The Horizon Challenge: Why ERM Must Now See What Hasn't Happened Yet

Enterprise Risk Management | William C Hord
This is the fourth and final article in a series that has traced a single thread through four interconnected challenges in enterprise risk management at financial institutions.
We began by examining how AI has embedded itself into risk workflows faster than governance frameworks can follow — and why most institutions cannot yet defend what their AI is doing when an examiner asks. We then turned to the data layer beneath that: how fragmented data architecture has transformed from a back-office technology challenge into a frontline regulatory exposure, creating what we called the lineage trap. In the third article, we confronted the structural reality that most institutions do not have a risk program in the truest sense — they have a collection of well-managed risk functions that cannot answer the questions that matter most when pressures compound across domains simultaneously.
Each of those articles examined a failure mode inside the institution — a governance gap, a data gap, a structural gap.
This final article steps outside the institution entirely.
Because while risk officers have been working to close the gaps within their programs, the external environment has been accelerating in ways that demand a fundamentally different posture from ERM. Not just better programs. A different concept of what ERM is for.
The challenge is not only that existing programs are incomplete. It is that they were designed to manage a risk environment that no longer resembles the one financial institutions are operating in today.
What Executives Are Actually Worried About
The 13th Annual Executive Perspectives on Top Risks report, produced by the Enterprise Risk Management Initiative at NC State University's Poole College of Management, surveyed 1,215 board members and C-suite executives worldwide and provides a direct window into what leadership is actually experiencing as the dominant risk picture of this period.¹
The findings are not subtle.
Economic conditions and inflation consistently rank among the top near-term concerns. Regulatory uncertainty — driven not just by new rules but by the pace, direction, and reversibility of regulatory change — has become a strategic variable in ways it was not a decade ago. Geopolitical disruption, once the province of multinational institutions with direct cross-border exposure, is now recognized as a systemic force that affects community banks and credit unions through supply chains, commodity prices, interest rate trajectories, and customer financial stress.
These are not tactical risks. They are not risks that a well-calibrated risk register, properly maintained and reviewed on schedule, is architecturally capable of managing.
They are macro risks. They are strategic risks. And they move faster and compound more unpredictably than the assessment-driven ERM frameworks that most institutions currently operate were designed to handle.
The Regulatory Confirmation
The regulator most directly responsible for the safety and soundness of community financial institutions has been explicit about this.
The OCC's Semiannual Risk Perspective for Spring 2026 specifically identified geopolitical tensions as a driver of elevated sanctions and money laundering risk — placing direct compliance pressure on institutions through channels entirely outside their operational control.² The Fall 2025 edition placed sustained emphasis on macroeconomic uncertainty and its compounding relationship with credit and market risk, noting that the speed of emerging risks now challenges traditional oversight models.³ The Spring 2025 edition stated directly that commercial credit risk was increasing, driven by growing geopolitical risk, sustained higher interest rates, and macroeconomic uncertainty — simultaneously and in combination.⁴
The FDIC's 2026 Risk Review documented a 2025 environment characterized by moderating growth, uneven risk exposure across institutions, and ongoing credit stress in commercial real estate and consumer portfolios — risks that were not created by any single institution's decisions, but that every institution must now manage.⁵
The pattern across these publications is consistent and deliberate. Regulators are not simply describing an external environment. They are signaling an expectation: that institutions understand how macro and strategic risks flow into their specific operational and financial exposures — and that their ERM programs are built to demonstrate that understanding, not just document risks that have already materialized.
The Gap Between What ERM Was Built For and What It Now Needs to Do
The three previous articles in this series identified internal structural failures. This article identifies an external alignment failure.
Most ERM programs at financial institutions were designed around the following implicit assumption: the risk environment changes slowly enough that periodic assessment cycles, quarterly reporting, and annual risk register reviews can maintain an adequate picture of institutional exposure.
That assumption has not been valid for some time. What has changed in the current period is that the invalidity is now impossible to ignore.
