
Traditional vs. enterprise risk management: How do they differ?

Traditional risk management and enterprise risk management are similar in their aim to mitigate risks that can harm a company. But there are differences between them.

Businesses understand they don't exist in a risk-free environment. In fact, taking some risks is an unavoidable part of running a business. But how to manage the risks that companies face depends on many variables, including the industry a business is in and its size.

At organizations in some industries, such as financial services and insurance, the risk management function tends to be more mature than at other companies because their business models are risk based, and they're subject to regulations that require them to manage risks in specific ways. In industries where risk isn't as central to the business, the ways in which risks are managed might vary more from company to company.

As companies plan their strategies, there's a choice to be made between traditional risk management and enterprise risk management (ERM) approaches. Let's look at the difference between them and what it means for organizations deciding on which way to go.

What is traditional risk management?

Traditional risk management, more commonly referred to simply as "risk management," tends to be a formal business function in large companies. How many people are involved depends on the size of the company, its risk philosophy and what it's required to do by law. The traditional approach is oriented to basic business risks involving financial matters and business operations.

"Some of the earliest forms of risk management were things like credit risk, financial risk and operational risk," said Alla Valente, an analyst at Forrester Research.

What is enterprise risk management?

Enterprise risk management spans different types of risk in an enterprise, including cybersecurity risks and issues related to governance, risk and compliance (GRC) initiatives. Examples of the specific forms of risks often addressed in ERM programs include the following:

  • Regulatory compliance risk stemming from a failure to comply with new or existing regulations.
  • Operational risk related to areas such as supply chain management, business continuity, IT system failure, personnel issues, and workplace health and safety.
  • Cyber-risk from issues such as application vulnerabilities, network intrusions, and both internal and external security threats that can result in data breaches or data loss.
  • Financial risk, such as lost revenue, cost overruns, regulatory fines, legal dispute settlements, debts and insurance costs.
  • Reputational risk caused by data breaches, data privacy violations, product defects, unethical business practices and other corporate missteps.

While the above list isn't exhaustive, it doesn't take much imagination to see that the various risk management functions overlap. The only way to understand their interconnections is to have a committee of people representing the different risk owners (i.e., corporate executives and business managers who are accountable for managing particular risks). The ERM committee or team works together to identify risks and map them out so the totality of potential risks as well as the impacts of specific business events and decisions can be understood better.

Chart: Enterprise risk management vs. traditional risk management, an overview of the key differences between the two approaches.

What are the differences between traditional and enterprise risk management?

Here's a more detailed look at four major differences between traditional risk management and ERM.

Siloed vs. holistic

Organizations with traditional risk management functions often have multiple risk initiatives that tend not to work together, because each business area separately "owns" its risk and there is no unifying central structure. Given the interconnectedness of many business risks, a siloed approach doesn't manage some types of risks well, if at all.

Operating in silos also means there's a lack of understanding of the potential upstream and downstream effects of a risk. For example, a cybersecurity breach isn't just a security problem: it can also create compliance, financial, operational, legal and reputational risks.

ERM takes a more holistic approach to managing risks, including understanding the relationships among the various risk types.


"Enterprise risk management tends to catalyze conversations that would not happen organically," said Chris Matlock, vice president and advisory team manager for the corporate strategy and risk practice at Gartner. "There are many leaders making choices that directly and indirectly impact whether we are in compliance with data privacy, for example." ERM brings them together to manage privacy-related risks in a more comprehensive way.

When the larger scope of risks and their potential business impacts are known, companies can innovate and understand opportunities in a risk-aware way. They're also in a position to better understand strategic risks, their implications and how to mitigate the risks. Importantly, ERM helps companies take a proactive approach to risk management.

Risk averse vs. risk taking

Traditional risk management tends to focus on risk avoidance. For example, the financial services industry uses scoring algorithms to decide who is and isn't creditworthy. However, some creditworthy individuals will default on loans because they lose their job or experience financial difficulties for other reasons. That possibility is factored into the interest rates on loans, and credit risk insurance is available to cover such losses.

While many banks are risk averse, some are more willing to take risks in their lending practices. Other businesses -- technology startups, as one example -- are known for risk taking. A well-managed ERM program helps insulate risk-taking organizations from potential business problems.

Whether a company qualifies as risk averse or risk taking depends on its risk appetite and risk tolerance. Risk appetite is the amount of risk an organization is willing to take overall to achieve its goals, while risk tolerance is a calculation of how much it will deviate from its documented risk appetite in particular business initiatives.


"The key is to balance the risks and rewards," Valente said. "What are the risks that are worth taking? A lot of organizations think they have a low risk appetite, but do they have plans to grow? Are they launching new products? Is innovation important? All of those growth strategies are not without risk." ERM can help companies strike that balance when risks can't just be avoided altogether.

Reactive vs. proactive

Traditional risk management tends to be reactive. A risk has manifested itself or is in the process of doing so, which causes the company to change its policies and behavior going forward. However, risk management through the rearview mirror carries its own risks.

For example, a company introducing an important new product, backed by an expensive marketing and advertising campaign, might learn at the last minute that a supplier won't be able to deliver a key component for several months. If the company didn't plan for such a risk by lining up a secondary supplier, it could be forced to delay the product rollout, missing out on expected sales and potentially jeopardizing its ability to stay in business.

Enterprise risk management takes a proactive approach to managing risks, using a combination of people, processes and technology. ERM applications integrate with GRC software and other risk-specific tools to provide a higher-level view of business risks. Capabilities typically include risk assessment, risk identification, risk monitoring, risk reporting and other risk management features.

Insurable vs. non-insurable

Another difference between traditional risk management and ERM can be insurability. If an employee gets hurt at work, workers' compensation insurance and the company's general liability policy cover the financial risk as part of traditional risk management. This distinction isn't absolute, though. For example, cyber-risk usually isn't part of traditional risk management, yet cybersecurity insurance is available.

Some risks are uninsurable, however. If an executive commits a crime, such as embezzlement or insider trading, an insurance policy won't cover criminal fines assessed to the company because of the executive's behavior.

An ERM program helps identify uninsurable risks wherever they exist, because the heads of the various risk functions in an organization provide periodic updates to the enterprise risk management team. They also work together to manage the company's entire spectrum of risks.

Bottom line

Traditional risk management continues to have a place. However, the various risk functions must cooperate to manage risks effectively in today's dynamic business environment.

ERM is gaining momentum because many enterprises realize they're not managing risks as well as they could. Increasingly, enterprise risk management is also seen by organizations as a potential way to gain competitive advantages over business rivals. Companies that are new to the process must be patient, though. Creating an ERM program takes time -- about two or three years, according to Matlock.
