Enterprise risk management often promises insight but delivers assurance. As boards push for clearer, risk-informed choices, risk leaders need to move beyond compliance-driven GRC workflows and towards decision-focused measurement that links risk to objectives, an approach Face the Risk is helping organisations put into practice.

In association with Face the Risk


How often have we heard that enterprise risk management is not meant to be about governance or blame, but about connecting information, data, decisions, and accountability in a way that looks ahead rather than backward? Most risk leaders agree with this in principle, but in practice are limited by ERM or GRC programmes that still operate in ways that prioritise assurance over insight and compliance over choice (Figure 1).

Figure 1

This is because most risk work is currently reliant on GRC platforms built around workflows that are very good at answering a familiar question: Are we in control? But they struggle to answer, with increasing urgency: What should we do next?

Strategic risk managers need to evolve past GRC workflows that institutionalise assurance and emphasise traceability over effectiveness and ROI against objectives. This means demanding workflows that stop treating risk as discrete items, stop emphasising likelihood scoring without considering impacts on objectives, and stop measuring success through compliance completion rather than real risk reduction. In short, workflows need to drive better data quality so that risk registers can fuel strategic decision-making.

In 2026, risk leaders, CFOs, COOs and board members can help shift the focus from risk tracking to risk-informed decision making by demanding five strategic actions from their teams (Figure 2).

Figure 2

Organisations that adapt their risk methods to use existing decision science measurement methods can move beyond risk identification to true risk measurement that lets leadership see their relative risks, in ROI terms. More importantly, risk decisions can be justified on the basis of contribution to objectives, instead of mere likelihood reductions.

1. Size risk across the enterprise or project, require measured estimates

Demand that risk “estimates” can be compared across silos. Risks are typically labelled using nominal or ordinal tags such as high, medium, low, or 1 through 5. Even when GRCs succeed in establishing uniformity of process, these “labels” are often improperly multiplied or added in ways that do not permit true sizing of risk and that invalidate simulation and optimisation capabilities.

Leaders should now be demanding the use of decision-analysis techniques and AI-enabled modelling to deliver real measures of risk without oversimplification. Today, it is possible to express risk for the enterprise, for a project, or even for a single event using ratio-scale metrics that allow anyone in the organisation to understand how much risk exists and by how much a risk reduction scenario will reduce that risk (Figure 3). 

Figure 3

2. Ensure your risk analysis considers impact on objectives in addition to likelihood of occurrence

Too many risk assessments over-emphasise the likelihood that a risk will occur. That’s understandable: GRC systems and other databases provide a great deal of actuarial data on likelihood of occurrence, and there is a plethora of treatment databases that explain how to reduce the likelihood of risk events.

On the other hand, very few GRCs consider the impact on organisational objectives, and even when they do, they do not measure that impact in a way that allows senior leadership to conduct sensitivity analyses or compare scenarios. Just as any other project within an organisation must specify how much it will contribute to the achievement of organisational objectives, risk leaders should require clarity on how much exposure stems from threats to organisational objectives versus event probability alone. Ask your risk management team to document how they quantify treatments that reduce the likelihood of risk events (the left-hand side of Figure 4 below) versus those that alleviate the impact on organisational objectives (the right-hand side of Figure 4 below).

Figure 4

3. Distinguish compliance-driven treatments from strategy-driven activities

Determine the degree to which your current risk efforts focus on the right risks. Not all controls exist for the same reason. Some are mandated by regulation; others exist to enable strategic outcomes. Leaders should insist on transparency around this distinction and understand how much risk reduction each category delivers.

Your risk team should be able to explain the degree to which the cost-benefit of “mandated treatments” or “MUSTS” aligns with treatments that deliver strategic benefit. Insist that your risk team compares control portfolios optimised to deliver ROI against your current control portfolio. Use portfolio optimisations to compare funded versus unfunded controls that meet objectives, subject to custom constraints.

Even better, when treatments are required as “MUSTS” by regulators or GRC tools, insist that your team considers treatment levels that may exceed basic regulatory requirements while simultaneously delivering impact against objectives.

4. Prioritise and optimise risk treatment portfolio for return on investment

A mature risk function should show how exposure changes under different treatment choices. This includes identifying redundant controls, reusing treatments across silos, and understanding how risk changes with and without mandatory GRC requirements. The goal is effective controls that, beyond mere compliance, are also designed to be shared (the military refers to this as inheritance and reciprocity) and optimised against resource constraints.

When your risk team “mandates” a new control, citing legal or regulatory requirements, are they also delivering an analysis that shows the standalone risk reduction versus the cost of implementing that control? Will that new, often manual, control exist in perpetuity, or should it be entered into an optimiser to determine whether it is truly warranted?

Figure 5

5. Model risk reduction scenarios under real budget constraints

Boards understand how to allocate capital; they do not need to be bothered with control inventories. That said, risk teams should deliver reporting that shows how exposure to risk changes at different funding levels for control portfolios, highlighting which controls deliver the greatest marginal benefit and enabling informed trade-offs.

Trade-off techniques and efficient frontier optimisations (Figure 6) exist today that allow control portfolios to be compared along an efficient frontier across funding levels, making it easier to communicate the benefits of a risk programme to the CFO and COO.

Figure 6
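The following is an added illustration of the measurement approach argued for in sections 1, 4 and 5 above; it is example code written for this page, not a Face the Risk tool or model. It assumes constructed sample risks and treatments: each risk is sized on a ratio scale as an annualised expected loss, each treatment scales either the likelihood or the impact of one risk, and an efficient frontier is built by finding the best affordable treatment set at each budget level.

```python
from itertools import combinations

# Constructed sample data, not from the article. Risks sit on a ratio scale
# (annual probability and loss to an objective), so exposure is an expected loss.
RISKS = {
    "r1": {"p": 0.20, "impact": 500_000},
    "r2": {"p": 0.05, "impact": 2_000_000},
    "r3": {"p": 0.40, "impact": 100_000},
}
# Each treatment scales one risk's likelihood or its impact (1.0 = no effect),
# mirroring the likelihood/impact split the article draws in Figure 4.
TREATMENTS = {
    "t1": {"cost": 30_000, "risk": "r1", "p_factor": 0.50, "impact_factor": 1.0},
    "t2": {"cost": 80_000, "risk": "r2", "p_factor": 1.00, "impact_factor": 0.4},
    "t3": {"cost": 10_000, "risk": "r3", "p_factor": 0.25, "impact_factor": 1.0},
    "t4": {"cost": 50_000, "risk": "r1", "p_factor": 1.00, "impact_factor": 0.6},
}

def expected_loss(risks, treatments, chosen=()):
    """Annualised expected loss after applying the chosen treatments."""
    total = 0.0
    for rid, r in risks.items():
        p, impact = r["p"], r["impact"]
        for tid in chosen:
            if treatments[tid]["risk"] == rid:
                p *= treatments[tid]["p_factor"]
                impact *= treatments[tid]["impact_factor"]
        total += p * impact
    return total

def standalone_reduction(risks, treatments, tid):
    """Reduction one treatment delivers alone; not additive across treatments on one risk."""
    return expected_loss(risks, treatments) - expected_loss(risks, treatments, (tid,))

def efficient_frontier(risks, treatments, budgets):
    """For each budget, the affordable treatment set with the largest reduction.
    Brute force is fine for a few treatments; real portfolios need a solver."""
    base = expected_loss(risks, treatments)
    frontier = {}
    for budget in budgets:
        best = ((), 0.0, 0)  # (treatment set, reduction, cost)
        for k in range(1, len(treatments) + 1):
            for combo in combinations(treatments, k):
                cost = sum(treatments[t]["cost"] for t in combo)
                reduction = base - expected_loss(risks, treatments, combo)
                if cost <= budget and reduction > best[1]:
                    best = (combo, reduction, cost)
        frontier[budget] = best
    return frontier
```

Because two treatments on the same risk multiply rather than add, the standalone reductions of t1 and t4 (50,000 and 40,000) sum to more than their combined effect (70,000), which is why ordinal labels and per-control scores cannot simply be added up.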

From assurance to advantage

Although GRC platforms remain essential for compliance, they are not currently built to guide strategic decisions under uncertainty. In 2026, the strongest risk leaders will be those who demand strategic risk functionality that ensures risk information focuses leadership on governing risk actions that measurably matter most to organisational objectives.

This is where Face The Risk plays a role—helping organisations translate enterprise risk insight into clear, prioritised actions for leadership under real-world constraints.