10 Differences Between Traditional and Enterprise Risk Management

It’s amazing how perceptions of something can change over time. Just a few short years ago, most would scoff at the idea of working from home. However, with changing circumstances, times, and technology, people’s views have shifted considerably to the point that it’s become more mainstream.

Much the same can be said for enterprise risk management (ERM).

When first embarking on my risk career around 2009-10, I had a very risk-centric view of ERM.

It’s become abundantly clear to me since then that ERM is a living, breathing concept. Not only has the perception of ERM changed over the years, so has the approach to how it is practiced.

Therefore, as many ascribe, we are not talking about ERM 1.0 or even 2.0. For more about those concepts, I strongly recommend reading the previous iterations of this topic (available below this article).

One of the glaring differences, among many, that you’ll discover between those prior versions and this one is that first and even second generation ERM was very risk-centric, or simply focused on the downside.

That’s probably the most significant change over the years – namely, that while it has ‘risk’ in its title, ERM is really about achieving objectives, or put slightly differently, objective-centric.

In light of this foundational truth, the following list explores the key differences between traditional and enterprise risk management as it should be practiced and includes links to relevant articles where you can explore each point in more detail.

Difference #1: Avoiding specific types of incidents (i.e., insurable) vs. Ensuring goals are met (i.e., non-insurable, objective-centric)

This is by far the most distinct difference between traditional and enterprise risk management. All the other differences listed below essentially flow from this one in one way or another.

Risk management as it’s traditionally conceived is solely concerned with mitigating or otherwise managing losses. While this includes safety protocols and physical and information security, traditional risk management relies heavily on insurance and other forms of risk transfer. This means if a covered “peril” occurs, the company will be (typically financially) compensated or “made whole”.

ERM, at least how it should be practiced, is not solely concerned about avoiding risks and preventing failure. To the contrary, ERM is focused on helping the company achieve its goals through a combination of managing risks to strategy in the negative sense while using tools like risk appetite and tolerance to take informed risks and seize opportunities in pursuit of objectives. Therefore, ERM practices should really start with the development of the strategic plan and play a vital role in the execution of that plan.

To do this effectively, every risk is linked to a specific objective. Also, keep in mind that risks with a strong connection to strategic goals are not insurable, meaning the company could lose millions if they don’t stay on top of them. After all, there is nothing to compensate the company if it doesn’t meet its strategic goals, whatever the reason.

Difference #2: Reactive and rear-facing vs. Proactive and future-facing

Next in our lineup is how traditional risk management and even 1st generation ERM, especially if born out of regulatory requirements, are reactive and rear-facing. This dovetails nicely with Difference #1 since it is impossible to avoid every risk all the time. Therefore, when something does occur, the company reacts to the situation in the moment.

The main purpose of traditional risk management and ERM 1.0 is to generate a list of random risks, with the question “what keeps you up at night?” frequently leading the conversation. This list of random risks is reactive by nature because people are worried either because the risk(s) have already happened to other companies or because leaders want to avoid it happening again to their company.

Another rear-facing attribute of traditional risk management is how insurers will look at historical claims, current situation, and other trend data to determine whether to issue coverage for a risk and what to charge in premiums should they choose to do so.

On the other hand, modern or robust ERM is focused on helping the company chart its future.

By its nature, this means taking proactive steps to address threats and seize opportunities for achieving objectives, as opposed to just reacting to one-off incidents as is the case with traditional risk management. And by future, we don’t mean 3, 6, or even 12 months down the road. Advanced ERM practices will also evaluate long-term trends to inform strategies aimed at helping the company build resiliency.

Difference #3: Documentation vs. Decision-focused

Similar to #2, this particular difference between traditional and enterprise risk management could extend to ERM that’s done solely to satisfy ORSA (Own Risk and Solvency Assessment), SEC (Securities and Exchange Commission), or some other regulation. More specifically, the primary purpose of traditional risk management is to document risks on a list and share that with executives, regulators, and/or the Board.

Now, in a way, traditional risk management can be decision-focused from the perspective of having to understand how much coverage to buy or what process or safety controls to put in place.

ERM, however, is about so much more as it is meant to richly inform decisions over time rather than “point in time” decisions referenced above. While reports will have their place, those done for the sake of documentation will not be helpful to executives trying to make strategic decisions. Simply providing a report just tells them what they already know, which according to surveys, is a common complaint. As Hans Læssøe states in his book Prepare to Dare:

“To me, ERM is a toolbox for the risk manager. It’s not a process that leads to an enterprise risk management report in its own right.”

When ERM and requisite processes like scenario analysis are viewed as a tool for enabling informed risk taking and decision-making, executives will then be able to see the value in it beyond satisfying regulators and will therefore want to do it rather than do it because they have to.

Difference #4: Uniform across organizations vs. Requires extensive customization

This particular difference between traditional risk management and ERM is a common misconception many companies fall victim to.

