plans, and procedures for ERM, but they aren’t doing it in the same way,” says E54 member Tim Stickler. “We saw this lack of standardization and recognized how all sectors would benefit from having a standard practice.”

Managing risk has always been a part of the business world.
To create a common language and approach to the integration of ERM, the continuity of operations subcommittee recently published the standard practice for enterprise risk management (E3502). As the standard states, it offers “a structured, systematic, and integrated approach to identifying, assessing, mitigating, monitoring, and reporting risks across all organizational functions.”
The standard helps guarantee that RM enriches decision-making, creates a risk-aware culture in the workplace, reinforces regulatory compliance, and provides an overall meaningful contribution to operational resilience. It is aligned with regulatory requirements, governance structures, and industry best practices.
“Every standard should list risk in some form or fashion because risk impacts practically everything that we do,” says Dr. John Bridges III, member of the committee on homeland security applications. “If you’re looking at a career transition, what are the risks of making that leap? If you take your aging pet to the vet, do the risks involved with a procedure outweigh the benefits? Little things like this that we take for granted are all part of the risk-based approach.”
“With E3502, we’re bringing together different types of resources and references to give you the opportunity to have a systems approach to thinking about risk,” he continues. “With it, you gain additional insight and considerations for when you’re creating risk management initiatives. The standard could be the benchmark to say we now have something that addresses our risk concerns across multiple portfolios.”
Ask friends, family, or even random strangers what they think the biggest threat to business is today and chances are they’ll cite cyberattacks. As headline-grabbing as these incidents may be, hacking isn’t the only element of technological risk.
“All enterprises need to take a careful look at their IT security policies, programs, procedures, and safeguards because IT is changing so quickly. Advancements in technology, the use of the internet, and now AI — all these things are tremendously powerful and useful tools that can be beneficial to humankind,” Stickler says. “But if people are given false information or information that is only partially correct and they can get that information in a few keystrokes, that’s a problem. This is why cybersecurity and IT security are so important these days.”
Protecting intellectual property is critical, but other significant dangers likewise exist. When creating the standard practice for enterprise risk management, the subcommittee members took into account something called PESTEL: political, economic, socio-cultural, technological, environmental, and legal risk factors for organizations. In the past, instability in any one of these sectors may not have affected an organization’s productivity and financial well-being. This is no longer the case.
Take, for instance, the 2025 wildfires that ravaged Los Angeles, CA. According to the Los Angeles County Department of Economic Opportunity (LACDEO), fire destroyed over 16,000 structures, including 200 commercial buildings and 100 schools. Health care, scientific and technical services, retail, education, and construction were among the industries hit hard by this disaster. The LACDEO projected that the loss of economic output for the county was between $5.2 and $10.1 billion. Overall, the cost of damages from that month’s wildfires was estimated at $53 billion.
To help plan for extreme weather events, the effects of climate, and the disruptions resulting from both, E3502 features an appendix with an analysis of environmental risk factors. It highlights enterprise functions, key risk considerations, organizational system context, and mitigation strategies, such as environmental impact analysis and disaster preparedness. The same assessment is provided for the other PESTEL risk factors.
“PESTEL’s terminology has been around a long time, but in the past, environmental, political, social, and technological factors often did not impact, or greatly impact, your organization,” Selleh said. “In today’s environment, political and social factors are becoming strong influencers in organizations. You have to look at these different aspects and react to how geopolitics affects your supply chain, and how societal change impacts your organization. You have to look at your risk.”
From the PESTEL standpoint, political risk pertains to a country’s political stability; levels of bureaucracy; tariffs and taxes; trends in regulation and deregulation; as well as freedom of the press, rule of law, and corruption. In PESTEL, sociocultural risk is divided into three categories: demographic, societal and/or cultural, and belief/attitude-related. Factors such as population growth, social class structure, income disparities, religion, and traditions fall into these groups.
Along with considering PESTEL as they created the standard, the subcommittee also looked at existing standards for risk management. “We wanted to see what siloes already existed and pull them together so they were all underneath the same framework of ERM,” Selleh says.
One of these was the ISO 31000–risk management guidelines. Published by the International Organization for Standardization (ISO) in 2009 and currently undergoing revision, the guidelines offer a structured framework for carrying out risk processes. The standard helps identify, analyze, and develop treatments for risk. However, it does not cover enterprise risk.
“A lot of people look to ISO 31000 as the standard for risk management. However, they don’t look at the different things that connect to, from the content to the context of, the standard itself,” Bridges says. “Quality Management Systems–ISO 9000 and Environmental Management Systems–ISO 14000 are examples of things that play into standards and things we should consider when trying to create a standard for enterprise risk management.”
In addition to ISO 31000, the subcommittee incorporated information from ISO 37000–governance of organizations into E3502. Selleh points out that to have a good ERM system, a good management system is needed. After all, this is what governs the entire organization. He added that the subcommittee also referenced standards from the European Union and the National Institute of Standards and Technology that focused on information management and cybersecurity.
Stickler said that ASTM standards from the subcommittees on physical and electronic security (E54.05); response robots (E54.09); and chemical, biological, radiological, nuclear, and explosives (CBRNE) detection and protection (E54.01) are additionally important.
“When I look at those other subcommittees, their missions are different,” he said. “In E54.02, we look at what’s necessary from an organizational perspective.”
As with all consensus standards, E3502 does not mandate how organizations should carry out ERM. Instead, it covers what they should consider if implementing it. One recommendation is to create “risk owners” in organizations. These employees oversee risks in their respective areas and ensure they align with the organization’s strategic objectives and appetite and tolerance for risk.
Another suggestion is to use both qualitative and quantitative techniques to analyze the probability of each risk and its possible repercussions. Related to this is establishing key risk indicators (KRIs), reporting mechanisms, and escalation procedures to monitor the effectiveness of existing risk controls and detect new threats.
Moreover, when establishing an ERM framework, organizations should anticipate performing regular assessments against industry best practices, benchmarks, and maturity models. This commitment to continuous improvement enables them to increase their understanding of risk, optimize risk levels, and strengthen organizational resilience.
The standard can be used with organizations of all sizes and fields in both public and private sectors. It was created to support management of financial, operational, strategic, technological, legal, environmental, compliance, and reputational risks.
“With the number of incidents occurring, now is the time to look at your organization from an ERM perspective. Review E3502 and bring down those siloes to create an ERM approach,” Selleh said. “This will be the path to organizational resilience.”
He added that the subcommittee on continuity of operations hopes to survey members of different industries about how they address ERM. This insight will allow the subcommittee to strengthen this and other ASTM standards.
Kathy Hunt is a U.S. East Coast-based journalist.
March / April 2026