Traditional ERM frameworks are struggling to keep pace with systemic disruption, leaving boards with reports rather than decision-ready insight. This article makes the case for Strategic Resilience Management - integrating risk, resilience and value creation - a shift that sits at the core of the #RISK Executive Forums, where senior executives engage in focused, peer-level discussion on how to redesign risk and resilience capabilities to support strategy, investment and performance in a permanently volatile world.

Traditional Enterprise Risk Management (ERM) is dead
In 2025, many of the most damaging organisational crises did not arise from black-swan events, but from familiar internal weaknesses: misaligned strategy, weak governance, fragile operations, and decisions that failed under pressure(1). External forces—geopolitics, cyber escalation, climate extremes, and regulatory fragmentation—did not create these problems; they simply exposed them faster.
Senior executives are increasingly asking a question risk teams have been grappling with for some time: is ERM, as it is currently practised, helping leaders make better decisions? McKinsey(2) has noted declining confidence in traditional risk frameworks, particularly in addressing emerging and interconnected risks linked to technology, resilience, and long-term value. Looking toward 2026, volatility is no longer the exception but the baseline, and board agendas are dominated by systemic cyber risk, AI governance failures, supply chain concentration, and persistent polycrisis conditions. In this environment, enterprise list management is no longer sufficient.
The answer is not to abandon ERM, but to evolve it. Risk management must be combined with organisational resilience in a practical and usable way. Strategic Resilience Management—Risk-ilience—repositions risk from a reporting obligation to a capability that actively supports the business.
A Risk Landscape That Has Outgrown Traditional ERM
ERM was designed for a more stable and predictable world. Today’s environment is defined by speed, interdependence, and cascading impacts. Hyper-connected supply chains, accelerating AI adoption, persistent cyber threats, geopolitical fragmentation, and workforce disruption mean failures rarely occur in isolation.
(1) World Economic Forum (2025). Global Risks Report.
(2) McKinsey & Company (2024). From Risk Management to Resilience: Managing Uncertainty in an Era of Disruption.
In practice, this shows up in familiar ways:
- Risk registers grow longer, not sharper
- Risk discussions remain disconnected from strategy and capital decisions
- Time is spent scoring risks rather than debating what truly matters
- Downside threats dominate, while resilience and opportunity receive less attention
- Analysis relies on historical data that no longer reflects current conditions
- Risk appetite statements are difficult to apply in practice
- Likelihood scoring provides reassurance rather than insight
- ERM is seen as compliance support, not decision support
These challenges are not about effort or capability. The problem is fit: a model designed for stability is being stretched to manage complexity.
How Resilience Thinking Strengthens Risk Management
Resilience thinking does not replace risk management; it strengthens it by changing the starting point. Instead of asking, “What risks do we have?” it asks, “What outcomes must we continue to deliver, whatever happens?” That shift brings four practical concepts into play(3).
Essential Outcomes
We all know that organisations exist to deliver outcomes, not protect processes - customers want the hole, not the drill(4). Defining essential outcomes forces clarity about what really needs to keep working—even when systems, suppliers, or locations are unavailable.
The Five Capitals
Looking at financial, workforce, infrastructure, social, and environmental capital together provides a system view that most risk registers struggle to capture through impact categories. It makes dependencies visible and helps prioritise where resilience actually matters.
Plausibility Over Probability
Likelihood scoring is familiar, but often misleading. A resilience lens asks whether a scenario is plausible. If it is, it deserves attention, regardless of how often it has occurred before.
Impact Thresholds
Impact thresholds define how much disruption the organisation can tolerate, independent of cause. For practitioners, they provide a far more useful anchor for decision-making than KRIs tied to individual risk drivers.
(3) ISO (2019). ISO 22301: Security and Resilience – Business Continuity Management Systems; Deloitte LLP, National Preparedness Commission & Cranfield University (2021). Resilience Reimagined: A Practical Guide for Organisations.
(4) Levitt, T. (1960). Marketing Myopia. Harvard Business Review.
When ERM Sees a Risk, but Misses the System
A global manufacturer experienced a cyber incident that halted production across multiple sites for 12 days (7). “Cyberattack” had been a top-ten risk for years. Controls were in place. Heatmaps were updated.
Yet:
- The risk was assessed annually
- Likelihood was rated “low”
- Impact was framed as IT downtime
- BCM focused on system restoration, not production continuity
- No end-to-end stress testing had been conducted
The board rightly asked why a “known risk” caused such damage.
A resilience-led approach would have defined maintaining production capability as the essential outcome, set downtime thresholds, stress-tested severe scenarios, and integrated cyber, operations, workforce, and supply chain planning. ERM identified the risk; resilience would have protected the outcome.
(7) Norsk Hydro (2019). Annual Report 2019, Cyber Attack section; Microsoft Security Response Center (2019). Lessons Learned from the Norsk Hydro Attack; The Wall Street Journal (March 2019). Cyberattack on Norsk Hydro Shuts Down Production.
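The case above turns on a cascade that an annual, IT-downtime-framed assessment does not see: the rebuild time of shared IT is only the first link in a chain that ends at the production line. As an added example (not from the article or from any of the sources it cites), the Python below models that cascade as a dependency graph, runs one severe-but-plausible scenario through it, and compares the effect on the essential outcome with an impact tolerance, with and without a degraded-mode fallback and after a candidate mitigation. Every node name, restart and restore time, the 72-hour tolerance and the manual-operation fallback are constructed assumptions for illustration, not figures from the incident.

```python
"""Stress test of a severe-but-plausible scenario against an impact tolerance.

Added example (not from the article): a dependency graph in which a cyber
incident on shared IT cascades into an essential outcome. Every node name,
restart time, restore time and tolerance below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    depends_on: tuple[str, ...] = ()
    restart_hours: float = 0.0  # time to resume once every dependency is back


@dataclass(frozen=True)
class Fallback:
    """A degraded-mode workaround (e.g. manual operation) for an outcome."""
    activation_hours: float  # time to switch over to the workaround
    capacity: float          # fraction of normal output it sustains (0..1)


def build_example_graph() -> dict[str, Node]:
    """Constructed manufacturing dependency graph (illustrative figures only)."""
    nodes = [
        Node("site_network", (), restart_hours=4),
        Node("identity", ("site_network",), restart_hours=8),          # AD / SSO
        Node("erp", ("identity",), restart_hours=12),
        Node("mes", ("identity", "erp"), restart_hours=6),             # shop-floor execution
        Node("supplier_feed", ("erp",), restart_hours=24),             # inbound material orders
        Node("workforce", (), restart_hours=0),
        Node("production", ("mes", "supplier_feed", "workforce"), restart_hours=6),
    ]
    return {n.name: n for n in nodes}


# Constructed scenario: hours to rebuild each node that the attack hits directly.
RANSOMWARE_SHARED_IT = {"site_network": 24.0, "identity": 72.0, "erp": 96.0}


def outage_hours(graph: dict[str, Node], hits: dict[str, float], target: str) -> float:
    """Hours until `target` is available again; 0.0 means it is unaffected.

    A node hit directly is rebuilt only after its own dependencies return; a node
    that is not hit but is starved of an input restarts once that input is back.
    """
    memo: dict[str, float] = {}
    visiting: set[str] = set()

    def available_at(name: str) -> float:
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"dependency cycle at {name!r}")
        visiting.add(name)
        node = graph[name]
        deps_back = max((available_at(d) for d in node.depends_on), default=0.0)
        if name in hits:
            t = deps_back + hits[name]
        elif deps_back > 0:
            t = deps_back + node.restart_hours
        else:
            t = 0.0
        visiting.discard(name)
        memo[name] = t
        return t

    return available_at(target)


def assess(graph: dict[str, Node], hits: dict[str, float], outcome: str,
           tolerance_hours: float, fallback: Fallback | None = None) -> dict:
    """Compare the scenario's effect on `outcome` with its impact tolerance.

    The figure of merit is lost-output hours: full loss until the fallback is
    running, then partial loss until the normal path is restored.
    """
    restore = outage_hours(graph, hits, outcome)
    if fallback is not None and fallback.activation_hours < restore:
        lost = fallback.activation_hours + (restore - fallback.activation_hours) * (1 - fallback.capacity)
    else:
        lost = restore
    return {
        "outcome": outcome,
        "hours_to_restore": restore,
        "lost_output_hours": lost,
        "tolerance_hours": tolerance_hours,
        "breach": lost > tolerance_hours,
    }


def decouple(graph: dict[str, Node], name: str, dependency: str) -> dict[str, Node]:
    """Copy of the graph with one dependency removed (a candidate mitigation)."""
    node = graph[name]
    new = Node(node.name, tuple(d for d in node.depends_on if d != dependency), node.restart_hours)
    return {**graph, name: new}


if __name__ == "__main__":
    g = build_example_graph()
    # The "IT downtime" framing sees only the identity rebuild ...
    print("identity restored after", outage_hours(g, RANSOMWARE_SHARED_IT, "identity"), "h")
    # ... while the essential outcome is down far longer because of the cascade.
    print(assess(g, RANSOMWARE_SHARED_IT, "production", tolerance_hours=72))
    manual = Fallback(activation_hours=24, capacity=0.5)
    print(assess(g, RANSOMWARE_SHARED_IT, "production", 72, fallback=manual))
    # Candidate mitigation: let MES and supplier ordering run without ERP.
    g2 = decouple(decouple(g, "mes", "erp"), "supplier_feed", "erp")
    print(assess(g2, RANSOMWARE_SHARED_IT, "production", 72, fallback=manual))
```

Run stand-alone, the block prints four results under these assumptions: the identity rebuild alone takes 96 hours (the "IT downtime" view); the production outcome is down for 222 hours, well past the 72-hour tolerance; the manual-operation fallback reduces that to 123 lost-output hours, still a breach; and decoupling MES and supplier ordering from ERP brings it to 66 lost-output hours, inside tolerance. The last two runs carry the point of the section: a fallback that has never been stress-tested is assumed to work and does not, and the test ranks which dependency is worth the investment rather than leaving that to a likelihood score.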
Strategic Resilience Management: The Risk-ilience Model
Strategic Resilience Management brings together the discipline of ERM and the adaptability of resilience into a single operating model based on four pillars:
- Integrated Intelligence – a short, focused view of material risks linked to essential outcomes, supported by scenario analysis, stress testing, digital twins, and leading indicators tied to impact thresholds. Where practical, intelligence hubs add value by using AI and analytics for horizon scanning and real-time monitoring.
- Adaptive Capacity – resilience designed into operations, technology, and workforce arrangements, guided by the Five Capitals and focused on plausibility rather than probability
- Strategic Embedding – risk and resilience actively informing strategy, investment decisions, and board discussions.
- Value Creation – resilience treated as a source of advantage, not just protection.
This is not ERM with a continuity add-on. It is a different way of organising risk and resilience capabilities around how organisations actually function under pressure. On their own, neither risk nor resilience delivers what is needed: the ability to anticipate, absorb and adapt(5), and to thrive under stress. Risk insight without resilience leads to well-written reports but limited action. Resilience without risk insight leads to expensive controls applied without clear priorities. What is missing is integration.
(5) Resilience First & Cranfield School of Management (2024). Model for Organisational Resilience.
Recognising Value
The Risk-ilience blend moves risk management beyond maintaining lists and frameworks to enabling faster, more effective Executive and Board conversations and strategic decisions. By focusing on anticipation, absorption, and adaptation, organisations build the capacity not only to withstand disruption, but to evolve strategy through it and seize new opportunities. Regular exercising and scenario planning strengthen organisational capabilities and develop the ‘muscle memory’ needed to respond quickly to future challenges. For risk practitioners, this approach also increases professional relevance and influence by shifting the focus from risk reporting to outcomes, scenarios, and decision-ready insight. This brings risk teams into executive and board discussions earlier and more constructively, building credibility through input that supports clear, timely decisions under uncertainty.
Additional benefits of this blended approach include:
- Clearer decision support that highlights trade-offs and priorities amid uncertainty
- More targeted capital allocation, directing investments where disruption would have the greatest impact and avoiding unnecessary controls
- A refreshed narrative that engages sceptical stakeholders and clarifies roles and accountabilities
- Reduced impact of incidents, shortening recovery times and limiting secondary damage such as reputational harm or regulatory consequences
- Stronger alignment across risk, continuity, security, operations, and strategy teams, cutting duplication and improving crisis collaboration
- Greater confidence from Boards, regulators, investors, and customers, who now expect proven resilience capabilities—not just compliance checklists
- Enhanced organisational agility and culture, where risk is seen as an enabler rather than a barrier
Boards are raising their expectations. Regulators, customers, and investors are following suit. Yet many organisations remain unprepared for the next major disruption(6). Adopting Risk-ilience helps close this gap, positioning risk teams as strategic partners in building resilient, competitive organisations.
Moving Forward
There are several immediate practical steps available to move towards Risk-ilience:
- Anchor risk discussions around essential outcomes
- Replace likelihood scoring with plausibility thinking
- Define impact thresholds and resilience indicators
- Bring together risk, continuity, security, and intelligence
- Use regulatory requirements to build capability, not just evidence compliance
ERM as enterprise list management is dead. Strategic Resilience Management—Risk-ilience—is the next step: integrated, adaptive, and focused on what truly matters.
(6) McKinsey & Company (2025). Resilience pulse check: Harnessing collaboration to navigate a volatile world.
ERM vs Resilience: Key Differences
| ERM | Resilience |
|---|---|
| Risk-centric: Focuses on identifying, assessing, and mitigating risks. | Outcome-centric: Focuses on protecting and sustaining essential outcomes across the five capitals (financial, infrastructure, workforce, social, environmental). |
| Backward-looking: Periodic reporting based on historical data and known risks. | Forward-looking: Anticipates change, explores uncertainty, and prepares for plausible future disruptions. |
| Likelihood-based assessments: Relies on probability scoring and risk matrices. | Plausibility-based assessments: Accepts that likelihood is often unknowable; emphasises severe-but-plausible scenarios. |
| Long risk registers: Often devolves into “enterprise list management”. | Short list of material vulnerabilities: Prioritises what threatens essential outcomes or breaches impact thresholds. |
| Siloed functions: ERM, BCM, cyber, operations, and strategy operate separately. | Integrated system: Cross-functional approach linking risk, BCM, operational resilience, strategy, and culture. |
| Static risk appetite statements: High-level, often vague, rarely operationalised. | Dynamic impact tolerances and resilience indicators: Quantified thresholds for normal and severe conditions. |
| Focus on prevention and control: Seeks to reduce exposure to threats. | Focus on anticipation, absorption, adaptation: Builds capacity to withstand and evolve through disruption. |
| Linear, predictable worldview: Assumes risks can be catalogued and managed individually. | Complex, interconnected worldview: Recognises cascading risks, interdependencies, and systemic shocks. |
| Event-driven: Responds when risks materialise. | Capability-driven: Builds readiness, responsiveness, recovery, and regeneration (the 4Rs). |
| Periodic reviews: Annual or quarterly cycles. | Continuous monitoring: Intelligence hubs, analytics, horizon scanning, and real-time data. |
| Compliance-oriented: Often seen as a governance requirement. | Value-creating: Positions resilience as a strategic asset and competitive advantage. |
| Focus on returning to normal: Recovery of assets and processes. | Focus on adapting to a new normal: Adjusts business models, strategies, and capabilities. |

Emma Price, Risk & Resilience Market Leader | Advisor to Boards & C-Suite on Strategic & Emerging Risk.