
What is risk management and why is it important?


Traditional risk management vs. enterprise risk management

Traditional risk management tends to get a bad rap these days compared to enterprise risk management. Both approaches aim to mitigate risks that could harm organizations. Both buy insurance to protect against a range of risks — from losses due to fire and theft to cyber liability. Both adhere to guidance provided

For many companies, “risk is a dirty four-letter word — and that’s unfortunate,” said Forrester’s Valente. “In ERM, risk is looked at as a strategic enabler versus the cost of doing business.”

“Siloed” vs. holistic is one of the big distinctions between the two approaches, according to Gartner’s Shinkman. In traditional risk management programs, for example, risk has typically been the job of the business leaders in charge of the units where the risk resides. For example, the CIO or CTO is responsible for IT risk, the CFO is responsible for financial risk, the COO for operational risk, etc. The business units might have sophisticated systems in place to manage their various types of risks, Shinkman explained, but the company can still run into trouble

“The pandemic is a great example of a risk issue that is very easy to ignore if you don’t take a holistic, long-term strategic view of the kinds of risks that could hurt you as a company,” Shinkman said. “A lot of companies will look back and say, ‘You know, we should have known about this, or at least thought about the financial implications of something like this before it happened.’”


In enterprise risk management, managing risk is a collaborative, cross-functional and big-picture effort. An ERM team, which could be as small as five people, works with the business unit leaders and staff to debrief them, help them use the right tools to think through the risks, collate that information and present it to the organization’s executive leadership and board. Having credibility with executives across the enterprise is a must for risk leaders of this ilk, Shinkman said.

These types of experts increasingly come from a consulting background or have a “consulting mindset,” he said, and possess a deep understanding of the mechanics of business. Unlike in traditional risk management, where the head of risk typically reports to the CFO, the heads of enterprise risk management teams — whether they hold the chief risk officer title or some other title — report to their CEOs, an acknowledgement that risk is part and parcel of business strategy.

In defining the chief risk officer role, Forrester Research makes a distinction between the “transactional CROs” typically found in traditional risk management programs and the “transformational CROs” who take an ERM approach. The former work at companies that see risk as a cost center and risk management as an insurance policy, according to Forrester. Transformational CROs, in the Forrester lexicon, are “customer-obsessed,” Valente said. They focus on their companies’ brand reputations, understand the horizontal nature of risk and define ERM as the “proper amount of risk needed to grow.”

Risk aversion is another trait of traditional risk management organizations. But as Valente noted, companies that define themselves as risk averse with a low risk appetite are sometimes off the mark in their risk assessment.

“A lot of organizations think they have a low risk appetite, but do they have plans to grow? Are they launching new products? Is innovation important? All of these are growth strategies and not without risk,” Valente said.

To learn about other ways in which the two approaches diverge, check out technology writer Lisa Morgan’s “Traditional risk management vs. enterprise risk management: How do they differ?” In addition, her article on risk management teams provides a detailed rundown of roles and responsibilities. 
