Why Your Risk Program and Your Strategic Plan Don't Talk to Each Other
- Erin Sedor

And What It’s Costing You
By Erin Sedor | Black Fox Strategy
Six in ten enterprise risk management programs report a connection to strategic planning. That sounds encouraging until you read the rest of the sentence. Most of those programs fail to connect ERM insights with actual strategic decision-making.
Let that land for a second. The connection exists on paper. The integration does not exist in practice.
Meanwhile, only 11% of senior finance leaders view their organization’s risk management as a strategic tool that delivers competitive advantage. Nearly two-thirds say it provides no or minimal advantage at all.
So, here’s what we’re dealing with: most organizations have built both a strategic plan and a risk program. They check both boxes. They report on both. They fund both. And still, those two functions operate in parallel universes—same organization, completely different conversations.
That’s not a minor operational gap. That’s a structural failure in how strategy gets built. And it helps explain why 90% of organizations fail to execute strategy successfully.
The Illusion of Integration
If you asked most CEOs whether their risk program informs their strategic plan, they’d say yes. And they’d believe it. Because in many organizations, risk shows up somewhere in the planning process. There’s a SWOT analysis. There’s a risk register. Maybe the Chief Risk Officer presents to the board once a quarter. The boxes get checked.
But here’s what I see over and over again in the organizations I work with: the risk program produces information. The strategic plan consumes none of it.
The risk team identifies threats and opportunities. Those findings go into a report. That report goes to a committee. That committee discusses it in the context of compliance and controls. And the strategic planning team—often a completely separate group of people operating on a completely separate timeline—builds the plan based on growth targets, market analysis, and whatever the board prioritized at the last retreat.
The two outputs might live in the same building. They rarely live in the same conversation.
This is what I call the illusion of integration. It looks connected from the outside. Internally, risk is still being treated as a function—something the organization does—rather than as a discipline that shapes how the organization thinks.
Why the Disconnect Persists
The reasons are structural, cultural, and historical. And none of them are mysterious.
First, risk and strategy live in different organizational silos. The risk team reports through compliance or finance. The strategy team reports through the CEO or the board. Their timelines don’t align. Their vocabularies don’t match. Risk speaks in probability and impact matrices. Strategy speaks in revenue targets and market share. Neither side is wrong. They’re just speaking different languages about the same organization.
Second, ERM programs were built for compliance, not for strategy. This is the legacy problem that the entire ERM industry is now wrestling with. Most enterprise risk programs were stood up to satisfy regulatory requirements or board governance expectations. They were designed to catalog and monitor risk—not to actively shape decisions about where the organization should go next. The architecture was never built for strategic input. So when leaders say they want ERM to be more strategic, they’re essentially asking a reporting engine to become a thinking partner. That requires a fundamentally different design.
Third, nobody owns the integration. This might be the most important one. There is no standard role, no defined process, and no established practice for making sure risk intelligence actually flows into strategic decision-making. The CRO doesn’t own strategy. The Chief Strategy Officer doesn’t own risk. And the CEO, who should be the bridge, is often too consumed with execution to facilitate the connection. The result is a gap that everyone acknowledges and nobody closes.
What It’s Actually Costing You
The cost of this disconnect isn’t abstract. It shows up in very concrete ways.
It shows up when your three-year strategic plan gets blindsided by a risk that your risk team identified eighteen months ago but nobody escalated to the strategy conversation. It shows up when you chase a growth opportunity without understanding the risk-reward tradeoff at a strategic level—not just a project level. It shows up when your board approves a direction that looks brilliant on paper but ignores the emerging threats your risk assessment already surfaced.
And it shows up in the numbers. When strategic misalignment wastes an estimated 60% of a company’s resources. When 67% of key functions are not aligned with business unit and corporate strategies. When 45% of executives report that their own planning processes fail to track execution of strategic initiatives.