Traditional risk management gets that name because practices around insurance, safety, and prevention have been around for decades, even more than a century. Whether it’s physical safety or IT security, or even projects, there are literally dozens of standards companies can refer to for guiding their efforts. Examples, among many, can include ISO 27001 for information security, certifications available through the National Alliance for Insurance Education, and the Project Management Institute to name a few.

A traditional risk manager is able to follow these guidelines, apply them to their organization, and achieve the desired result with little to no customization.

ERM designed for informed decision-making will require much customization to be effective. While there are standards like ISO 31000 and COSO companies can refer to, they cannot just copy/paste them and expect them to magically work out because every company’s culture and needs are different. Doing so can lead to frustration for everyone involved and possibly even the company abandoning ERM altogether.

Also, part of this customization involves branching out to concepts and resources that, on the surface at least, bear little to no connection to ERM.

Due to a variety of factors around culture, industry size, and more, companies will need to experiment with different ways to identify risks, assess risks, run a workshop, and perform other tasks to understand what works and what doesn’t for the company.

Difference #5: Inward facing vs. Inward and outward facing

Considering the kind of insurable or specific threats traditional risk management addresses, its focus will strictly be internal to the company. The main concerns will be around the safety of employees, the security of the premises and networks, safety of its products, and more. There may be external sources to a particular risk, but the impacts the company is concerned with will strictly be internal.

ERM will also be concerned about internally borne risks that could derail objectives – i.e. talent or reputational risks.

However, it dramatically expands the scope to include trends and events that at first glance may have little to nothing to do with the company. ERM will also look to the broader world to see how they may trickle down and affect the company’s success. An example is how an armed conflict in another country may impact supply chains for raw materials.

Conversely, this outward facing doesn’t always have to focus on the negative. Opportunities may be unearthed that could lead to the company entering new markets or achieving some goal(s) faster.

Difference #6: Manage risks one-by-one vs. Understand connections and interdependencies

Possibly due to its nature of being reactive, traditional risk management is only going to handle risks on a one-by-one basis. For example, insurance policies only cover specific perils, so if that one thing occurs, it will be covered. Safety controls will focus on protecting employees from a specific hazard.

Also, the list-based nature of traditional risk management lends itself to being managed on a one-by-one basis. This is especially the case when you consider these risks have no connection to strategic objectives and are likely to be managed within a siloed business area.

We understand the primary focus of ERM is to help the company achieve goals and objectives (with a side course of improving decision-making). Therefore, tools like bow-tie analysis, root cause analysis, scenario planning, risk appetite, Monte Carlo simulation, and others that help the company understand interdependencies, triggers, cumulative effects, and more become extremely valuable to practitioners.

One example of interdependency involves the rollout of the GDPR regulations a few years ago. Part of the struggle with complying with this regulation had to do with how data is stored, accessed, and transmitted. Remember, in today’s world, data is not just on core servers someone accesses through an internal network, but also smartphones, tablets and laptops from anywhere.

Difference #7: “Siloed” within one department vs. Pervasiveness throughout the company

Another key difference between traditional risk management and ERM has to do with where each occurs in the organization.

Since traditional risk management is examining risks one-by-one, it typically occurs within one department or business unit. Legal will focus on their risks, while Marketing, Purchasing, HR, and other areas will focus on theirs in isolation. All of these risks should be deemed as “operational” risks, as they are the risks associated with specific processes performed by these individual business areas. There will be no coordination between respective business units. This of course can create new risks because any actions taken in one area could possibly create consequences in another.

ERM will tie these “siloes” together to get a more bird’s-eye view of risks. First generation, risk-centric ERM would just aggregate information from multiple business units and leave it at that. However, this approach is woefully inadequate for the needs of businesses today. Decision-makers need to understand just how widespread impact(s) are. This “pervasiveness” is what makes something an ‘enterprise’ risk.

Difference #8: One-dimensional vs. Multi-dimensional assessment

This particular difference is true regardless of the level of ERM the company is practicing. In a traditional risk approach, the main focus will be on severity.

Just how bad will it be if a certain risk were to materialize?

If the answer to this question indicates a significant severity, the company may be motivated to take action to reduce it, often through transferring the risk via insurance or putting significant time and effort into implementing process controls.

Enterprise risk management is interested in more than just severity. It will examine other factors like the probability of a specific severity (because it is more than just a single data point!), how quickly the effects will be felt (velocity), how widespread the risk will be (pervasiveness), how long the effects will last (persistence), and more.

Since it can take time for a company to work its way up to this multi-dimensional assessment, most just focus on severity and probability (a/k/a impact and likelihood) in the beginning. Even if this is all a company does, executives and other decision-makers will be able to better prioritize resources and focus on the right risks, at the right time, and in the right amount.

Difference #9: Relies on technical skills vs. Requires specific soft skills

Yet another key difference between traditional risk management and ERM is the skills each requires.