Consider what the macro risk environment has introduced in a compressed timeframe:
Inflation at levels not seen in four decades — followed by the most aggressive interest rate tightening cycle in modern memory — followed by a rate reduction cycle now complicated by renewed inflationary pressure from geopolitical and trade disruptions. Each transition created a distinct set of risk exposures for financial institutions: credit stress, repricing risk, liquidity dynamics, and balance sheet complexity that interacted with each other in ways that institution-specific risk registers, built to document known risks, were not designed to surface.
Geopolitical disruption that is no longer episodic but structural. The OCC's Spring 2026 Semiannual Risk Perspective identifies geopolitical tensions not as a background condition but as an active driver of sanctions compliance exposure, money laundering risk, and supply chain stress affecting borrower financial conditions.⁶ A community bank in Indiana is now operationally exposed to geopolitical events in the Middle East through the energy prices that affect its commercial borrowers, through the supply chain disruptions that affect its small business customers, and through the regulatory compliance requirements that flow from sanctions regimes that change faster than annual vendor reviews can track.
Regulatory uncertainty as a risk category in its own right. The NC State/Protiviti survey ranks regulatory uncertainty as one of the top concerns among board members and executives globally.¹ This is not uncertainty about whether a rule will be enforced. It is uncertainty about what the rules will be, when they will change, and in which direction — uncertainty that directly affects strategic planning, product development, capital allocation, and vendor selection.
An ERM program built to document known risks, assess them against historical parameters, and report them on a committee schedule cannot manage this environment. It can describe it, retrospectively. It cannot help an institution navigate it, prospectively.
From Historical Tracking to Forward-Looking Intelligence
The COSO ERM Framework — Integrating with Strategy and Performance, the current authoritative standard for enterprise risk management practice — explicitly establishes that ERM must be integrated with strategy and performance, not operated as a parallel governance function.⁷ The framework's emphasis on strategy and objective-setting as the starting point for risk identification is a direct challenge to programs that treat ERM as a compliance documentation exercise.
What COSO describes as the appropriate role of ERM is closer to what regulators are now testing for: a function that helps leadership understand which strategic choices carry which risks, how external conditions affect the institution's risk profile, and what combinations of events would create compounding exposures that no single-domain assessment would surface.
This is scenario analysis — not as an occasional exercise but as a continuous operating posture.
The distinction matters enormously in practice.
Most institutions have conducted scenario analysis. They have run stress tests. They have prepared for examiner questions about interest rate sensitivity and credit deterioration under adverse conditions. They know how to model a specific scenario when asked.
What most institutions have not done is build scenario analysis into the ongoing ERM workflow — as a continuous input to risk identification, risk rating, and board reporting — rather than as a periodic exercise conducted in preparation for an examination or in response to a regulatory requirement.
The difference between those two approaches is the difference between an institution that can tell an examiner what its risk picture looked like under the last stress scenario and an institution that can tell an examiner what its risk picture looks like right now — given current macroeconomic conditions, the current geopolitical environment, the current regulatory posture, and the current operational dependencies that connect all three to the institution's specific balance sheet and customer base.
What This Requires of the ERM Program
The first three articles in this series each identified a specific structural requirement for a modern ERM program: AI governance with full traceability, data architecture that supports real-time lineage and aggregation, and connected risk functions that can answer enterprise-level questions across domains simultaneously.
Each of those requirements is a prerequisite for what this fourth article describes.
You cannot conduct meaningful forward-looking scenario analysis if you cannot govern the AI that is helping to generate or evaluate risk inputs. You cannot assess how macro conditions affect your enterprise risk profile if your data architecture cannot aggregate across credit, operational, vendor, and cyber risk domains in real time. You cannot understand how geopolitical disruption flows through to your specific institutional exposure if your risk functions are reporting in separate silos to separate committees with separate taxonomies.
The macro and strategic risk challenge does not add a new requirement to ERM. It reveals why all the previous requirements matter.
