
Managing Complex Risks with an Intelligent ERM Program Powered by AI


Introduction

We are now operating in what the US military terms a VUCA environment: a market context marked by Volatility, Uncertainty, Chaos, and Ambiguity. Modern risks are increasingly black swan events with far-reaching impact across sectors, geographies, and ecosystems. A threat in one corner of the world can set off a global chain reaction almost immediately.

These forces create a risk context that traditional risk management approaches cannot effectively address, because those programs tend to be reactive, threat- or compliance-focused, and narrow in scope. They are not designed to detect threats of this kind or to respond in real time, and they are ill-equipped to quickly identify or mitigate interconnected risks that can escalate in magnitude. Risk leaders need more forward-looking strategies that anticipate and prepare for emerging risks and ensure a cross-functional, unified approach to risk management.

Risk Complexity Outpaces Decision-Making

The Systemic Risk Council identifies geopolitical instability, political uncertainty, macroeconomic disruption, and AI-driven security risks as the major interconnected risks for 2025. But interconnected risks are only one part of the problem. Organizations also need to watch out for strategic risk events that cause significant loss in market value.

Strategic risks emerge from events, decisions, or situations that tie to the strategic plan and can impede an enterprise from achieving its goals and business objectives. They can be unexpected black swan events like the COVID-19 pandemic, which disrupted supply chains and put global economies under unprecedented pressure. They can be strategic focus areas that morph into operational crises, such as cybersecurity threats. Or they can be geopolitical conflicts that disrupt critical sectors like energy and food security and cause significant human suffering.

Regardless of the trigger, strategic risks are highly complex and unexpected. They often emerge and spread quickly, and their typical profiles often make it hard to predict or model their frequency or severity. There is less time to react, greater impact uncertainty, and higher stakes, all of which can impact decision-making and operational and strategic outcomes.

Why Legacy ERM Systems Fall Short

Traditional ERM systems operate on structured processes across established risk categories and are typically aligned with compliance requirements. They meet regulatory mandates efficiently because they handle known and more predictable risks. The trouble is that emerging strategic risks run the gamut from black swans to white elephants [1], both difficult to predict and thus difficult to mitigate. Traditional ERM systems simply cannot keep pace with evolving strategic risks, because:

  • they offer limited visibility across business units;
  • there is delayed access to real-time data, making proactive action impossible;
  • there is siloed ownership of risks and fragmented governance;
  • these systems cannot efficiently prioritize and quantify risks; and,
  • they cannot deliver actionable insights into unknown risks.

To meet the challenges of the current volatile and complex risk landscape, enterprises need to focus on forward-looking, predictive ERM rather than static, backward-looking, compliance-oriented approaches.

The 3 Pillars of Intelligent ERM

An intelligent ERM strategy must use real-time data and advanced analytics not just to protect the business but also to give organizations faster, better decision-making. Here are the 3 essential pillars of intelligent ERM for managing strategic risks:

  1. Cognitive
    • Enterprise risk management must leverage artificial intelligence (AI) and advanced analytics to detect patterns, anomalies, and emerging risks.
    • It should use predictive modeling to assess qualitative factors like likelihood and impact as well as quantitative ones like frequency and severity. The model should then provide the team with comprehensive, actionable insights.
    • It must ensure compliance-based tracking and deliver insights into possible future risks and foresight to guide effective mitigation planning.
  2. Continuous
    • Enterprise risk management must ensure real-time risk monitoring and reporting so that organizations can respond proactively rather than reactively.
    • It must deliver the right information to the right people at the right time (RI+RP+RT) [2], ensuring relevance and quick action.
    • It must be adaptive and quickly adjust to changing risks or emerging threats.
    • It must be able to continuously improve risk processes with agile change management capabilities for proactive decision-making and adaptive planning.
  3. Connected
    • Enterprise risk management must break down silos between domains, functions, and business units to ensure a holistic view of enterprise risk.
    • It should facilitate intelligence sharing and documentation between risk owners, control owners, and decision makers.
    • It must ensure faster detection, precise mitigation, and even help identify opportunities that can be leveraged for better risk management.

The three-pillar approach helps establish a robust data and risk foundation across the enterprise with high levels of executive and board engagement. Most importantly, it embeds ERM into the heart of everyday decision-making across levels, helping establish a risk-aware culture that is critical for faster identification and mitigation of emerging risks.

AI-Powered ERM For Proactive Risk Management

It goes without saying that intelligent ERM needs artificial intelligence (AI) powered systems that can embed data-backed intelligence into every decision and enable real-time monitoring and adaptivity. AI enhances the organization’s ability to detect hidden risks that might otherwise go unnoticed and take risk management strategies from defensive to proactive, ensuring agility, resilience, and competitive advantage. An AI-powered ERM system must include:

  • Adaptive frameworks and management processes that evolve along with the risk landscape
  • Predictive scenario modeling and simulations to help prepare proactively for future volatility
  • Comprehensive integration of previously disconnected risk management systems and processes to ensure unified visibility and actionability
  • Real-time monitoring with dynamic dashboards that deliver actionable intelligence for short-term operations and long-term strategic planning

Organizations are already tapping into the power of AI to transform ERM. 75 percent [3] of enterprises already use or intend to leverage AI-powered risk management tools, especially for predictive analytics and compliance automation.

