Incorporating AI in Enterprise Risk Management

Enterprise Risk Management (ERM) is at a critical crossroads.

According to the 16th State of Risk Oversight Report released by the Poole College of Management at NC State University, organizations are investing more than ever in risk management. However, the results are falling short. As an objective academic study spanning nearly two decades, this report offers one of the most credible benchmarks for evaluating ERM effectiveness.

And the findings are troubling.

Despite billions of dollars spent on ERM, the strategic value of risk management is not improving. As discussed during a recent Actio webinar, enterprise risk management programs are not effectively predicting or reducing potential risks in most organizations. 

How do you make your ERM program strategic?

As Risks Increase, ERM Must Evolve

ERM is fundamentally a strategic discipline. Its purpose is to help organizations balance risk and reward while achieving long-term objectives.

Yet the 2025 data reveals a stark contradiction:

  • Risk Complexity Is Rising:
    Over 65% of organizations report a significant increase in risk volume and complexity over the past five years.
  • Strategic Value Is Declining:
    Only 11% of respondents believe ERM delivers a “mostly” or “extensive” strategic advantage. In financial services, that number drops to just 8%.

Sixteen years of consistent data point to a clear conclusion. As the risk landscape continues to introduce significant new hazards, ERM programs are failing to deliver the strategic insights they were designed to provide for steady and secure operations.

ERM Is Failing to Predict Operational Surprises

The most alarming statistic in the report centers on operational surprises:

  • 74% of organizations experienced significant operational surprises in the last five years.
    For public companies, that figure jumps to 87%.

Every CEO shares the same priority: “No surprises for the board or investors.” Even organizations with mature ERM frameworks and extensive risk inventories continue to be blindsided.

Why?

Too often, ERM becomes an exercise in managing a static risk inventory. Risk teams spend months documenting hundreds of risks, narrowing them down to the top 20, and then treating that list as complete.

I recently served on a board where the Top 20 risks were meticulously tracked, but never re-evaluated or updated. Inflation, however, was nowhere to be found. When inflation surged to a 40-year high, it directly impacted 14 of those 20 risks. The organization failed to recognize the impact of inflation because the list of top risks never evolved.

Five Systemic ERM Failures

A May 2025 McKinsey report identified five systemic shortcomings holding ERM back:

  1. Lack of Integration: Risk management sits under Finance, compliance under Legal, and boards receive disconnected, episodic updates.
  2. Technology Underutilization: 42% of leaders say their GRC systems need improvement. Most tools document past risks rather than anticipate future ones.
  3. Undervalued Risk Leadership: 44% of risk leaders report two or more levels below the CEO, reducing ERM to a tactical function.
  4. Weak Incentives: 68% of organizations do not link executive compensation to risk culture, compliance, or ethics.
  5. Failure to Advance Capabilities: Too little focus is placed on horizon scanning, scenario planning, and stress testing.

How AI in Enterprise Risk Management Can Reshape the Future

The biggest barrier to ERM progress today is technology underutilization. Too many organizations still rely on outdated approaches, failing to fully leverage modern ERM technology to support faster, smarter decisions.

AI in enterprise risk management has the potential to fundamentally change how ERM operates. AI enables organizations to move beyond static reporting toward:

  • Real-time horizon scanning
  • Dynamic stress testing
  • Continuous risk correlation analysis

By applying advanced ERM technology, AI can analyze the black box of enterprise data to uncover hidden relationships before those risks turn into operational surprises. For example, AI can evaluate how emerging economic trends could simultaneously disrupt multiple top risks.

AI in enterprise risk management can transform ERM from a reporting function into a true strategic decision-making tool for organizations.

As with all AI applications, training the AI model with accurate outcomes is paramount. The first step in incorporating AI into ERM for strategic decision making is your organization’s evaluation of risk factors.

The 10 Risk Factors Hiding Behind Polished ERM Frameworks

ERM will not improve by adding more risks to a register. The real shift must happen at the leadership and decision-making level, where the risk management framework is actively used to challenge assumptions, guide strategy, and inform execution, not just document risks.

Professor Mark Abkowitz identified 10 foundational risk factors that contribute to nearly every major organizational failure. Leadership teams should be actively questioning these factors as part of their ERM strategic execution. They should be embedded into their risk management framework to prevent predictable failures before they emerge.

  1. Design and construction flaws
  2. Deferred maintenance
  3. Economic pressure
  4. Schedule constraints
  5. Inadequate training
  6. Failure to follow procedures
  7. Poor planning and preparedness (scenario planning)
  8. Communication breakdowns
  9. Arrogance
  10. Political agendas

When these 10 factors go unchecked, adverse outcomes from preventable risks become inevitable, regardless of how polished the ERM framework and reporting appear.

Moving from Documentation to Decision-Making

The data from 2025 shows us that more investment doesn’t automatically equal better protection. True resilience comes from a framework that is dynamic, technologically empowered, and deeply integrated into the culture of the organization.

By incorporating AI in enterprise risk management, leadership can finally close the gap between reporting and predicting risks. Instead of being blindsided by the next sudden shift, AI-driven horizon scanning and stress testing allow boards to see the hidden connections between their top risks.

Ultimately, technology is the tool, but leadership is the driver. When you combine advanced ERM technology with a rigorous evaluation of the 10 foundational risk factors, you transform ERM from a tactical burden into your most powerful strategic advantage. It’s time to stop documenting the past and start securing the future.
