Let’s first put things in perspective. A traditional risk management model typically assesses an enterprise's ability to adhere to existing frameworks or regulatory obligations. For example, a traditional risk assessment (in various capacities, which we will outline shortly) would be used to ensure compliance with regulatory obligations such as SOX, PCI or even HIPAA.
An Enterprise Risk Management (ERM) model broadens the focus of traditional risk management to all significant sources of risk across the enterprise. For example, let's take the scenario where an enterprise is doing an M&A or creating a new operating company. We would use the ERM model to measure and document the risks associated with completing the M&A or standing up the new operating company.
In information security and cyber security we use risk management models in various ways. Overall, they are designed to measure levels of risk and to gauge the overall success of the information security program.
Business Impact Assessment = BIAs are a form of risk assessment commonly used in Business Continuity programs.
IT audits = IT audits use a framework like ISO 27001 or ITIL. They could also be used to measure performance against contractual obligations to clients.
Regulatory Audits = Regulatory audits are risk assessments that gauge performance metrics against a specific regulatory obligation like SOX, PCI-DSS, HIPAA, EU-GDPR, etc.
Even in ERM (using the M&A or new organization example) there could be impacts on IT operations, IT security and even regulatory obligations.
Overall, the traditional risk management model is focused on managing uncertainties around physical and financial assets. ERM is focused on the enterprise's entire asset portfolio, including its intangible assets such as its customer assets, employees and supplier assets, and such organizational assets as its differentiating strategies, distinctive brands, innovative processes and proprietary systems.
Very few companies have implemented a truly enterprise-wide approach in all aspects of the business (Banking & Financial Services are arguably the exception). Companies at the early stages of developing a risk management program often lay a foundation with a common language and a risk management oversight structure focused on specific outcomes like BCP, regulatory audits and client contracts. Irrespective of how they are used, traditional and enterprise risk management both have their place and can benefit the enterprise if applied correctly.