
Every business leader today navigates a world that feels increasingly unpredictable. From natural disasters and cyber threats to changes in regulations and reputational risk, challenges are no longer isolated; they are interconnected, fast-moving, and often overwhelming. What were previously considered “black swan” events, rare and unpredictable, are now becoming recurring realities. Typhoons, data breaches, regulatory changes and public scrutiny are part of the daily backdrop for Philippine enterprises.
This is the new normal, and in this environment, resilience is not built overnight. It is built through foresight, preparation and a culture that accepts risk as part of growth. In this environment, flexibility is not just a buzzword. It's a survival strategy – and at the heart of that strategy is Enterprise Risk Management (ERM).
ERM is a structured, organization-wide approach to identifying, evaluating, and managing risks that affect strategic objectives. Unlike traditional risk management, which often operates in silos, ERM integrates risk thinking into decision making across all functions, transforming uncertainty into insight and flexibility.
Beyond the big picture
Imagine a forest. On the surface it looks lush, green and prosperous. But walk through it, and you'll see uneven terrain, hidden predators, fallen branches, and the fragile ecosystem beneath the canopy. This is the difference between strategic oversight and operational reality.
Many boards and executives operate from the top level and focus on growth, performance and a long-term vision. But without a clear understanding of what's happening on the ground, they risk missing the subtle but important threats that lie beneath: compliance gaps, reputational risks, operational disruptions, or emerging stakeholder concerns.
ERM works like a drone flying in the forest, not just hovering above, but scanning in layers. It helps leaders connect what's happening at the top to what's happening at the bottom. It encourages scenario planning, stress testing, and cross-functional collaboration across organizational levels. This prompts leaders to ask:
• What are our blind spots?
• Where are we most vulnerable?
• How can we reduce the risks identified?
• How can we avoid jeopardizing the future while pursuing development?
In my experience, the most successful organizations are those that treat risk not as a threat but as a strategic partner. They understand that resiliency is built not just by vision, but by visibility.
What ERM can and can't do
Enterprise risk management empowers organizations to deal with uncertainty with clarity, structure, and confidence – but it is not a magic solution.
ERM helps leaders look at risk holistically rather than in isolated areas. For example, when an energy company noticed increased customer complaints and online criticism about service reliability and rate adjustments, its ERM framework flagged these as emerging reputational risks. The company activated its response plan, coordinating between legal, communications and customer service teams and engaging stakeholders before the issue turned into a full-blown crisis. By treating reputational risk as a strategic concern and not just a PR issue, the company protected its brand and strengthened public trust.
ERM also enables organizations to prioritize what is most important. For example, one retail company identified supply chain disruptions as an increased risk ahead of the holiday season. Instead of waiting for delays to impact store shelves, the company used ERM to secure alternative suppliers, improve inventory visibility, and coordinate with logistics partners. This proactive approach minimized revenue loss and maintained customer trust.
By combining risk appetite with strategy, ERM supports bold decisions with thoughtful safeguards. It strengthens governance by embedding accountability in daily decisions. And when organizations proactively manage risk, they build trust internally and externally by showing stakeholders that they address uncertainty rather than ignore it.
ERM is a framework – a compass, not a map. Its value lies in how deeply it is embedded in the organization's culture, how consistently it is implemented, and how seriously it is supported by leadership. But ERM cannot eliminate risk. It will not predict every crisis or prevent every failure. It does not take the place of leadership decisions. During the pandemic, even the most robust ERM frameworks could not anticipate every disruption, but organizations with embedded ERM adapted faster and communicated more effectively.
When adopted with intention, ERM becomes more than a tool. It becomes a mindset that empowers teams to move forward with confidence, even when the path ahead is uncertain.
Building a risk-ready culture
Culture is the invisible force that shapes the way risk is understood and managed. In many organizations, risk is still viewed as a barrier to innovation or a burden to be assigned. ERM challenges that mindset.
By incorporating risk thinking into everyday decisions, from procurement and project planning to marketing and stakeholder engagement, organizations develop a proactive, transparent and learning-oriented culture. This is especially important in the Philippine setting, where trust, relationships, and reputation play a central role in business success.
A risk-ready culture doesn't eliminate uncertainty, but it prepares people to navigate it with confidence.
A call to action
ERM is not a one-size-fits-all framework. It should be tailored to the context, maturity and strategic goals of the organization. But what is universal is the need to start over.
Whether you're a fast-growing startup or an older enterprise dealing with complexity, the question is no longer “Should we invest in ERM?” but “Can't we do this?”
If you are in a position of influence in strategy, operations, finance or governance, now is the time to ask:
• What risk is inherent in our decision making?
• Do we have a clear view of our top risks and how they link together?
• Are we building a culture that sees risk as a source of strength?
ERM is not just a framework or set of documents – it is a mindset and approach. And resilience begins when leaders choose to lead and inspire their teams while taking risk into account.
The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of Isla Lipana & Company. The content is for general information purposes only and should not be used as a substitute for specific advice.
Grace Abatayo is a Manager in the Office of the Chief Risk Officer of Isla Lipana & Co., the Philippine member firm of the PwC Network.
+63(2)8845-2728
mary.grace.abatayo@pwc.com