What makes Enterprise Risk Management (ERM) so different from traditional risk management?
Nine times out of ten, this question is the first one I get when speaking with organizations about their risks.
Whether they know it or not, everyone in an organization from the janitor to the CEO engages in “risk management” of one sort or another on a daily basis.
- The janitor will put up one of those “caution, wet floor” signs after cleaning the bathrooms or at the entrance to the building on a rainy day.
- The CEO or CFO will purchase liability insurance in the event of a mistake or otherwise extremely unhappy customer.
- The IT Director may be on the lookout for vulnerabilities and take steps to protect the company’s data and systems.
Although these risk management activities are critical, most organizations only think in terms of their particular business unit or “silo” rather than the entire enterprise, which is the key difference between traditional risk management and ERM.
We invite you to continue reading for more in-depth information on the differences between traditional and enterprise risk management.
- Insurable vs. Not necessarily covered via insurance
In a traditional risk management framework, an organization is generally only looking at things that are insurable.
Consider our wet floor example – not only is the janitor putting out a sign to warn people of a slippery surface, the company will also have liability and workers’ compensation insurance in the event someone does slip and get hurt. Another example would be purchasing insurance policies for any company vehicles or equipment in the event of an accident.
On the other hand, ERM goes beyond hazard risks that are insurable to look at risks that may not be transferable in the form of insurance. For example, a company’s reputation cannot be protected through insurance, but proactively identifying and managing the threats to its reputation will help avoid or reduce the impacts.
It may be possible that some risks can be partially reduced by insurance but requires additional action by the company. If a data breach were to happen, a company’s reputation would be damaged. If the company bought a cyber insurance policy, the policy could help offset the costs associated with responding to the data breach and provide resources to the company to reduce the reputational damage. But the company would still need to take proactive measures to protect its information from hackers, malware, and misuse, reducing the likelihood of the risk occurring.
To learn more, visit Risk Transfer – A Response Strategy for Limiting Damage from a Negative Event.
- One-dimensional assessment (potential impact) vs. Multi-dimensional assessment
Traditional risk management not only evaluates risks from a loss prevention perspective; it also only considers the risk’s potential impact. Take our wet floor example – a company safety officer or facilities director will typically only consider what will happen if someone slips and falls, and take action to mitigate this risk through liability insurance and safety improvements.
Some traditional risk management activities may also consider the probability of a certain risk affecting the organization. However, as Laurie Brooks of Provident Financial Services explains:
“…we, as a culture, in the West in particular, are not well educated on the terms “probability” and “likelihood,” either from a mathematical standpoint, or even just from a common understanding of what we mean when we say something has a 50/50 chance of occurring.”
Enterprise risk management undoubtedly considers both impact and probability but also seeks to understand more about a particular risk. Depending on the organization and how in-depth they want to go, a robust ERM effort will also consider velocity and activity metrics. Commonly asked questions will include, according to Brooks:
- How soon will a risk pose a threat to our business?
- Is it coming up fast or slow? (a.k.a. velocity)
- Is the risk affecting us now, or will it become a problem in a year or more? Will the risk only become a problem if something else occurs first?
- What event(s) could trigger or speed up the velocity of a risk becoming a problem?
- Is this risk being actively managed, or is it on the back burner?
- How often are inactive risks being evaluated to determine if they need to be moved to active status?
- Do contingency plans need to be developed or updated?
As you can see, ERM peels back the onion layers to help management prioritize risk management activities and better allocate resources. A particular risk may have a catastrophic impact, but if it is constantly being monitored and highly unlikely of occurring, scarce company resources can be better spent on more urgent risks.
To learn more, visit Enterprise Risk Assessment – Transforming Risk Information into Action.
- Manages risks one-by-one vs. Analyzes risks and how they relate
In a traditional siloed environment, the management of risks occurs as needed on an individual risk basis. Departments within an organization will only look at risks within their areas and not really communicate with other parts of the company. As we explained above, this approach can create new risks in other departments.