Perhaps due to its standardized and uniform nature, among other factors, traditional risk management mainly involves technical skills and knowledge someone can learn through education, certification programs, and experience. The risks being addressed are typically straightforward, so as long as someone possesses adequate knowledge and experience, they can handle them for any type of organization. Automation tools and AI are making these technical skills ever more relevant in these situations.

Because ERM is focused on strategic objectives and the overall future of the company, topics that come up in conversations require the ERM professional to possess “soft skills.” These are skills like emotional intelligence, discernment, and relationship building, which are more difficult to learn or develop since they involve our personality or the essence of who we are. For example, if you’re an introvert, you may struggle to strike up conversations with other business area leaders.

Also, since risk (and opportunity) management plays such a huge role in strategic planning, effective ERM is going to require a certain level of strategic thinking skills that are completely off the radar to a traditional risk manager.

These soft skills are often what make or break a company’s ERM program, especially since you’re often dealing with sensitive topics that require a high level of trust.

Difference #10: Practices are well accepted and anticipated vs. Requires constant buy-in at all levels

Traditional risk practices are long established and, therefore, almost second nature to most companies. Every company is going to do basic, traditional risk management one way or another, even if they don’t have a dedicated person.

It’s kind of like looking both ways before crossing a street – a person does it innately – they don’t have to be convinced of its importance.

ERM that focuses on helping the company achieve goals is different. It requires ongoing buy-in at all levels to be effective. With many companies initiating ERM to satisfy compliance or third-party requirements, ensuring constant buy-in is an ongoing activity, as practitioners battle against the consistently negative reputation that ERM has no value for managing the company for success.

Therefore, to convince executives and business units that ERM is worth their time, they will need to see the value of it in a consistent way. Having an executive champion, setting the right tone at the top, and constantly coming back to improving confidence in achieving goals and objectives can go a long way toward getting and keeping this buy-in.

This list is not exhaustive…

If there’s one thing I’ve come to appreciate over the years, it’s this: the more you know about something, the more you realize you don’t know. It’s totally possible to expand this list, but I want to be mindful of your time, and if you’re new to ERM, not overwhelm you. 🙂

As stated in the beginning, ERM is an ever-evolving set of principles and processes whose central goal should be to help the organization make the best decisions it can in the face of uncertainty. Please use this edition to start your journey or conversation with others in your company about shifting from traditional risk management to enterprise risk management.

What differences would you add to this list?

To share your thoughts on the differences between traditional risk management and enterprise risk management, please leave a comment below or join the conversation on LinkedIn.

And if you are just starting out on this journey, or you keep experiencing roadblocks to harnessing ERM as a strategic tool for ensuring your company’s success, please reach out to me to discuss your specific situation, needs, and goals today!

________________________________________________________________________________________________

8 Ways Enterprise Risk Management is Different (…and Better) than Traditional Risk Management

Published September 24, 2019

Soon after establishing this blog in the fall of 2016, I published a post outlining differences between traditional risk management and enterprise risk management (ERM). It has since become one of the most popular posts here and a good starting point for those just learning about ERM.

Much has changed since this article was first published, including my perspective on how ERM can be used as a competitive advantage, so I thought it would be a good idea to provide an update. While most of the differences listed below are the same as before, more insights have been added to them. But there have been some changes to the list, so let me know if you can spot them!

This update also includes additional resources, both internal and external, for helping you understand what ERM is, how it differs from traditional risk management, and why it is being adopted by organizations as a tool for decision-making.

Whether they know it or not, everyone in an organization from the janitor to the CEO engages in “risk management” of one sort or another on a daily basis.

  • The janitor will put up a “caution, wet floor” sign after cleaning the bathrooms or at the entrance to the building on a rainy day.
  • The company will purchase liability insurance in the event of a mistake or otherwise extremely unhappy customer.
  • An IT Director may be on the lookout for vulnerabilities and take steps to protect the company’s data and systems.

There’s no doubt that actions like these are critical, but as I’ll explain in the sections below, this is a very risk-based, silo approach to managing risk.

For a quick glance of differences, see the table below, or continue reading for more in-depth analysis of the differences between traditional and enterprise risk management.

1. Insurable vs. Non-insurable (mostly)

In a traditional risk management framework, an organization only looks at things that are insurable.

In the wet floor example from earlier, the janitor not only puts out a sign to warn people about a slippery surface, the company will also have liability and workers’ compensation insurance in the event someone does slip and get hurt. Purchasing insurance for any company vehicles or equipment is another example.

ERM, on the other hand, goes beyond insurable hazards to include areas of risk that cannot be transferred through insurance. If a data breach occurs for example, the company could have insurance to help offset the cost of responding and addressing the problem.

However, this breach could also damage the organization’s reputation, which of course is not insurable. Proactive measures to protect information from hackers, malware, and misuse will need to be done to reduce the likelihood of this occurring.

