
The Future of ERM: 12 Hidden, or Not So Hidden, Threats
When ERM Becomes a Checkbox Exercise, the Business Loses the Point
Nearly every organization can produce a tidy risk register. They can show heat maps, control attestations, and mitigation plans. The problem is not simply that the documents provide little value. The deeper issue is the behavior they reinforce.
When enterprise risk management becomes a task of completion rather than a practice of decision support, it slides from influence to form filling. ERM should help executives make faster, clearer, and more flexible choices. When it becomes paperwork for auditors or compliance teams, it creates comfort, not resilience.
Below are the signs that you are in, or are slipping into, checkbox mode, why it matters, and how to change course before a quiet failure becomes a loud one.
A Check-the-Box Moment That Failed a Decision
An executive team rushed to approve a new supply chain contract. The deal promised faster delivery and a modest margin improvement this quarter. ERM was asked for a quick review. The team sent back a standardized heat map and a long list of controls. The heat map showed moderate supplier risk and the controls were checked green. The board signed off.
Six months later several key suppliers missed delivery windows. Inventory shortages forced production slowdowns and missed commitments. The controls existed on paper. They did nothing to catch the weak signals that mattered: early signs of cash stress among suppliers, shifts in routing times, and a regulatory change in one jurisdiction.
The artifacts were complete. The decision support was missing because completing the register, the heat map, and the control effectiveness document mattered more than informing the choice.
Diagnosis: What Checkbox Mentality Looks Like & Why It Emerges
Checkbox ERM has a familiar flavor.
Boilerplate risk registers that get copied from quarter to quarter. Heat maps that are colored more for shock and awe and to symbolize completeness than to guide action. Controls designed for auditors, not operators. Meetings whose agenda is depth of documentation rather than depth of judgment. Products that are static and dated the moment they are published.
Why does this happen? Four forces push ERM into checkbox mode.
First, as discussed previously, incentives. If the reward is to avoid audit findings, teams will optimize toward tidy documents that reduce scrutiny and create the perception that things are managed well.
Second, resource scarcity. When compliance tasks consume time, there is little left for horizon scanning and scenario planning. People have products to sell, deadlines to hit, training to complete, and teams to manage.
Third, leadership signals. When executives ask for documentation rather than counsel, ERM becomes a validation point. And if documentation is created after decisions rather than informing them, it becomes CYA paperwork, not risk work.
Fourth, measurement. If ERM is judged on volume, completeness, and annual attestations, it will deliver volume, completeness, and annual attestations.
When ERM is positioned as a proof point for regulators or auditors, leaders treat it as a cost center rather than a strategic capability. That narrows invitations to strategy conversations and locks ERM into reacting after decisions are made, if it is invited at all.
Why Checkbox Mentality Is Dangerous
Checkbox work creates three harms that often compound.
First, false confidence. Clean reports and dashboards give the illusion of control. Leaders read a green heat map and assume exposure is low. They do not see the missing signals that were never surfaced because surfacing them carried career risk. That also means decisions get made on incomplete signals and insights.
Second, opportunity cost. Time spent updating templates is time not spent testing scenarios, pressure-testing assumptions, or scanning weak signals. When teams are busy checking boxes, they miss emerging shifts that materially shape the business.
Third, cultural drift. If people are rewarded for avoiding scrutiny rather than raising uncertainty, they stop bringing bad news. A culture that punishes wobble produces a workforce that aims to be invincible or invisible. Both are dangerous.
Put simply, if an engineer realizes a simple design tweak may make a product 10x faster and more cost-effective to manufacture, but has been taught that no one listens, innovation dies. Imagine a nurse who notices a medication dosage error but does not question the doctor. The patient suffers an adverse reaction because the culture punishes those who speak up, and a preventable outcome becomes a crisis.
If your ERM materials are busy but your surprises are increasing, you have evidence that the function is performing for auditors rather than for leaders.
Reframe: What ERM Must Be Instead
ERM is not a compliance machine. Its purpose is to help leaders make decisions under uncertainty with clarity and speed.
First, ERM must be a decision enablement function. Deliverables should map directly to decision points. Heat maps may be fine, but only if they link to the choices executives are being asked to make. And the question of whether a heat map adds value remains.
Do you create a heat map when you are making a personal decision? When you are comparing refrigerators, do you rate the likelihood and impact of failure for each model, read every manual closely to identify the controls that might mitigate each failure, and then decide whether to accept the issues, avoid them by simply not owning a refrigerator, confirm your transfer plan through the warranty purchase and period, and finally draw up a detailed list of mitigation plans (with owners, of course) for who will replace the filters, vacuum the dog hair from underneath it, and put it on a separate, dedicated circuit to avoid power surges?
Maybe you do, and if so, I cannot imagine what buying a house or making a major decision looks like in your household. But if you are like most people, you are not creating a heat map; you are making a decision based on as much meaningful input as you have (i.e., the signals, drivers, and insights). Let’s assume you read that a $2,500 refrigerator has all the bells and whistles but is almost certain to have problems within a year or two. Alternatively, you read reviews of a $1,000 refrigerator that has over 15,000 5-star reviews. I am not sure you need a fully developed heat map to tell you that you are likely okay giving up a few of the functions (that will fail anyway) for a more dependable machine.
Second, ERM must be forward-looking. Replace static measurement with Signals, Drivers, and Insights.
- Signals show where reality is beginning to shift.
- Drivers explain why the shift is occurring.
- Insights translate that movement into implications for choice.
Third, ERM must be a strategy partner. The function should sit upstream in planning, not downstream in checkbox season. That way ERM helps shape commitments, not audit evidence.
When ERM functions this way, leaders move faster with greater confidence and fewer blind spots.
Practical Playbook: Five Immediate Steps to Move ERM From Compliance to Influence
These are small and reversible changes. They do require discipline, action, and likely a different mindset.
- Reframe one deliverable. Replace a quarterly heat map with a two-page Signals, Drivers, and Insights brief tied to a current strategic decision. Track whether it changes the discussion.
- Embed ERM into decision moments. Assign short ERM products to upcoming planning gates. ERM’s role is to clarify uncertainty instead of stamping documents.
- Pilot rapid feedback loops. Run a one-month ERM pilot on a decision in motion. Show before and after.
- Change incentives. Reward those who surface early signals. Recognition must be visible and linked to career benefit.
- Clean house on documents. Audit your outputs. Keep only what changes behavior. Stop generating documents that serve CYA rather than leaders.
These actions are practical and simple. They reset what the organization rewards and what it pays attention to.
Closing Provocation & Call to Action
If ERM only produces tidy artifacts for auditors and compliance teams, it has created comfort, not resilience. The function becomes decorative, like books that look impressive but cannot be read or the hourglass on the desk that has not been turned in years.
Three questions to test whether ERM is performing or masquerading as an effective program:
- Is ERM invited into strategy conversations early, or only after the commitments are set?
- Which ERM document has changed an executive’s decision in the last 12 months?
- What one decision this month could ERM sharpen, and how will you measure the difference?
Try this simple pilot. Replace one quarterly deliverable with a Signals, Drivers, and Insights brief tied to a high-stakes choice. Run it for one month. Share the results with leadership. If the briefing sharpened the decision, you have proof. If not, you have learning.
ERM’s job is not to eliminate risk. It is to strengthen the quality of decisions when uncertainty is present. When the function stops being a checklist and starts being a catalyst, the organization becomes faster, more resilient, and more capable of turning uncertainty into advantage.
Let’s discuss how to keep your risk program moving forward without missing a beat. Click here to schedule a Discovery Session or use the Discovery Session button on my website.