Complex Adaptive Systems: The Enterprise Risk Management Revolution We Refuse to Embrace

I was inspired by a short exchange with Tim Leech and Stefan Hunziker, PhD on the current state of the practice of Risk Management and Enterprise Risk Management and the challenges it faces. Below I share my critical thoughts on the shortcomings of current RM and ERM practice.


I have spent years watching Enterprise Risk Management (ERM) professionals cling to outdated, mechanistic approaches while the business world evolves around them.

Despite mounting evidence that organizations operate as a mix of Complex Adaptive Systems (CAS), in which risks emerge, evolve, and interact unpredictably, ERM still obsesses over rigid frameworks, heat maps, and the simplistic use of control mechanisms that lull executives into a false sense of security. Note that my comments apply mainly to non-financial risk management (strategy, operations, financial and non-financial reporting, and compliance) and may be less useful for the financial risk management industry.


The ERM Status Quo: A House of Cards

ERM today operates under the illusion that risks can be neatly categorized, measured, and controlled with static frameworks. COSO and ISO 31000, while valuable in their intent, promote a simplistic reductionist view of risk: a linear cause-and-effect model that assumes internal control effectiveness translates into predictable outcomes. It doesn’t. Organizations are living ecosystems, not factory assembly lines (although they may include assembly lines in their business).

This obsession with categorization breeds complacency. Risks do not exist in isolation. A control designed for one risk often influences or creates new risks elsewhere. The entire concept of "inherent" and "residual" risk is laughably simplistic in an interconnected world where systemic shifts (economic downturns, AI disruptions, regulatory upheavals) cascade and interact through industries in ways no risk register informed by reductionist, linear thinking could ever predict.


Complex Adaptive Systems: The Real ERM Paradigm

If ERM professionals were serious about managing risk, they would embrace CAS theory. This means recognizing that organizations, like natural ecosystems, are composed of agents (employees, competitors, regulators, customers) acting independently and adaptively. These agents interact in unpredictable ways, creating emergent risks that cannot be managed through static control frameworks alone.

In other words, in a complex system a small change in initial conditions can produce a wildly different result. The usual illustration is the famous "butterfly effect", in which the path of a tornado could be determined by the earlier flap of a butterfly's wings.


What ERM Needs to Do (But Won’t)

  1. Ditch the Illusion of Predictability: Risk matrices and heat maps imply that risks can be forecast with precision. They can't. Instead, ERM needs to investigate and invest in scenario-based modeling, real-time risk sensing, and adaptive decision-making that acknowledges uncertainty rather than pretending to control it.
  2. Shift from Risk Management to Risk Navigation: Instead of designing controls for yesterday’s risks, ERM should focus on building organizational resilience, agility, and adaptive capacity. This means leveraging network science, agent-based modeling, and complex scenario planning to anticipate second- and third-order effects.
  3. Acknowledge That Controls Are Not Solutions: Too often, risk professionals treat internal controls as an end-state rather than a temporary measure. In a CAS, risk evolves. Controls need to be constantly tested, challenged, and reworked. Static control assessments are worse than useless: they are dangerous.
  4. Use AI and Data Analytics to Map Emergent Risks: Organizations collect vast amounts of data, yet ERM functions often fail to harness it effectively. Machine learning can identify weak signals of emerging risks long before traditional risk assessments catch on. There are also other ways of identifying emergent risk, such as weak signal detection (more on this in a future article). Instead of retrospective audits, ERM should focus on real-time risk intelligence.
  5. Stop Managing Risk in Silos: Risks do not obey corporate structures. Yet, it seems like ERM still operates within neatly defined business units, assuming that financial risk, operational risk, and strategic risk are separate beasts. In reality, they are deeply entangled. The failure to recognize cross-domain risk interactions is the Achilles' heel of modern ERM.
  6. Encourage a Culture of Adaptive Leadership: Organizations need leaders who embrace uncertainty, complexity, and iteration. ERM should focus on cultivating adaptive leadership mindsets that empower decision-makers to navigate risk dynamically, rather than adhering to static policies that are likely to break under real-world conditions and in unexpected situations.
  7. Recognize that Risk is a Function of Interconnectivity: The more connected an organization is, digitally, operationally, or through supply chains, the more it becomes susceptible to emergent, cascading risks. Instead of a one-size-fits-all approach, ERM needs customized risk architectures that flex based on industry, structure, and market conditions.
  8. Learn from Other Disciplines: Risk professionals have much to learn from complexity science, behavioral economics, and systems thinking. Traditional ERM operates in a vacuum, failing to integrate insights from these fields that could drastically improve risk foresight and mitigation strategies.
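Points 2, 3 and 7 above (second- and third-order effects, controls that shift risk elsewhere, and risk as a function of interconnectivity) can be made concrete with a very small network model. The following is an added example written for this page; it is not the author's code and the service names, the dependency graph and the two "controls" are constructed assumptions. It runs a deterministic threshold cascade over a dependency graph: a node fails once the number of its failed dependencies reaches its tolerance (default 1, i.e. a hard dependency). It then shows what a centralising control (one shared gateway) and a redundancy control (a replica pool) do to the blast radius of a single failure.

```python
from collections import deque

# Constructed example (hypothetical service names, not from the article): each
# key lists the services it depends on. Failure flows upward, from a dependency
# to everything that depends on it.
SERVICES = {
    "idp": set(),
    "db": set(),
    "payments": {"idp", "db"},
    "orders": {"payments", "db"},
    "reporting": {"orders"},
    "support": {"idp"},
}


def dependents(graph):
    """Invert the graph: for each node, the set of nodes that depend on it."""
    rev = {n: set() for n in graph}
    for node, deps in graph.items():
        for dep in deps:
            rev[dep].add(node)
    return rev


def cascade(graph, seeds, tolerance=None):
    """Threshold cascade. A node fails once the number of its failed
    dependencies reaches its tolerance (default 1: losing any dependency is
    fatal). Returns the fixed-point set of failed nodes. Deterministic, so the
    same graph and seed always give the same answer."""
    tolerance = tolerance or {}
    rev = dependents(graph)
    failed = set(seeds)
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for child in rev[node]:
            if child in failed:
                continue
            if len(graph[child] & failed) >= tolerance.get(child, 1):
                failed.add(child)
                queue.append(child)
    return failed


def blast_radius(graph, tolerance=None):
    """Cascade size for every single-node failure, largest first."""
    sizes = {n: len(cascade(graph, {n}, tolerance)) for n in graph}
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))


def add_gateway(graph, name="gateway"):
    """Model a centralising control (hypothetical): every service that has
    dependencies is now also routed through one shared gateway, e.g. a single
    auth proxy. It removes no existing risk and adds one very connected node."""
    out = {k: set(v) for k, v in graph.items()}
    out[name] = set()
    for node, deps in graph.items():
        if deps:
            out[node].add(name)
    return out


def add_replica(graph, target, replica, pool=None):
    """Model a redundancy control (hypothetical): consumers of `target` are
    re-pointed at a pool node that only fails when both `target` and `replica`
    are down. Returns (graph, tolerance)."""
    pool = pool or f"{target}-pool"
    out = {k: set(v) for k, v in graph.items()}
    out[replica] = set()
    out[pool] = {target, replica}
    for node, deps in graph.items():
        if target in deps:
            out[node] = (out[node] - {target}) | {pool}
    return out, {pool: 2}


if __name__ == "__main__":
    for node, size in blast_radius(SERVICES):
        print(f"{node:10s} takes down {size}/{len(SERVICES)} services")
    gated = add_gateway(SERVICES)
    print("largest blast radius after adding a gateway:", blast_radius(gated)[0])
    hardened, tol = add_replica(SERVICES, "idp", "idp2")
    print("idp failure with a replica pool:", sorted(cascade(hardened, {"idp"}, tol)))
```

On the constructed graph the identity provider, which nobody would list as a "high-impact" asset in a heat map of its own business unit, takes down five of six services; the same graph after the gateway control has a new single point of failure with the same blast radius, while the replica control shrinks the idp cascade to one node without changing what a database failure does. The model is deliberately crude (no timing, no partial degradation, no adaptive behaviour by the agents), which is exactly the point: even the simplest network view surfaces cross-domain effects that a per-risk register cannot.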


The Harsh Reality: ERM Won’t Change Until It’s Forced To

Why hasn’t ERM embraced CAS theory? Because it demands a fundamental shift in mindset, one that most risk professionals are either too entrenched or too risk-averse to adopt. The illusion of control is comforting. Admitting that risk cannot be tamed, but only navigated, is an existential crisis for traditional ERM.

Unfortunately, it often takes a catastrophic failure for organizations to recognize that their risk management frameworks are insufficient. Some will learn the hard way, while others will proactively evolve.

But make no mistake: organizations that refuse to evolve their ERM functions will be steamrolled by systemic shocks they never saw coming. Those that integrate CAS principles will outmaneuver their competitors, survive uncertainty, and thrive in complexity.

So the choice is clear: cling to your outdated risk registers and heat maps, or evolve. The future of ERM belongs to those who embrace complexity, not those who fear it.

Note: See my article on Risk Culture and how the concept needs to evolve.


Unlock Your Organization’s Full Potential

Great leadership drives great outcomes. As an executive advisor and mentor, I specialize in empowering leaders and teams to navigate complexity, foster innovation, and achieve strategic transformation. Whether you’re looking to enhance leadership excellence, build stronger teams, or lead strategic systemic change, I’m here to help.

Let’s explore how our services can take your organization to the next level. DM me here on LinkedIn or email me at aarnw1@gmail.com for a free, no-obligation conversation.

#executivecoaching #teamcoaching #teamdevelopment #leadershipcoaching #systemicteamcoaching #teamleadercoaching #leadership #leadershipdevelopment #executivedevelopment #startupleadershipcoaching #startupcoaching #teamcoachingROI

Aarn Wennekers © 2025



Gareth Lear

Critical Environments Operational Manager & Interim FM | Asset Life Cycle Management, Risk Management, UPS & Critical Power

5mo

That's a top article that accurately reflects what I am seeing in my field of work. I am new to ERM and am currently reading Antifragile by Nassim Nicholas Taleb. He believes that we should be learning risk taking, not risk management.

Ignazio Macaluso

Operation and Strategic Risk Manager | Enterprise Risk Management (ERM) & Business Continuity | Energy & Chemistry

5mo

Thank you for this sharp critique, Aarn. The reality is even more frustrating: top managers still fail to see ERM's value, treating it as compliance rather than strategy. Risk management has become a buzzword, discussed for hype rather than understanding, leading to shallow, ineffective practices. Sometimes there are professionals who can't even distinguish between a Risk Manager and an HSE officer, exposing a dangerous ignorance about ERM's purpose. The failure to embrace digital tools like AI and data analytics is staggering. Organizations sit on mountains of data yet remain blind to emerging risks, stuck in outdated methods. Worst of all, ERM is still treated as a workflow, focused on addressing risks rather than enabling decisions. Until organizations stop clinging to these illusions, ERM will remain a hollow exercise, destined to fail when complexity strikes. How many more failures will it take for them to wake up?

Robert Bush

Advocate for integrating risk and quality management to improve performance and resilience.

5mo

Very insightful. While there is more discussion in this direction at the moment, I do wonder how long it will take for this position to become more mainstream as long as so many courses and books preach the established model. People tend to gravitate towards what they hear most often, especially if it offers a simple solution.

René Spaargaren

Independent Risk Manager with broad experience who increases your degree of success in achieving your objectives.

5mo

Aarn Wennekers Great post, great tips for improvement - thanks! I recognise lots of what you are saying, and - if I may - would like to identify two key aspects that need to change in order for "Risk Management" to fulfil its potential: As you state in point 5, we need to stop working in silos. We need to make "managing risk" an integral part of every function and every role in an organisation. We are all used to a "Risk Manager doing his/her job" and producing stuff as part of a strict structure and hierarchy. Instead, driven from senior management, "risk management" should be everyone's responsibility and everyone should challenge everyone. All aimed at supporting decision making by (senior) management - and not to keep debating things endlessly (spoiler alert!). Perhaps even more important, and in accordance with your first point: we cannot predict the future, and we live in a VUCA (Volatility, Uncertainty, Complexity and Ambiguity) world. We need to learn to adapt in our endeavours to achieve objectives, and not cling to spreadsheets, graphs, and matrices. Managing numbers is easy, but falls short of why we do that. Thanks!

Laura Jury

Business Resilience Consultant @ Air New Zealand | Crisis Management, Resilience

5mo

Thanks for posting. Building on this, I would add that this same shift needs to occur in Business Continuity and Crisis Management; this aligns with an article I wrote a while ago on the alignment of CAS principles within BCMS/CM/Op Res disciplines.
