Why Enterprise Risk Management Is Breaking Down—and What 2026 Demands Instead: A Perspective
Enterprise Risk Management was designed for a world that no longer exists.
For years, ERM has promised coherence: identify risks, assign owners, monitor controls, and reassure boards that uncertainty is being managed. That model worked reasonably well when risks were discrete, regulations were stable, and technologies evolved at a pace that organizations could absorb. In 2026, this logic is strained. This is not because organizations are careless about risk but because risk itself has become faster, more interconnected, and harder to locate within traditional governance structures.
What many leaders describe today as “ERM challenges” are better understood as symptoms of a deeper breakdown: the assumption that risks can be neatly categorized, owned, and mitigated within functional silos.
The New Risk Reality: Everything Is Connected
Three forces are converging to stretch ERM beyond its design limits.
First, AI has moved from being a tool to being infrastructure. Algorithms influence hiring, grading, research prioritization, credit decisions, and cybersecurity defenses. However, many organizations still treat AI risk as a subset of IT or compliance. The result is familiar: ethical concerns sit apart from operational risks, which sit apart from strategic ones, while the algorithm itself cuts across all three.
Second, regulatory complexity has intensified risk exposure rather than clarified it. Frameworks such as the EU AI Act and DORA do not merely add reporting obligations; they redefine the concept of accountability. Transparency, human oversight, and lifecycle risk management are no longer aspirational principles; they are enforceable expectations. For executives, particularly CISOs, CROs, and board members, personal liability is no longer a hypothetical concern. It is embedded in fragmented governance systems that struggle to present a unified view of exposures.
Third, organizational ecosystems are inseparable from risk. Cloud concentration, third-party AI models, data supply chains, and research collaborations mean that risk increasingly resides outside institutional boundaries. However, ERM structures remain inward-looking, optimized for the assets and processes that organizations directly control.
The problem is not that ERM is failing to keep up with the latest developments. It is that ERM was never designed for a world where risk is systemic rather than siloed.
Why Siloed ERM No Longer Works
Most ERM frameworks still assume that risks can be categorized—strategic, operational, compliance, and cyber—and addressed through ownership and escalation. In practice, this creates a blind spot.
Consider AI governance. Bias is often treated as an ethical issue. Opacity is a technical issue. Regulatory exposure is framed as an issue of legality. However, in reality, these risks are inseparable. An opaque model can introduce bias, which can trigger regulatory scrutiny, and regulatory failure can damage institutional trust and financial stability. When risks are managed separately, the system behaves unpredictably.
Higher-education institutions illustrate this challenge vividly. Universities face declining enrollments, tightening finances, deferred infrastructure maintenance, and growing regulatory scrutiny while simultaneously embedding AI into teaching, research, and administration. Cybersecurity teams focus on breaches, compliance teams on audits, academic leaders on pedagogy, and research centers on innovation. ERM exists, but often as a reporting mechanism rather than a strategic integrator.
The result is not a lack of risk awareness. It is a lack of risk coherence.
AI Governance Is Stress-Testing ERM
AI governance exposes the limitations of traditional ERM more clearly than any other domain.
Regulators now expect organizations to understand not only what AI systems do but also how they evolve over time, how data are sourced, how models are trained, how decisions are explained, and how outcomes are monitored. This requires cross-functional collaboration among legal, technical, academic, and operational leaders. However, most ERM processes are not designed to support this level of integration.
In practice, organizations respond by adding layers, such as new policies, committees, and dashboards. Ironically, this often increases risk by slowing decision-making and obscuring accountability. When everyone is responsible, no one is truly responsible.
AI governance does not demand more control but a different way of thinking about risk—one that treats AI as a living system embedded in organizational purpose, not a static asset to be audited annually.
The Leadership Challenge: Accountability Without Visibility
Perhaps the most uncomfortable shift in ERM is at the leadership level.
Boards and regulators increasingly expect executives to demonstrate foresight, anticipate risks before they materialize, and prove that governance systems are effective in real time.
However, many leaders operate with incomplete visibility, relying on fragmented GRC platforms and lagging indicators. Accountability is increasing faster than insight.
This gap is particularly pronounced in environments such as business schools and research centers, where academic freedom, ethical responsibility, and regulatory compliance coexist.
Leaders are asked to encourage innovation while preventing misuse, promote access while ensuring equity, and deploy AI while proving the necessary control.
Traditional ERM offers reassurance to stakeholders. Leaders now need risk sense-making.
Toward ERM as Strategic Sense-Making
The future of ERM is not about perfect predictions or total control. It is about integration.
Organizations that navigate 2026 effectively will treat ERM less as a compliance function and more as a strategic capability that can create value. This means:
1. Designing governance structures that cut across silos, rather than reinforcing them.
2. Viewing AI, regulation, and ecosystem dependencies as interlocking risk systems, not separate domains.
3. Shifting from periodic risk reporting to continuous risk interpretation—where leaders understand not just what is happening, but why it matters now.
In higher education, this requires embedding ERM into institutional strategy: linking enrollment risk to digital transformation, AI adoption to pedagogy and equity, and compliance to long-term resilience. In research environments, this means governing innovation without suffocating it.
Most importantly, it requires leaders to accept that risk management is no longer about minimizing uncertainty. It involves building organizations capable of operating responsibly within it.
The Path Forward
ERM is not obsolete; however, its underlying logic is.
In a world shaped by AI, regulatory acceleration, and interconnected ecosystems, risk cannot be managed at the edges of an organization. It must be at the center of strategic thinking. Institutions that succeed will be those that stop asking how to control risk and start asking how to understand and integrate it.
This shift is less about new tools and more about new leadership assumptions. This may be the most important governance challenge that organizations face in 2026.
Dr. Hemachandran K (Vice Dean and Director of AI Research Centre, Woxsen University, Hyderabad, India)
&
Dr. Raul Villamarin Rodriguez (Vice President, Woxsen University, Hyderabad, India)