The Evolution of ERM: Adapting Risk Management for a Disruptive Age 

Two decades of upheaval have given rise to a new approach to managing risk. In today’s post we’ll look at the history and future of enterprise risk management (ERM). 

Related on MHA Consulting: Threat Intelligence: A Key Capability for Our Turbulent Times 

The Rise of ERM  

The attacks on the World Trade Center in 2001 made organizations everywhere aware of the potential for devastating blows to arrive out of a clear blue sky. They also made organizations mindful of the need to systematize their efforts to identify, assess, and mitigate the risks that have the potential to disrupt their mission-critical business processes.  

Since then, the financial crisis of 2008, the Covid pandemic, cyberattacks, the rise of extreme weather, and many other challenges have underscored the reality of an increasingly perilous environment.  

In such a world, the need for organizations to get serious about identifying  and mitigating risks hazards is self-evident.   

Enter enterprise risk management, the activity of identifying and mitigating the risks that threaten an organization, including natural, human, and technological threats as well as threats to the organization’s reputation and profitability and to the larger economy.  

The fact that many companies have recently created ERM departments is to be applauded. Unfortunately, many corporate ERM departments today suffer from the same shortcoming: lack of follow-through.  

In a typical situation, the department might reach out to the executives in doing an annual assessment of risks. It might even go so far as to identify the top five threats facing the company. After that it’s, “Great. Thanks. Talk to you next year.”  

The Four Risk Mitigation Strategies  

A proper ERM program has to go beyond identifying and assessing risks to include the thoughtful implementation of the four main risk mitigation strategies. The strategies are:  

• Risk acceptance. Involves a conscious decision to remain vulnerable to a potential harm, usually based on a cost-benefit analysis.  

• Risk avoidance. When organizational behavior is altered to eliminate a particular risk.  
• Risk limitation. When measures are taken to reduce risk, short of completely eliminating it. Incorporates a combination of risk avoidance and risk acceptance.  
• Risk transfer. When risk is passed on to another organization, such as by hiring a third-party vendor to perform the associated function.  

True enterprise risk management requires not just identifying and assessing threats but consciously applying risk mitigation strategies to bring them under control. To reflect the fact that organizations and environments change, the whole process should be conducted on an ongoing, cyclical basis. 

The goal of ERM is not to reduce risk to zero. This is usually either impossible, prohibitively expensive, or a waste of resources.  

The aim of ERM is for the organization to take ownership of its risks, making informed decisions about them, whether that involves living with them, reducing them, or handing them off to another organization.  

Predictions for the Future of ERM 

That accounts for the past and present. Let’s take a look at the future of ERM. Here are five predictions about what will happen in the practice of enterprise risk management over the next 10 years or so: 

1. Leaders will increasingly see ERM as must-have rather than nice-to-have. 

It’s highly likely that, over the next decade, the news will remind executives on a daily basis that their businesses are vulnerable. If these individuals are rational—and most of them are—they will begin to invest more resources in one of the few tools available to them to manage the increasing risks they face: enterprise risk management. They will also begin to see ERM as essential rather than optional. In a chaotic world, investing in ERM is the safest and most responsible course of action. 

2. Interest in ERM will grow as a result of companies’ fears of being attacked in social media. 

One of the things business executives are most afraid of today is getting torched in social media. One false step and a mob can spring up, destroying brands and companies it took years to build with Bud Light being only the most recent case in point.  

Executives’ fear of social media is legitimate and the basis for it is unlikely to go away soon. I think this will be a continuing and growing source of anxiety for business over the next 10 years. This anxiety is likely to compel many executives to begin exploring how ERM can protect them. 

3. Companies’ success in implementing ERM will follow the pattern seen with BCM.  

The wisdom of implementing ERM might be widely recognized among leaders. But their success in doing so is likely to adhere to the same pattern we see in companies’ adoption of BCM, business continuity management. A few will do a great job, investing the time, money, and resources needed to do ERM properly. Many will do an adequate job. And a large number will engage with ERM superficially at best, and pay the consequences if and when disaster strikes.  Thankfully the overall trend, as with BCM, is toward a more mature, proactive approach. It’s not a moment too soon. 

4. AI will deepen ERM’s insights and potency. 

AI and ERM were made for each other. The next decade will see powerful new AI-related tools coming to the field, often in the form of add-on tools to existing ERM dashboards. Soon companies will have real-time information saying, “I don’t know if you’re aware of this, but three months from now, one of your suppliers is going to be in trouble” or “I’m not sure if you know, but six months from now, you’re going to have a liquidity problem.” The quality of the alerts will depend on the quality of the data the system gets. Companies’ ability to take advantage of them will depend on how prepared they are in terms of people, training, and resources. 

AI-powered systems have the potential to help organizations navigate more safely, avoiding danger and finding opportunities. Of course, AI as deployed externally might also increase the threats companies face. 

5. A central preoccupation of ERM will be rising supply-chain insecurity. 

The supply-chain problem is likely to get worse moving forward. A main focus of ERM will be gaining visibility into the vulnerabilities of third- and fourth-party vendors—and the threat those pose to the organizations that depend on them. As a source of components and products, China is no longer seen as reliable. The future will likely see the geographic dispersal of supply chains, complicating the situation still further. ERM will have to look into all of the foreign entities a company relies on, scanning for risks related to currency valuations to political stability and everything in between.  

The Future of Enterprise Risk Management 

The evolution of Enterprise Risk Management (ERM) has been shaped by two decades of disruptions, pushing organizations to rethink their approach to risk. From the wake-up call of 9/11 to the recent social media firestorms, the need for ERM has transitioned from a nice-to-have to a must-have for businesses.  

In the future, AI-powered systems will become integral in helping companies identify impending challenges and opportunities, such as those posed by the increasing insecurity of the corporate supply chain. For leaders wise enough to take advantage of it, ERM offers organizations a potent tool for anticipating and mitigating risk. 

Further Reading

• The ABCs of ERM: The Rise of Enterprise Risk Management 
• Why BCM and ERM Should Be BFFs 
• Types of Risk: Don’t Forget to Keep Tabs on Your Long-Term Risks 
• How to Get Strong: Unlocking the Power of Vulnerability Management 
• Threat Intelligence: A Key Capability for Our Turbulent Times