In a recent NeuGroup for Enterprise Risk Management roundtable, more than 20 senior risk, audit, and compliance leaders came together for a candid conversation about the state of enterprise risk management. This group of practitioners sat down to compare what is actually working and where traditional approaches are falling short.

What was clear is that ERM is being pushed to evolve faster than ever. Risk is moving faster, expectations are rising, and leaders are being asked to deliver insight, not just activity. Here is what stood out.

Why ERM Is Being Rewritten Right Now

Risk leaders are operating in an environment defined by speed and complexity. Teams are expected to cover more ground with limited resources while keeping leadership informed on what matters most.

Boards and executives are asking better questions. They want to understand what is changing, what it means for the business, and what actions should follow. Traditional ERM models, built around static risk registers and periodic reporting, are struggling to keep up.

As one participant shared, the goal is no longer to document risk. It is to make risk meaningful to the business. That shift is driving a fundamental change in how ERM programs are designed and delivered.

Reclaiming Time and Focus

One of the most consistent challenges discussed was time. Risk teams are spending too much of it maintaining processes instead of generating insight.

Leading organizations are addressing this by simplifying how risk information is captured and used. In one example, a team implemented short, repeatable assessments that take just minutes to complete. These inputs automatically connect risks to owners, mitigation actions, and downstream processes like audit and reporting.

The goal is not to add another layer of work. It is to plug into existing workflows and make risk part of how decisions already happen.

This shift also changes how risk teams show up internally.
Several leaders emphasized moving away from the role of “compliance cop” and toward becoming educators and partners to the business. When risk is embedded into everyday processes, it becomes easier to maintain and more valuable to the organization.

Building Adaptive Risk Culture

If there was one idea that resonated across the group, it was that risk ownership cannot sit with one team.

High-performing organizations are building cultures where risk is understood and owned across the business. That requires both top-down alignment and bottom-up engagement.

Some organizations are structuring their programs across multiple levels, such as project, regional, and enterprise, each with distinct risks and perspectives. Others are focusing on how they communicate risk, tailoring the message so it is relevant to different audiences.

One story shared during the session captured this mindset well. A farmhand who could sleep through storms was not ignoring risk. He had prepared for it ahead of time. The work was already done.

That is the goal of an adaptive risk culture. Teams are not reacting in the moment. They are ready because risk has already been considered, discussed, and built into how they operate.

This kind of culture does not happen overnight. It requires consistent effort, clear ownership, and the ability to adjust as conditions change.

Future-Proofing ERM Programs

As organizations mature, many are looking beyond ERM as a standalone function and focusing on how it connects with the rest of the business.

One of the most important shifts is the move toward tighter integration across ERM, internal audit, and compliance. Rather than operating in silos, these functions are increasingly connected through shared data, workflows, and priorities. This alignment improves visibility across the organization and strengthens conversations with executive stakeholders.

This visibility gives leaders a clearer view of where risk is emerging and what actions are needed.
It also enables a more proactive model, where risk insights help guide audit focus and compliance activities earlier, rather than reacting after issues occur.

As these connections mature, organizations are better positioned not only to respond to risk, but to demonstrate the impact of their programs, including what potential issues were avoided through earlier intervention.

There is also growing interest in how technology, particularly AI, can support ERM programs. Today, adoption is pragmatic. Leaders are using AI to analyze trends, surface insights, and improve efficiency.

At the same time, there is a strong emphasis on validation. As one participant put it, teams are in a “trust but verify” phase. The focus is on building a strong data foundation and helping teams become comfortable with new tools before expanding their use.

Organizations that take this approach are positioning themselves to take advantage of more advanced capabilities as they mature.

What High-Performing ERM Programs Have in Common

Across the discussion, a few clear patterns emerged. The most effective programs are:

Built to enable the business. Risk teams act as partners and educators, helping teams make better decisions instead of enforcing compliance.

Connected across functions. ERM, internal audit, and compliance share information and work toward common goals.

Embedded into existing workflows. Risk processes align with how the business operates, reducing friction and increasing adoption.

Designed for adaptability. Programs evolve with changes in the business environment, leadership, and external risk factors.

Focused on demonstrating value. Teams are showing not just what happened, but what was prevented and how risk management supports business outcomes.

These characteristics reflect a broader shift toward integrated risk management, where data, workflows, and insights are connected across the organization to support faster, more informed decisions.

From Risk Management to Strategic Enablement

The role of ERM is expanding. As expectations grow, risk leaders have an opportunity to move beyond reporting and become more directly involved in shaping strategy.

When risk insights are timely, relevant, and clearly tied to business outcomes, they become far more valuable to executive decision-making. Leading teams are increasingly focused on showing not just what happened, but what was prevented, thus demonstrating how earlier visibility and action reduced exposure or avoided disruption altogether.

That ability to quantify and communicate impact is what elevates ERM from a reporting function to a strategic partner. It is also what creates momentum for a more integrated approach, where risk, audit, and compliance operate as a connected program rather than separate activities.

Organizations that invest in this foundation are better positioned to adapt, respond, and lead through change.

Explore how to modernize your ERM program with an integrated approach. See how Origami Risk connects ERM, audit, and compliance in one platform to give you the visibility and flexibility to act with confidence.