Enterprise Risk Management vs. Traditional Risk Management: Which One Is Best for You?

Jessica Donohue

When tackling the risks your business faces, the question of enterprise risk management vs traditional risk management has probably come up.

What is the difference between traditional and enterprise risk management? Which one will deliver the most benefit? These are the sort of questions that exercise the minds of governance, risk and compliance professionals.

 

Enterprise Risk Management vs Traditional Risk Management

Traditional Risk Management Definition

All businesses carry out some form of risk management.

Some are more mature and consistent in this than others; for instance, those in regulated industries, like financial services or pharmaceuticals, may have more prescribed risk management techniques. Others, without a regulatory imperative, are more able to determine their risk management path.

Enterprise Risk Management Definition

What is enterprise risk management (ERM)? Investopedia defines it as “a methodology that looks at risk management strategically from the perspective of the entire firm or organization.”

 

How Does Enterprise Risk Management Differ From Traditional Risk Management?

When looking at traditional risk management vs enterprise risk management, what exactly is the difference?

Some commentators pin the difference on timing: traditional risk management “typically only occurs after an incident has already happened and is done to prevent that situation from happening again.”

ERM, conversely, is future-looking, and “attempts to determine potential events and situations that could, or are even likely to, occur.”

TRM tends to focus on risk avoidance, while ERM takes stock of potential risks and identifies which ones are worth taking, therefore focusing more on opportunity alongside pure risk.

And as we noted above, ERM encompasses the entire enterprise; and is top-down, whereas traditional risk management may focus on only one area, and not emanate from a holistic view of the entire organization.

Because traditional risk management (TRM) is well established and routinely practiced across business, it has become quite standardized. ERM is more dynamic, agile and adaptable to situations or organizations. Of the two, ERM is recognized as “far and away the more fluid, adaptable, and dynamic of the two methods.”

Characteristics of Traditional Risk Management

  • Standardized
  • Backward-looking
  • Risk averse

Limitations of Traditional Risk Management

  • Does not foster informed risk-taking
  • Siloed approach
  • Less able to adapt to changing scenarios
  • Harder to tailor to business risk profile or circumstances
  • Restricts risk management to team or department level

 

ERM vs Traditional Risk Management

In our table below, we capture the differences when comparing traditional vs enterprise risk management.

   Traditional Risk Management  Enterprise Risk Management
 Reactiveness Reactive — tends to respond to incidents that have occurred and focus on preventing reoccurrence Proactive — looks forward to prevent risk occurring
 Scope Focuses on insurable and financially tangible risks Encompasses both insurable and non-insurable risks, and those where the cost is hard to define — for instance, risks that damage brand or reputation
 Adaptability Standardized, prescribed approaches Fluid, adaptable, agile
 Effort Focused on business units or departments; siloed; can create duplicatory activity Holistic and enterprise-wide; minimizes duplication
 Alignment Limits risk prioritization and alignment across teams Enables risks that impact multiple departments to be prioritized and tackled in an integrated way
 Integration Approach, metrics and reporting inconsistent between teams, sites or departments Approach, metrics and reporting consistent and integrated across the business
 Identification Identifies and tackles risks on a case-by-case basis Focuses on root-cause risks common to every silo
 Mitigation Risk mitigation focuses on impact on individual business units or teams Risk mitigation takes into account impact on entire organization
 Mindset Risk averse: focuses on mitigation Risk tolerant: takes an enterprise-wide risk culture
 Connection Standards and approaches are business-specific and can be simplistic Aligns with recognized standards like the COSO Framework to ensure your risk management approach is in line with best practice
 Prominence Keeps risk conversations to team or department level Elevates risk discussions to board level
 Responsiveness  A static checklist of risks and responses  A real-time, responsive approach to the changing organization and risk landscape

 

Taking Your Next Steps in Enterprise Risk Management

The debate over ERM vs TRM will not go away any time soon. But we hope that by exploring some of the differences, we’ve helped you to understand why enterprise risk management can help elevate your approach to risk, delivering a degree of board understanding and oversight not seen in a traditional risk management strategy.

If this has made to keen to start on, or accelerate, your own ERM strategy, what should you do next? What are the steps you need to take to embed ERM in your business and reap the rewards?

Reading Diligent’s guide, 7 Steps to Performance-Enhancing ERM, is a good place to start; it shares the seven actionable steps you can take to achieve ERM maturity, driving your organization towards performance-enhancing Enterprise Risk Management.

Find out how you can manage the risks that impact your strategic objectives with Enterprise Risk Management from Diligent.

Related Insights

The Rising Tide of ESG – Navigating the Road Ahead

video

The Board's Role in Leading and Enabling GRC

article

Board and Executive Collaboration: Components of a Secure Platform for the Evolving Workplace

White Paper