  1. AI is being used to scale capabilities. For example, instead of running only a few simulations, teams are now using AI to model thousands of stress tests and scenario models, deepening their understanding of vulnerabilities and resilience.
  2. AI is proving to be invaluable in mapping interdependencies. Risk leaders can now easily visualize how a singular disruption can snowball into a larger crisis impacting operations across markets and even ultimately damaging reputation.
  3. Predictive regulatory intelligence is helping organizations to anticipate policy changes before they are implemented, giving them the time to adapt early.
  4. Automated early warning systems can detect anomalies in near real time, reducing response times during crises, while richer datasets enable firms to quantify resilience by measuring agility and adaptive capacity.

Managing AI Risks with a Human in the Loop

While AI holds tremendous potential, it is critical to remain cognizant that it is a double-edged sword that is reshaping the risk landscape itself. AI can introduce new risks like model drift, cybersecurity vulnerabilities, algorithmic bias, and ethical challenges. And it is already being exploited by threat actors to launch highly sophisticated attacks and to blur the line between reality and fantasy.

Organizations must establish the proper guardrails around the use of AI in ERM. This includes robust cybersecurity measures, governance frameworks, and human oversight. In fact, I would go as far as to say that AI models must always work with a human in the loop. AI, and especially emerging agentic AI models, will doubtless be used to automate routine tasks with efficiency as the target. But for more sophisticated, even strategic applications, review and approval must rest with humans. Most importantly, organizations must first identify gaps and use cases, then deploy automation for reporting and insights, and finally embed AI-driven orchestration across ERM process components, while maintaining human oversight and interpretation.

Final Thoughts

Traditional ERM approaches that worked well for decades are no longer enough to address fast-moving, interconnected risks. Enterprises must shift from static, reactive defenses to proactive, intelligent risk management strategies. By balancing the speed and foresight of AI with the intuition and judgment of human leaders, organizations can build resilience, safeguard reputation, and turn risk management into a true source of competitive advantage.

Join Chris Mandel at his exclusive workshop at the GRC Summit 2025 in Las Vegas on November 17-18. Don't miss this opportunity to deepen your understanding of complex risk management powered by AI. Register now to secure your spot and be part of the future of governance, risk, and compliance!

[1] James Lam, "Animal Kingdom," NACD Directorship, Jan/Feb 2019: https://jameslam.com/wp-content/uploads/2020/09/NACD-Cover-Article_Animal-Kingdom_Lam-Jan-Feb-2019.pdf

[2] Source: Excellence in Risk Management, LLC

[3] "Top 10 AI Tools for Enhancing Customer Data Risk Management in 2025: A Comprehensive Review," SuperAGI


Christopher E. Mandel Founder & President, Excellence in Risk Management, LLC

Christopher E. Mandel is an assistant professor and faculty member of the College of Business at Embry-Riddle Aeronautical University, where he teaches risk-related courses. He previously served as Chief Risk Advisor to USI Southwest Insurance Services. Mr. Mandel retired twice, first as Chief Risk Officer, USAA Group (10 years) and later as SVP, Strategic Solutions for Sedgwick and Founding Director of the Sedgwick Institute (8 years). He remains the founder, president, and managing consultant of Excellence in Risk Management, LLC, and was also EVP, Professional Services for rPM3 Solution, LLC, both independent consulting firms specializing in enterprise and strategic risk management and related services. At USAA, he designed, developed, and led the award-winning enterprise-wide risk management program, which included serving as President and Vice Chairman of Enterprise Indemnity CIC, Inc., an Arizona-domiciled captive insurance company. Mr. Mandel has more than 35 years of experience in insurance and large global corporate risk management. He has served the Risk and Insurance Management Society (RIMS) as Chief Risk Officer (2003-04) and President (2002-2003), and in various other capacities over the years, including as a member of the Board/Executive Council from 1998 to 2004. He holds or has held board appointments to many diverse organizations within the risk industry. He was elected a founding member of Risk Who's Who in 2008 and teaches for the Risk Management Society, the National Alliance, and the International Center for Captive Insurance Education.

Mr. Mandel received his B.S. in Business Management from Virginia Polytechnic Institute and State University and a master’s in business administration from George Mason University. Between these university programs, he was conferred the CRM (Canadian Risk Management - 2018), RIMS Certified Risk Management Professional (CRMP) (‘17), C31000 (’17), RIMS Fellow (RF – ‘13), the CCSA (‘07), CPCU (‘87), ARM-E (‘90/’15) and AIC (‘82) designations and is a graduate of Every Nation Leadership Institute (ENLI). He was conferred the Certificate in Risk Governance by the Director’s Chief Risk Officer Institute (DCRO) and continues to be a frequent industry speaker, teacher and author. He was named Risk Manager of the Year – 2004, in 2008 was voted in as a member of Risk Who’s Who (RWW) and in 2016 received RIMS’ highest honor of the Goodell Award for lifetime achievement. He is recognized by his peers as a thought leader in ERM and related fields.