ERM vs. Traditional Risk Management

Traditional risk management approaches are focused on protecting the tangible assets reported on a company’s balance sheet and the related contractual rights and obligations. The emphasis of ERM, however, is on enhancing business strategy by ensuring corporate security is in line with business strategy. The scope and application of ERM are much broader than protecting physical and financial assets. With an ERM approach, the scope of risk management is enterprise-wide and the application of risk management is targeted to enhancing as well as protecting the unique combination of tangible and intangible assets comprising the organization’s business model.


This part is very important… With market capitalizations often significantly exceeding historical balance sheet values, the application of risk management to intangible assets is critically important. Just as potential future events can affect the value of tangible physical and financial assets, so too can they affect the value of key intangible assets, e.g., customer assets, employee/supplier assets and organizational assets such as the entity’s distinctive brands, differentiating strategies, innovative processes and proprietary systems. This is the essence of what ERM contributes to the organization – the elevation of security and risk management to a strategic level by broadening its application to ALL sources of value, not just physical and financial ones.


There are five sources of value with sub-assets within each value within traditional risk management:

The ERM process can lead to more comprehensive risk responses when management identifies potential future events (i.e. strategy) that could affect each category of assets critical to the execution of said strategy. This diagram illustrates categories of potential future events that might be considered during a risk assessment:

An enterprise's sources of value, whether tangible or intangible, are inherent in its business model. They are affected by sources of uncertainty which must be understood and managed as an organization works to achieve its performance objectives. They may be external, internal or both. For example, environmental risks are uncertainties arising in the external environment affecting the viability of the enterprise's business model. Process risks are uncertainties affecting the execution of the business model, and therefore often arise internally within the organization's business processes.

Because inadequate knowledge and information breed more uncertainty, information-for-decision-making risks are uncertainties affecting the relevance and reliability of information supporting management’s decision to proceed with a certain business strategy or direction.