10. Juli 2026

Enterprise Risk Management

ERM has two tasks

Risk management has two tasks. Many systems are built for only one. In many organisations, disappointment in risk management comes less from poor execution than from executing the wrong task.

ERM has two tasks
Generated with OpenAI Media Service API

By Prof. Dr. habil. Stefan Hunziker

In many risk management systems, I see confusion. Financial resilience and strategic decision quality are treated as if they followed the same risk management logic.

The first task is to protect financial resilience by assessing whether the organisation can absorb aggregated losses arising from unfavourable developments without exceeding its financial capacity. This is the domain of risk-bearing capacity.

The second task is to improve strategic decision-making under uncertainty by clarifying which strategic decision is at stake, which assumptions must hold for it to work, and how we would notice early that an assumption no longer holds.

Quantification matters in both tasks, but its function differs. The capacity task helps assess whether aggregated losses remain within financial capacity. In the decision task, it helps structure uncertainty, make ranges visible and improve the decision conversation by making assumptions explicit, clarifying trade-offs, identifying robust alternatives, defining early signals and agreeing on decision triggers.

The two tasks are connected. Strategic decisions reshape risk-bearing capacity, and capacity limits strategic room. The hinge between the two is the risk appetite implied by important decisions. Connected, however, is not identical: they follow different logics and need different tools, rhythms and success measures.

The consequences show up in two opposite ways. In some organisations, risk management is reduced to risk registers, heat maps and annual ranking exercises, with no aggregation, no capacity view and no meaningful discussion of financial resilience.

In others, often the more sophisticated, the opposite happens. The standards of the capacity task are applied everywhere, every risk is quantified, every judgement translated into a distribution, and every strategic uncertainty pressed into the same machinery as insurable losses. The result may look rigorous while leaving strategic decisions unchanged, and the modelling effort can crowd out the conversation that the decision task requires.

This is why the debate between qualitative and quantitative risk management is misleading, because it compares methods before clarifying the task. Quantification is constitutive for resilience and useful for decision-making, while judgement remains necessary in both. So before discussing the maturity of a risk management system, ask the prior question: which task is it supposed to perform?

Many risk management implementations I have seen were executed carefully, but they served the wrong task.

Kommentare

0 Kommentare

Kommentar verfassen

Danke für Ihren Kommentar, wir prüfen dies gerne.