Where Does Risk Management Originate?
Risk management does not have a single inventor or birthplace. It developed gradually from ancient trade, insurance, mathematics, engineering and military planning before becoming a formal business and project management discipline.
People have always tried to protect themselves against uncertain events. Traders divided cargo between ships, lenders charged more for dangerous voyages, builders used safety margins and rulers stored food for bad harvests.
These practices were not called risk management, but they used familiar principles such as diversification, contingency planning, risk transfer and loss prevention.
The short answer
Risk management originated in practical attempts to cope with uncertainty, particularly in trade and insurance. It became more scientific following the development of probability theory in the 17th century and developed into a formal management discipline during the 20th century.
Table of Contents:
- Does risk management have a single origin?
- Ancient approaches to risk
- Marine insurance and risk transfer
- Probability theory and risk analysis
- Industrialisation, engineering and safety
- The emergence of project risk management
- Enterprise risk management
- Modern risk management
- Risk management history timeline
- Summary
- Sources
Does risk management have a single origin?
No. It would be misleading to claim that risk management was invented by one civilisation, organisation or individual.
Risk management emerged from several overlapping areas:
- Trade and commerce
- Marine insurance
- Probability and statistics
- Banking and finance
- Engineering and workplace safety
- Military and aerospace programmes
- Corporate governance
- Project management
The history therefore depends on what we mean by risk management.
If we mean taking action to reduce uncertainty, its origins are ancient. If we mean a documented process for identifying, assessing, responding to and monitoring risks, the discipline is much more recent.
Ancient approaches to risk
Long before anyone created a risk register, merchants and lenders were finding ways to limit their exposure to loss.
Early commercial practices included:
- Dividing goods between several ships or caravans
- Sharing the cost of a trading voyage between investors
- Using loans whose repayment depended on the safe arrival of a ship
- Storing surplus food to prepare for poor harvests
- Using contracts to allocate responsibility for losses
These arrangements contained the foundations of several modern risk responses.
| Early practice | Modern equivalent |
|---|---|
| Dividing cargo between ships | Diversification |
| Sharing the cost of a voyage | Risk sharing |
| Charging more for a dangerous journey | Risk-based pricing |
| Keeping emergency supplies | Contingency planning |
| Assigning losses through contracts | Contractual risk transfer |
Ancient traders did not calculate risk scores or maintain probability-impact matrices. They nevertheless understood the crucial point: putting everything into one vulnerable venture was asking for trouble.
Marine insurance and the development of risk transfer
Marine trade played a major part in turning informal risk sharing into a recognisable financial activity.
Sea voyages exposed merchants to storms, piracy, shipwreck, theft, war and navigational failure. A successful voyage could produce a fortune. A lost ship could bankrupt everyone involved.
Marine insurance allowed a merchant or shipowner to pay another party to accept some of that financial risk. This established one of the principal responses still used in risk management: risk transfer.
Lloyd's Coffee House
A famous chapter in this history began at Edward Lloyd's Coffee House in London. By 1688, the coffee house had become a meeting place for merchants, shipowners and people willing to insure ships and cargo.
Reliable information was essential. Underwriters wanted to know:
- Where a ship was going
- What cargo it carried
- Who commanded it
- Where pirates or enemy fleets were active
- Whether similar voyages had suffered losses
This was more than betting on whether a ship returned. It connected information gathering, judgement, pricing and financial protection. Those remain central features of insurance and risk management.
Lloyd's later developed from these coffee-house arrangements into a major insurance market. Marine insurance existed before Lloyd's, but Lloyd's became one of the most influential institutions in the history of commercial risk.
Probability theory and risk analysis
The next leap came when uncertainty became something that could be examined mathematically.
In 1654, French mathematicians Blaise Pascal and Pierre de Fermat exchanged letters about how the stakes in an unfinished game of chance should be divided. Their work helped establish the foundations of modern probability theory.
Other mathematicians, including Christiaan Huygens, Jacob Bernoulli and Thomas Bayes, extended the study of probability and uncertainty.
This mathematical work provided foundations for:
- Calculating expected outcomes
- Estimating the likelihood of events
- Analysing patterns in historical data
- Pricing insurance
- Forecasting losses
- Comparing uncertain choices
Risk could now be considered as more than a vague possibility. Where suitable data existed, it could be estimated, compared and priced.
Probability theory did not invent uncertainty. It gave people a more disciplined language for analysing it.
Industrialisation, engineering and safety
The Industrial Revolution created larger factories, railways, mines, bridges, steam engines and increasingly complex machinery.
It also created spectacular new ways for things to go wrong.
Organisations had to deal with:
- Machinery failures
- Fires and explosions
- Structural collapse
- Worker injury
- Production interruption
- Transport accidents
- Loss of capital invested in major works
Engineering design, inspection, safety standards, maintenance and accident investigation all contributed to the development of more systematic risk control.
The emphasis was not simply on paying for losses after they occurred. It increasingly included preventing failures and reducing their consequences.
The emergence of project risk management
Modern project risk management owes much to the large defence, engineering and aerospace programmes of the mid-20th century.
These programmes involved thousands of connected activities, unfamiliar technologies, vast budgets and severe consequences for delay or failure. Informal judgement alone was no longer enough.
PERT and the Polaris programme
The Program Evaluation and Review Technique, normally shortened to PERT, was developed for the United States Navy's Polaris missile programme during the 1950s.
