Enterprise Risk Management (ERM) vs Traditional Risk Management

Enterprise risk management (ERM) is a buzzword that has been doing rounds in the risk management field for the past few years. It is often used by managers in a context that implies that it is wider in scope than the traditional risk management function.

However, the number of risk management professionals who do not clearly know and understand the differences between traditional risk management and enterprise risk management is astounding. It is for this reason that this article will enumerate the major differences between the two approaches.

Insurable vs. Non-Insurable Risks

Traditional risk management mostly deals with risks where the exposure can be transferred to other parties in the form of an insurance contract. In some cases, where insurance contracts are not available, derivatives and structured finance products are used in order to meet this objective. However, enterprise risk management (ERM) is wider in scope. Here, the organization tries to deal with risks that are not insurable.

For instance, if there is an accident in the workplace and some employees suffer physical harm, then the financial loss arising from the harm can be covered by insurance. However, the accident also causes a loss to the reputation of the organization. This harm is not easy to quantify and hence cannot be insured.

The enterprise risk management (ERM) considers risks that would not be admissible in a traditional environment viz. damage to the company’s social media presence, damage caused by vendor disruptions, damage caused by incorrect mergers and acquisitions, etc.

Single Dimension vs. Multiple Dimensions

Traditional risk management is only focused on one aspect of risks. This aspect is known as the probable impact. The probable impact is a product of the probability of a risk occurring along with the financial impact of the risk.

The enterprise risk management (ERM) framework is more holistic in nature. Instead of just trying to minimize the probable impact, it looks deeper to see how the risk affects the strategic goals of the organization. Some of the common questions asked by practitioners of enterprise risk management (ERM) are as follows:

• Will the risk be limited to one part of the organization or will it spread across various functions?

• What is the speed at which the risk will impact the various functions of the organization?

• Will the effects of the risk be short-lived or long-lasting?

Basically, enterprise risk management (ERM) helps look at risks from a broader perspective. Loss prevention is not the only key metric and other dimensions such as timing, information, and preparedness are also evaluated.

Department Level vs. Enterprise Level

In a traditional risk management environment, the risk is managed in a decentralized fashion. This generally means that every department discovers its own risks and makes a plan to mitigate them. These approaches may be right at the department level. However, when aggregated at the company level, these risks can often be inconsistent, contradictory, conflicting, and outright inefficient.

Risk management literature is full of cases wherein managers have inadvertently created risks in other parts of the organization while trying to minimize their own risk. Also, in many cases, resources are wasted when departments act in a silo.

A centralized risk management department is known to be more efficient and consumes much fewer resources. Another issue is that sometimes risks span different departments. In such cases, there is conflict regarding the ownership of these risks.

It is for this reason that enterprise risk management (ERM) takes a more centralized approach towards risk management. Here, decisions related to risk management are taken at the enterprise level. The purpose is not to work in the best interests of any department but of the organization as a whole.

Reactive vs. Proactive

Traditional risk management is often reactive in nature. This means that it is either reacting to an event that has taken place in the present or preventing an event that has taken place in the past. Traditional risk management relies on empirical data. However, a lot of risks are the result of newer technologies. Hence, they cannot be understood while looking in a rearview mirror.

New-age technologies create newer unseen risks and market shifts. This is whether the concept of enterprise risk management (ERM) comes into place. The emphasis is on trying to find out how the future will play out while keeping the current context in mind.

Standardization vs. Customization

The traditional risk management process is more or less standardized. Over the years, several frameworks and models have been developed. Implementing these frameworks is a fairly standard and common process and can be easily implemented. These processes cover most of the standard risks which an organization faces.

However, there are some non-standard risks being faced by organizations as well. This is why a more customized approach is necessary for enterprise risk management (ERM). The customized approach is not focused on compliances like the traditional approach. Instead, it is a more creative function that uses creativity as well as statistical skills in order to predict the possible risks.

The bottom line is that enterprise risk management (ERM) is a wider and more advanced version as compared to traditional risk management. The differences between them are significant. With the passage of time, more and more organizations are migrating towards the use of enterprise risk management (ERM).

Authorship/Referencing - About the Author(s)

The article is Written By “Prachi Juneja” and Reviewed By Management Study Guide Content Team. MSG Content Team comprises experienced Faculty Member, Professionals and Subject Matter Experts. We are a ISO 2001:2015 Certified Education Provider. To Know more, click on About Us. The use of this material is free for learning and education purpose. Please reference authorship of content used, including link(s) to ManagementStudyGuide.com and the content page url.