Strategic Risk Intelligence: The Missing Link Between ERM & Strategy

By Erin Sedor | Black Fox Strategy

Your risk team knows things about your organization that nobody else does.

They know where the operational cracks are forming. They know which dependencies are fragile. They know which processes are held together by one person’s institutional knowledge and a spreadsheet that hasn’t been updated since 2022. They have a panoramic view of exposure across every function, every business unit, every critical system.

And almost none of it is reaching your strategic planning conversation in a form that shapes decisions.

I’ve written before about why your risk program and your strategic plan don’t talk to each other. That piece addressed the structural gap — the fact that ERM and strategic planning were built as separate disciplines with separate frameworks, separate vocabularies, and separate reporting lines. If you haven’t read it, start there.

This piece is about what that gap is costing you. And more importantly, what becomes possible when you close it.

The Intelligence You’re Sitting On

Let me put a number on this. Only 11% of senior finance leaders view their organization’s risk management as a strategic tool delivering competitive advantage. That means 89% of organizations have an entire intelligence function that’s generating data, analysis, and insight — and the leadership team sees it as, at best, a compliance necessity.

That’s not a risk management failure. That’s a strategic intelligence failure. Your ERM program is an organizational nervous system. It’s sensing, processing, and flagging signals from across the enterprise. The problem is that those signals aren’t making it to the brain — or at least, not in a language the brain can use.

Meanwhile, the numbers on the strategy side are equally damning. Ninety percent of organizations fail to execute strategy successfully. Sixty-seven percent of well-formulated strategies fail due to poor execution. And the number one barrier to reinvention, cited by 35% of executives — more than any other factor — is the disconnect between planning and execution.

Now put those two realities side by side. On one hand, an enterprise risk function that generates intelligence no one uses strategically. On the other, a strategic planning process that keeps failing because it can’t see what’s coming, can’t identify what’s fragile, and can’t distinguish between the risks that threaten the plan and the risks that are operationally manageable. These aren’t two separate problems. They’re the same problem, seen from different ends of the organization.

What Your Strategy Can’t See Without Risk Intelligence

Here’s what I mean by “strategic intelligence failure” in practical terms. Most strategic plans are built around imperatives — the big initiatives and priorities that leadership has identified as essential. Expand into a new market. Launch a digital platform. Build internal capacity for AI integration. These are the bets the organization is making on its future.

But here’s the question that almost never gets asked in the planning process: which of these imperatives is sitting on a fragile foundation?

Your risk team can answer that question. They can tell you that the market expansion initiative depends on a supply chain that’s already showing stress signals. They can tell you that the digital platform rollout requires a talent pipeline that’s drying up in your geography. They can tell you that the AI integration everyone is so excited about runs on a core data platform that was architected fifteen years ago and can barely handle current loads, let alone what’s being asked of it.

This is strategic risk intelligence. It’s the difference between knowing what you want to accomplish and knowing whether the path to get there can actually hold the weight of the plan. And right now, in most organizations, that intelligence exists inside the ERM program but never makes it into the strategy conversation in a way that reshapes priorities.

The Distinction That Changes Everything

The missing piece isn’t more data. Your risk team has plenty of data. What’s missing is a filter — a way to separate the risks that are strategically critical from the ones that are operationally significant but won’t make or break the plan.

I call this filter keystone. In architecture, the keystone is the element at the top of an arch that holds the entire structure together. Remove it, and the arch collapses. In strategy, the keystone is any activity, asset, resource, service, or system that materially impacts the organization’s ability to achieve its strategic goals. It’s the thing that, if it fails or is compromised, takes the strategy with it.

Right now, most ERM programs capture risk without making this distinction. A supply chain disruption and an existential competitive threat get categorized, scored, and reported using the same scales and the same register. When the CEO or board looks at a risk heat map, everything is blended. They can see where risk is concentrated, but they can’t clearly see which risks sit on the critical path to their most important strategic outcomes.

The keystone filter changes that. It asks a different question than traditional ERM. Instead of “what could go wrong?” it asks “what could go wrong that would take the strategy with it?” That’s a fundamentally different conversation. And it’s the one your risk intelligence was always meant to inform.

The Strategic Design Flaw Hiding in Plain Sight

There’s a bonus in all of this that most leaders don’t expect.