Other examples of non-insurable risks include:

  • Strategic goals – if a company is unable to achieve its strategic goals, it will not be able to file a claim with an insurance company to recoup costs. ERM helps executives understand risks and opportunities to provide more assurance that goals will be met.
  • Social media – impacts can go beyond reputation to include customer service, product sales, and even the long-term viability of the company if they can’t keep up with the marketing and expectations of consumers.
  • Vendor disruptions – some risks can be transferred through insurance, but many cannot. Vendor disruptions can not only impact reputation, they can lead to production delays, lost revenue, and more.
  • Mergers & Acquisitions – although connected to strategic goals, risks and opportunities around M&A deals are not insurable. This story about Prudential’s acquisition of an online insurance startup illustrates all of the considerations that go into such a large deal.
  • Lack of innovation – shifting consumer and technological trends are certainly not insurable. Organizations slow to adapt will struggle or may even go out of business altogether…just ask Kodak.

Sometimes risks like these are not a big deal, but put together, they can take a company down.

2. One-dimensional assessment (severity) vs. Multi-dimensional assessment

Besides only looking at an issue from a loss prevention perspective, traditional risk management also only considers the impact or severity of a given issue at a certain point in time. I emphasize issue because in many cases, traditional risk management is looking at something that has already occurred and will occur again (issue) rather than the possibility of something (risk).

Consider our wet floor example – a company safety officer or facilities director will typically only consider what will happen if someone slips and falls, and take action to mitigate this risk through liability insurance and safety improvements. They are evaluating, at least informally, something they know is going to happen.

In some cases, traditional risk management activities will also consider the probability of a certain risk or issue affecting the organization.

While ERM also considers impact and probability, it peels the onion layers back to understand more about potential events (i.e. risks) and how they relate to the strategic plan, organizational mission, or a specific operation.

Besides impact, ERM will definitely look at probability on a consistent basis as opposed to evaluating it sporadically, which alone adds tremendous value for the organization. Other parameters or questions ERM will consider include:

  • How fast will we feel the effects of the risk? (Velocity)
  • How widespread will the risk be? (Pervasiveness)
  • How long will the effects of the risk last? (Persistence)
  • How prepared are we to respond? (Preparedness)
  • How effective are existing risk mitigation or “control” activities? (Effectiveness)

The tendency for many organizations is to jump right into assessing risks from multiple dimensions. However, it can take time for an organization to do this effectively. Keeping things simple in the beginning is valuable for better understanding risks and opportunities without being overwhelming.

Looking at risks or issues beyond the single lens of loss prevention provides decision-makers with more information to prioritize resources to ensure the organization is focusing on the right risks, at the right time, and in the right amount. A risk may have a catastrophic impact, but if its chances of occurring are very low, it would be unwise to use scarce resources on mitigating it.

Being more targeted frees up more resources to focus on achieving strategic objectives.

3. Manages risks one-by-one vs. Analyzes material risks and how they relate

In a traditional silo environment, the management of risks occurs as needed on an individual basis. Departments will only look at risks within their areas and not communicate with other parts of the company. Approaching risk management this way can expose a company to much bigger risks at worst, and at best, causes the company to miss out on opportunities to meet or exceed strategic goals.

On the flip side, ERM combines these activities and uses a variety of tools to examine interdependencies, understand triggers between risks and cumulative effects of risks, and more. These tools help senior management better allocate resources and prioritize risks.

The first tool is risk appetite and tolerance. Risks are compared to the applicable tolerance to determine the appropriate response. It is during this analysis where organizations may find some risks are being over-managed since they are well below their tolerance level. Going through this process allows executives to re-direct resources to more urgent needs.

For risks that are above the tolerance, a root cause analysis can be done to understand where resources should be focused. Root cause analysis is especially useful for understanding complex or urgent risks. The simplest way to describe root cause analysis is to ask “why?” until you reach the true cause. If it’s determined that two or more risks share the same root cause, addressing this root cause can provide double the benefits.

A couple words of caution:

  • One, it can take time to realize the wide-reaching benefits of using tools like risk appetite and root cause analysis, but don’t be afraid to start. After all, if you don’t start, you will never realize the benefits!
  • Two, fully understanding cumulative effects of a risk requires, for example, sophisticated computer models, which can be very complicated, especially if there isn’t any actuarial or scientific expertise in your organization. (Don’t be afraid to outsource this function if needed.)

Although understanding connections between risks and cumulative effects is more advanced, getting to this point will provide tremendous benefits to the organization.

4. Occurs within one business unit (“siloed”) vs. Spans the entire organization (“holistic”)

Traditional risk management occurs within one department, or put another way, occurs in its own “silo” or “stove pipe.” Most organizations are going to be well experienced with this basic level of risk management.

Conducting risk management this way can inadvertently create risks in other areas, or create risks that fall between siloes that will be missed altogether. The IT Director is addressing a technology risk but creates a new legal risk in the process, or addressing a legal risk creates new talent risks.

Another shortcoming of the stove-pipe approach is that it often leads to wasted resources. A particular risk may have a big impact to a department but minimal impact to the organization as a whole. Take this revenue risk from a client as an example: during a risk assessment discussion, the department head listed it as a severe impact, but when the risk is considered in the context of the whole organization, its rating dropped several points to minor.

