In the past, I have written about how to build a resilient organization. The problem with risk management in many organizations is that they don't know how to pull it all together and incorporate it into a strategy, instead of keeping as a separate add on that's left lying around in case something goes wrong.

There are signs that this might be changing.

At the end of last year, the GARP Risk Review ran a piece on the evolution of senior risk officers changing from compliance specialists into experts on governance, capital allocation, data management, internal reporting and group-level budgeting and planning.

Sean Lyons, a principal of Risk-Intelligence-Security-Control (R.I.S.C.) International, outlines what companies need to do in his piece An introduction to corporate defense management.

According to Lyons, companies need to develop a "cybernetic loop" to bring it all together. Lyons doesn't nut out specifically what this loop should look like or how to do it, but he does give us a picture of a comprehensive system that incorporates everything from corporate governance to physical security, one that's capable of anticipating, preventing, detecting and reacting. Still, with unexpected events like a 9/11, SARS outbreak or Hurricane Katrina, it's not foolproof. But it's better to have a system like this than not.