The Resistance to Objective-Centric ERM & Internal Audit Methods
Key Takeaways
- Organizational Inertia: Many organizations resist change due to deeply embedded legacy systems, policies, and mindsets, making the transition to objective-centric ERM challenging.
- Lack of Accountability: Objective-centric ERM exposes clear ownership of risks, which many leaders avoid in favor of the ambiguity provided by traditional risk lists.
- Siloed Roles and Comfort with Existing Structures: Internal audit, risk, compliance, and legal teams often work in silos, creating resistance to integrated, collaborative approaches that would drive more effective risk management.
- Perceived Complexity and Resource Demands: Transitioning to objective-centric ERM is often seen as complex and resource-intensive, despite the fact that it can streamline processes and improve decision-making.
- Psychological Biases: Confirmation and familiarity biases make it difficult for leaders to recognize that their current systems may be ineffective, leading to resistance against change.
Deep Dive
As organizations evolve and face increasingly complex risks, the shift toward objective-centric Enterprise Risk Management (ERM) and internal audit methods has been widely recognized as more effective. By focusing on the impact of uncertainty on mission-critical objectives, companies can manage risk proactively and align their risk management strategies with overall business goals. Traditional risk list approaches tend to identify and mitigate individual risks in isolation; objective-centric ERM instead integrates risk management into the organization’s strategic planning process, so that each risk is assessed in the context of its potential impact on key objectives.
Despite these clear advantages, many organizations continue to rely on legacy risk management systems, often sticking to traditional risk list methods and audit practices. These methods may provide a sense of comfort but often fail to deliver the strategic insights needed to navigate today’s fast-moving risk landscape. Tim Leech’s recent conversation with AI sheds light on why many companies resist adopting forward-looking, objective-centric ERM and internal audit strategies.
The reasons are varied and stem from both systemic inertia and organizational mindset. From deeply ingrained practices to a lack of understanding at the leadership level, the barriers to adopting these more effective methods are significant. Understanding these challenges is crucial for organizations that wish to transition toward a more proactive and strategic approach to risk management.
The Barriers to Adopting Objective-Centric ERM and Internal Audit Practices
ChatGPT is unequivocal—objective-centric ERM/internal audit outperforms. Why aren’t more adopting it? I asked Chat.
ChatGPT: “Here are the top 10 reasons companies resist transitioning from risk list ERM and legacy internal audit methods to a forward-looking, objective-centric focus on assessing and managing the effect of uncertainty on mission-critical objectives:
- Deep Organizational Inertia: Legacy ERM and audit methods are entrenched in policies, training, technology, and mindsets. Change requires effort, unlearning, and often institutional disruption—something many leadership teams avoid.
- Compliance Mindset Dominance: Boards and executives often confuse regulatory compliance with effective risk oversight. Risk registers and audit deficiency reports feel “safe” and defensible—even if strategically unhelpful.
- Fear of Accountability for Objective Failure: Objective-centric ERM exposes risk ownership and clarity on who is accountable for managing risk to major objectives. Many prefer the ambiguity of risk lists to avoid scrutiny.
- Comfort with Existing Roles and Silos: Internal audit, risk, compliance, legal, and operational groups have carved out comfortable, siloed roles. A shift would require integration, collaboration, and possibly loss of turf.
- Board and C-Suite Lack of Understanding: Directors and many executives aren’t trained to oversee ERM in an objective-focused way. They accept risk lists and red/yellow/green dashboards without questioning if they help ensure objective achievement.
- Inadequate Incentives to Change: There is no regulatory or market pressure forcing organizations to move toward better-integrated, outcome-focused risk oversight. Without consequences or incentives, many stick to the status quo.
- Audit Committee Overreliance on Deficiency Reporting: Audit committees often value legacy internal audit’s control deficiency reports as “proof of assurance,” even though they may demoralize managers and miss risks to mission-critical objectives.
- Perceived Complexity and Resource Demands: Transitioning to objective-centric ERM is seen as complex. Leaders assume it will require expensive systems, retraining, and additional staff—even though it often streamlines processes and improves decision-making.
- Lack of Clear External Guidance or Mandates: Standards like COSO 2017 hint at objective-centric ERM, but most consultants and regulators still accept checkbox ERM and list-based audits as adequate. There's little clear, enforceable direction.
- Psychological Biases and Blind Spots: Leaders may genuinely believe their current systems are effective due to confirmation bias, familiarity bias, or fear of change. It’s difficult to accept that foundational practices might be doing harm.”
Boards are responsible for overseeing ERM/IA. Boards should be briefed and consciously decide on the board's purpose and what information they need from management/risk/IA. Regulators—stop legislating ineffective/harmful ERM/IA methods.
Boards must actively engage with management to decide on the purpose of ERM and internal audit, ensuring that they receive the right information to make informed decisions. Boards should also be briefed on the benefits of an objective-centric approach to risk management so that they understand the strategic value it provides.
Regulatory bodies also have a crucial role to play in shaping the future of risk management. Rather than continuing to legislate outdated, ineffective methods, regulators should encourage organizations to embrace more comprehensive, objective-driven frameworks. This shift would help organizations align their risk management strategies with long-term goals and improve resilience in the face of evolving risks.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.