What also occurs when risks fall between silos is no one department wants to take ownership…

Risk around vendors, especially ones who deal with more than one department within the enterprise, is a great example. A new product line is another example – which department will own all of the risks associated with a project like this (i.e. production, communications, competitors, regulations, etc.)?

Enterprise risk management ties these disparate siloes together to give executives and business units a holistic view of risk and opportunities. It is a top-level process that overrides any autonomy a particular department may have by bringing together a multi-functional group of people to discuss risk at the organizational level.

Trisha Sqrow, Assistant Vice President of Risk Management at Dallas-Fort Worth International Airport, explains that taking this holistic approach is “…a true team effort.”

In larger organizations or ones with a robust ERM program, there is typically a director, vice president, or chief risk officer role who will tie all of the different siloes together so executives can get the entire picture of risks that could help or harm the organization’s ability to meet its goals.

5. Reactive & sporadic (Rear-view) vs. Proactive & Continuous (Forward-view)

Examples provided in the beginning of this article are great examples of an organization reacting to a particular issue.

A rear-view will also not consider risks to objectives. While there may be a list of risks, thought leader and consultant Tim Leech explains how lists in a traditional risk management environment have nothing to do with “…the company’s top value creation objectives.” A survey I held last year explains how having a list of risks like this is frustrating for ERM professionals since they simply show executives what they already know. Below is an example of how it was phrased to me.

Traditional risk management activities are often born out of a particular event that management responds to. Executives, managers and support staff will go into a scramble mode when something comes up.

A reactive approach can also result in business failure altogether.

Take the example of Borders Bookstore, which in its day, was known as a “…killer of local bookstores.” However, starting in the mid-‘90s, Borders began struggling after making a poor investment in CD and DVD sales just when the industry was starting to go digital.

As the other big-box book retailer, Barnes & Noble, began beefing up its online presence, Borders opted to refurbish its stores and even outsource online sales to Amazon! Many shoppers would explain how they would go to Borders to find books just to turn around and actually purchase them online.

Couple this with the success of Amazon’s Kindle and Barnes & Noble’s Nook e-readers and it was only a matter of time.

One question that inevitably comes up in situations like this is “How could we have known this?”

Taking a more proactive approach like ERM helps the organization get out in front of risk or seize opportunities for achieving strategic objectives. A proactive approach can take two forms: preparing for current day risks and identifying emerging risks that could affect the organization down the road. General Motors is one company that uses a virtual crystal ball to understand, prioritize, and factor risks and opportunities into its strategic and business plans for the next 1, 5, 10 or even 20-30 years.

6. Disjointed vs. Embedded in culture and mindset

Although every organization manages risks to one extent or another, these activities tend to be “disjointed” or ad-hoc with no rhyme or reason, no connection to strategic objectives, or other business areas. Marketing may embark on a certain project in pursuit of a strategic objective and take a few moments to identify risks to the project, but there is no conversation with other impacted areas or to gain a different perspective.

In cases like this though, the risk activities are more of a “CYA” documentation exercise than something that adds value by ensuring business units are making informed decisions.

Besides not providing any value to the enterprise as a whole, a disjointed approach also causes risks to be missed, new risks to be created, or a duplication of effort.

On the other hand, a mature ERM process that is a valuable decision-making tool is systematic and ingrained in processes and ways of thinking. This is not to imply that every action or decision requires a formal process for identifying and assessing risks – in many cases, this will be an informal process where a manager or even an employee will stop for a minute and think about how their actions may create reputation, talent, strategic, or some other risk to the enterprise.

Embedding a risk mindset in the culture of the organization means that risk becomes just another part of the business conversation and decision-making process. Executives and managers don’t see risk management as a compliance or “CYA” exercise, but instead a valuable tool in ensuring the company’s success.

Changing the culture of an organization to be more risk aware though is something that doesn’t happen overnight. Key to cultural changes is executive leadership – without the right tone at the top, the company will struggle to move beyond a disjointed approach to risk management.

7.   Standardized vs. More nuanced and requires soft skills

Risk management in its traditional or basic form has been common practice for companies and non-profit organizations for many years. There is an assortment of designations an individual can earn from organizations like the National Alliance for Insurance Education and Research, RIMS, the Professional Risk Managers’ International Association (PRMIA), and others.

There are also numerous international standards around traditional risk management activities that organizations can refer to. ISO 27000 (IT) and ISO 18000 (Health and Safety) from the International Standards Organization are a couple of examples.

And for publicly-traded and insurance companies, regulators at both state and national levels are beginning to require annual reports on top risks.

Many organizations starting their ERM journey also have standards to refer to, with the two most common being COSO and ISO 31000. Both of these standards released updated versions in 2017 and 2018 respectively. Despite incorporating more on risk taking into both standards, many practitioners and thought leaders feel they are still too focused on managing risks instead of achieving organizational objectives.