Besides creating additional headaches down the road, managing risks one-by-one also fails to show the cumulative effects various risks have on an organization, as well as risks that are related to each other. By not connecting the dots, companies could either expose themselves to much bigger risks or simply miss out on opportunities to meet or exceed their goals.
ERM ties all of these disparate risk management functions together, regardless of their type, and analyzes them to find connections, trends and any particular concentrations. Doing so helps senior management better allocate resources and prioritize risks that can affect their core mission and business strategy.
To learn more, visit Enterprise Risk Analysis – Prioritizing Risks for Maximum Benefit to the Organization.
- Occurs within one business unit (“siloed”) vs. Spans the entire organization (“holistic”)
Traditional risk management is departmentalized, meaning it occurs in a singular business unit, “silo” or “stove pipe.” For example, the IT department will focus on technology risks, the General Counsel will handle legal risks, and the Chief Financial Officer (CFO) will evaluate financial risks and so on. In many organizations, these departments will not communicate with one another about their risk management activities.
Although this is common practice in companies of all sizes, it has several shortcomings according to Dr. Mark Beasley, Director of the ERM Initiative at North Carolina State University.
First, managing risks in this “stove-pipe” manner will often, unknowingly, create risks to other areas of the organization – let’s say the IT Director is addressing a particular technology risk but creates a new legal risk in the process, or addressing a legal risk opens up new talent risks.
Also, many risks often fall between an organization’s silos or will not really apply to any particular silo. An example of this will be managing a company’s vendors, especially if these vendors deal with more than one department within the enterprise. In these situations, collaborations and coordination across the business units is required, but what often happens is no department wants to take ownership.
Or take a new product line – which department will own risks associated with production, communications, competitors, regulations and other areas? As you can imagine, this can get extremely difficult to manage, and things will inevitably get missed.
Enterprise risk management, on the other hand, is a top-level process that connects the various departments within an organization – it overrides any autonomy a particular department may have. Also, ERM is not only looking at hazard risks that can be addressed through insurance (…refer to #1), it is also integrated into strategy, planning and execution.
Companies with robust ERM programs will have a Director or Vice-President who will provide that view bringing all of the silos together to get a whole picture of risks that can affect the ability for the organization to meet its goals. This individual will typically report directly to the CEO or a Chief Risk Officer.
- Reactive & sporadic vs. Proactive & continuous
The examples in the intro are a great example of a company reacting to particular situations. The janitor only puts the wet floor sign out after the floor is wet or someone has slipped and fell. Or, the IT Director may only address a technology risk once an outage or hack has occurred.
Although not always the case, traditional risk management efforts are often times borne out of a particular event that management responds to.
On the flip side, enterprise risk management is proactive, continually looks at relations between risks, and assesses how the risks affect the organization both positively and negatively. It establishes a value-based and focused process that proactively identifies assumptions and scenarios that can either knock a strategy off track or result in missed opportunities, which allows the business to develop action plans to address the risk. Essentially, ERM is about getting in front of the risk, not waiting for it to happen then react.
To learn more, visit 8 Possible Consequences of Not Being Proactive in Risk Management.
- Considers only downside (loss) vs. Considers both upside and downside
When most people think about risk management, they understandably will only think about losses or negative impacts from a particular risk. This is true when looking at risk from a traditional standpoint – what is the downside of a particular risk and what steps do we need to take to mitigate a particular loss?
Enterprise risk management looks at the downside of risks; however, since ERM takes a more holistic and strategic view of risks across the organization, it will also consider the upside as well. The upside of risks is also known as opportunities, such as when a target is not only met but exceeded.
For example, a company initiates a marketing strategy to attract 40,000 more clients for a specific product. There is a risk that they won’t meet the target goal of 40,000, but the upside is exceeding the target goal. So the company creates contingency plans for both the downside and upside, with the upside being addressed by plans to increase resources to handle the additional clients. A risk may exist, but if the organization is willing to accept the risk and seize the opportunity, large gains can be achieved.
