
Enterprise Risk Management and Decision-Making Under Uncertainty

The global environment has changed. Global uncertainty does not merely represent background noise; it has become the operational environment itself. Increasingly, companies are being challenged to evolve their risk management processes away from compliance tasks toward more central roles, driven by rising cyber threats, disruptions in supply chain stability, new environmental regulations, and expanding compliance requirements.

Economic conditions are creating an environment in which firms must make decisions under increasing uncertainty, where outcomes cannot be predicted with confidence. As a result, businesses must continuously assess their risk exposure to manage operations effectively, rather than simply documenting risk on a periodic basis.

Companies that continue to focus on documenting operational risk on a quarterly basis are being outperformed by competitors that have adapted to operating under uncertainty, learning to work with it rather than merely record it. The remainder of this paper outlines how to develop an effective enterprise risk management process, which tools are currently most relevant, and where organisations continue to make recurring mistakes.

Why Risk Management Stopped Being Just a Compliance Function

A decade ago most businesses treated risk management as a stack of templates maintained for auditors. That mindset broke down quickly over the following ten years under the weight of several major incidents. The Colonial Pipeline ransomware attack in 2021 cut off fuel supply across the East Coast of the United States for several days. The SolarWinds compromise gave attackers access to multiple US federal agencies for months before it was detected. The semiconductor shortage halted production at Toyota, GM and nearly every other automotive manufacturer at the same time. None of these incidents would have appeared on a typical company's top-ten risk list before it occurred.

Today, organizations are beginning to integrate risk management into their decision-making processes. Economically, this means replacing large, static processes that leave no room for change with dynamic systems that track the company's evolving risk profile and the trade-offs it implies. Firms such as DXC Technology have built a new line of risk management consulting around this shift, moving from the 'risk audits' they offered years ago to continuous risk monitoring tied to key performance indicators (KPIs). That evolution illustrates how companies are folding risk into their overall enterprise optimization rather than treating it only as a compliance or reporting function.

Another significant shift in the profession is the 2017 update of the Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management Framework (COSO ERM), which remains the closest thing to a standardized methodology in the field. The update moved the framework's emphasis away from internal controls and audit procedures and toward strategy setting and performance, so that risk management becomes an integral part of how an organization develops its strategy. That reflects a core economic principle: firms allocate resources under uncertainty, without full knowledge of future outcomes, and aim to optimize performance over the long run.

What's Actually Happening in the Market

AI in Risk Analysis — Beyond the Buzzword

According to Grand View Research, the GRC software market will surpass $75 billion by 2028, with AI as a major driver. AI here is more than a label on vendor products. Its economic value comes from two real constraints: the limited amount of information a risk team can process by hand, and the volume of unstructured data that creates an internal information asymmetry between operational reality and the decision-makers who act on it.

The organizations currently deploying GRC technologies are working to alleviate those frictions, including with:
• Automated classification of incidents and recommended actions to resolve them
• Algorithms used to detect patterns that alert to potential material regulatory non-compliance before it happens
• Real-time mapping of suppliers, contracts, and dependencies to see who has systemic exposure
• Use of natural language interfaces for analysts to access internal risk data in real-time

All of these tools exist to lower the transaction costs of processing information (a principle drawn from Ronald Coase's work on transaction costs) and to make coordination between groups inside a company easier.

A special mention is due to DORA, the Digital Operational Resilience Act, which has applied in the EU since 17 January 2025. It requires financial entities such as banks, insurers and investment firms to document and report on their ICT risk, with particular attention to third-party information and communication technology (ICT) dependencies. The requirement shows how regulators now recognize the need to manage systemic risk as economies become more interconnected.

GRC Platforms Worth Watching

Many large enterprises still run RSA Archer, but new implementations have been shifting away from it for some time. Other platforms are gaining ground because they reduce duplicated effort and map one set of controls onto several regulatory frameworks, supporting predictive rather than purely reactive risk management. That transition only succeeds when the underlying processes are strong enough to carry it: technology does not fix structural inefficiencies in existing processes on its own; it makes them more visible.

What the Enterprise Risk Management Process Actually Contains

Setting aside the consulting jargon, enterprise risk management (ERM) has a familiar set of stages: identification, assessment, response and monitoring. The key point is that these phases are not meant to run in sequence; they operate as continuous, interacting cycles that feed one another.

The most common approach to identifying risks is an annual exercise in which senior management gathers to list risks, often on a whiteboard. In practice this is more ceremonial than functional. More effective approaches draw on several sources at once and identify risks continuously.

The channels used to identify risks typically include:

  • Automated external scanning from regulatory agencies, geopolitical developments, and industry news
  • Internal data, including process failures, customer complaints, and control exceptions
  • Communication with line managers, whose insight often precedes what appears in dashboards
  • Public incident disclosures from firms in the same sector, which signal emerging risks across the market

From an economic perspective, this stage of the risk management process reduces information asymmetry, as described by George Akerlof, by improving the flow of information within the firm.

Assessment and Prioritisation

Quantitative techniques are increasingly supplementing, and in places replacing, the old-fashioned probability/impact matrix. Examples include Monte Carlo simulation for financial impact analysis and conditional value-at-risk (CVaR, also called expected shortfall) for measuring tail losses; bowtie analysis is often used alongside them to lay out the causes, controls and consequences of an event, although it is itself largely qualitative. These methods measure risk on a common, objective scale and support forecasting. Instead of relying only on subjective judgement, a business can attach a probability distribution to each loss scenario, estimate how likely each outcome is and weight it accordingly.
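As an added example that is not part of the original article, the Python below runs a Monte Carlo simulation of annual losses from a single risk scenario and reads value-at-risk and CVaR off the simulated distribution, then uses the same machinery to price a control. The scenario parameters (a hypothetical ransomware risk with about two events a year and a median loss of 400,000), the hypothetical "tested offline backups" control that halves event frequency, and its 250,000 annual cost are constructed for illustration; the frequency/severity structure (Poisson event counts, lognormal per-event severity) is the standard one used in operational and cyber risk quantification.

```python
import math
import random


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate with Knuth's method (fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(n_years, freq_lambda, sev_median, sev_sigma, seed=0):
    """Monte Carlo of total annual loss from one risk scenario.

    Frequency: Poisson(freq_lambda) loss events per year.
    Severity:  lognormal per event, given by its median and the standard
               deviation of log-severity (large sigma = heavy right tail).
    Returns one simulated total loss per year (list of n_years values).
    """
    rng = random.Random(seed)      # seeded so the run is reproducible
    mu = math.log(sev_median)      # lognormal median == exp(mu)
    annual = []
    for _ in range(n_years):
        events = poisson_sample(rng, freq_lambda)
        annual.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(events)))
    return annual


def value_at_risk(losses, alpha):
    """Empirical alpha-quantile of the loss sample (e.g. alpha=0.95)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, max(0, math.ceil(alpha * len(ordered)) - 1))
    return ordered[idx]


def conditional_var(losses, alpha):
    """Mean loss in the worst (1 - alpha) tail: CVaR / expected shortfall."""
    var = value_at_risk(losses, alpha)
    tail = [x for x in losses if x >= var]
    return sum(tail) / len(tail)


def summarise(losses, alpha=0.95):
    """The three numbers a risk committee asks for: mean, VaR, CVaR."""
    return {
        "expected_loss": sum(losses) / len(losses),
        "var": value_at_risk(losses, alpha),
        "cvar": conditional_var(losses, alpha),
    }


def compare_treatment(baseline, treated, annual_cost, alpha=0.95):
    """Net effect of a control: reduction in expected loss minus its cost,
    plus the change in CVaR, which is what the appetite statement is written against."""
    b, t = summarise(baseline, alpha), summarise(treated, alpha)
    return {
        "net_expected_benefit": (b["expected_loss"] - t["expected_loss"]) - annual_cost,
        "cvar_reduction": b["cvar"] - t["cvar"],
    }


if __name__ == "__main__":
    # Constructed scenario: ~2 ransomware events/yr, median loss 400k, sigma 1.2
    base = simulate_annual_losses(20_000, 2.0, 400_000, 1.2, seed=42)
    # Hypothetical control (tested offline backups) halving event frequency
    mitigated = simulate_annual_losses(20_000, 1.0, 400_000, 1.2, seed=42)
    print(summarise(base))
    print(compare_treatment(base, mitigated, annual_cost=250_000))
```

Note what CVaR adds over expected loss: two controls can cut expected loss by the same amount while one does far more for the tail, and the tail is what the risk appetite statement should be written against. With twenty thousand simulated years the sampling error on CVaR is still visible, so rerun with more years or another seed before the numbers go in front of a board.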

Response and Control

There are four options for managing a risk: avoidance, transfer, mitigation and acceptance. None is inherently best. Organizations with a very low tolerance for risk tend to over-insure and pay more than they need to; organizations that tolerate too much risk tend to underestimate the likelihood of tail events.

The trade-off between these positions is risk aversion in the economic sense: a firm balances the expected return of a decision against the variability of the returns it might actually get.

Monitoring and Reporting

Building an Enterprise Risk Management Strategy from Scratch

No single approach guarantees success. However, what commonly undermines an effort is the failure to account for a number of key principles.

Start with Risk Appetite

A common mistake is spending months developing a comprehensive list of risks before determining how much risk the business is willing to accept. This process should be reversed, beginning with a clearly defined risk appetite statement.

To quantify the level of uncertainty the organization is willing to accept in pursuit of returns, the risk appetite statement should be expressed in measurable terms (for example a maximum tolerable annual loss or an acceptable level of earnings volatility) that connect expected utility to the strategy it is meant to serve.

Make Risk Part of Strategy, Not Adjacent to It

Separating an organization's enterprise risk management (ERM) strategy from its corporate strategy creates a structural problem. If a company plans to enter a new geographic market, for example, the ERM risk analysis should be part of the business case for that expansion. Presenting the two together reduces principal-agent problems and speeds up decision-making, because the incentives of decision makers and risk managers are aligned.

Governance That Actually Functions

A lack of accountability within the process creates structural weaknesses and unclear responsibility.

  • Board — Approval of risk appetite
  • Risk Committee — Operational oversight
  • CRO / Head of Risk — Ownership of methodology
  • Business Unit Risk Owners — Execution accountability
  • Internal Audit — Independent verification of compliance

The economic rationale for this structure is based on incentives, monitoring, and control mechanisms within an organisation.

Mistakes That Keep Recurring

Risk management programs fail in a handful of recurring ways:

  • Using the risk register as a goal rather than a tool
  • Operating in teams that do not communicate with revenue-generating functions
  • Treating interconnected risks as if they were independent
  • Failing to update the risk register in fast-paced environments
  • Failing to identify low-probability, high-impact events

Many of these failures stem from underestimating correlation and systemic risk, which economic models have consistently shown to be critical factors during periods of stress.
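The correlation point can be made exact with a small calculation. As an added example that is not from the original article, the Python below compares the probability that at least 5 of 10 suppliers fail in the same year under two models that have the same 5% per-supplier failure probability and the same expected number of failures: one that treats suppliers as independent, and a common-shock model in which a shared cause (a constructed 2% chance of a regional outage or a common upstream vendor going down) takes them all out at once. The supplier count and probabilities are constructed; the modelling idea is the standard common-shock treatment of systemic risk.

```python
import math


def binomial_tail(n, p, k):
    """P(X >= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(math.comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(k, n + 1))


def independent_failures(n, p_marginal, k):
    """Probability that at least k of n suppliers fail, treating them as independent."""
    return binomial_tail(n, p_marginal, k)


def common_shock_failures(n, p_marginal, p_common, k):
    """Same per-supplier marginal failure probability, but a shared cause with
    probability p_common takes all n suppliers out together.  The idiosyncratic
    probability p_idio is solved for so the marginal is unchanged:
        p_marginal = 1 - (1 - p_idio) * (1 - p_common)
    """
    if not 0 <= p_common < p_marginal < 1:
        raise ValueError("need 0 <= p_common < p_marginal < 1")
    p_idio = 1 - (1 - p_marginal) / (1 - p_common)
    # Law of total probability over "shock happened" / "shock did not happen".
    # Given the shock, all n fail, so P(>= k) is 1.
    return p_common * 1.0 + (1 - p_common) * binomial_tail(n, p_idio, k)


def expected_failures(n, p_marginal, p_common):
    """Expected number of failed suppliers under both models (they coincide,
    which is why expected loss alone cannot reveal the difference)."""
    p_idio = 1 - (1 - p_marginal) / (1 - p_common)
    independent = n * p_marginal
    shock = p_common * n + (1 - p_common) * n * p_idio
    return independent, shock


def tail_ratio(n=10, p_marginal=0.05, p_common=0.02, k=5):
    """How badly the independence assumption understates the tail:
    returns (P_independent, P_common_shock, ratio)."""
    indep = independent_failures(n, p_marginal, k)
    shock = common_shock_failures(n, p_marginal, p_common, k)
    return indep, shock, shock / indep


if __name__ == "__main__":
    indep, shock, ratio = tail_ratio()
    print(f"P(>=5 of 10 fail), independent : {indep:.2e}")
    print(f"P(>=5 of 10 fail), common shock: {shock:.2e}")
    print(f"understated by a factor of     : {ratio:.0f}")
    print("expected failures (both models):", expected_failures(10, 0.05, 0.02))
```

With these inputs the independent model puts the chance of losing half the supplier base at roughly 6 in 100,000, while the common-shock model puts it at about 2 in 100, a difference of more than two orders of magnitude from a 2% shared cause that leaves every individual risk rating untouched. That is the gap a register of independently scored risks hides.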

Regulatory Pressure Is Reshaping Enterprise Risk Management Strategy

The growing regulatory burden is continuously reshaping how enterprise risk management strategies are designed.

Financial services carry the heaviest load: Basel III/IV and Solvency II set capital requirements according to risk exposure, and DORA requires financial entities to identify and map the ICT assets and third-party ICT providers that support their critical or important functions and to keep that register of dependencies current.

In non-financial industries, ESG regulation is the main pressure point. The European Sustainability Reporting Standards require firms to assess long-term climate-related risks as part of their overall risk profile, which stretches the time horizon of risk modelling considerably.

Taken together, these changes reflect a wider global trend of firms internalising externalities and becoming more transparent in their risk reporting.

Maturity Takes Effort, Not Just Time

ERM maturity requires time and effort to attain. Organizations that properly invest in developing their ERM systems will tend to have lower capital costs and lower volatility in their earnings, which should result in better long-term performance.

The one thing that no implementation platform will ever be able to replicate is an organizational culture that encourages risk information to flow freely throughout the organization. At an economic level, this will decrease the internal frictions that exist in organizations and improve their ability to coordinate effectively in order to respond to uncertainty.

For organizations that are either just starting out or are in the process of resetting a discontinued program, performing an honest maturity assessment compared to established industry benchmarks is a good first step prior to selecting software tools or redesigning teams.