Forward-looking ERM requires three things that build on everything the previous articles established:
First: A risk register that is connected to strategic objectives, not just operational domains. If your risk register captures credit risk, operational risk, and compliance risk but has no mechanism for identifying how a shift in the external macroeconomic environment changes the probability or severity of those documented risks, it is not performing the function that regulators and COSO now expect of it. The connection between strategic objectives and risk identification is not a philosophical point. It is an architectural one — the risk register must be structured in a way that allows strategic-level changes to cascade into operational risk assessments automatically, not through a quarterly human review process.
Second: Scenario analysis embedded in the workflow, not conducted as an exercise. The institutions that will define best practice in the next examination cycle are not the ones that conduct the most sophisticated stress tests on an annual basis. They are the ones that have integrated scenario thinking into how risks are identified, rated, and reported on an ongoing basis — so that when an examiner asks how the institution's risk profile has changed in response to recent geopolitical developments, the answer is not a description of a scenario that was last formally run eighteen months ago.
Third: A board and leadership reporting framework that reflects current conditions, not last quarter's assessment. The board of a financial institution bears ultimate responsibility for strategic risk oversight. It cannot fulfill that responsibility if the risk information it receives is structured around historical assessment cycles rather than current conditions. The shift from compliance reporting to decision support — which the third article in this series identified as the fundamental reorientation that forward-looking institutions are making — is nowhere more important than at the board level, where strategic risk decisions are made.
The Series in Summary
Four articles. Four interconnected gaps. One underlying challenge.
The first article established that AI is already inside the risk function — and that governance, traceability, and defensibility are not keeping pace with adoption. The examiner's question is no longer whether an institution uses AI. It is whether the institution can explain, govern, and defend what the AI is doing.
The second article established that data integrity is not a technology challenge. It is a risk function problem. Fragmented data architecture makes real-time risk aggregation impossible, and regulators now expect institutions to demonstrate traceable, defensible lineage for every material risk metric — not in a matter of days, but in a matter of minutes.
The third article established that a collection of well-managed risk functions is not the same as an enterprise risk program. The silo architecture that most institutions operate — separate domains, separate taxonomies, separate reporting — cannot answer the questions that examiners, boards, and the current risk environment are now asking.
This fourth article establishes that all three of those internal structural gaps are exposed — and made more consequential — by an external risk environment that is more volatile, more interconnected, and more strategically consequential than the assessment-driven ERM frameworks most institutions operate were designed to manage.
Closing the governance gap, the data gap, and the structural gap is necessary. It is not sufficient.
The institutions that will lead on ERM in the next cycle are not simply the ones that have better documentation, more connected data, and more integrated reporting. They are the ones that have reoriented their ERM programs from evidence of governance to instruments of leadership — from systems that explain what happened to systems that help leadership understand what is forming, what it means for the institution specifically, and what decisions it informs right now.
That is the horizon challenge.
And solving it is what enterprise risk management, properly conceived, has always been for.
References
¹ Enterprise Risk Management Initiative at NC State University & Protiviti. Executive Perspectives on Top Near-Term and Long-Term Risks: Insights from the 13th Annual Executive Risk Survey. February 2025. erm.ncsu.edu
² Office of the Comptroller of the Currency. Semiannual Risk Perspective, Spring 2026. May 2026. occ.treas.gov
³ Office of the Comptroller of the Currency. Semiannual Risk Perspective, Fall 2025. December 2025. occ.treas.gov
⁴ Office of the Comptroller of the Currency. Semiannual Risk Perspective, Spring 2025. June 2025. occ.gov
⁵ Federal Deposit Insurance Corporation. 2026 Risk Review. April 2026. fdic.gov
⁶ Office of the Comptroller of the Currency. Semiannual Risk Perspective, Spring 2026. May 2026. occ.treas.gov
⁷ Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management — Integrating with Strategy and Performance. 2017. coso.org
This is the fourth and final article in a series on the evolving state of enterprise risk management at financial institutions. Previous pieces examined AI governance and defensibility, data integrity as a core risk function, and the structural failure of siloed risk programs.
