Enterprise risk management vs. traditional risk management: Which one is best for you?
When tackling the risks your business faces, the question of enterprise risk management vs traditional risk management has probably come up.
What is the difference between traditional and enterprise risk management? Which one will deliver the most benefit? These are the sorts of questions that exercise the minds of governance, risk and compliance professionals.
Enterprise Risk Management vs Traditional Risk Management
Traditional Risk Management Definition
All businesses carry out some form of risk management.
Some are more mature and consistent in this than others; for instance, those in regulated industries, like financial services or pharmaceuticals, may have more prescribed risk management techniques. Others, without a regulatory imperative, are more able to determine their risk management path.
Enterprise Risk Management Definition
What is enterprise risk management (ERM)? Investopedia defines it as “a methodology that looks at risk management strategically from the perspective of the entire firm or organization.”
How Does Enterprise Risk Management Differ From Traditional Risk Management?
When looking at traditional risk management vs enterprise risk management, what exactly is the difference?
Some commentators pin the difference on timing: traditional risk management “typically only occurs after an incident has already happened and is done to prevent that situation from happening again.”
ERM, conversely, is future-looking, and “attempts to determine potential events and situations that could, or are even likely to, occur.”
Traditional risk management tends to focus on risk avoidance, while ERM takes stock of potential risks and identifies which ones are worth taking, therefore focusing more on opportunity alongside pure risk.
And as we noted above, ERM encompasses the entire enterprise and is top-down, whereas traditional risk management may focus on only one area and not emanate from a holistic view of the entire organization.
Because traditional risk management (TRM) is well established and routinely practiced across business, it has become quite standardized. ERM is more dynamic, agile and adaptable to situations or organizations; it is recognized as “far and away the more fluid, adaptable, and dynamic of the two methods.”
Characteristics of Traditional Risk Management
- Standardized
- Backward-looking
- Risk averse
Limitations of Traditional Risk Management
- Does not foster informed risk-taking
- Siloed approach
- Less able to adapt to changing scenarios
- Harder to tailor to business risk profile or circumstances
- Restricts risk management to team or department level
ERM vs Traditional Risk Management
In our table below, we capture the differences when comparing traditional vs enterprise risk management.
Aspect | Traditional Risk Management | Enterprise Risk Management |
---|---|---|
Reactiveness | Reactive — tends to respond to incidents that have occurred and focus on preventing reoccurrence | Proactive — looks forward to prevent risk occurring |
Scope | Focuses on insurable and financially tangible risks | Encompasses both insurable and non-insurable risks, and those where the cost is hard to define — for instance, risks that damage brand or reputation |
Adaptability | Standardized, prescribed approaches | Fluid, adaptable, agile |
Effort | Focused on business units or departments; siloed; can create duplicatory activity | Holistic and enterprise-wide; minimizes duplication |
Alignment | Limits risk prioritization and alignment across teams | Enables risks that impact multiple departments to be prioritized and tackled in an integrated way |
Integration | Approach, metrics and reporting inconsistent between teams, sites or departments | Approach, metrics and reporting consistent and integrated across the business |
Identification | Identifies and tackles risks on a case-by-case basis | Focuses on root-cause risks common to every silo |
Mitigation | Risk mitigation focuses on impact on individual business units or teams | Risk mitigation takes into account impact on entire organization |
Mindset | Risk averse: focuses on mitigation | Risk tolerant: takes an enterprise-wide risk culture |
Connection | Standards and approaches are business-specific and can be simplistic | Aligns with recognized standards like the COSO Framework to ensure your risk management approach is in line with best practice |
Prominence | Keeps risk conversations to team or department level | Elevates risk discussions to board level |
Responsiveness | A static checklist of risks and responses | A real-time, responsive approach to the changing organization and risk landscape |
Taking Your Next Steps in Enterprise Risk Management
The debate over ERM vs TRM will not go away any time soon. But we hope that by exploring some of the differences, we’ve helped you to understand why enterprise risk management can help elevate your approach to risk, delivering a degree of board understanding and oversight not seen in a traditional risk management strategy.
If this has made you keen to start on, or accelerate, your own ERM strategy, what should you do next? What are the steps you need to take to embed ERM in your business and reap the rewards?
Reading Diligent’s guide, 7 Steps to Performance-Enhancing ERM, is a good place to start; it shares the seven actionable steps you can take to achieve ERM maturity, driving your organization towards performance-enhancing Enterprise Risk Management.
Find out how you can manage the risks that impact your strategic objectives with Enterprise Risk Management from Diligent.