Also, many organizations become frustrated when exclusively using one of these standards because they often experience stalled processes and minimal value to the organization.

ERM that focuses on enabling success requires a bit more finessing in order to be a valuable tool for decision-making.

Practitioners not only need to be familiar with various technical processes around ERM (i.e. identification, assessment, etc.), they also need to have a combination of soft skills in order to transform risk management from a compliance-oriented exercise into one that plays a significant role in ensuring the company’s success.

8.   Risk Averse vs. Risk Taking

The original version of this article explained how traditional risk management focuses solely on losses while ERM considers both the upside and downside of risks.

This is true, but as long-standing ERM thought leaders explain, the difference goes much deeper than this.

Up to this point, you may have noticed how the word “risk” has been used in the negative sense – in other words, seeing risks as threats and something to avoid or mitigate.

In his book Risk Management in Plain English: A Guide for Executives, Norman Marks discusses how traditional risk management is about managing a list of “so-called risks.” BUT…

Risk management is really about increasing the likelihood of achieving your objectives.

It would not be an earth-shattering statement to say that any business has to take risks in order to be successful. At the current pace of change in our world, which will only accelerate as time goes on, companies that simply avoid risks and fail to take calculated, informed risks to improve business performance will not remain relevant in the long term.

Good executives understand this…they always weigh the pros and cons of “taking risks.” And this doesn’t only happen at the executive level either.

However, are they making decisions like this in a systematic way?

This is where ERM comes in – it helps executives make informed and intelligent decisions and provides a framework for others to follow to ensure the organization is taking the right level of the right risks.

Another thought leader, Hans Læssøe, describes in his book, Prepare to Dare, different levels of risk management with basic (traditional) at the bottom and progressive at the top. Basic risk management in the form of insurance and health and safety is pretty universal in one form or another. From there, most large organizations are going to evaluate risk around projects and strategy, but it still occurs in a silo in many cases.

More advanced companies are going to take things further to discuss risk taking explicitly and embed this way of thinking throughout the organization in a systematic way.  This essentially

…changes management of risks from being a governed and required effort to be a cultural element which is ‘just being done’.

It is this approach where I focus my attention with my clients – improving performance by taking “smart” risks. It has been a journey for me, going from the standard view of ERM to this focus, but wow! The difference it makes when talking with executives is mind-blowing. After all, you have to meet them where they are. And the executives are focused on business performance.

To join me on this journey, check out the books linked above or visit:

Like Hans and others explain, the world is changing, and the risk management profession is no different. Many “traditional” risk management tasks and compliance activities will likely become automated in the years ahead in what’s known as the 4th industrial revolution.

Keeping pace with change and learning how practitioners can adapt their role to be more of an active partner in the organization’s success will be the key to maintaining and growing ERM in the decades ahead.

Click here to visit the original version of this article.

How has your understanding of ERM grown in the last few years?

Does ERM in your organization focus on averting risk or taking informed risks to optimize business performance?

As always, I am eager to hear your thoughts on where we’ve been as a profession and where we are going. Feel free to leave a comment below or join the conversation on LinkedIn.

If your company is trying to move from a traditional to enterprise risk approach and not sure where to begin, check out StrategicDecisionSolutions.com to learn more about how I help organizations harness ERM.

_______________________________________________________________________________________________________________

8 Ways Enterprise Risk Management is Different (…and Better) than Traditional Risk Management

Published October 16, 2016

What makes Enterprise Risk Management (ERM) so different from traditional risk management?

Nine times out of ten, this question is the first one I get when speaking with organizations about their risks.

Whether they know it or not, everyone in an organization from the janitor to the CEO engages in “risk management” of one sort or another on a daily basis.

  • The janitor will put up one of those “caution, wet floor” signs after cleaning the bathrooms or at the entrance to the building on a rainy day.
  • The CEO or CFO will purchase liability insurance in the event of a mistake or otherwise extremely unhappy customer.
  • The IT Director may be on the lookout for vulnerabilities and take steps to protect the company’s data and systems.

Although these risk management activities are critical, most organizations only think in terms of their particular business unit or “silo” rather than the entire enterprise, which is the key difference between traditional risk management and ERM.

We invite you to continue reading for more in-depth information on the differences between traditional and enterprise risk management.

| # | Traditional Risk Management | Enterprise Risk Management |
|---|---|---|
| 1 | Insurable | Not necessarily covered by insurance |
| 2 | One-dimensional assessment (potential impact) | Multi-dimensional assessment |
| 3 | Manages risks one-by-one | Analyzes material risks and how they relate |
| 4 | Occurs within one business unit (“siloed”) | Spans the entire organization (“holistic”) |
| 5 | Reactive & sporadic | Proactive & continuous |
| 6 | Considers only downside (loss) | Considers both upside and downside |
| 7 | Focuses solely on loss prevention | Focuses on business goals, adding value and more |
| 8 | Disjointed activities | Embedded in culture and mindset |

  1. Insurable vs. Not necessarily covered via insurance

In a traditional risk management framework, an organization is generally only looking at things that are insurable.