These aren’t risk failures. They aren’t strategy failures. They’re integration failures. The information exists. The intelligence exists. What doesn’t exist is the connective tissue between them.
And without that connective tissue, you’re making strategic bets with one eye closed.
The Real Problem Is Deeper Than Process
Most advice on closing the risk-strategy gap focuses on process fixes. Better reporting. More frequent updates. Cross-functional committees. And those things can help. But they don’t solve the root problem.
The root problem is how we think about organizations in the first place.
Traditional strategic planning treats the organization like a machine. Set the target. Build the plan. Execute the steps. Measure the outcomes. It’s linear. It’s mechanical. And it assumes a level of predictability that simply doesn’t exist in a complex, interconnected operating environment.
Traditional risk management does something similar—it tries to catalog uncertainty into neat boxes. Likelihood. Impact. Mitigation plan. Risk owner. It creates the appearance of control over things that are, by nature, dynamic and interconnected.
When you put two linear, mechanistic processes side by side, they don’t integrate. They can’t. They weren’t designed to talk to each other because they were both designed on the assumption that the world holds still long enough to plan in straight lines.
Organizations are not machines. They are living complex adaptive systems—webs of relationships, energy, and influence that behave according to the laws of nature, not the logic of flowcharts. Strategy and risk are not two separate disciplines. They are two expressions of the same fundamental question: Given who we are and where we’re going, what do we need to see, and how do we respond to what’s really happening?
Until organizations start treating that as one question rather than two, the disconnect will persist—no matter how many committees you create.
What Actual Integration Looks Like
Real integration doesn’t start with restructuring your org chart or buying a GRC platform. It starts with building a strategy foundation that inherently accounts for risk as part of the strategic thinking process—not as an add-on or afterthought.
This is the fundamental principle behind the way I build strategy with the organizations I work with. Purpose, Growth, and Evolution don’t exist in isolation. They exist in Equilibrium—a state of dynamic balance where each element continuously informs and adjusts the others based on what’s happening in reality, internally and externally.
Equilibrium is, at its core, a risk intelligence concept. It’s the discipline of knowing where the tensions live in your system before they become crises. It’s the practice of building strategy that anticipates the changing needs of everyone who serves and is served by the organization—not just responding to disruption after it hits.
When you design strategy this way, risk doesn’t need a separate seat at the table. It’s already embedded in the conversation. You’re not asking the risk team to inform the strategy team. You’re building strategy with risk intelligence woven into the fabric of every decision.
That’s the difference between a risk program that reports to strategy and a risk discipline that lives within strategy.
The Shift Leaders Need to Make
If you’re a CEO or executive director reading this and recognizing the gap in your own organization, the fix isn’t another integration initiative or cross-functional task force. The fix is a shift in how you think about what strategy is and what risk intelligence is for.
Stop treating risk as a compliance obligation that occasionally informs decisions. Start treating it as organizational intelligence—the early warning system that tells you where your strategy is vulnerable, where your assumptions are untested, and where your blind spots are hiding.
Stop building strategic plans in isolation from the people who understand where the organization is most exposed. Start designing strategy with the full picture—Purpose, Growth, and Evolution held in balance by a constant awareness of what could go right, what could go wrong, and what’s already shifting beneath the surface.
The organizations that get this right have a measurable advantage. Those with advanced ERM practices are two and a half times more likely to be top financial performers in their industry. Those with integrated risk and strategy are 30% more likely to achieve their strategic objectives.
The data is clear. The path forward is clear. The only thing standing in the way is the outdated assumption that risk and strategy are two different conversations.
They’re not. They never were.
And the organizations that figure this out first will be the ones still standing when the next disruption hits—not because they predicted it, but because their strategy was built to absorb it.
Erin Sedor is an executive advisor and strategic performance expert with 30+ years of enterprise risk and strategy experience. She is the creator of Essential Strategy and the Quantum Intelligence framework for building strategy that holds up under pressure—because it was built in the field, where the risks are real.