Risk & Strategy
Jessica Donohue Image
Jessica Donohue
Senior Specialist

Enterprise risk management vs. traditional risk management: Which one is best for you?

May 20, 2022
0 min read
Woman considering the core differences between ERM and TRM

When tackling the risks your business faces, the question of enterprise risk management vs traditional risk management has probably come up.

What is the difference between traditional and enterprise risk management? Which one will deliver the most benefit? These are the sort of questions that exercise the minds of governance, risk and compliance professionals.

Enterprise Risk Management vs Traditional Risk Management

Traditional Risk Management Definition

All businesses carry out some form of risk management.

Some are more mature and consistent in this than others; for instance, those in regulated industries, like financial services or pharmaceuticals, may have more prescribed risk management techniques. Others, without a regulatory imperative, are more able to determine their risk management path.

Enterprise Risk Management Definition

What is enterprise risk management (ERM)? Investopedia defines it as “a methodology that looks at risk management strategically from the perspective of the entire firm or organization.”

How Does Enterprise Risk Management Differ From Traditional Risk Management?

When looking at traditional risk management vs enterprise risk management, what exactly is the difference?

Some commentators pin the difference on timing: traditional risk management “typically only occurs after an incident has already happened and is done to prevent that situation from happening again.”

ERM, conversely, is future-looking, and “attempts to determine potential events and situations that could, or are even likely to, occur.”

TRM tends to focus on risk avoidance, while ERM takes stock of potential risks and identifies which ones are worth taking, therefore focusing more on opportunity alongside pure risk.

And as we noted above, ERM encompasses the entire enterprise; and is top-down, whereas traditional risk management may focus on only one area, and not emanate from a holistic view of the entire organization.

Because traditional risk management (TRM) is well established and routinely practiced across business, it has become quite standardized. ERM is more dynamic, agile and adaptable to situations or organizations. Of the two, ERM is recognized as “far and away the more fluid, adaptable, and dynamic of the two methods.”

Characteristics of Traditional Risk Management

  • Standardized
  • Backward-looking
  • Risk averse

Limitations of Traditional Risk Management

  • Does not foster informed risk-taking
  • Siloed approach
  • Less able to adapt to changing scenarios
  • Harder to tailor to business risk profile or circumstances
  • Restricts risk management to team or department level

ERM vs Traditional Risk Management

In our table below, we capture the differences when comparing traditional vs enterprise risk management.

Traditional Risk Management Enterprise Risk Management
ReactivenessReactive — tends to respond to incidents that have occurred and focus on preventing reoccurrenceProactive — looks forward to prevent risk occurring
ScopeFocuses on insurable and financially tangible risksEncompasses both insurable and non-insurable risks, and those where the cost is hard to define — for instance, risks that damage brand or reputation
AdaptabilityStandardized, prescribed approachesFluid, adaptable, agile
EffortFocused on business units or departments; siloed; can create duplicatory activityHolistic and enterprise-wide; minimizes duplication
AlignmentLimits risk prioritization and alignment across teamsEnables risks that impact multiple departments to be prioritized and tackled in an integrated way
IntegrationApproach, metrics and reporting inconsistent between teams, sites or departmentsApproach, metrics and reporting consistent and integrated across the business
IdentificationIdentifies and tackles risks on a case-by-case basisFocuses on root-cause risks common to every silo
MitigationRisk mitigation focuses on impact on individual business units or teamsRisk mitigation takes into account impact on entire organization
MindsetRisk averse: focuses on mitigationRisk tolerant: takes an enterprise-wide risk culture
ConnectionStandards and approaches are business-specific and can be simplisticAligns with recognized standards like the COSO Framework to ensure your risk management approach is in line with best practice
ProminenceKeeps risk conversations to team or department levelElevates risk discussions to board level
ResponsivenessA static checklist of risks and responsesA real-time, responsive approach to the changing organization and risk landscape

Taking Your Next Steps in Enterprise Risk Management

The debate over ERM vs TRM will not go away any time soon. But we hope that by exploring some of the differences, we’ve helped you to understand why enterprise risk management can help elevate your approach to risk, delivering a degree of board understanding and oversight not seen in a traditional risk management strategy.

If this has made to keen to start on, or accelerate, your own ERM strategy, what should you do next? What are the steps you need to take to embed ERM in your business and reap the rewards?

Reading Diligent’s guide, 7 Steps to Performance-Enhancing ERM, is a good place to start; it shares the seven actionable steps you can take to achieve ERM maturity, driving your organization towards performance-enhancing Enterprise Risk Management.

Find out how you can manage the risks that impact your strategic objectives with Enterprise Risk Management from Diligent.


Your Data Matters

At our core, transparency is key. We prioritize your privacy by providing clear information about your rights and facilitating their exercise. You're in control, with the option to manage your preferences and the extent of information shared with us and our partners.

© 2024 Diligent Corporation. All rights reserved.