This paper examines the differences between traditional risk management and enterprise risk management (ERM), tracing the historical evolution from pure-risk, insurance-focused approaches to the broader financial and operational risk frameworks that emerged in the 1970s. It explores how shifting economic conditions — including volatile exchange rates, inflation, and interest rate instability — drove organizations beyond hazard-based risk management. The paper also analyzes two core ERM recommendations: establishing risk response strategies (mitigation, acceptance, and transfer) and developing internal communication and reporting protocols, with particular attention to how risk tolerance guides organizational decision-making.
The paper demonstrates chronological comparative analysis: it traces the development of risk management practices across time periods, using historical economic conditions (post-1970s exchange rate volatility, inflation) as explanatory variables for why ERM supplanted traditional approaches. This technique situates academic arguments within a cause-and-effect narrative rather than simply listing definitions.
The paper is organized into two analytical sections. The first contrasts traditional and enterprise risk management, moving from definition to historical context to causal explanation. The second section pivots to practical application, outlining the ERM recommendation framework for risk response — mitigation, acceptance, and transfer — each defined with criteria for application. Citations from Damodaran (2008) anchor the historical narrative, while Tonello and the Conference Board (2007) support the applied strategy section.
Enterprise risk management (ERM) represents a significant evolution from traditional risk management practices. Understanding this evolution requires examining how the scope of risk management expanded over time — from a narrow focus on insurable, hazard-based risks to a comprehensive framework that encompasses financial, operational, and strategic uncertainties. This paper explores that historical transition and analyzes two key ERM recommendations: developing risk response strategies and establishing effective internal communication and reporting protocols.
Traditional risk management focuses on pure risks. In this context, pure risks are defined as risks involving either losses or no losses — the condition of a pure risk does not allow for an outcome more favorable than the current situation. Owning a home is a typical example of a pure risk: the home might be struck by an earthquake, burn down, or be damaged by insects. If none of these events occurs, the owner simply avoids a loss rather than gaining any benefit (Damodaran, 2008).
Traditional risk management focuses on pure risks for several reasons. The concept of risk management was largely developed and taught by professionals who worked in the insurance field, so the focus naturally tended toward risks that insurers would be willing to underwrite. The job duties of many risk managers were limited to purchasing insurance, as few other options were readily available for exploration. This pure-risk focus also proved advantageous because short-term risks most directly represented the financial position of an organization. A fire, for example, could easily force a company out of business (Damodaran, 2008).
Efforts aimed at reducing the likelihood of fire, minimizing the damage it caused, or developing contingency plans could enable a company to continue operations — and were therefore traditionally beneficial for businesses. Additionally, when the field of risk management was first developed, there were limited options or compelling reasons to address financial risks such as foreign exchange rate fluctuations, volatility in equity markets, or changes in interest rates (Damodaran, 2008).
At the time enterprise risk management began to emerge, foreign exchange rates were globally recognized as a concern, inflation rates were a significant issue, and interest rates were relatively stable — but all remained pressing matters for most corporations. Under traditional risk management, primary risks consisted of hazards such as windstorms, fire, and property damage. Environmental risks had not yet advanced into sources of significant financial loss, and pension plans were neither regulated nor guaranteed (Damodaran, 2008). Because hazards represented the primary risks confronting companies, traditional risk management remained focused on those categories.
In the wake of the 1970s, enterprise risk management gained prominence because financial risks had become the most significant source of business uncertainty. New tools to manage financial risks soon emerged, allowing these risks to be handled in ways similar to how pure risks had been managed previously. Developed countries signed agreements to stabilize exchange rates, yet variations in exchange rates continued to cause operating results and balance sheets of companies engaged in global trade to fluctuate — exerting considerable influence on corporate performance (Damodaran, 2008).
The emergence of this new risk domain did not automatically expand into corporate risk management frameworks. For that to happen, corporations were required to develop literacy in financial instruments and to move beyond the categories of risk traditionally covered by insurers. Innovators who introduced these risk management tools had to take bold steps, and when those efforts failed, the costs were borne both by individual corporations and by the broader field of risk management (Damodaran, 2008). With the rise of ERM, traditional risk managers were gradually pushed into a broader spectrum of risk analysis — including financial risk management alongside other forms of risk analysis.
Organizations must determine risk response strategies and develop effective internal communication and reporting protocols. Risk response strategies refer to the approaches used to address risks once they have been identified and quantified. Risks must be evaluated in terms of their probability and potential impact in a manner that enables organizations to rank risks in a hierarchy of importance — a process commonly referred to as assessing severity, or the integration of probability and impact. Risk response strategies are fundamentally grounded in an organization's risk tolerance, which defines the threshold above which risks are unacceptable. Several strategies have been introduced to address identified risks (Tonello & Conference Board, 2007), including mitigation, acceptance, and transfer.
Enterprise risk management represents a significant expansion of the traditional risk management framework, moving beyond pure and hazard-based risks to encompass financial, operational, and strategic uncertainties. This evolution was driven largely by the economic volatility of the 1970s, which made financial risks as consequential as physical hazards. By developing structured risk response strategies — mitigation, acceptance, and transfer — organizations can systematically address risks according to their severity and in alignment with their defined risk tolerance. Effective ERM ultimately depends on both identifying risks accurately and responding to them in a manner proportionate to their potential impact on organizational performance.
You’re 72% through this paper. Sign up to read the remaining 1 section.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.