Optimizing Your Enterprise Risk Management Strategy

John Rogula

September 12, 2025

In recent years, businesses have had to navigate a string of large-scale disruptions, underscoring that resilience is essential. As a result, enterprise risk management (ERM) is evolving from a compliance exercise into a strategic advantage. A structured, systematic approach to assessing and managing a broad range of strategic, operational, financial and compliance-related risks across an organization, ERM helps businesses stay ahead of volatility.

With rapidly advancing technologies, shifting regulatory environments and increasing interconnection among global markets, a proactive, risk-informed culture is now critical. These seven considerations can help risk professionals enhance their organization’s ERM approach:

Cultivate a Risk-Informed Mindset Across the Organization

At its core, ERM aims to build resilience and align risk with strategic growth. That begins with mindset, which involves understanding an organization's risk profile and aligning risk tolerance with strategic objectives.

A risk-informed mindset must start at the top and cascade through the entire organization. Corporate boards should engage in risk-based discussions to ensure organizational security and work with management teams to integrate ERM into organizational strategy. In turn, management should foster a risk-aware culture, educating employees about the importance of risk management and encouraging proactive risk identification.

Understand the Organization’s Risk Profile

Effective ERM starts with the risk management team having a deep understanding of the organization’s internal and external risk profile, supported by risk assessments that gather insights from a wide set of stakeholders. Often supported by audit committees, risk managers must conduct ongoing assessments that incorporate input from across the organization. This threat detection process empowers the team to analyze and implement risk mitigation strategies that enable the organization to thrive.

It is essential that the risk management team work closely with the organization’s board to ensure they are aware of the most consequential risks facing the organization, such as market trends, regulatory changes and supply chain disruptions. Understanding the operational threats and overall risk landscape will help ensure the board is making well-informed decisions that enhance resilience.

Risk managers should also familiarize the board with the risk management strategies already in place. This awareness ensures that board actions and decisions support ongoing risk mitigation efforts and create opportunities to strengthen the risk management team.

Align Risk Tolerance and Appetite

Once the board and risk management team understand the risk profile, it is important to solidify the organization’s risk tolerance and risk appetite. Before formulating an updated response plan, it is essential for the board and risk managers to reach a consensus on the level of risk they are comfortable taking on to maintain desired performance levels.

It is equally important for other internal stakeholders to comprehend the agreed-upon risk tolerance and appetite. Although the board does not need to be involved in every decision, it is vital that the risk management team and other leaders are aware of the board's stance, enabling them to make informed strategic decisions that align with the established risk tolerance level.

These discussions should be approached as opportunities for organizational enhancement and alignment. Given that risk is defined as future uncertainty with both positive and negative potential outcomes, companies must manage both the upside and downside of risks. By reframing risks as opportunities for positive change rather than merely consequences to avoid, organizations can remain prepared to capitalize on organizational changes.

Plan for Black Swan Risks

Traditional risk analysis typically relies on two criteria: the impact of a risk and the likelihood of its occurrence. During risk assessment, equal weight is often given to both factors, but this approach can be short-sighted and may ultimately hinder progress toward the organization’s strategic objectives.

Assigning equal importance to impact and likelihood tends to minimize black swan events—rare occurrences with extreme consequences. Recent global crises have demonstrated that the improbable is possible, and black swans cannot be ignored. The COVID-19 pandemic and the 2024 CrowdStrike outage are examples of foreseeable yet unlikely events that significantly disrupted business operations. While many organizations had identified these events as possible risks, they under-prioritized preparation or mitigation due to the low likelihood assessment. That approach left organizations unprepared for these black swan events, which profoundly affected both internal and external stakeholders.

To effectively address potential black swan risks, risk managers must shift from probability-based thinking to impact-based planning, preparing for extreme outcomes even if their likelihood seems low. Resilient organizations develop contingency strategies that encompass the full risk environment—not just the most likely events.

Adopt a Collaborative Approach to Risk Assessment

Risk managers must understand the importance of conducting risk assessments for identifying, analyzing and prioritizing risks to avoid strategic missteps, missed opportunities and worst-case loss scenarios. However, traditional risk assessment methods often come with challenges in ensuring timely representation of all stakeholders and gathering meaningful, actionable data. Most risk assessments rely on manual methods like interviews and surveys to gather insights from various stakeholders and external sources. This process can be cumbersome and prone to errors, focusing mainly on threats while neglecting opportunities.

Collaborative methodologies and tools can address these challenges, enhance the risk assessment process, and enable organizations to proactively mitigate risks and uncover growth opportunities. As risks become more interconnected, managing them in isolation is impractical. Traditional ERM methods often use impact and likelihood criteria, which provide a limited view and overlook risk tolerance and strategic goals. An improved collaborative approach offers a holistic perspective by leveraging historical data, industry benchmarks, continuous monitoring and communication. This approach involves stakeholders across the organization, which can enhance early detection of emerging risks and effective prioritization, boosting resilience and fostering a stronger risk culture.

Leverage Technology-Enabled Collaboration Tools

Relying on traditional ERM methods to conduct a collaborative risk assessment that involves multiple stakeholders and up-to-date insights can be difficult, costly and time-consuming. Leveraging collaboration tools can help enhance an organization's approach to ERM.

Technology-based collaboration tools allow for quicker, more efficient risk assessments with higher-quality outputs and facilitate remote collaboration, allowing broader stakeholder inclusion and enriching risk identification with diverse perspectives. These tools can also capture risk information anonymously, encouraging diverse input and providing a voice to all stakeholders. Real-time collaboration automates repetitive tasks, which can enable teams to focus on outcomes and foster deeper discussions and better alignment on key risks.

Develop an Enhanced ERM Approach

Enhanced risk assessments necessitate collaborative methodology and technology-enabled tools. Effectively leveraging collaborative tools can significantly enhance both the risk assessment process and the quality of the data it produces, enabling organizations to continuously plan for what is on the horizon.

Enhanced ERM can be broken into the following three phases:

Data collection: In this phase, the focus shifts from merely identifying risks to informing strategy. This involves questioning how the organization measures success and identifying significant roadblocks. Technology-enhanced assessments leverage a risk universe tool that lists 80 to 100 sector-relevant risks to broaden perspectives and gather richer data.

Risk analysis and prioritization: Collaboration software can help engage individuals, prioritize risks and build consensus quickly, reducing the traditional data collection period. The analysis and prioritization phase takes risk tolerance, management preparedness and risk velocity into consideration, emphasizing high-impact events and necessary responses.

Outcome and reporting: Technology-driven collaboration tools assess risk scenarios, foster stakeholder consensus and quantify impacts. These tools automate reporting, providing timely and insightful analysis that shapes response plans and guides strategic decisions.

Enterprise risk management is not about avoiding failure—it is about enabling agility, insight and growth. By fostering a risk-aware culture and leveraging collaborative, tech-enabled tools, organizations can not only weather uncertainty but transform it into a strategic advantage.

John Rogula is the managing director of risk advisory at Baker Tilly.