Enterprise Risk Management from Incentives to Controls

Enterprise Risk Management (ERM) is often framed as a discipline of frameworks, controls, and governance structures. But in practice, one of the most powerful drivers of enterprise risk sits outside formal risk registers: how people are incentivized and paid.

Insights from risk practitioner John McLaughlin highlight a consistent reality seen across large organizations: when compensation systems are misaligned with risk appetite, ERM failures are not accidental—they are structurally encouraged.

Academic research supports this view. Empirical work in financial economics shows that incentive design directly influences managerial risk-taking, sometimes in ways that systematically increase firm-level risk exposure. For example, a study published in the Journal of Financial Economics finds that compensation structures tied to performance outcomes can materially alter managers' risk preferences and lead to measurable changes in corporate risk-taking.

What Happens When Bonuses Are Expected Instead of Earned?

A pattern seen in long-standing organizations: incentive plans that consistently pay out, year after year, at roughly 99% of target achievement.

At first glance, this suggests strong operational execution. However, from an ERM perspective, it signals something more concerning:

  • Incentives are no longer “incentives”
  • They become embedded expected compensation
  • The system loses its ability to differentiate performance and risk-taking

When this happens, employees begin to assume bonuses are guaranteed. The behavioral effect is subtle but powerful: the link between performance, effort, and risk-taking weakens.

How do Compensation Incentives Produce Risk?

Incentives do not just reward outcomes; they shape how those outcomes are achieved.

We can all learn from recent major corporate failures such as:

  • Wells Fargo, where aggressive cross-selling targets contributed to the creation of millions of unauthorized accounts
  • Volkswagen, where emissions targets incentivized manipulation of environmental compliance systems

In both cases, the compensation logic was clear: hit the target, earn the reward.

But ERM logic was absent:

  • No effective risk guardrails
  • No adjustment for behavioral distortion
  • No constraint on how results were achieved

When pay is strongly tied to performance metrics, managers may increase exposure to hidden or tail risks in order to secure short-term outcomes. This often shifts risk into the future or outside formal measurement systems.

How Do Management Silos Create Incentive Risks?

  1. STRATEGY is owned by executive leadership. Strategy asks: Did we deliver results?
  2. COMPENSATION is owned by HR and the board compensation committee. Compensation asks: Should we pay the bonus?
  3. RISK is owned by the risk or finance function. Risk asks: Did we exceed risk appetite to get there?

When these systems are not integrated, organizations lose the ability to evaluate the full trade-off between return, behavior, and risk exposure.

This separation explains why incentive systems often unintentionally create risk: no single function is responsible for the combined outcome. The key insight is that people optimize what they are measured and paid on, even when it conflicts with broader enterprise risk objectives.

How to Rethink Incentives with Enterprise Risk Management?

The core challenge is not whether to use incentives, but how to ensure they do not silently undermine risk appetite. An incentive model backed by integrated enterprise risk management requires:

  • Clear alignment between strategy and compensation
  • Explicit incorporation of risk constraints into incentive design
  • Recognition that some risks require hard, non-negotiable thresholds
  • Awareness that incentives shape behavior long before risk reports detect issues

Risk management cannot operate as an external control layer. It must be embedded in how performance is defined. The Managerial Incentives and Risk-Taking paper shows that compensation schemes influence not just effort, but also the risk profile of decisions themselves, particularly when upside rewards are strong and downside consequences are limited or delayed.

Not all risk alignment requires complex models, and not all risk should be optimized. Some risks are better managed through absolute constraints than through weighted incentives, and some risks must be eliminated through design.

Incentives are not just a performance tool; they are a critical element of risk architecture.

Contact John McLaughlin at the ERM Exchange to audit your incentive program through the eyes of enterprise risk management.

About the Author