The Future of ERM: 12 Hidden, or Not So Hidden, Threats
#2 The Future of ERM: ERM is Too Slow
The complaint is not new. ERM moves too slowly. It builds reports that arrive after the conversation has already shifted. Leadership teams make decisions before the data or recommendations are ready. By the time the analysis is complete, the business has moved on.
This is not just an operational flaw. It is a credibility problem. When risk management lags behind decision-making, it feels irrelevant. Executives see it as thoughtful but disconnected, useful but too late to matter.
The Speed of Decision-Making
The pace of business today is faster than ever. Strategic choices that once took months are now made in days. Supply chains, technology, and market expectations shift with little warning. Leadership teams respond to signals almost immediately, because waiting often means losing ground.
ERM has not kept up. Most programs still rely on annual or semiannual cycles that worked in more stable times. They collect surveys, hold review meetings, and publish summaries that capture what was true at a point in time. But that point is often already behind the present.
When executives move faster than ERM, they stop waiting for it. They make choices based on instinct or limited information, and the risk report becomes an afterthought. It is not that they reject risk discipline. They just no longer see it as a tool for real-time support.
The Cost of Lag
A slow risk function has consequences. When risk assessments and reporting fall behind, organizations react rather than anticipate. Emerging threats go unnoticed until they materialize. Strategic opportunities are avoided because no one has time to assess them properly.
Delay also weakens trust. Executives learn to see risk management as procedural rather than practical. Meetings become filled with templates, checklists, and requests for data when what leaders want is perspective. Every time ERM asks for more time, it reinforces the belief that it cannot keep up.
Once that perception sets in, it is difficult to recover. Leaders tune out. Risk reports become background documents. The organization goes through the motions of oversight without getting real insight from it.
Why ERM Is Slow
Part of the problem is design. ERM was built to provide structure, documentation, and control. It came from a time when predictability mattered more than speed. The frameworks, governance models, and approval chains that ensure consistency also create inertia.
The standard annual risk assessment is a good example. It requires coordination across functions, careful analysis, and layers of validation. Each step adds time. By the time results are consolidated and presented, the operating environment has changed.
Culture adds to the delay. Many risk teams sit outside the core business, aligned more with audit or compliance calendars than with operational timelines. The emphasis on completeness encourages more analysis rather than quicker decisions. Accuracy becomes the goal, even if it costs relevance.
That caution is understandable. Risk professionals do not want to be wrong. But in a world where conditions shift every quarter, a perfect answer that arrives too late is less useful than a good one that arrives on time.
If ERM Goes Agile, What That Really Means
Speeding up ERM does not mean rushing or ignoring rigor. It means adapting to how decisions are actually made. “Agile” in this context is not a method. It is a mindset.
An agile ERM program uses shorter feedback loops. Instead of large, slow assessments, it runs smaller, continuous reviews that capture changes as they occur. Risk priorities are updated as new information appears, not just once a year. This makes risk awareness a living process rather than a scheduled exercise.
Embedding risk discussions into daily operations also matters. Instead of waiting for formal meetings, risk leaders can sit in on project reviews, product launches, and planning sessions. Their input becomes part of the decision flow, not a separate step.
Technology can support this shift. Dashboards, automated indicators, and data feeds can provide near-real-time signals. But the key is how those signals are used. The goal is not to overwhelm executives with more data, but to translate it quickly into judgment and action. Tools can highlight issues, but people must interpret them and respond.
Agility also requires a different view of precision. Not every decision needs exhaustive analysis. Sometimes, a directional sense of the risk is enough to guide action. A short assessment that outlines the main exposures, likelihood, and options can help leaders move forward with awareness instead of hesitation.
Lessons from an Agile ERM Strategy
Strategy has already gone through a similar transition. Long planning cycles once produced static roadmaps that were outdated within months. Organizations adapted by introducing rolling plans and faster feedback. They learned that planning is not a one-time event but a continuous process.
ERM can take the same path. Instead of building a static register, risk teams can maintain a dynamic view that updates as conditions change. Instead of delivering thick reports, they can share brief updates aligned with business milestones.
The aim is to move at the same rhythm as the organization. If executives review performance weekly, risk indicators should update on that same schedule. If a new venture is launched, ERM should be able to assess its exposures within days, not weeks.
Balancing Speed and Rigor
A faster approach does not have to mean less discipline. The difference is in timing and sequencing.
Rigor comes from verifying assumptions and maintaining accountability, not from the length of analysis. In an agile process, validation happens in smaller steps. Each iteration improves the accuracy of the last. The result is not a single comprehensive report but a series of informed updates that build over time.
Boards and audit committees can still receive formal summaries. The difference is that those reports reflect a living system, not a static one. Instead of focusing only on a snapshot, boards can see how risks evolve and how management responds. That dynamic perspective provides more insight than any one-time assessment.
The Human Factor
Speed depends as much on relationships as on process. The stronger the connection between risk professionals and business leaders, the faster information moves. Informal conversations, quick calls, and short scenario discussions can surface issues long before they reach a formal report.
Embedding risk people in business units helps close the gap. When they share the same timelines and objectives as the teams they support, they gain visibility early. They can identify patterns, test assumptions, and influence choices before risks harden into outcomes.
This requires a mindset change within ERM. The goal is not to control from the outside but to guide from within. Risk management becomes less about slowing things down and more about helping the organization move safely at its chosen speed.
Balancing Speed and Rigor
A faster approach does not have to mean less discipline. The difference is in timing and sequencing.
Rigor comes from verifying assumptions and maintaining accountability, not from the length of analysis. In an agile process, validation happens in smaller steps. Each iteration improves the accuracy of the last. The result is not a single comprehensive report but a series of informed updates that build over time.
Boards and audit committees can still receive formal summaries. The difference is that those reports reflect a living system, not a static one. Instead of focusing only on a snapshot, boards can see how risks evolve and how management responds. That dynamic perspective provides more insight than any one-time assessment.
Redefining Value
The problem with being slow is not just inefficiency. It is the loss of relevance. When insights arrive too late to matter, ERM becomes a formality rather than a strategic partner.
Speed is now part of value. Risk management that can respond quickly helps leadership act with confidence. It allows the organization to take calculated risks rather than avoid them out of uncertainty.
This does not mean abandoning discipline. It means using discipline to stay ready. The most effective ERM programs are those that see risk awareness as a rhythm, not an event. They listen for change, update continuously, and provide guidance while decisions are still forming.
A Closing Reflection
If ERM wants to stay credible, it must move at the speed of leadership. The purpose of risk management is to support decisions, not to document them after the fact.
Speed does not have to come at the expense of depth or accuracy. It comes from aligning with how the business already moves and being willing to engage earlier, even with incomplete information.
The shift requires trust, flexibility, and a willingness to trade certainty for relevance. But when ERM adapts to that tempo, it becomes more than a safeguard. It becomes a strategic enabler, one that helps organizations move faster, but also smarter.
Let’s discuss how to keep your risk program moving forward without missing a beat.
Click here to schedule a Discovery Session or use the Discovery Session button on my website.