balance scale to represent comparison of traditional risk vs erm

10 Differences Between Traditional and Enterprise Risk Management

It’s amazing how perceptions of something can change over time. Just a few short years ago, most would scoff at the idea of working from home. However, with changing circumstances, times, and technology, people’s views have shifted considerably to the point that it’s become more mainstream.

Much the same can be said for enterprise risk management (ERM).

When first embarking on my risk career around 2009-10, I had a very risk-centric view of ERM.

It’s become abundantly clear to me since then that ERM is a living, breathing concept. Not only has the perception of ERM changed over the years, so has the approach to how it is practiced.

Therefore, as many describe it, we are no longer talking about ERM 1.0 or even 2.0. For more about those concepts, I strongly recommend reading the previous iterations of this topic (available below this article).

One of the glaring differences, among many, that you’ll discover between those prior versions and this one is that first and even second generation ERM was very risk-centric, or simply focused on the downside.

That’s probably the most significant change over the years – namely, that while it has ‘risk’ in its title, ERM is really about achieving objectives, or put slightly differently, it is objective-centric.

In light of this foundational truth, the following list explores the key differences between traditional and enterprise risk management as it should be practiced and includes links to relevant articles where you can explore each point in more detail.

traditional risk management vs ERM - infographic

Difference #1: Avoiding specific types of incidents (i.e., insurable) vs. Ensuring goals are met (i.e., non-insurable, objective-centric)

This is by far the most distinct difference between traditional and enterprise risk management. All the other differences listed below essentially flow from this one in one way or another.

Risk management as it’s traditionally conceived is solely concerned with mitigating or otherwise managing losses. While this includes safety protocols and physical and information security, traditional risk management relies heavily on insurance and other forms of risk transfer. This means if a covered “peril” occurs, the company will be (typically financially) compensated or “made whole”.

ERM, at least how it should be practiced, is not solely concerned about avoiding risks and preventing failure. To the contrary, ERM is focused on helping the company achieve its goals through a combination of managing risks to strategy in the negative sense while using tools like risk appetite and tolerance to take informed risks and seize opportunities in pursuit of objectives. Therefore, ERM practices should really start with the development of the strategic plan and play a vital role in the execution of that plan.

To do this effectively, every risk is linked to a specific objective. Also, keep in mind that risks with a strong connection to strategic goals are not insurable, meaning the company could lose millions if it doesn’t stay on top of them. After all, there is nothing to compensate the company if it doesn’t meet its strategic goals, whatever the reason.

Difference #2: Reactive and rear-facing vs. Proactive and future-facing

Next in our lineup is how traditional risk management and even 1st generation ERM, especially if borne out of regulatory requirements, are reactive and rear-facing. This dovetails nicely with Difference #1 since it is impossible to avoid every risk all the time. Therefore, when something does occur, the company reacts to the situation in the moment.

The main purpose of traditional risk management and ERM 1.0 is to generate a list of random risks, with the question “what keeps you up at night?” frequently leading the conversation. This list of random risks is reactive by nature, simply because people are worried about a risk either because it has already happened to other companies or because leaders want to avoid it happening again to their own company.

Another rear-facing attribute of traditional risk management is how insurers will look at historical claims, current situation, and other trend data to determine whether to issue coverage for a risk and what to charge in premiums should they choose to do so.

On the other hand, modern or robust ERM is focused on helping the company chart its future.

By its nature, proactive steps will need to be taken to address threats and seize opportunities to achieve objectives, as opposed to just reacting to one-off incidents as is the case with traditional risk management. And by future, we don’t mean 3, 6, or even 12 months down the road. Advanced ERM practices will also evaluate long-term trends to inform strategies aimed at helping the company build resiliency.

Difference #3: Documentation vs. Decision-focused

Similar to #2, this particular difference between traditional and enterprise risk management could extend to ERM that’s done solely to satisfy ORSA (Own Risk and Solvency Assessment), SEC (Securities and Exchange Commission), or some other regulation. More specifically, the primary purpose of traditional risk management is to document risks on a list and share that with executives, regulators, and/or the Board.

Now, in a way, traditional risk management can be decision-focused from the perspective of having to understand how much coverage to buy or what process or safety controls to put in place.