Consider our wet floor example – not only is the janitor putting out a sign to warn people of a slippery surface, the company will also have liability and workers’ compensation insurance in the event someone does slip and get hurt. Another example would be purchasing insurance policies for any company vehicles or equipment in the event of an accident.

On the other hand, ERM goes beyond hazard risks that are insurable to look at risks that may not be transferable in the form of insurance. For example, a company’s reputation cannot be protected through insurance, but proactively identifying and managing the threats to its reputation will help avoid or reduce the impacts.

It may be possible that some risks can be partially reduced by insurance but require additional action by the company. If a data breach were to happen, a company’s reputation would be damaged. If the company bought a cyber insurance policy, the policy could help offset the costs associated with responding to the data breach and provide resources to the company to reduce the reputational damage. But the company would still need to take proactive measures to protect its information from hackers, malware, and misuse, reducing the likelihood of the risk occurring.

  2. One-dimensional assessment (potential impact) vs. Multi-dimensional assessment

Traditional risk management not only evaluates risks from a loss prevention perspective; it also only considers the risk’s potential impact. Take our wet floor example – a company safety officer or facilities director will typically only consider what will happen if someone slips and falls, and take action to mitigate this risk through liability insurance and safety improvements.

Some traditional risk management activities may also consider the probability of a certain risk affecting the organization. However, as Laurie Brooks of Provident Financial Services explains, “…we, as a culture, in the West in particular, are not well educated on the terms “probability” and “likelihood,” either from a mathematical standpoint, or even just from a common understanding of what we mean when we say something has a 50/50 chance of occurring.”

Enterprise risk management undoubtedly considers both impact and probability but also seeks to understand more about a particular risk. Depending on the organization and how in-depth they want to go, a robust ERM effort will also consider velocity and activity metrics. Commonly asked questions will include, according to Brooks:

  • How soon will a risk pose a threat to our business?
  • Is it coming up fast or slow? (a.k.a. velocity)
  • Is the risk affecting us now, or will it become a problem in a year or more? Will the risk only become a problem if something else occurs first?
  • What event(s) could trigger or speed up the velocity of a risk becoming a problem?
  • Is this risk being actively managed, or is it on the back burner?
  • How often are inactive risks being evaluated to determine if they need to be moved to active status?
  • Do contingency plans need to be developed or updated?

As you can see, ERM peels back the onion layers to help management prioritize risk management activities and better allocate resources. A particular risk may have a catastrophic impact, but if it is constantly being monitored and highly unlikely to occur, scarce company resources can be better spent on more urgent risks.

  3. Manages risks one-by-one vs. Analyzes risks and how they relate

In a traditional siloed environment, the management of risks occurs as needed on an individual risk basis. Departments within an organization will only look at risks within their areas and not really communicate with other parts of the company. As we explained above, this approach can create new risks in other departments.

Besides creating additional headaches down the road, managing risks one-by-one also fails to show the cumulative effects various risks have on an organization, as well as risks that are related to each other. By not connecting the dots, companies could either expose themselves to much bigger risks or simply miss out on opportunities to meet or exceed their goals.

ERM ties all of these disparate risk management functions together, regardless of their type, and analyzes them to find connections, trends and any particular concentrations. Doing so helps senior management better allocate resources and prioritize risks that can affect their core mission and business strategy.

  4. Occurs within one business unit (“siloed”) vs. Spans the entire organization (“holistic”)

Traditional risk management is departmentalized, meaning it occurs in a singular business unit, “silo” or “stove pipe.” For example, the IT department will focus on technology risks, the General Counsel will handle legal risks, and the Chief Financial Officer (CFO) will evaluate financial risks and so on. In many organizations, these departments will not communicate with one another about their risk management activities.

Although this is common practice in companies of all sizes, it has several shortcomings according to Dr. Mark Beasley, Director of the ERM Initiative at North Carolina State University.

First, managing risks in this “stove-pipe” manner will often, unknowingly, create risks to other areas of the organization – let’s say the IT Director is addressing a particular technology risk but creates a new legal risk in the process, or addressing a legal risk opens up new talent risks.

Also, many risks often fall between an organization’s silos or will not really apply to any particular silo. An example of this is managing a company’s vendors, especially if these vendors deal with more than one department within the enterprise. In these situations, collaboration and coordination across the business units are required, but what often happens is that no department wants to take ownership.

Or take a new product line – which department will own risks associated with production, communications, competitors, regulations and other areas? As you can imagine, this can get extremely difficult to manage, and things will inevitably get missed.

Enterprise risk management, on the other hand, is a top-level process that connects the various departments within an organization – it overrides any autonomy a particular department may have. Also, ERM is not only looking at hazard risks that can be addressed through insurance (…refer to #1), it is also integrated into strategy, planning and execution.

