When Risk Management Is Treated Like a Role, Not a Responsibility

Jul 13, 2025

The Rise of Risk Roles Across Organisations

Enterprise Risk Management is in the spotlight, with a surge of new positions appearing on more and more organisational charts. Across both public and private organisations, we’re seeing the allocation of more resources and the formation of dedicated risk units, with newly appointed heads of risk and risk teams, and internal frameworks being put into place. That, in theory, should be good news.

Behind the Trend: The Quiet Limitations

But there’s another side to this trend. One that deserves more attention.

In many organisations, these teams are primarily tasked with operational activities: coordinating workshops, compiling reports, maintaining registers, and producing risk heat maps. They apply well-known frameworks such as ISO 31000 and the COSO ERM Framework, including efforts to align compliance risk practices with the principles in Enterprise Risk Management – Integrating with Strategy and Performance. They do what’s expected of them.

They keep the wheels turning. But over time, a familiar question starts to surface: what is the real contribution of ERM activities, and what’s next?

When Risk Teams Are Stranded Without Strong Mandate

Often, there’s no clear answer to this. With little strategic guidance or room to grow, risk teams run out of ideas and keep repeating the same routines over and over again. While their efforts are well-intentioned, they often reflect a function struggling for relevance without the mandate or capability to influence where it matters most.

Without genuine top-level commitment and vision, many risk functions become stranded.

They aren’t given the authority to challenge strategy or reshape decision-making processes. Instead, they’re confined to managing the basic mechanics, without a seat at the table where risk trade-offs are discussed and choices are made.

Capability Gaps That Remain Unspoken

But this isn’t just a leadership issue. It’s also a capability one.

Too often, risk professionals are expected to “learn on the job.” And while experience matters, it rarely offers the structured exposure or deep development needed to function as an internal strategic risk advisor. At the same time, some individuals are hired into senior risk roles based on what their resumes say about their previous responsibilities – titles, tasks, and project involvement. In such cases, the expectation is no longer to learn, but to lead and deliver.

Yet without broader exposure, intentional continuous upskilling and deeper mentorship, even experienced professionals may find themselves navigating unfamiliar challenges. Even widely used frameworks like ISO 31000 or COSO, while valuable in setting direction and structure, don’t prepare someone to apply risk thinking effectively across diverse and evolving business and operational contexts. This mismatch between expectations and actual readiness often goes unaddressed, leaving both the individual and the organisation exposed.

What Risk Professionals Really Need to Succeed

To be effective, risk professionals need more than just an understanding of risk principles and knowledge of standard methodologies. They need to build real-world capabilities in areas such as:

  • Risk landscape scanning and strategic alignment

  • Tools for assessing emerging risks and driving innovation

  • Understanding and implementing enterprise risk frameworks

  • Risk and performance integration

  • Business continuity and operational resilience

  • Stakeholder communication and influence

  • Psychology of risk and fostering a risk-aware culture

  • Designing and refining internal processes for decision support

These are not just academic knowledge topics. They’re practical, applied competencies that shape how risk professionals engage with leadership, influence outcomes, and add value across the organisation. Without this depth, even the most dedicated teams can find themselves stuck, replicating templates, recycling reports, and rotating across roles without ever shifting the needle.

A Call to Build Risk Depth with Purpose

The future of risk work depends on whether we invest in building this depth intentionally, comprehensively, and with clear expectations about what sound and effective risk management looks like.

Risk professionals are not there to decorate the org chart or to check the compliance box. They are there to guide the organisation through uncertainty, to ask the questions others miss, and to anchor decisions in long-term thinking.

But they can only do that if we give them the space to grow, the mandate to lead, and the training to thrive.


Looking to strengthen your ERM capabilities with structure, clarity and relevance?

Want to be thoroughly trained and certified like our alumni from AON, KPMG, SingHealth, Ministry of Home Affairs, Changi Airport Group, Airbus and many more?

Explore the Certified Professional Risk Manager (ARiMI-CPRM™) Program and start building the skills that matter.