
The Future of ERM: 12 Hidden, or Not So Hidden, Threats
The Talent Gap in ERM: Why Yesterday’s Skills Cannot Conduct Tomorrow’s Symphony
For years the world of enterprise risk has carried a quiet assumption that its talent pipeline would naturally follow the same path it always had. People who excelled in compliance, internal audit, or governance would eventually migrate into ERM. They would learn the frameworks, master the documentation, attend the meetings, update the heat maps, and keep the system moving. It was never questioned because for a long time ERM behaved like an extension of those disciplines. It looked backwards. It emphasized control. It focused on checking that the notes on the sheet music matched what had been played.
But at some point ERM began to drift away from what it was meant to become. It was never designed to be the final inspector of yesterday. It was supposed to sit closer to the front of the orchestra, listening to the changing tempo of the marketplace and guiding leaders before the next movement arrived. Instead, it stepped into a role that was safer and more familiar. Like a section supervisor counting beats after the performance, it became comfortable in documentation and slow to move into interpretation.
To understand why the talent imbalance exists, we have to rewind to the early and mid-2000s. COSO, Sarbanes-Oxley, and a series of governance requirements reframed risk into something that lived next to compliance rather than strategy. It was not entirely intentional. Regulations were tightening and someone needed to manage the related oversight. ERM appeared to be the natural host, so it absorbed these responsibilities even though they gradually transformed its intent. Before long many ERM groups were reporting into internal audit. Once that happened the expectations, language, and background of the function changed. Governance, risk, and compliance became bundled together even though their purposes were not identical. It was a merger based on convenience rather than design, and the talent pipeline shifted accordingly.
Hiring followed comfort zones. Leaders brought in people who spoke the same vocabulary and operated from the same mental model. The assumption grew that ERM should attract auditors, compliance associates, or individuals trained to test whether something passed or failed. Entire career paths were built around this one idea. Internal audit would feed into risk and risk would eventually feed into the CRO role. In that process the original intent of ERM faded. It slowly traded its aspirational identity as a strategic partner for one that lived in documentation, controls, and assurance.
The consequence of this shift is visible today. Many ERM teams are staffed with people who know how to protect an organization yet are rarely asked to perceive what lies beyond the horizon. They can verify the notes that were played, but they are not trained to hear changes in tempo before the first violinist begins to move. The protective posture became so dominant that it began to suffocate the perceptive one. ERM turned into a form of helicopter parenting for corporate risk. It hovered, it demanded perfect mitigation plans, and it insisted on neat diagrams that made the world look more stable than it actually was. Like parents who clear every obstacle from their child’s path, ERM believed that tight supervision would create safety. In reality it prevented the organization from developing its own agility, curiosity, and readiness for failure.
There is nothing wrong with the classic audit or compliance mindset. These roles are vital and they serve a clear and important purpose. Someone must validate controls, test processes, and ensure that obligations are met. The issue is that the same training and experience are often not enough to interpret weak signals, scan for drivers, or understand the larger forces shaping a company’s future. The gap is not about intelligence. It is about orientation. Audit excels at the linear path from A to B to C. ERM needs people who can walk off the trail entirely and understand the landscape that surrounds it.
Consider the difference between downhill ski patrol and backcountry search and rescue. Both are guardians of safety. Yet their work could not be more different. Traditional audit roles resemble the downhill environment. The boundaries are marked. The hazards are known. The job is to watch for deviations from expected patterns. Backcountry work requires something else entirely. It demands people who can navigate unfamiliar terrain, read subtle environmental changes, anticipate how snowpack will behave, and interpret what might be developing long before it becomes visible. Many ERM challenges look far more like the backcountry than the ski resort, yet our hiring tends to prioritize people trained for groomed slopes.
This talent gap is not simply a list of missing skills. It reflects a missing philosophy. Many ERM groups have the rigor. What they lack is imagination. The capacity to interpret uncertainty rather than fear it. The ability to build a scenario that reveals possibilities rather than simply measure exposures. The patience to look beyond the risk register and explore how geopolitical shifts, cultural changes, technological disruptions, or emerging behaviors might alter a decision before that decision is made.
Most ERM functions today still treat uncertainty as an afterthought. They focus on what they can test and record, not what they can sense or interpret. They gather data points like someone watching a control panel with only three or four indicators. When one of those lights flashes they respond. Yet the real story might be unfolding across hundreds of small signals that never fit into a control framework. The person who sees the whole board will always detect the problem much earlier than the person who waits for a specific light to blink.
The world has moved into ambiguity. ERM stayed rooted in documentation. Leaders face decisions shaped by nonlinear forces that shift without warning. Yet many ERM groups remain focused on evaluating what happened rather than understanding what could happen next. They became masters of Monday morning quarterbacking, describing yesterday in great detail, while failing to offer meaningful insight about tomorrow.
If ERM wants to remain relevant it must rethink the kind of talent it seeks. The future ERM leader looks more like a strategist, facilitator, technologist, linguist, and pattern reader rolled into one. They understand systems, not just spreadsheets. They can guide a conversation, not just produce a report. They can translate uncertainty into something leaders can act on. They can sense emerging conditions and shape how executives interpret them. They are the conductor who can hear when the tempo begins to change and alert the orchestra before the next movement begins.
These individuals come from a wide variety of backgrounds. They might be intelligence analysts, futurists, strategic planners, scenario designers, game theorists, behavioral scientists, or storytellers. They might be experts in digital ethics or competitive intelligence. They might come from places where interpretation mattered just as much as execution. Unlike the traditional ERM pipeline, they are not bound to one department or one style of thinking. They bring fresh language and a new posture that is curious, exploratory, and grounded in possibility.
But bringing this talent into ERM requires more than a job posting. It requires a shift in narrative. Talent follows narrative. When ERM signals caution, restraint, and defensiveness, it attracts people who identify with those traits. When ERM begins to speak in the language of exploration, scenarios, preparedness, and early signals, it opens itself to people who see uncertainty as an opportunity to generate insight. HR must stop assuming risk equals auditing. Leadership must stop thinking ERM is only a heat map and a meeting no one looks forward to. The vocabulary itself must change because words shape perception and perception shapes who enters or stays in the room.
There are barriers, of course. Some executives question why they need someone who thinks like a futurist. Others wonder what the return will be when the work seems abstract. Yet the return is clear. Earlier signal capture. Faster adjustment to strategic shifts. Fewer unpleasant surprises. More moments where the company is positioned to seize advantage because someone noticed how the tempo was changing long before the rest of the orchestra realized it.
You cannot build an anticipatory organization with retrospective talent. If ERM continues to hire from the same narrow pool, it will continue to produce the same narrow outcomes. It will remain the function that documents risks instead of helping leaders navigate them. It will stay relevant only to the portion of the business that cares about regulatory compliance. Eventually it will fade, or has already faded, into a necessary utility rather than a strategic partner.
The future needs something different. ERM’s mandate is shifting from stewardship to sensemaking. The leaders of tomorrow will not be measured by how well they maintain heat maps or ensure control effectiveness. They will be measured by how well they help the organization interpret the forces shaping its future. They will act as translators who turn weak signals into meaningful conversations to address uncertainties. They will work with strategists, innovators, and technologists to explore how decisions might unfold. They will build scenarios, guide debates, and create clarity out of confusion. They will be conductors who help the entire organization hear what is forming long before the next movement begins and before the decisions are made, not after.
The future does not need ERM to prove what already happened. The future needs ERM to prepare leaders for what is coming.