
Too late to matter: When risk enters the conversation after the decision is taken

Why Risk Must Sit at the Table — Before Strategy Is Set

We are operating in an age of deep uncertainty. Change is faster, risks are more interconnected, and shocks rarely arrive one at a time. Yet many organisations still manage risk as if the world were stable — through periodic assessments, static reports and long lists of “top risks”.

This approach creates comfort, not clarity.

Traditional ERM was built to catalogue risks. Today, that is no longer enough. The real task of risk management is to help leaders navigate uncertainty, not document it. Risk is not about predicting the future; it is about improving decisions made under uncertainty.

Strategic risk is where it matters

Most major value losses do not come from operational failures. They come from strategic risk — flawed assumptions, weak signals ignored, or strategies formed without fully understanding uncertainty.

Strategic risk is often narrowly defined as the risk of executing the strategy in practice, but it is about much more than this. Importantly, it includes how strategy is formed. If the assumptions behind a strategy are wrong, everything built on top of that foundation will be unstable. That is why risk must be involved before decisions are finalised, not afterwards as a compliance check.

Put simply: strategy is risk, and risk is strategy.

From reports to decision support

Risk functions still spend too much time producing reports and too little time supporting decisions. Reporting can increasingly be automated. Insight cannot.

Value comes from:

  • Challenging assumptions
  • Showing ranges, uncertainty and alternative outcomes
  • Connecting weak signals across silos
  • Helping leaders understand what could happen, not just what has happened

This requires a shift from deterministic forecasts to probabilistic thinking, from snapshots to dynamic risk management, and from hindsight to foresight.

A seat at the table — early

For ERM to remain relevant, risk functions need a strong mandate, professional competence, and direct access to executive management and the board. Most importantly, they must be positioned as strategic advisors, not compliance clerks.

Risk must have a seat at the table where decisions are made — and it must be there early.

Call to action

Ask yourself — or your board:

  • Is risk actively shaping our strategic decisions, or merely reviewing them?
  • Do we discuss uncertainty before choices are locked in?
  • Does our risk function provide insight, or just information?

If the answer is unclear, it is time to rethink how risk management is positioned — and whether it truly has a seat at the table.

Martin Stevens from the Risk Management Network of IIA Norway held a presentation at the GRC conference of IIA Sweden in April 2026. This blog summarises his key message based on the Board Guidelines for Risk Management and ERM – Guidelines for the Risk Function published by IIA Norway.
