How ERM Differs from Traditional Risk Management


There is not much difference between traditional risk management and ERM. The two processes are quite similar, the one difference between them being scope. While both try to minimize the effects of risk on a business through identification and analysis, they do so from different viewpoints. Traditional risk management is more localized and deals with specific risks that affect the business in one way or another. ERM, on the contrary, takes a more extensive view, with a broader scope covering the risk factors the company or enterprise faces as a whole.

Keeping in mind that traditional risk management takes a narrow view of dealing with risk, you can say that its primary focus is on particular hazards, and it does not try to solve many problems at once. These hazards are mostly dealt with by employing simple solutions, such as purchasing insurance cover.

When you look at it, traditional risk management does not see things from a broad perspective. That’s where ERM comes in. It makes use of a more holistic view and considers business risk as well. Unlike the traditional process that only limits each investigation to a department or smaller business unit, ERM takes a different course and considers all the risks that a business or organization may face at some point. It then amalgamates them and checks for any trends or connections.

You can say that ERM is an advancement to traditional risk management because it takes into account specific hazards that occur to enterprises within different departments. It, however, doesn’t stop there and goes further to address financial, operational, and strategic risks that are taken care of from an enterprise-wide view.

While these two processes tend to appear similar, many people never really grasp the difference when talking about risk. They differ in three main areas, namely:

  • Insurance
  • Mode of risk treatment
  • Reactive vs. proactive decision making

Insurance

As mentioned earlier, if the solution to your risk is insurance, then that definitely falls under the traditional risk management framework. Here, the criterion is simple, and there are not many complexities. The situations addressed are invariably specific, and even though such solutions are beneficial, they fail to take into consideration the overall view and how the entire enterprise can be protected.

ERM, however, goes beyond addressing the immediate problem. It looks at the organization as a whole and adds to the protection brought by the insurance. Its main aim is to make sure that the business is not vulnerable to other threats, and it reduces the chances of them happening.

A good example is in the healthcare industry, where it relates to compliance. For instance, the Health Insurance Portability and Accountability Act (HIPAA) has enabled better regulation and accountability in this specific industry, which has, in turn, led to better results for its users. However, other organizations, like the International Standards Organization (ISO), the National Institute of Standards and Technology (NIST), and the Payment Card Industry (PCI), have come up with their own compliance requirements that different individual departments across the healthcare business are expected to take up.

This compliance procedure was not as effective as it ought to be, and it wasn’t easy either. It called for a better way to deal with the requirements, and the Health Information Trust Alliance (HITRUST) decided to bring them together under one umbrella. This matches the description of the ERM process, which aims at protecting the entire organization. The idea is to ensure that no single department has its own compliance requirements that could lead to uneven benefits across different areas of the enterprise.

Mode of Risk Treatment

The traditional risk management approach assesses the risks of different business areas separately. The same risks may have spillover effects on other departments, and if there is poor communication, the issue goes unaddressed. It gets worse: with such a limited viewpoint, the same risk may continue to occur in different departments and never be fully recognized.

ERM, on the other hand, can connect the risks and deal with their cumulative effects across different areas. The ERM process is more nuanced and views the business as a whole. It understands the business’s needs and tries to come up with different paths that the enterprise can take to meet its strategic goals. ERM observes trends and connections, then analyzes them together to identify risks so that they can either be prevented or have their effects minimized.

Reactive vs. Proactive Decision Making

ERM is more of a precautionary measure. It enables a business to get ready for risks well before they happen, rather than waiting for a problem to strike and then starting to look for solutions. In large organizations, security issues are dealt with by a Security Operations Center (SOC).


Imagine if large companies waited until they were faced with a cyberattack and all their data had been locked or stolen. What would happen then? Restoring the data would certainly involve a massive delay. It is paramount, therefore, that every organization gets ready for such scenarios.

The use of ERM enhances the safety of any business because it not only helps in identifying potential risks to the enterprise, but also enables the organization to work out protection and disaster recovery procedures before a risk materializes. One remarkable benefit of this is that, whenever there is a cyberattack, the restoration of IT systems will be quicker. The framework could also stop some attacks from happening altogether.

Traditional risk management is good, and, in a way, protects an organization. However, using ERM will ensure the whole company is protected from any potential threat. The main aim is reducing the chances of risks occurring while ensuring the business stays aligned with its strategies.

Author Bio

Ken Lynch

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.

This is an article provided by our partners network. It might not necessarily reflect the views or opinions of our editorial team and management.
