11/14/22, 10:47 AM Traditional vs. Enterprise Risk Management: How Do They Differ?

Businesses understand they cannot exist in a risk-free environment. How to manage the risks they face
depends on many variables, including the industry the business is in and its size.

In some industry verticals, such as financial services and insurance, the risk function tends to be more mature
than at other companies because their business models are risk-based and they are subject to regulations
which require them to manage risks in specific ways. In verticals where risk is not the primary business, risk
management also exists, but the universe of risks tends to vary from industry to industry and company to
company, as do the ways in which they manage risk.

This article looks at the difference between traditional risk management and enterprise risk management.

What is traditional risk management?
Traditional risk management, more commonly referred to as "risk management," tends to be a formal business
function in large companies. How many people are involved depends on the size of the company, its risk
philosophy and what it is required to do by law.

"Some of the earliest forms of risk management were things like credit risk, financial risk and operational risk,"
said Alla Valente, senior analyst at Forrester Research.

What is enterprise risk management?
Enterprise risk management spans different types of risk in an enterprise, including governance, risk and
compliance (GRC), and cybersecurity. However, beyond and within those risk types are more specific forms of
risks such as the following:

regulatory risk (compliance with regulations or a new regulation);
operational risk (supply chain, business continuity, IT system failure, workforce issues, health and safety);
cyber risk (application vulnerabilities, internal and external threats including data exfiltration, loss of control
of systems, software or data);
compliance risks (noncompliance or inadequate compliance);
financial risks (revenue loss, cost overruns, regulatory fines, legal dispute settlements, assets, debts,
insurability); and
hazard risks (health, safety, acts of God, errors or omissions by employees).

While the above list is not exhaustive, it doesn't take much imagination to see that the various risk functions
overlap. The only way to understand their interconnections is to have a committee of people representing the
different risk types, working together to identify risks and mapping them out so that the totality of potential risks
can be understood better as well as the impacts of specific events and decisions.

Traditional risk management and enterprise risk management share many similarities in their aim to mitigate risks that can harm a company. Here ar

What are the major differences between traditional and enterprise risk management?

Siloed vs. holistic. Organizations with traditional risk functions still have other risk functions in the organization,
but they tend not to work together because each area "owns" its risk. Given the interconnectedness of risks,
irrespective of their type, a siloed approach does not manage some types of risks well, if at all.

Operating in silos also means there's a lack of understanding of the potential upstream and downstream effects
of risk. For example, a cybersecurity breach isn't just a security problem because it could also include
compliance, financial, operational, legal and reputational risks.
Enterprise risk management (ERM) takes a more holistic approach to managing risks, including understanding
the relationships among the various risk types.

"Enterprise risk management tends to catalyze conversations that would not happen
organically," said Chris Matlock, vice president, advisory, corporate strategy and risk
practice at Gartner, citing the issue of data privacy. "There are many leaders making
choices that directly and indirectly impact whether we are in compliance with data
privacy, for example."

When the larger scope of risks and their potential impacts are known, companies can
innovate and understand opportunities in a risk-aware way. They're also in a position to
understand the potential scope of strategic risks and their various implications.
Importantly, ERM enables companies to take a proactive approach to risk management.

Risk averse vs. risk taking. Traditional risk management tends to be risk averse. For example, the financial
services industry uses scoring algorithms to decide who is and is not creditworthy. However, some creditworthy
individuals will default on loans because they were distracted at payment time, lost their job or experienced
financial difficulties. That possibility is factored into the price of credit, and credit risk insurance is available to
cover such losses.

Companies in the money business, such as banks, tend to be risk averse, while technology startups are known
to be risk taking. An example is the digital cash startups which failed in the mid-1990s because they were
attempting to operate outside of established financial systems. Now there's cryptocurrency, which is essentially
the same idea, but it has a built-in system of record which is enabled by blockchain.

Whether a company is risk averse or risk taking depends on its risk appetite, or the amount of risk an
organization is willing to take to achieve its goals.

"The key is to balance the risks and rewards. What are the risks that are worth taking?"
said Forrester's Valente. "A lot of organizations think they have a low risk appetite, but
do they have plans to grow? Are they launching new products? Is innovation important?
All of those growth strategies are not without risk."

Reactive vs. proactive. Traditional risk management tends to be reactive. A risk has
manifested or it's in the process of manifesting, which causes the company to change its
policy and behavior going forward. However, risk management through the rearview
mirror carries its own risks.

For example, a laptop manufacturer was debuting its brand at a major trade show. The company had an
impressive booth exhibit and hired a prestigious PR firm. It had also funded the most expensive TV ad its large
ad agency had ever produced. While at the trade show, the company's executives learned that the screen
component manufacturer would not be able to deliver for several months. The company lacked secondary
suppliers, so it was unable to sell the product. Within weeks, the company failed because the conglomerate
parent company pulled all funding.
Enterprise risk management takes a proactive approach to risk management using a combination of people,
processes and technology. ERM solutions integrate with GRC and other risk-function-specific solutions so a
higher-level view of enterprise risks can be achieved. Capabilities tend to include risk assessment, risk
identification, risk management, risk monitoring and risk reporting.

While ERM implementations differ among companies, Gartner's Matlock said the three critical factors include the
following:

organizational culture
risk appetite of senior leadership
resources allocated for ERM

Insurable vs. non-insurable. Another difference between traditional risk management and ERM can be
insurability. For example, if an employee gets hurt at work, there is workers' compensation insurance and also
the company's general liability policy. The rule does not always apply: For example, cyber-risk is usually not a
part of traditional risk management and yet cyber insurance exists.

Some risks are uninsurable, however. For example, if an executive commits a crime, such as embezzlement or
insider trading, insurance will not cover the executive's criminal fines.

An ERM function helps identify uninsurable risks wherever they may exist, because the heads of the various risk
organizations are providing periodic updates. They are also working together to manage the enterprise's scope
of risks.

Management by insurance (relying too heavily on an insurance policy) is a bad practice because policy limits
and claim settlements can differ greatly. For example, the surge in ransomware attacks caused cyber
insurance to spike by 18% in the first half of 2021. The increasing number of cyber attacks is causing insurance
companies to set lower caps and underwrite fewer policies. Insureds also have a duty to mitigate losses, so if a
known application or firmware vulnerability remains unpatched and an attacker exfiltrates sensitive data as a
result, the insurance company might refuse to pay the claim.

Bottom line

Traditional risk management continues to have a place. However, the various risk functions must work together
to manage risks effectively in today's dynamic business environment.

ERM is gaining momentum because today's enterprises realize they're not managing risks as effectively as they
could. Companies must be patient, though, because creating an ERM function takes time -- about two or three
years, according to Gartner's Matlock.