Enterprise risk management - proof or still promise