Traditional vs. enterprise risk management: How do they differ?

What is traditional risk management?

Traditional risk management, more commonly referred to as "risk management," tends to be a formal business function in large companies. How many people are involved depends on the size of the company, its risk philosophy and what it is required to do by law.

"Some of the earliest forms of risk management were things like credit risk, financial risk and operational risk," said Alla Valente, senior analyst at Forrester Research.

What is enterprise risk management?

Enterprise risk management spans different types of risk in an enterprise, including governance, risk and compliance (GRC), and cybersecurity. However, beyond and within those risk types are more specific forms of risks such as the following:

• regulatory risk (compliance with regulations or a new regulation);
• operational risk (supply chain, business continuity, IT system failure, workforce issues, health and safety);
• cyber risk (application vulnerabilities, internal and external threats including data exfiltration, loss of control of systems, software or data);
• compliance risks (noncompliance or inadequate compliance);
• financial risks (revenue loss, cost overruns, regulatory fines, legal dispute settlements, assets, debts, insurability); and
• hazard risks (health, safety, acts of God, errors or omissions by employees).

While the above list is not exhaustive, it doesn't take much imagination to see that the various risk functions overlap. The only way to understand their interconnections is to have a committee of people representing the different risk types, working together to identify risks and mapping them out so that the totality of potential risks can be understood better as well as the impacts of specific events and decisions.

What are the major differences between traditional and enterprise risk management?

Siloed vs. holistic. Organizations with traditional risk functions still have other risk functions in the organization, but they tend not to work together because each area "owns" its risk. Given the interconnectedness of risks, irrespective of their type, a siloed approach does not manage some types of risks well, if at all.

Operating in silos also means there's a lack of understanding of the potential upstream and downstream effects of risk. For example, a cybersecurity breach isn't just a security problem because it could also include compliance, financial, operational, legal and reputational risks.

Enterprise risk management (ERM) takes a more holistic approach to managing risks, including understanding the relationships among the various risk types.

Chris Matlock

"Enterprise risk management tends to catalyze conversations that would not happen organically," said Chris Matlock, vice president, advisory, corporate strategy and risk practice at Gartner, citing the issue of data privacy. "There are many leaders making choices that directly and indirectly impact whether we are in compliance with data privacy, for example."

When the larger scope of risks and their potential impacts are known, companies can innovate and understand opportunities in a risk-aware way. They're also in a position to understand the potential scope of strategic risks and their various implications. Importantly, ERM enables companies to take a proactive approach to risk management.

Risk averse vs. risk taking. Traditional risk management tends to be risk averse. For example, the financial services industry uses scoring algorithms to decide who is and is not creditworthy. However, some credit-worthy individuals will default on loans because they were distracted at payment time, lost their job or experienced financial difficulties. That possibility is factored into the price of credit, and credit risk insurance is available to cover such losses.

Companies in the money business, such as banks, tend to be risk averse, while technology startups are known to be risk taking. An example is the digital cash startups which failed in the mid-1990s because they were attempting to operate outside of established financial systems. Now there's cryptocurrency, which is essentially the same idea, but it has a built-in system of record which is enabled by blockchain.

Whether a company is risk averse or risk taking depends on its risk appetite, or the amount of risk an organization is willing to take to achieve its goals.

Alla Valente

"The key is to balance the risks and rewards. What are the risks that are worth taking?" said Forrester's Valente. "A lot of organizations think they have a low risk appetite, but do they have plans to grow? Are they launching new products? Is innovation important? All of those growth strategies are not without risk."

Reactive vs. proactive. Traditional risk management tends to be reactive. A risk has manifested or it's in the process of manifesting, which causes the company to change its policy and behavior going forward. However, risk management through the rearview mirror carries its own risks.

For example, a laptop manufacturer was debuting its brand at a major trade show. The company had an impressive booth exhibit and hired a prestigious PR firm. It had also funded the most expensive TV ad its large ad agency had ever produced. While at the trade show, the company's executives learned that the screen component manufacturer would not be able to deliver for several months. The company lacked secondary suppliers, so it was unable to sell the product. Within weeks, the company failed because the conglomerate parent company pulled all funding.

Enterprise risk management takes a proactive approach to risk management using a combination of people, processes and technology. ERM solutions integrate with GRC and other risk function specific solutions so a higher-level view of enterprise risks can be achieved. Capabilities tend to include risk assessment, risk identification, risk management, risk monitoring and risk reporting.

While ERM implementations differ among companies, Gartner's Matlock said the three critical factors include the following:

• organizational culture
• risk appetite of senior leadership
• resources allocated for ERM

Insurable vs. non-insurable. Another difference between traditional risk management and ERM can be insurability. For example, if an employee gets hurt at work, there is workers' compensation insurance and also the company's general liability policy. The rule does not always apply: For example, cyber-risk is usually not a part of traditional risk management and yet cyber insurance exists.

Some risks are uninsurable, however. For example, if an executive commits a crime, such as embezzlement or insider trading, insurance will not cover the executive's criminal fines.

An ERM function helps identify uninsurable risks wherever they may exist, because the heads of the various risk organizations are providing periodic updates. They are also working together to manage the enterprise's scope of risks.

Management by insurance (relying too heavily on an insurance policy) is a bad practice because policy limits and claim settlements can differ greatly. For example, the spike in ransomware attacks has caused cyber insurance to spike by 18% in the first half of 2021. The increasing number of cyber attacks is causing insurance companies to set lower caps and underwrite fewer policies. Insureds have a duty to mitigate losses, so if a known application or firmware vulnerability remains unpatched and a hacker exfiltrates sensitive data as a result, the insurance company might refuse to pay the claim.

Bottom line

Traditional risk management continues to have a place. However, the various risk functions must work together to manage risks effectively in today's dynamic business environment.

ERM is gaining momentum because today's enterprises realize they're not managing risks as effectively as they could. Companies must be patient, though, because creating an ERM function takes time -- about two or three years, according to Gartner's Matlock.