Skip to Content

Would Management Miss ERM if it Were Gone?

Blogs Muhammad Shahrukh, CIA, CA, CPA Jul 13, 2026

I sometimes wonder what would happen if I turned up to work and discovered that the enterprise risk management (ERM) function had disappeared overnight.

The risk registers are gone. The heat maps have disappeared. The risk appetite statements are no longer being updated. The quarterly risk reports are no longer being produced.

Some interesting questions emerge: Would management make decisions any differently? Would the CEO approach a major investment differently? Would the executive team evaluate strategic initiatives differently? Would the board find itself unable to discharge its responsibilities?

If the answer is no, then we should be willing to ask an even more difficult question: What value was the ERM function really providing?

That may sound harsh, but it is not intended to be. Most ERM professionals work hard and genuinely want to help their organizations succeed. The problem, at least from where I sit, is that in many organizations, ERM has become an exercise in maintaining the appearance of risk management rather than improving decision-making.

A comprehensive risk register is duly maintained. Yet when a company is considering an acquisition, entering a new market, launching a major project, or making a significant investment, how often does management reach for the risk register?

Risk management was never meant to be an exercise in maintaining a catalogue of things that could go wrong. Its purpose is much simpler than that. It exists to improve the quality of decisions and increase the likelihood that objectives will be achieved. Somewhere along the way, many organizations seem to have forgotten that.

The Incorrect Starting Point

A lot of ERM discussions begin with risks. I have always found that slightly backwards. Risks only matter because objectives matter. Without an objective, a risk is simply a bad thing that might happen.

The first question should not be, “What are our risks?” It should be, “What are we trying to achieve?”

If I were building an ERM function from the ground up, I would spend less time creating inventories of risks and more time understanding the objectives that matter most to the organization. I would start with the board, the CEO, the chief financial officer, and the strategy team and ask: What are the handful of outcomes that really matter over the next few years? The objectives the organization is most keen to achieve?

Once those objectives are clear, I would move down to the business units. Every department will produce a long list of objectives, but many have little connection to strategic success. I would focus only on those objectives that directly or indirectly support enterprise objectives.

The Laundry List of Risks

Organizations often fall into another trap: endless inventories of risks. The result is predictable. Everything becomes important. Which means nothing is important. In reality, the most critical objectives are threatened by only a handful of significant risks.

If I were responsible for ERM, I would identify the top three risks most likely to prevent each critical objective from being achieved. Not ten. Not twenty. Three.

Most of my attention would be spent understanding those few risks, evaluating the controls that matter, monitoring changes in exposure, and ensuring management considers them when decisions are being made. Attention, time, and management bandwidth are all finite. Risk management should treat those resources with respect.

What Actually Constitutes a High Risk?

Organizations tend to overuse the word “high risk.” In my experience, only a small number of events have the potential to threaten the survival or long-term viability of an organization:

  1. Severe cash flow or liquidity problems.
  2. Loss of a major customer or revenue source.
  3. Significant regulatory or legal non-compliance.
  4. A major cybersecurity incident.
  5. Serious reputational damage.

Reasonable people will disagree with the list, and perhaps they should. My point is not that these are the only risks that matter. My point is that organizations often spread their attention too evenly across risks that are not remotely equal in significance.

The true measure of ERM success

This brings me back to the original question: If ERM disappeared, would management miss it? The success of an ERM function should not be measured by the number of risks identified or the quality of its risk reports.

The real test is much simpler: Are decisions better because risk information is available? Are objectives more likely to be achieved because someone has helped management think clearly about uncertainty? If the answer is yes, the ERM function is creating value. If the answer is no, then no amount of documentation, reporting or framework maturity can compensate for that failure.

Then, sadly, the organization does not have an ERM function at all. It merely has the appearance of one.

The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of The Institute of Internal Auditors (The IIA). The IIA does not guarantee the accuracy or originality of the content, nor should it be considered professional advice or authoritative guidance. The content is provided for informational purposes only.

Muhammad Shahrukh, CIA, CA, CPA

Muhammad Shahrukh is the head of internal audit at SAL Saudi Logistics Services in Jeddah, Saudi Arabia.