When you take your existing strategic imperatives and examine them through a more holistic lens — specifically, by mapping them against Purpose, Growth, and Evolution, the three interdependent dimensions at the core of my Essential Strategy framework — something interesting happens. Patterns emerge. And gaps become visible that the original planning process never surfaced.

In my experience, most strategic plans are heavily weighted toward Growth. Revenue targets, market expansion, product launches, capital investment. That’s not wrong — Growth is essential. But it’s incomplete. When the plan has no Evolution imperatives, the organization has no deliberate mechanism for adapting to a changing world. When Purpose is defined only in external terms — what we deliver to customers, what we achieve in the market — with no internal dimension addressing what it means for the organization to thrive from within, you have a strategy that asks people to execute a vision they have no personal stake in.

These imbalances are strategic design flaws. They’re the kind of blind spots that traditional planning processes routinely miss because they were never designed to look for them. And they are among the most significant risk factors an organization faces — not because something bad is going to happen, but because the plan was built lopsided from the start.

This is the kind of insight that transforms the risk function from a reporting discipline into a strategic one. When risk intelligence can identify not only which external threats are most dangerous but also which internal design flaws make the strategy structurally vulnerable, the conversation at the leadership table changes entirely.

From Risk Register to Strategic Risk Intelligence

The shift I’m describing is not a technology problem. It’s not about better GRC platforms or more sophisticated analytics. Fifty-nine percent of ERM programs still rely on basic tools like Word and spreadsheets, and while better tools can help, they won’t solve a design problem.

The shift is conceptual. It’s about moving ERM from a reporting function — one that catalogues what could go wrong — to a strategic intelligence function that tells leadership which risks matter most to the outcomes that matter most. That requires two things your current process probably doesn’t have: a strategic framework that defines what “matters most” in terms both disciplines can share, and a mechanism that crosswalks risk intelligence against strategic imperatives to reveal what’s keystone and what’s not.

I call this practice crosswalking — starting from the strategy itself, from the imperatives that define the organization’s most critical priorities, and working downward to identify which risks from across the entire enterprise portfolio have the potential to disrupt the keystone path. It’s the reverse of how ERM traditionally operates. Instead of building risk profiles from events upward and hoping someone at the top connects them to strategy, you start with the strategy and let it tell you which risks demand the most attention, the most resources, and the most rigorous monitoring. It doesn’t replace the bottom-up operational view. It adds the top-down strategic view that has always been missing.

This is exactly what the Essential Strategy Risk Appetite (ESRA) Framework was built to do. It asks four strategy-grounded questions — about investment capacity, speed to value, willingness to change, and threats to the keystone path — and uses enterprise risk intelligence to inform the answers. It doesn’t replace your ERM program. It gives your ERM program somewhere strategic to go.

The data makes the case. Companies with advanced ERM practices are 2.5 times more likely to be top financial performers in their industry. Organizations with integrated ERM are 30% more likely to achieve their strategic objectives. And organizations treating risk management separately from strategy have three times higher failure rates during market disruptions.

The intelligence is already inside your organization. The question is whether your strategic process is designed to use it.

What This Means for You

If you’re a CEO or executive director, here’s the honest assessment. You have a risk function producing intelligence that could materially strengthen your strategy. And you probably have a strategic planning process that can’t absorb it because the two were never designed to connect.

You don’t need to start over. You need a lens that lets you see your existing plan differently and a framework that gives your risk intelligence a strategic home. The keystone distinction gives you the filter. The PGEE mapping gives you the diagnostic. And ESRA gives you the bridge.

I’ve put together a detailed guide on this — Connecting Strategy & ERM: The Missing Link Between Enterprise Risk and Strategic Performance — written specifically for senior risk leaders and the CEOs who work with them. It walks through the three structural reasons ERM stalled at the strategy doorstep, introduces the keystone concept, and lays out a practical approach for layering Essential Strategy onto your existing plan without starting from scratch.

You can find it on the Resources page at ErinSedor.com.

Because strategy without risk intelligence is just wishful thinking. And risk intelligence without a strategic home is just a filing cabinet.

Ready to connect your risk intelligence to your strategic plan? Let’s talk. Reach out at erin@erinsedor.com or visit ErinSedor.com.

Erin Sedor is an executive advisor and strategic performance expert with 30+ years helping organizations build strategy that actually works. She is the creator of Essential Strategy and the ESRA Framework for connecting enterprise risk intelligence to strategic performance.