PERT used networks of connected activities and three estimates for activity duration:
- Optimistic
- Most likely
- Pessimistic
This approach explicitly acknowledged that project durations were uncertain rather than pretending every activity had one perfectly reliable completion time.
Around the same period, the Critical Path Method was developed for industrial scheduling. Together, these approaches helped establish the quantitative analysis of project schedules.
Monte Carlo simulation
Increasing access to computers also made Monte Carlo simulation practical.
Instead of producing one promised completion date or cost, a simulation can run thousands of possible combinations and estimate:
- The probability of meeting a deadline
- The probability of staying within budget
- The range of possible outcomes
- The activities contributing most to uncertainty
These techniques helped shift project planning away from false precision and towards risk-informed decision-making.
Formal project risk processes
During the late 20th century, professional project management bodies began to define formal processes for:
- Planning how risk will be managed
- Identifying risks
- Assessing probability and impact
- Planning risk responses
- Assigning risk owners
- Monitoring risks throughout delivery
Familiar tools such as the risk register, probability-impact matrix and risk identification workshop emerged from this increasingly structured approach.
Enterprise risk management
Risk management eventually expanded beyond insurance, safety and individual projects.
Senior leaders needed a joined-up view of risks affecting an entire organisation, including:
- Strategy
- Finance
- Operations
- Regulation
- Technology
- Cybersecurity
- Reputation
- Supply chains
This broader approach became known as Enterprise Risk Management, or ERM.
ERM aims to connect risk with objectives and decisions rather than treating each risk as an isolated problem owned by a separate department.
Modern risk management
Modern risk management brings together ideas from all the earlier stages of its development.
It uses:
- Insurance to transfer financial exposure
- Statistics to analyse likelihood and variation
- Engineering controls to prevent failure
- Project processes to assign and monitor risks
- Governance frameworks to connect risk with organisational objectives
ISO 31000, first published in 2009 and revised in 2018, provides widely used guidance for managing risk. It is designed to apply to different organisations, sectors, decisions, operations and projects.
Modern standards generally treat risk as the effect of uncertainty on objectives. This is important because risk is not restricted to disasters and threats. Uncertainty can also create opportunities.
The language has changed, the tools have improved and the spreadsheets have multiplied. The underlying challenge remains ancient: something unexpected may happen, so what should we do about it?
Risk management history timeline
| Period | Development | Contribution to risk management |
|---|---|---|
| Ancient world | Trade, lending and shared commercial ventures | Risk sharing, diversification and contingency planning |
| Medieval and early modern trade | Growth of marine insurance | Formal transfer and pricing of financial risk |
| 17th century | Development of probability theory | Mathematical analysis of uncertainty |
| 18th and 19th centuries | Industrialisation, insurance and engineering controls | Loss prevention, inspection and safety management |
| 1940s–1960s | Defence, nuclear and aerospace programmes | Quantitative modelling and systems engineering |
| 1950s onwards | PERT, CPM and computer simulation | Schedule and cost uncertainty analysis |
| 1980s–2000s | Formal project and enterprise risk processes | Risk registers, owners, responses and governance |
| 2009 onwards | ISO 31000 and related standards | International principles and guidance |
Summary
Risk management did not begin at a single moment. Its earliest roots lie in the practical methods used by traders, lenders and communities to protect themselves from uncertain losses.
Marine insurance developed more formal ways to transfer and price risk. Probability theory made uncertainty easier to analyse. Industrialisation encouraged systematic safety and engineering controls. Defence and aerospace programmes drove the development of quantitative project techniques.
During the late 20th and early 21st centuries, these different traditions came together as formal project, enterprise and international risk management frameworks.
Therefore, the most accurate answer to the question “Where does risk management originate?” is:
Risk management originated gradually from ancient trade and loss-sharing practices. It became a measurable discipline through insurance and probability theory, and a formal management process through engineering, major projects, corporate governance and international standards.
Continue learning about risk management
Explore our guides to risk management, risk assessment and risk registers.
View Risk Management GuidesSources and further reading
This article draws on historical and professional sources covering insurance, probability, project analysis and international risk management standards.
- Lloyd's — Coffee and commerce, 1652–1811. History of Edward Lloyd's Coffee House, marine intelligence and the development of underwriting in London. Read the Lloyd's history .
- Lloyd's — History. Overview of Lloyd's development from its beginnings in a London coffee house in 1688. Read the Lloyd's history overview .
- RAND Corporation — Quantitative Risk Analysis for Project Management. Historical discussion of quantitative project risk analysis, including the Polaris programme and the development of PERT. Read the RAND paper .
- RAND Corporation — Graph Theoretic Algorithms for Ground Based Strategic Deterrent Scheduling. Includes a history of PERT and CPM and their origins in major 20th-century programmes. Read the RAND report .
- Project Management Institute — Project Schedule Risk Analysis. Explanation of PERT and Monte Carlo simulation as approaches to project schedule risk. Read the PMI article .
- International Organization for Standardization — ISO 31000:2009. The first edition of the international standard providing generic principles and guidelines for risk management. View ISO 31000:2009 .
- International Organization for Standardization — ISO 31000:2018. The current risk management guidelines, intended to help organisations identify, analyse and manage uncertainty. View ISO 31000:2018 .
- Stakeholdermap.com — Risk Meaning and Definition. Supporting explanation of risk within project management. Read the risk definition .
Historical accounts sometimes use the term “risk management” retrospectively. Ancient merchants were not following a modern risk management framework, but many of their practices resemble techniques now described as risk sharing, transfer, diversification and contingency planning.