Companies with robust ERM programs will have a Director or Vice-President who will provide that view bringing all of the silos together to get a whole picture of risks that can affect the ability for the organization to meet its goals. This individual will typically report directly to the CEO or a Chief Risk Officer.

  5. Reactive & sporadic vs. Proactive & continuous

The examples in the intro are great examples of a company reacting to particular situations. The janitor only puts the wet floor sign out after the floor is wet or someone has slipped and fallen. Or, the IT Director may only address a technology risk once an outage or hack has occurred.

Although not always the case, traditional risk management efforts are oftentimes born out of a particular event that management responds to.

On the flip side, enterprise risk management is proactive, continually looks at relations between risks, and assesses how the risks affect the organization both positively and negatively. It establishes a value-based and focused process that proactively identifies assumptions and scenarios that can either knock a strategy off track or result in missed opportunities, which allows the business to develop action plans to address the risk. Essentially, ERM is about getting in front of the risk, not waiting for it to happen and then reacting.

  6. Considers only downside (loss) vs. Considers both upside and downside

When most people think about risk management, they understandably will only think about losses or negative impacts from a particular risk. This is true when looking at risk from a traditional standpoint – what is the downside of a particular risk and what steps do we need to take to mitigate a particular loss?

Enterprise risk management looks at the downside of risks; however, since ERM takes a more holistic and strategic view of risks across the organization, it will also consider the upside. The upside of risks is also known as opportunities, such as when a target is not only met but exceeded.

For example, a company initiates a marketing strategy to attract 40,000 more clients for a specific product.  There is a risk that they won’t meet the target goal of 40,000, but the upside is exceeding the target goal.  So the company creates contingency plans for both the downside and upside, with the upside being addressed by plans to increase resources to handle the additional clients.  A risk may exist, but if the organization is willing to accept the risk and seize the opportunity, large gains can be achieved.

As we’ve demonstrated, traditional risk management is fragmented and sporadic and focuses almost exclusively on loss prevention.

ERM not only helps a company minimize losses, it also helps maximize growth opportunities, increase income and asset values, and reduce or eliminate uncertainties.

  7. Focuses solely on loss prevention vs. Focuses on business goals, adding value and more

The difference in focus between traditional and enterprise risk management is just as significant as, or even more significant than, the silo vs. holistic factor.

On the one hand, traditional risk management focuses on preventing losses, usually in the form of hazards. Circling back to our examples in the intro, the basic task of putting down a wet floor sign is focused on preventing loss in the form of an employee or customer getting hurt. If an IT Director is solely considering technology risks, they will only be looking at how a gap in their security may create an opening for a data breach, which can cost a lot of money and affect the company’s bottom line.

Don’t get me wrong – the protection of the company’s financial status is important but doesn’t address other areas that are vitally important for an organization’s long-term success.

ERM goes much further to include all risks that can affect the organization’s ability to meet its goals, regardless of the type of risk. Looking at the risks holistically and seeing any connections or interdependencies helps an organization not only minimize losses, but maximize growth opportunities, reduce uncertainty or otherwise add value.

This not only includes your garden variety risks such as hazards to any capital, employees or customers, but also risks to an organization’s reputation, talent (people), business strategy, competition and more. For example, a traditional risk management approach will only look at how a data breach is affecting the company from an immediate dollars and cents perspective. ERM, if done properly, will proactively identify this risk and evaluate how it will affect the company’s reputation with customers and suppliers, as well as the company’s mission and long-term strategy.

  8. Disjointed vs. Embedded in culture and mindset

As we explained way back in number one, traditional risk management only occurs within a particular department or silo. The IT department will only focus on their area and not necessarily communicate their risk management activities with the legal or finance departments.

As a result, efforts to identify and mitigate risks become disjointed across the enterprise, resulting in some risks getting missed, new risks being created or a duplication of effort.

When ERM ties these different silos together and compares risks and how they relate to one another, the entire company begins to look at how their actions (…or inactions) are impacting other areas of the enterprise. Everyone from executives to managers and front line employees begins thinking about the pros and cons of what they’re doing, the impact of their actions and more.

This isn’t to say that every action or decision will require a formal process for identifying and assessing risks. Much of the time, this will be an informal process where a manager or even an employee will stop for a minute and think about how their actions may create reputation, talent, strategic or some other risk to the enterprise.

Again, any organization will be involved in managing risk to one extent or another. Most organizations though will simply look at potential losses of a particular risk and how they can mitigate these losses, usually through insurance.

However, many believe the traditional forms of risk management are inadequate to deal with the realities of an ever-changing world where reputations can be damaged in an instant and even the slightest altercation could derail a company’s growth potential. This is why the holistic, bird’s-eye view provided by enterprise risk management is taking a larger role in companies from a wide range of industries around the world.

Want to learn more about enterprise risk management and how it can help your company proactively identify risks, reduce uncertainty or spot growth opportunities you may be missing? Continue browsing our ERM learning resource for more, or feel free to contact me, Carol Williams, to discuss your individual needs.