ERM, however, is about so much more as it is meant to richly inform decisions over time rather than “point in time” decisions referenced above. While reports will have their place, those done for the sake of documentation will not be helpful to executives trying to make strategic decisions. Simply providing a report just tells them what they already know, which according to surveys, is a common complaint. As Hans Læssøe states in his book Prepare to Dare:

To me, ERM is a toolbox for the risk manager. It’s not a process that leads to an enterprise risk management report in its own right.

When ERM and requisite processes like scenario analysis are viewed as a tool for enabling informed risk taking and decision-making, executives will then be able to see the value in it beyond satisfying regulators and will therefore want to do it rather than do it because they have to.

Difference #4: Uniform across organizations vs. Requires extensive customization

This particular difference between traditional risk management and ERM is a common misconception many companies fall victim to.

Traditional risk management gets that name because practices around insurance, safety, and prevention have been around for decades, even more than a century. Whether it’s physical safety or IT security, or even projects, there are literally dozens of standards companies can refer to in guiding their efforts. Examples, among many, include ISO 27001 for information security, certifications available through the National Alliance for Insurance Education, and the Project Management Institute, to name a few.

A traditional risk manager is able to follow these guidelines, apply them to their organization, and achieve the desired result with little to no customization.

ERM designed for informed decision-making will require much customization to be effective. While there are standards like ISO 31000 and COSO companies can refer to, they cannot just copy/paste them and expect them to magically work out because every company’s culture and needs are different. Doing so can lead to frustration for everyone involved and possibly even the company abandoning ERM altogether.

Also, part of this customization involves branching out to concepts and resources that, on the surface at least, bear little to no connection to ERM.

Due to a variety of factors around culture, industry, size, and more, companies will need to experiment with different ways to identify risks, assess risks, run workshops, and perform other tasks in order to understand what works and what doesn’t for the company.

Difference #5: Inward facing vs. Inward and outward facing

Considering the kind of insurable or specific threats traditional risk management addresses, its focus will strictly be internal to the company. The main concerns will be around the safety of employees, the security of the premises and networks, safety of its products, and more. There may be external sources to a particular risk, but the impacts the company is concerned with will strictly be internal.

ERM will also be concerned about internally borne risks that could derail objectives – e.g., talent or reputational risks.

However, it dramatically expands the scope to include trends and events that at first glance may have little to nothing to do with the company. ERM will also look to the broader world to see how such trends and events may trickle down and affect the company’s success. An example is how an armed conflict in another country may impact supply chains for raw materials.

Conversely, this outward-facing view doesn’t always have to focus on the negative. Opportunities may be unearthed that could lead to the company entering new markets or achieving some goal(s) faster.

Difference #6: Manage risks one-by-one vs. Understand connections and interdependencies

Possibly due to its nature of being reactive, traditional risk management is only going to handle risks on a one-by-one basis. For example, insurance policies only cover specific perils, so if that one thing occurs, it will be covered. Safety controls will focus on protecting employees from a specific hazard.

Also, the list-based nature of traditional risk management lends itself to being managed on a one-by-one basis. This is especially the case when you consider these risks have no connection to strategic objectives and are likely to be managed within a siloed business area.

We understand the primary focus of ERM is to help the company achieve goals and objectives (with a side course of improving decision-making). Therefore, tools like bow-tie analysis, root cause analysis, scenario planning, risk appetite, Monte Carlo simulation, and others that help the company understand interdependencies, triggers, cumulative effects, and more become extremely valuable to practitioners.

One example of interdependency involves the rollout of the GDPR regulations a few years ago. Part of the struggle with complying with this regulation had to do with how data is stored, accessed, and transmitted. Remember, in today’s world, data is not just on core servers someone accesses through an internal network, but also smartphones, tablets and laptops from anywhere.

Difference #7: “Siloed” within one department vs. Pervasiveness throughout the company

Another key difference between traditional risk management and ERM has to do with where each occurs in the organization.

Since traditional risk management is examining risks one-by-one, it typically occurs within one department or business unit. Legal will focus on its risks, while Marketing, Purchasing, HR, and other areas will focus on theirs in isolation. All of these risks should be deemed “operational” risks, as they are the risks associated with specific processes performed by these individual business areas. There will be no coordination between respective business units. This of course can create new risks, because any actions taken in one area could possibly create consequences in another.

