What Is Traditional Risk Management?
All businesses carry out some form of risk management. Traditional risk management, more commonly referred to simply as "risk management," tends to be a formal business function in large companies. How many people are involved depends on the size of the company, its risk philosophy and what it is required to do by law.
Characteristics Of Traditional Risk Management:
- Risk averse
Limitations Of Traditional Risk Management
- Does not incorporate informed risk-taking
- Limited approach
- Less able to adapt to changing scenarios
- Harder to tailor to business risk profile or circumstances
- Restricts risk management to the team or department level
What Is Enterprise Risk Management?
ERM is defined as “a methodology that looks at risk management strategically from the perspective of the entire firm or organization.”
How Does Enterprise Risk Management Differ From Traditional Risk Management?
- Some experts pin the difference on timing: traditional risk management typically only occurs after an incident has already happened and is done to prevent that situation from happening again. On the other hand, ERM is future-looking, and attempts to determine potential events and situations that could, or are even likely to, occur.
- Traditional Risk Management tends to focus on risk avoidance, while ERM takes note of potential risks and identifies which ones are worth taking, therefore focusing more on opportunity alongside pure risk.
- ERM encompasses the entire enterprise and is top-down, whereas traditional risk management may focus on only one area and does not emanate from a holistic view of the entire organization.
- As traditional risk management (TRM) is well established and routinely practised across businesses, it has become quite standardized. ERM is more dynamic, agile and adaptable to situations or organizations.
| Traditional Risk Management (TRM) | Enterprise Risk Management (ERM) |
|---|---|
| Focuses solely on risks that can be insured. | Accounts for insurable hazards along with any other risk an organisation faces that no amount of money can remedy. |
| Reactive risk management that takes place only after an incident has happened, to prevent it from reoccurring. | Proactive risk management that attempts to predict potential events before they happen, while considering impact and probability. |
| Risk-averse mindset: views risks only as something that can cause the organisation to lose money. | Risk-taking mindset: the downsides and upsides of risks are considered to determine which pose an opportunity for growth and expansion. |
| Fragmented approach where each department manages risk independently with no communication outside of their respective business units. | Integrated and holistic approach where risk management is coordinated throughout the business with senior-level oversight to help better allocate resources and prioritise risks. |
| Disjointed activity with no connection to strategic objectives and little awareness of risk across the organisation. | Risk is embedded as a culture and ingrained as a valuable decision-making tool to ensure business success. |
| Follows basic and limited standards that may stall operations and provide minimal value to an organisation. | Follows modern standards such as the COSO framework and ISO 31000, which complement the technical and soft skills required to extend risk management beyond a compliance-oriented exercise. |
Interested in learning more about ERM? Check out IRM's certifications to understand ERM in depth: the Institute of Risk Management is the world's leading professional body in Enterprise Risk Management, with recognition in 140+ countries.
Blog Author: Sanskar Raheja, Level 1 Qualified