As we’ve demonstrated, traditional risk management is fragmented and sporadic and focuses almost exclusively on loss prevention.
ERM not only helps a company minimize losses, it also helps maximize growth opportunities, increase income and asset values, and reduce or eliminate uncertainties.
To learn more, visit Wait a Second – You Mean We Can Have Positive Risks Too?.
- Focuses solely on loss prevention vs. Focuses on business goals, adding value and more
The areas of focus from a traditional vs. enterprise risk management are just as, or even more significant, than the silo vs. holistic factor.
On the one hand, traditional risk management focuses on preventing losses usually in the form of hazards. Circling back to our examples in the intro, the basic task of putting down a wet floor sign is focusing on preventing loss in the form of an employee or customer getting hurt. If an IT Director is solely considering technology risks, they will only be looking at how a gap in their security may create a gap for a data breach, which can cost a lot of money and affect the company’s bottom line.
Don’t get me wrong – the protection of the company’s financial status is important but doesn’t address other areas that are vitally important for an organization’s long-term success.
ERM goes much further to include all risks that can affect its ability to meet its goals, regardless of the type of risk. Looking at the risks holistically and seeing any connections or inter-dependencies help an organization not only minimize losses, but maximize growth opportunities, reduce uncertainty or otherwise add value.
This not only includes your garden variety risks such as hazards to any capital, employees or customers, but also risks to an organization’s reputation, talent (people), business strategy, competition and more. For example, a traditional risk management approach will only look at how a data breach is affecting the company from an immediate dollar and cents perspective. ERM, if done properly, will proactively ID this risk and evaluate how it will affect the company’s reputation with customers and suppliers, as well as the company’s mission and long-term strategy.
To learn more about how ERM goes beyond loss prevention, check out the following:
- Enterprise Risk Management as a Strategic Tool for Companies
- 3 Best Practices for Factoring Risk into Your Strategic Planning Process
- 5 Ways to Better Understand and Quantify Reputation Risk
- 4 Ways to Survive Reputation Scrutiny and Improve Reputation Risk Oversight
- Disjointed vs. Embedded in culture and mindset
As we explained way back in number one, traditional risk management only occurs within a particular department or silo. The IT department will only focus on their area and not necessarily communicate their risk management activities with the legal or finance departments.
As a result, efforts to identify and mitigate risks become disjointed across the enterprise, resulting in some risks getting missed, new risks being created or a duplication of effort.
When ERM ties these different silos together, compares risks and how they relate to one another, the entire company begins to look at how their actions (…or inactions) are impacting other areas of the enterprise. Everyone from executives to managers and front line employees begin thinking about the pros and cons of what they’re doing, the impact of their actions and more.
This isn’t to say that every action or decision will require a formal process for identifying and assessing risks. Much of the time, this will be an informal process where a manager or even an employee will stop for a minute and think about how their actions may create reputation, talent, strategic or some other risk to the enterprise.
To learn more, visit 5 Critical Steps to Cultivating a Positive Risk Culture.
Again, any organization will be involved in managing risk to one extent or another. Most organizations though will simply look at potential losses of a particular risk and how they can mitigate these losses, usually through insurance.
However, many believe the traditional forms of risk management are inadequate to deal with the realities of an ever-changing world where reputations can be damaged in an instant and even the slightest altercation could derail a company’s growth potential. This is why the holistic, birds-eye view provided by enterprise risk management is taking a larger role in companies from a wide-range of industries around the world.
Want to learn more about enterprise risk management and how it can help your company proactively identify risks, reduce uncertainty or spot growth opportunities you may be missing? Continue browsing our ERM learning resource for more, or feel free to contact me, Carol Williams, to discuss your individual needs.
Featured image courtesy of “artur84” via FreeDigitalPhotos.net