How well are you implementing enterprise risk management (ERM) in your organisation? How is the increasingly risky landscape of globalised business influencing your organisation’s approach to risk management?
Enterprise risk management vs. risk management: a traditional approach to risk
Historically, the most conscientious of organisations would treat risk management as a necessary appendage to project and programme implementation. Risk managers would be part of the Project Management Office furniture and would carry the majority of the burden of accountability for managing risk in a given programme. Risks would be defined as part of programme initiation, and measures built into the management approach to mitigate obstacles to delivery, cost, timescales, benefits and success throughout the project lifecycle.
In other cases, organisations might approach risk management as a check-box exercise of compliance. This was to miss the point of risk management, often with awful consequences for the success of projects, programmes and the organisation as a whole.
Both scenarios expose serious flaws in the traditional risk management approach.
Let’s take a look at a few ways in which ERM addresses risk management differently.
5 key differences in enterprise risk management
1. Enabled by technology
The digital transformation revolution has brought brand new ways for companies to configure and conduct their business and enterprise risk management best practices.
Platforms such as Microsoft 365 and its associated suite of applications have brought increased collaboration, interconnectedness, automation and reliability.
The ability to capture and share a consolidated source of truth through easy-to-navigate user interfaces granting employees role- and responsibility-appropriate levels of access, is a game-changer for ERM. It means organisations can thoroughly empower their people to focus on more influential stuff than just fulfilling procedure.
Enterprise Risk Management software is one of the most important of these focal points. Supported and enabled by technology, people within an organisation can bring greater intellectual skill to bear on mitigating risk, spotting opportunities and achieving desired outcomes.
2. Data dependent
Traditional risk management is dependent on the human experience and bias of Risk Managers within the Project Management Office.
This has two problems. Firstly, it puts the onus of risk management entirely on the shoulders of named individuals operating with minimal control in an inflexible and limiting organisational structure.
Secondly, it is dangerously psychology-dependent. Risk management ought not to be subject to the optimism or pessimism of its managers. The management and mitigation of risk ought to be based on realistic scenarios and outcomes presented in the best historical organisational data.
Having a means to collate, store, interrogate and analyse data actively and passively ensures that risks are identified, assessed, prioritised and dealt with in the most appropriate and effective way.
3. Holistic involvement
Making one person responsible for organisational risk is nonsense. Especially in the age of collaborative technology, more stakeholders can and ought to be involved in understanding risks as well as identifying the opportunities this can reveal.
Whilst many organisations have taken advantage of the cost benefits of digital transformation, they continue to maintain their traditional hierarchical and functional silos, thus failing to maximise the collaborative capabilities of the platform they have implemented.
As an illustration, imagine if, in 1928, Dr Alexander Fleming had come back to his laboratory from holiday and chose to do nothing about the new effects he could observe in the petri dish he’d left on his bench. Imagine if he’d just let it sit there and worked around it.
Despite the technology to prepare and observe bacterial behaviour being well-established, Fleming would have failed to isolate penicillin, the most beneficial antibiotic known to humankind.
Similarly, without changing organisational behaviour in response to readily available and familiar technology, enterprises are jeopardising the discovery of their own ‘pathogens’ of risk, as well as their cure.
4. Proactive and preventive
A key difference in the ethos of enterprise risk management in contrast with traditional risk management protocols is that of proactivity and prevention.
In a 2024 article Ramesh Pillai, Chairman of the Institute of Enterprise Risk Practitioners (IERP) states: “Traditional crisis management focusing on response and recovery is no longer sufficient.”
Enterprise risk management best practices encourages technologically enabled organisations to pool their data and their intelligence to find valuable ways of mitigating risks and preventing disaster. In this environment business continuity is more about proactively building away from risk, enabling organisations to thrive rather than limp along in survival mode.
Artificial Intelligence and machine learning provide useful tools in this regard, working constantly in the background to analyse and detect risk factors within organisational data. Automation technology can then push notifications and alerts to appropriate decision-makers and actions taken to avoid or mitigate imminent risks.
5. Objective-driven
Traditional risk management is often criticised for being a box-ticking process merely to satisfy compliance demands.
Unfortunately paying only lip-service to risk management approaches is becoming increasingly difficult as regulatory bodies require greater evidence of an Enterprise-wide framework.
As IERP Chairman Pillai says: “Organisations need to evolve their risk management frameworks to anticipate, assess and address their risks in real-time… You cannot be doing your normal risk management. You need to be doing enterprise risk management. You have to look forward and adopt objective-centric approaches in line with ISO 31000 or COSO 2017.”
To illustrate, the ISO 31000 Risk Management standard requires enterprise risk management to be dynamic, continuously improving and inclusive of stakeholders, as well as driven by the best available data, in a structured and customised way comprehensively integrated into an organisation’s processes.
This requires enterprise risk management best practices to be closely tailored to the organisation’s internal and external objectives, including human and cultural factors. It also requires capitalising on the capabilities of technology to bring the culture into the 21st Century.
Enterprise risk management vs. risk management – the future is ERM
To understand how your organisation can benefit more from your technology platform to make the shift from traditional risk management to enterprise risk management software, talk to us today.