[ERM toolkit #1]: What is the difference between ERM and traditional risk management?

Hi, we're STC!

A team of risk management and corporate governance professionals working in a partnership structure to provide top-tier expertise to a wide range of organizations. We offer our skills and talent to support your strategy.

When I was appointed in my first Enterprise Risk Management (ERM) role, the organisation was in its early stages of ERM framework maturity.

Back then, the framework was not even called ERM.

It was a requirement under London Stock Exchange rules and the UK Corporate Governance Code to report to the board, and to disclose in the Annual Report and Accounts, the significant risks to the business and how these are addressed.

There were many risk professionals in the business, covering a wide range of risks, from compliance to safety and competition. And the majority were doing a fantastic job in actually addressing these key risks to the business.

You can probably guess that my appointment created confusion and possibly even some nervousness. What was my role exactly? How was my role different from theirs? Was anyone being made redundant? They were experts in their field, so why should they need to align to an ERM framework?

The context was challenging, and I was not starting from a comfortable position. Now, writing about this, I am not even sure how I survived 😊.

The first thing that I did was to clarify the difference between their roles and mine. I started to educate everyone on the objectives of ERM and how we would deliver them.

So, what is the difference?

Let's start with defining the concepts.

Traditional Risk Management. This is a process that aims at identifying certain risks to the business and taking decisions and subsequent actions to address them. It requires expertise in addressing that specific risk. It is quite a siloed approach, and the stakeholders sit in specific areas of the business.

For example, managing regulatory risks is a traditional risk management process. Risk managers are usually legal experts, corporate affairs professionals, and compliance specialists. The risks are usually managed within specific areas of the business.

Enterprise Risk Management. This is more of a framework that consolidates the information from the different areas of Traditional Risk Management with the purpose of having a consolidated view of all risks in the business. The stakeholders are many and range from management to board members, investors and authorities. It is usually the output of this process that gets reported in the Annual Report and Accounts.

For example, ERM will consolidate information about credit, safety, regulatory, competition and reputation risks, all of which go through a separate Traditional Risk Management process.

There are other specific differences that I have tried to summarise below.

| Component | Traditional Risk Management | Enterprise Risk Management |
| --- | --- | --- |
| Definition | A process that aims at identifying certain risks to the business and taking decisions and subsequent actions to address them. | A framework that consolidates the information from all areas of Traditional Risk Management with the purpose of having a consolidated view of all risks in the business. |
| Formalisation | Always exists, but can be informal. | Recognition depends on formalisation. |
| Type | Process | Framework |
| Risks | One specific risk | All key risks to the business |
| Expertise | Expertise in the specific risk area | Expertise in creating common methodologies (e.g., assessment, KRIs, etc.) |
| Stakeholders | Specific business areas, ERM, authorities | Board, investors, authorities |
| Risk management | Addressing specific risks, creating and implementing the risk management strategy for each risk. | Not really managing any risk; helping more with oversight and a common framework for decision making. |

Table 1 – Traditional Risk Management vs. Enterprise Risk Management

Traditional Risk Management is key in addressing risks. ERM does not really address any risks itself. It provides a consolidated view over the outputs of the separate Traditional Risk Management processes.

The two don't exclude each other; they complement each other. And while I am an ERM expert, I must recognise that a business can survive without ERM but does not survive without Traditional Risk Management processes for its key risks.

Is the difference important?

Yes. As in my case, not being able to explain it can create frustration. And this frustration is still present even in mature and regulated businesses, although the concept of ERM is not so new anymore: it has been in use for about 25 years now.

I was talking to the Head of an Enterprise Risk Management function just last year, and he was telling me that the ERM team still needs to explain its role to the actuaries (in an insurance company).

Also, a few days ago, in an organisation with more than 7 years of ERM programme behind it, while discussing the implementation of a risk event monitoring process, the risk managers started to challenge the initiative.

Why create a duplicated process when they already had incident management in place under their Traditional Risk Management approach? What would change for them? Was this replacing their incident management process?

I am not sure yet how the final process will look, as we are still working on designing it, but I had a few comments and questions for them:

  • I reminded them that ERM is about reporting in a consolidated manner to the board and in the Annual Report and Accounts.
  • I also reminded them that it is the Traditional Risk Management process that actually takes care of the incidents.
  • I asked: how does the board find out about key safety incidents, fraud and compliance breaches, if not through ERM?
  • How do rating agencies score the risk management framework, if not through the ERM section in the Annual Report and Accounts?

If the difference is not well understood and, equally importantly, communicated, the ERM objective is at risk. There are significant benefits from implementing an ERM framework, and the success of the programme also depends on explaining this difference.

Claudia Craia

One response to “[ERM toolkit #1]: What is the difference between ERM and traditional risk management?”

  1. Julie

    Well done! Finally I get it: the difference between those two definitions.
    How about an objective-centric risk framework? Have you considered this approach in your ERM?