Why it’s time to rethink enterprise risk management

Structural shifts are exposing the limits of backward-looking ERM exercises. Reorient them around what truly matters with clarity — and AI.


In brief
  • In a nonlinear, accelerated, volatile and interconnected world, traditional annual enterprise risk assessments no longer deliver meaningful results.
  • Leading organizations are returning to first principles, combining judgment, cultural change and AI-enabled risk sensing to strengthen enterprise resilience.

Agentic cyberattacks. Iran. Tariffs. These are not headline risks; they are structural changes in the operating environment. What roles do enterprise risk management (ERM) and enterprise risk leadership play in helping organizations navigate this new world? In too many organizations, the uncomfortable truth is: very little.

As the external risk environment accelerates, enterprise risk operating models aligned to the audit calendar are fundamentally misaligned, yielding little insight into how to adapt strategy or maintain core enterprise commitments. Many programs check the compliance box but are backward-looking, documenting what has changed and rarely challenging management with fresh insight. The familiar cadence of assessments, heat maps and risk registers offers structure, but little confidence that the enterprise is building the resilience it needs in the face of disruption.

Over the years, ERM has too often become defined by rigid methodologies that add bureaucratic bloat without delivering strategic value. Consider the standard annual assessment: many teams spend 12 months calibrating a risk matrix, only to produce a backward-looking artifact that struggles to hold executive attention because it lacks actionable foresight. Encouragingly, we are beginning to see a shift emerge: a cohort of leaders we call “Risk Strategists” are challenging the status quo.

These change agents are working to reestablish the why and how behind ERM — a return to first principles. They’re stepping back from inherited models and asking foundational questions about purpose — what risk management is meant to enable — and whether today’s approaches are actually delivering it.

What is on the horizon? How do we identify signal through noise? How prepared are we for our worst day? These are the questions leaders must revisit and begin to answer in new ways.

73% of organizations say they aren’t fully prepared for this unpredictable risk environment, according to the 2025 EY Global Risk Transformation Study.

Why traditional enterprise risk management is falling behind

Many global organizations still operate on long-standing assumptions about the risk environment that no longer hold. From the financial crisis through the pandemic to the return of kinetic conflict, organizations are experiencing a pattern of disruption that does not unfold in isolation. This is a NAVI world — nonlinear, accelerated, volatile and interconnected — in a moment of structural, generational change.

In this environment, the assumption that risks can be comprehensively cataloged and scored on an annual cadence is a dangerous fiction. Take the US tariff rate in 2025: economists had put just 5% odds on it rising to near 20%. Yet six months later, those 5% odds became a reality, with the highest US tariff rate in a century.

As risks compound and cascade across domains, the quality of external signals and forward-looking indicators matters more than the mechanics of risk registers and matrices.

Legacy practices were designed for a period of greater stability and remain useful as baselines, but they were never intended to keep pace with rapid change. When relied on too heavily, they devolve into familiar outputs: two-by-two matrices, expansive risk registers and recurring committee cycles. The result is a process heavy on documentation that offers the illusion of completeness rather than strategic relevance.

One company we worked with illustrates the consequence. A small ERM team is responsible for managing 40 complex risks. When they meet with business leaders, the core question is: “What happened since the last time we spoke?” The conversation is backward-looking and taxing to the risk owners it is intended to support. Strategists engage on much closer to an equal footing, asking sharp questions designed to probe blind spots, scenarios or emerging second-order effects.

Return enterprise risk management to first principles

At its core, an enterprise risk function exists to help the organization execute its strategy, playing both a value-protection (defensive) and a value-creation (offensive) role. Risk should build enterprise resilience: the ability to adapt strategy and maintain an organization’s fundamental commitments in the face of disruption.

Leading organizations are reassessing risk management through this lens, revisiting foundational questions to better prepare management to take informed risks and weigh strategic alternatives. Guided by a focus on prioritization, relevance and timeliness, executives are asking:

  • Where are the risks to our strategy?
    Too often risk assessments are based on backward-looking, historical financials, with risk events rather than strategic assumptions as the unit of analysis. Risk Strategists are flipping the script: they treat future commercial offerings, business model and market position as the starting point for everything from risk appetite to risk prioritization and action.
  • What are the promises we can’t break?
    While Strategists work to protect the growth thesis, they also work to engineer the defensive floor: what do we need to do to ensure we can maintain our unique enterprise commitments? These commitments look different for each organization and can include earnings targets with investors, the provision of critical services to customers or adherence to regulation.

A cultural and technological revolution: three actions to take now

1. Demand a change in the culture around risk

The future of ERM is as much cultural as it is technical. Leaders must feel empowered to move beyond rigid frameworks toward assessments of impact, velocity and strategic relevance. For many organizations, this means moving away from long risk registers toward a smaller set of enterprise-level risks that leadership actively debates, maintaining necessary baselines while shifting emphasis from voluminous reporting to synthesis, judgment and dialogue.

One of our clients operated for nearly 70 years without a formal risk function until it was acquired. The new leadership team decided it was time to build one. Their core question: how do we protect ourselves without adding bloat? In many ways, starting fresh put them at an advantage: they could establish protections without inheriting the layers of process and glut of reporting that often accumulate in legacy ERM programs.

2. Use technology to combine strong baselines with continuous risk sensing

Periodic risk assessments, KRIs and reviews matter: they establish discipline and a shared view of exposure. But in a NAVI world, they must be complemented by continuous risk sensing that detects shifts between formal review cycles and identifies what is becoming consequential, not just what is already documented.

Leaders should demand an enterprise risk operating model that preserves governance while embedding near-real-time insight directly into planning, execution and performance discussions. Advances in AI now make that possible.

Across the risk lifecycle — identification, monitoring and response — AI can synthesize data at scale across domains, including satellite imagery, social sentiment, supply chain telemetry, dark web activity, geopolitical forecast markets and regulatory filings. Integrating external signals more dynamically, and modeling compound and cascading scenarios, is no longer theoretical.

3. Have the courage to be a change agent

It is easy to accept the established rhythms of ineffective ERM. Many activities appear constructive on the surface, even as they mask deeper gaps in relevance and timing. To seize what is now possible, leaders must have the confidence to question inherited practices and demand a better path for delivering value. Settling for anything less risks positioning the risk function as a constraint on resilience — rather than its enabler.

Summary

Enterprise risk management is at an inflection point. As disruption becomes faster, more interconnected and less predictable, legacy ERM models built around annual cycles and documentation offer diminishing value. By returning to first principles, focusing on strategic relevance and embracing continuous risk sensing enabled by AI, organizations can reposition risk as a driver of resilience and informed decision making rather than a constraint on progress.