ERM will tie these “siloes” together to get a more bird’s-eye view of risks. First generation, risk-centric ERM, however, would just aggregate information from multiple business units and leave it at that. This approach is woefully inadequate for the needs of businesses today. Decision-makers need to understand just how widespread impact(s) are. This “pervasiveness” is what makes something an ‘enterprise’ risk.

Difference #8: One-dimensional vs. Multi-dimensional assessment

This particular difference is true regardless of the level of ERM the company is practicing. In a traditional risk approach, the main focus will be on severity.

Just how bad will it be if a certain risk were to materialize?

If the answer to this question indicates a significant severity, the company may be motivated to take action to reduce it, often through transferring the risk via insurance or putting significant time and effort into implementing process controls.

Enterprise risk management is interested in more than just severity. It will examine other factors like the probability of a specific severity (because it is more than just a single data point!), how quickly the effects will be felt (velocity), how widespread the risk will be (pervasiveness), how long the effects will last (persistence), and more.

Since it can take time for a company to work its way up to this multi-dimensional assessment, most just focus on severity and probability (a/k/a impact and likelihood) in the beginning. Even if this is all a company does, executives and other decision-makers will be able to better prioritize resources and focus on the right risks, at the right time, and in the right amount.

Difference #9: Relies on technical skills vs. Requires specific soft skills

Yet another key difference between traditional risk management and ERM is the skills each requires.

Perhaps due to its standardized and uniform nature, among other factors, traditional risk management mainly involves technical skills and knowledge someone can learn through education, certification programs, and experience. The risks being addressed are typically straightforward, so as long as someone possesses adequate knowledge and experience, they can handle them for any type of organization. Automation tools and AI are making these technical skills ever more relevant in these situations.

Because ERM is focused on strategic objectives and the overall future of the company, topics that come up in conversations require the ERM professional to possess “soft skills.” These are skills like emotional intelligence, discernment, and relationship building, which are more difficult to learn or develop since they involve our personality or the essence of who we are. For example, if you’re an introvert, you may struggle to strike up conversations with other business area leaders.

Also, since risk (and opportunity) management plays such a huge role in strategic planning, effective ERM is going to require a certain level of strategic thinking skills that are completely off the radar to a traditional risk manager.

These soft skills are often what make or break a company’s ERM program, especially since you’re often dealing with sensitive topics that require a high level of trust.

Difference #10: Practices are well accepted and anticipated vs. Requires constant buy-in at all levels

Traditional risk practices are long established and, therefore, almost second nature to most companies. Every company is going to do basic, traditional risk management one way or another, even if they don’t have a dedicated person.

It’s kind of like looking both ways before crossing a street – a person does it innately – they don’t have to be convinced of its importance.

ERM that focuses on helping the company achieve goals is different. It requires ongoing buy-in at all levels to be effective. With many companies initiating ERM to satisfy compliance or third-party requirements, ensuring constant buy-in is an ongoing activity, as practitioners battle against the persistent negative perception that ERM has no value for managing the company for success.

Therefore, to convince executives and business units that ERM is worth their time, they will need to see the value of it in a consistent way. Having an executive champion, setting the right tone at the top, and constantly coming back to improving confidence in achieving goals and objectives can go a long way toward getting and keeping this buy-in.

This list is not exhaustive…

If there’s one thing I’ve come to appreciate over the years, it’s this: the more you know about something, the more you realize you don’t know. It’s totally possible to expand this list, but I want to be mindful of your time, and if you’re new to ERM, not overwhelm you. 🙂

As stated in the beginning, ERM is an ever-evolving set of principles and processes whose central goal should be to help the organization make the best decisions it can in the face of uncertainty. Please use this edition to start your journey or conversation with others in your company about shifting from traditional risk management to enterprise risk management.

What differences would you add to this list?

To share your thoughts on the differences between traditional risk management and enterprise risk management, please leave a comment below or join the conversation on LinkedIn.

And if you are just starting out on this journey, or you keep experiencing roadblocks to harnessing ERM as a strategic tool for ensuring your company’s success, please reach out to me to discuss your specific situation, needs, and goals today!


Meet Carol Williams, SDS Founder & Lead Strategist

To our readers:

This blog was launched to provide strategy and risk practitioners with a go-to resource to better guide their efforts within their companies. Thank you for bringing me and my team along to be part of your journey towards better risk management, strategic planning and execution, and overall decision-making. Happy reading!
