By Dr. Philip Moulton | Strategic Risk Advisor | Chief Risk Officer
ERM and business resilience have traditionally functioned as parallel – but separate – programmes. One tracks strategic risk appetite and corporate exposures. The other ensures continuity when the unexpected hits.
But that separation is no longer just inefficient. It may also draw scrutiny from oversight bodies.
Today’s regulators, rating agencies, and boards expect more. Resilience isn’t just about bouncing back from a crisis – it is about continuing to perform during one. ERM and resilience need to work seamlessly together to optimize both programmes.
The New Expectation
This best-practice convergence is fast becoming the new baseline expectation.
Over the past 10 years, and across many industry sectors – financial services, healthcare, utilities, telecom, and more – regulators have been raising the bar.
- The SEC’s Cyber Disclosure Rule requires public companies to disclose material cyber incidents within four days, alongside annual updates on governance oversight.
- NAIC’s ORSA expects insurers to embed continuity planning into capital strategies.
- NERC CIP, EPA’s AWIA, and CISA directives demand validated recovery planning for critical infrastructure sectors.
- In healthcare and pharmaceutical industries, CMS and FDA require emergency preparedness, BIAs, and continuity testing that is consistent with risk-informed priorities.
The message from those charged with oversight responsibilities is consistent: identifying and mitigating risk is not enough. Organisations must demonstrate that they can continue to operate when high-impact risk events occur.
Despite these expectations, ERM and resilience teams may remain disconnected, speaking different languages, using different data, and reporting through different channels and parts of the organisation.
That division will inevitably lead to misaligned goals, duplicated effort, and a fragmented view of risk and recovery.
By contrast, when ERM and resilience teams collaborate, organisations gain a strategic advantage. Risk appetite statements developed by the ERM team can turn into quantifiable recovery targets developed by the resilience team. Business continuity exercises can double as scenario stress tests. Boards get a cohesive and detailed narrative about both exposures to disruptive events and the operational capability to manage through them. And the resilience programme becomes more closely connected with the company’s strategic priorities.
Day-to-Day Challenges
One challenge in integration is that ERM and resilience teams operate differently day to day. ERM is scenario-driven, strategy-oriented, and often focused on financial, reputational, or regulatory issues and challenges. Business resilience is procedural, operational, and concerned with keeping people, processes, and systems running under stress. That may be an oversimplification, but in my experience, it’s not too far off the mark.
Moving from parallel functions in different swim lanes to an integrated risk and resilience programme doesn’t require a total rebuild and transformation effort. It can simply start with a few basic – but important – initiatives:
- Define “resilience” and “criticality” together. Shared definitions are foundational. ERM and resilience teams should jointly define what “critical” means for products, services, systems, and suppliers – and ensure that both the enterprise risk register and BIAs reflect the same assumptions.
- Establish a joint governance structure. A shared steering committee keeps risk and resilience aligned with business strategy and ensures consistent communication up to leadership and the board.
- Leverage ERM data to prioritize business resilience (BR) testing. Use the enterprise risk register to prioritize resilience testing scenarios. For example, if a specific supplier or facility appears in the top risk tier in ERM, that should drive tabletop drills and recovery testing.
- Translate risk appetite into recovery objectives. ERM teams set the tolerances; resilience teams operationalize them. Align recovery time objectives (RTOs) with stated risk appetite to bridge strategy to operational execution.
- Run joint exercises. Co-led exercises and after-action reports allow both ERM and resilience to validate assumptions, surface blind spots, and jointly communicate outcomes to executives and boards.
- Sync metrics and dashboards. Connect key risk indicators (KRIs) with operational recovery performance. Shared dashboards in GRC platforms can show when thresholds are breached – and how quickly the organisation recovers.
The Payoff for Syncing Up
Beyond syncing up governance and process, integrated reporting is where the payoff becomes tangible and highly visible to decision makers. When risk and continuity outputs are aligned:
- Boards can see how stated risk tolerances tie to real operational capacity. For example, they can verify that approved risk tolerances for critical systems are consistent with the actual RTOs.
- Regulators gain confidence in enterprise-wide governance and preparedness. On cyber risk, for instance, ERM can demonstrate a structured assessment across impact categories, while resilience shows how response plans address each of those categories.
- Leadership sees where investments in resilience protect value. At a U.S. food company in late 2021, a joint ERM/business resilience workshop on geopolitical risks flagged that a key ingredient was sourced from Ukraine. The resilience team initiated optional supply contracts with Canadian vendors. As the Russia–Ukraine crisis escalated, those contracts were finalized ahead of the invasion, ensuring continuity while competitors scrambled.
The last example is the most compelling reason why we need to integrate. When a disruption does occur – or is about to – the organisation can move quickly because strategy, functions, and operations are in greater sync.
Too often, business resilience is seen as a document, a test, or a plan on a shelf. It is far more than that. Real resilience is an enterprise-wide capability – one that’s continuously informed by strategic risk insight and operational readiness.
By bringing ERM and resilience together, organisations build not only a stronger defence, but a smarter, faster response. Proactive solutions are surfaced earlier – before a disruption occurs. And in a world where crises are no longer rare, that’s not just a competitive advantage. It’s survival.