ERM vs. ORM – What is the difference? (Part 1)

February 5, 2019

This is the first in our series of posts on ERM and ORM: What is the difference and why does it matter? Most importantly in this series, we'll explore how to distinguish where your organization is on its risk journey and what best practices in ORM are.

One of the new buzz phrases is Operational Risk Management (ORM). Many commentators seem to believe that Environment, Health & Safety (EHS) and compliance programs are the core fabric of ORM. Unfortunately, most "safety cultures" miss the key points of true enterprise-level risk management:

  1. What is your risk profile as an organization?
  2. What are you doing to reduce risk over time?

The disconnect exists because a clear focus on EHS does not equate to true risk management. Enterprise Risk Management, or ERM, seeks to holistically identify the possible outcomes of interactions across an organization, and also to evaluate the probability and impact of those outcomes.

Let's take a minute and look at the relationship between ERM and ORM.

ERM involves the systematic identification, assessment and mitigation of risks that could impact an organization. This includes a framework for strategic planning and operational processes coupled with effective decision support processes and tools. Risk is defined as any event that impacts a company's ability to meet its objectives. That would include production losses and lost opportunities.

The goal of ERM is to mitigate financial, operational, and compliance risks to an acceptable level through policies, systems, and procedures. At the end of the day, every type of risk has a financial component because risk can impact a company's privilege and ability to operate. Therefore, ERM components are often interrelated.

ORM is a subset of ERM. More specifically, ORM addresses operational and compliance risks. In traditional ERM versus ORM language, ORM is focused on everything that is non-financial in nature… although as we've discussed, in reality all types of risk have the potential for financial impact.

The current view of ORM that seems to permeate the analyst community is primarily focused on traditional EHS compliance tactics and challenges such as Audit, PHA, Incidents, and Corrective Action Management. Sometimes other tools such as bow-tie analysis or work permitting are added into the viewpoint… but the focus is still firmly on traditional, siloed tactics specific to EHS or compliance activities. Because EHS and compliance do not focus on the risk of production loss through inefficiencies, poor asset management, workforce competency, and conduct of operations, the typical EHS-first view of ORM does not address real risks that can have a significant impact on an organization's future.

Okay, so what DOES holistically address ORM?

Companies wanting to properly address ORM challenges must move beyond after-the-fact, results-based EHS tools to a comprehensive, integrated viewpoint.

Four key areas need to be addressed:

  • Asset Performance Management (APM)
  • Conduct of Operations (CoO)
  • Compliance (EHS/PSM)
  • Workforce Competency

Many companies are attempting to leverage legacy EHS IT solutions, but these lack functionality beyond "ORM Basics" and do nothing to help companies achieve Operational Discipline, which in turn leads to Operational Excellence.

What is the Maturity Roadmap?

[Figure: Operational Risk Management - Maturity Roadmap]
Defining and using an accurate, comprehensive risk registry as threats emerge in real-time is integral to making this paradigm change. Realistically, companies are going to need to re-architect their data to move it out of data silos so the resulting interoperability of business processes can improve governance and auditability. It sounds daunting, but help is available. Once you understand the relationship between ORM and ERM, the benefits of an integrated, holistic approach become clear.