
ERM is dead (as we know it): Why strategic resilience must lead in 2026

Published: 05 Feb 2026

Traditional Enterprise Risk Management (ERM) is dead. A controversial statement perhaps.

In 2025, many of the most damaging organisational crises did not arise from black-swan events, but from familiar internal weaknesses: misaligned strategy, weak governance, fragile operations, and decisions that failed under pressure. External forces – geopolitics, cyber escalation, climate extremes, and regulatory fragmentation – did not create these problems; they simply exposed them faster.

McKinsey has noted declining confidence in traditional risk frameworks, particularly in addressing emerging and interconnected risks linked to technology, resilience, and long-term value. Volatility is no longer the exception but the baseline, with board agendas dominated by systemic cyber risk, AI governance failures, supply chain concentration, and persistent polycrisis conditions. We believe enterprise list management is no longer sufficient. The answer is not to abandon ERM, but to evolve it. Risk management must be combined with organisational resilience in a practical and usable way.

A familiar story

Weaknesses in risk management show up in all too familiar ways:

  • Risk registers grow longer, not sharper
  • Risk discussions remain disconnected from strategy and capital decisions
  • Time is spent scoring risks rather than debating what truly matters
  • Downside threats dominate, while resilience and opportunity receive less attention
  • Analysis relies on historical data that no longer reflects current conditions
  • Risk appetite statements are difficult to apply in practice
  • Likelihood scoring provides reassurance rather than insight
  • ERM is seen as compliance support, not decision support

These challenges are not about effort or capability. The problem is one of fit for purpose: a model designed for stability is being stretched to manage complexity.

We believe resilience thinking does not replace risk management; it strengthens it by changing the starting point. Instead of asking, “What risks do we have?” it asks, “What outcomes must we continue to deliver, whatever happens?” That shift brings four practical concepts into play.

Focus on the essential strategic priorities

Organisations exist to deliver strategic objectives and outcomes, not to protect processes. Defining these drives clarity about what really needs to keep working. Resilience is what underpins the delivery of these outcomes, even when processes or systems fail.


Strategic Resilience Management brings together the discipline of ERM and the adaptability of resilience into a single operating model based on four pillars:

  • Integrated intelligence – a short, focused view of material risks linked to essential outcomes.
  • Adaptive capacity – resilience designed into operations, technology, and workforce arrangements.
  • Strategic embedding – risk and resilience actively informing strategy, investment decisions, and board discussions.
  • Value creation – resilience treated as a source of advantage, not just protection.

This is not ERM with a continuity add-on. It is a different way of organising risk and resilience capabilities around how organisations actually function under pressure.

Delivering value

Strategic Resilience Management moves risk management beyond maintaining lists and frameworks to enabling faster, more effective Executive and Board conversations and strategic decisions. By focusing on anticipation, absorption, and adaptation, organisations build the capacity not only to withstand disruption, but to evolve strategy through it and seize new opportunities. Regular exercising and scenario planning strengthen organisational capabilities and develop the ‘muscle memory’ needed to respond quickly to future challenges.

For internal audit and risk practitioners, this approach increases professional relevance and influence by shifting the focus from risk reporting to outcomes, scenarios, and decision-ready insight.
Imagine being invited into executive and board discussions earlier and more constructively, with credibility through input that supports clear, timely decisions under uncertainty.

We believe this approach provides:

  • Clearer decision support that highlights trade-offs and priorities amid uncertainty
  • Targeted capital allocation, directing investments where disruption would have the greatest impact and avoiding unnecessary controls
  • A refreshed narrative that engages sceptical stakeholders and clarifies roles and accountabilities
  • Reduced impact of incidents, shortening recovery times and limiting secondary damage such as reputational harm or regulatory consequences
  • Alignment across risk, continuity, security, operations, and strategy teams, cutting duplication and improving crisis collaboration
  • Confidence from Boards, regulators, investors, and customers, who now expect proven resilience capabilities—not just compliance checklists
  • Organisational agility and culture, where risk is seen as an enabler rather than a barrier

Boards are raising their expectations. Regulators, customers, and investors are following suit. Many organisations remain unprepared for the next major disruption. Moving the focus to outcomes and resilience will close the expectations gap, positioning internal audit and risk teams as strategic partners in building resilient, competitive organisations.

Moving forward

We believe you could take the following steps:

  1. Anchor risk discussions around essential objectives and outcomes
  2. Rethink likelihood scoring and move toward plausibility thinking
  3. Define impact thresholds and resilience indicators
  4. Bring together risk, continuity, security, and intelligence
  5. Use regulatory requirements to build capability, not just evidence compliance

ERM as enterprise list management is dead. Strategic Resilience Management is the next step: integrated, adaptive, and focused on what truly matters.