
The Future of ERM: 12 Hidden, or Not So Hidden, Threats
# 3 Over-Reliance on Frameworks and Tools
Enterprise Risk Management has grown up alongside frameworks like COSO and ISO. They provide structure, language, and credibility. They give companies a way to measure progress, demonstrate maturity, and align with regulators and auditors. Risk systems and dashboards serve a similar role, providing reporting and visualization that feels authoritative and precise.
There is no doubt that frameworks and tools have value. The danger comes when they move from being guides to being the entire definition of ERM. At that point, organizations risk mistaking process for outcomes.
## When Frameworks Become the Goal
The attraction of COSO or ISO is clear. They are recognized standards, updated periodically, and easy to present to boards or auditors. The challenge is that they evolve more slowly than the risks businesses face. Cybersecurity, AI, climate change, and geopolitical instability are shifting faster than any framework update cycle. A company may show strong alignment with COSO and/or ISO while still struggling to prepare for its most pressing exposures.
This creates what I call the maturity trap. Progress is measured by adherence to the framework, not by the ability to make better, optimized business decisions. Risk registers get longer, reporting gets more polished, and executives get more charts and dashboards. Yet the function itself may not be more effective in helping leadership understand and act on what matters most.
## The Illusion of Tools
The same risk applies to systems and dashboards. They create an appearance of sophistication, but often overwhelm executives with metrics that lack practical meaning. A dashboard can become the destination instead of the starting point for discussion. If leaders walk away with more data but no clearer insight, the investment has not delivered value.
I have seen companies celebrate the rollout of a new risk tool or point proudly to COSO or ISO alignment, only to find that leaders still do not turn to ERM when making strategic decisions, or even invite it into the room. The presence of the tool or framework becomes a substitute for impact. At that point, even the most polished PowerPoint or dashboard is little more than a parlor trick: impressive visuals masking the absence of real value.
## The Missing Ingredient: Culture
Frameworks and tools may give ERM structure, but culture is what makes the discipline come alive. A strong risk culture encourages open and transparent dialogue. It makes it safe to bring forward concerns, to challenge assumptions, and to ask hard questions.
Too often, employees hesitate to raise risks because they fear being labeled negative or disruptive. Yet organizations should welcome these so-called nonconformists. They are often the ones who see cracks before others do. In the same way, ERM should create space for people to question opportunities: "Why wouldn't we take more risk here?" "What would the upside and downside look like if we took a more aggressive approach?" These questions are as important as the ones focused on mitigation.
Risk culture is built when reporting risks and opportunities is rewarded, not punished. When leaders treat risk discussions as part of value creation, not a barrier to it, ERM moves beyond compliance and becomes a catalyst for better decisions.
## ERM Is Not Audit
Another risk of leaning too heavily on frameworks and tools is that ERM starts to resemble Internal Audit. But they are not the same. Internal Audit is focused on assurance and control testing. ERM is focused on facilitating conversations that lead to better choices.
That does not mean ERM avoids accountability. On the contrary, ERM should hold risk owners, executives, and business units accountable for managing risks and opportunities. But ERM itself does not own those risks. Its role is to convene, to interpret, and to challenge in a constructive way.
Collaboration is key. ERM works alongside Audit, Compliance, and Information Security, respecting their expertise while bringing its own. Where they bring technical depth, ERM brings a cross-cutting perspective that ensures risks and opportunities are seen in context. Done well, ERM becomes a positive, solution-oriented partner, not a checkpoint that slows things down.
## Bringing It Together
Frameworks and tools are critical to launching and sustaining ERM programs. They are a foundation, but they are not the finished structure. What matters is how people use them to drive action.
The future of ERM depends on creating a culture where risks and opportunities are openly discussed, dissenting voices are valued, and leaders are empowered to make informed decisions. It depends on drawing clear lines between ERM and other functions, while also collaborating closely with them.
ERM is not defined by COSO binders, ISO checklists, or polished dashboards. It is defined by the quality of conversations it sparks and the value it creates in helping organizations balance opportunity with protection.
Let’s discuss how to keep your risk program moving forward without missing a beat.