The Future of ERM: 12 Hidden, or Not So Hidden, Threats
This is the first in a twelve-part series exploring the future of Enterprise Risk Management. Each post will unpack one threat that could keep ERM from realizing its potential if left unaddressed. Additionally, and equally important, this series seeks to address how risk leaders can turn that challenge into a chance to lead.
#1 – The Future of ERM: From Risk Register to Strategic Partner
We begin here, with what may be the most fundamental question of all: Will ERM stay stuck on the sidelines, or step into the center of strategy?
ERM Has Matured, But Risks Being Relegated
Over the past two decades, ERM has grown more formal and structured. COSO (a globally recognized framework along with ISO; and a topic we will cover more in the third threat) even introduced a framework in 2016 to guide integration of ERM with strategy and performance. Yet almost ten years later, many organizations are still grappling with basic questions: Should ERM have a seat at the table? What role should it play once there? And how much value does it actually add to the strategy process?
Too often, ERM is still treated as a defensive function. Its practitioners are seen as monitors of compliance, focused on controls, incidents, and mitigation. In many organizations, ERM was originally housed with or treated similarly to Audit, Compliance, or Information Security. Functions whose job it is to look for what might go wrong or address the issues when they did go wrong. That legacy has reinforced the idea that ERM is about downside protection, not upside potential.
The result is a persistent negative connotation. Executives worry ERM will slow things down or introduce unnecessary caution. A risk committee exists, but not a revenue committee. Reports are created, but the connection to growth feels tenuous. This view is not only outdated, but it also misses the opportunity for ERM to be a catalyst for sharper, more resilient, and ultimately more competitive strategic choices.
ERM should not be defined by what it prevents. Done well, it is equally focused on opportunity, on asking the “what if” questions that help organizations see possibilities competitors overlook. It should be a bridge between the disciplines that look for problems and those that pursue growth, enabling leaders to view both risks and opportunities in a unified way.
The core issue is simple: too many organizations still treat ERM as a parallel activity, rather than a driver of strategy.
ERM on the Sidelines
When ERM is confined to risk registers, surveys, and colorful dashboards, it risks being seen as administrative overhead rather than a value creator. These tools have their place, but they are a starting point, not an end state.
Many risk teams fall into a cycle of producing reports for executives without connecting them to real choices. They catalogue risks, rank them on heat maps, and present updates to committees. The work is tidy and structured, but it does not change how capital is allocated or how bets are placed. In some cases, it even distracts business units from their actual work, drawing time into workshops and surveys without translating the output into strategic decisions.
Boards and executives do not make choices based on a static list of risks. They make choices on trade-offs: where to expand, where to cut, which markets to pursue, which acquisitions to consider. A risk register, no matter how sophisticated, cannot substitute for insight into which uncertainties matter most for those bets and why. The gap between what ERM produces and what leaders actually need is where many functions stumble. Leaders want to know: What is the business trying to achieve? What could accelerate that outcome? What could derail it? What are the options, and what do we gain or lose with each? Unless ERM can frame its work in these terms, it remains adjacent or absent, but certainly not integrated.
The Board’s Lens
Boards of directors are charged with guiding growth, stewarding capital, and ensuring long-term resilience. They care deeply about return on investment, but they also have a fiduciary duty to act in the best interests of the organization and its stakeholders.
What boards do not need is another lengthy report filled with abstract risk scores. They want clarity about which uncertainties could most affect the company’s strategic path. If a market entry depends on regulatory shifts, they want to understand that exposure. If a merger carries cultural integration challenges, they want confidence those are being addressed. If a product launch could spark both rapid growth and reputational blowback, they want to see that both sides of the equation have been weighed.
Importantly, boards also need someone in the room who is willing to challenge assumptions. Executives are under pressure to deliver quarterly results. Strategy teams are rewarded for bold moves. Both can develop blind spots. ERM can serve as a constructive contrarian, asking whether the upside is being overstated, whether the downside is being underestimated, and whether the trade-offs have been fully considered.
This role is not about saying “no.” It is about broadening the lens, ensuring decisions account not just for shareholders but for employees, customers, society, and the environment. Short-term gains that ignore these dimensions often create long-term risks. ERM can help boards balance purpose with profit by ensuring that the full set of stakeholders is considered in every major decision.
Linking Risk to Strategy
To shift from adjacent to embedded, ERM must anchor its work directly to strategic objectives. That requires a few key shifts in mindset.
First, risks should always be framed in relation to growth initiatives. If the company is pursuing expansion into a new geography, ERM should illuminate both the exposures and the accelerators. If capital is being invested in digital transformation, ERM should highlight not just the cybersecurity concerns but also the opportunities to leapfrog competitors.
Second, risk conversations should be explicitly linked to capital allocation. Every strategic initiative has a price tag, and every trade-off has financial implications. ERM can help boards and executives weigh whether the resources devoted to a particular bet are proportionate to the upside and downside it presents.
Third, ERM should focus on uncertainty management rather than simple oversight. Strategy is inherently uncertain. The most valuable contribution ERM can make is to help leadership anticipate possible futures, test the resilience of plans, and prepare for alternative outcomes.
By framing its role in this way, ERM stops being the function that audits yesterday’s risks and becomes the partner that equips leaders for tomorrow’s opportunities.
Timing Is Everything
Integration is not just about what ERM brings to the table, but when. Too often, risk teams are asked to review a decision after it has effectively been made. Their role becomes monitoring and reporting, rather than shaping and influencing.
The earlier ERM is engaged, the more constructive its role can be. Being in the room at the outset allows risk leaders to support bold moves while also asking the right questions: Why this strategy? Why now? Why in this form? What assumptions lie beneath it, and how might they be tested?
This timing shift is not about mandating ERM’s presence in every planning session. It is about executives and boards wanting ERM in the room because they see the value in its perspective. That requires trust, credibility, and a track record of constructive engagement.
When ERM builds relationships across functions, demonstrates curiosity about the business, and frames its input in terms leaders care about, it stops being an obstacle and becomes a partner.
Practical Moves
There are practical ways to make this shift tangible. Scenario modeling can test the resilience of strategies under different conditions. Pre-mortems can help leadership imagine why an initiative might fail before it begins, uncovering vulnerabilities that can be addressed early. Structured “red team” exercises can surface contrarian perspectives in a safe and constructive way.
The specific tools matter less than the posture they represent. Each reinforces the idea that ERM is not about reporting, but about preparing the organization for uncertainty and enabling sharper choices. Some practitioners have even begun to experiment with reframing the discipline entirely. Instead of Enterprise Risk Management, terms like Strategic Opportunity Management or Enterprise Strategic Management emphasize that the focus is as much on upside as downside. Whatever the name, the aim is the same: to ensure ERM is not a parallel process, but an integrated engine of strategic clarity.
Bringing It Together
ERM that fails to integrate with strategy risks irrelevance. The future of the discipline depends on its ability to move from risk registers and compliance dashboards to the center of strategic decision-making.
That shift requires a constructive posture: less about blocking moves, more about sharpening them. Less about risk as a dirty word, more about opportunity as a companion concept. Less about being told to monitor, more about being sought out as a partner.
This is only the beginning. In the months ahead, I will explore eleven more threats that stand in the way of ERM’s evolution, from over-reliance on frameworks to missteps that erode trust with leadership. Each post will offer not just the problem, but a path forward. For now, the question is simple: Is your ERM function part of the growth engine, or still standing in the hallway with a clipboard?
Let’s discuss how to keep your risk program moving forward without missing a beat.
Click here to schedule a Discovery Session or use the Discovery Session button on my website.