IERP Global Conference 2025 Enterprise Risk Management: Rising from the Ashes

Ramesh Pillai

Keynote Address

Ramesh Pillai, Chairman, Board of Governors, IERP®

5th August 2025

In his keynote address at the recent IERP Global Conference 2025, Ramesh Pillai, Chairman of the Board of Governors, IERP®, started by pointing out that ‘fundamental uncertainty’ is a term that economists have been using for a long time. Then, as now, there was no certainty about many things. While not knowing may affect the decisions that have to be made, it has grave implications in today’s business environment. “When you do not know what is coming next, there is no logical calculus you can bring to bear,” Ramesh said.

This means that rational decision-making processes are ruled out, and the rational decision-making doctrine that many learn in business school no longer applies. What is needed, therefore, is resilience. Defining resilience as the capacity to respond, the ability to react appropriately, and to deal with things, he stressed, “In a world where we don’t trust the ground we stand on, what really counts is adaptation or resilience.” An economy can adjust, almost automatically, to some degree of fundamental uncertainty.

But in an uncertain world, there will always be surprises and upheavals, and nothing is ‘for sure’ any more. This has also affected the entire risk management landscape. “Modern risk management is not a checklist,” he said. “It is a labyrinth.” Risk management trends are shifting rapidly, and tick-the-box compliance is no longer sufficient. Businesses are now facing ‘riskflation’ – a disproportionate surge in the number and severity of risks. Operational risk trends are changing, driven by digitisation, evolving regulations, and new threats that did not exist a decade ago.

Basic compliance checklists and periodic audits are outdated. Companies are having to contend with a wider spectrum of threats, including health & safety compliance, cyber risk, data breaches, sustainability mandates, and sudden regulatory changes. Each of these areas is expanding, and the consequences of failure are severe. The digital footprint of businesses has grown, and so has the impact of digital threats. Regulatory burdens are also intensifying internationally. New frameworks and regulations need technical controls, and mapped, proactive risk management strategies.

It is no longer enough to react when something goes wrong; organisations need to anticipate, prepare and embed resilience into their core business continuity planning. SMEs, particularly, are under increasing pressure. They often lack the appropriate resources to build comprehensive risk management frameworks, and have to search for cost-effective solutions. Many depend on third-party providers and specialised compliance software, or outsource when it comes to specialised requirements.

The interconnectedness of systems, the rise of e-commerce, and new regulations mean that risk management must be dynamic and forward-looking. “Business continuity planning is no longer a back-office function,” Ramesh said. “It is a strategic imperative. In the era of riskflation, resilience depends on preparation, mapped controls, and smart outsourcing, not outdated checklists.” However, some organisations still treat risk and compliance as just another box-ticking exercise, despite the increasing severity of financial consequences of unchecked threats.

Proactive risk management strategies continue to be undermined by the myth that they do not deliver meaningful returns on investment; businesses continue to be exposed to avoidable losses. In reality, research has shown that robust compliance and adherence strategies – particularly those focused on cybersecurity threats and regulatory requirements – can deliver significant cost savings by preventing incidents before they escalate. “The financial toll of a major breach or regulatory penalty can far exceed the upfront investment in risk management software, training, and controls,” he said.

Additionally, while the need for cyber risk programs and regulatory compliance is clear because firms want to avoid fines and breaches, sustainability initiatives face a different kind of scrutiny. Many firms are sceptical about the ROI of environmental, social, and governance (ESG) programs, as regulatory requirements fluctuate. Organisations have sometimes overestimated the benefits of sustainability initiatives, leading to accusations of greenwashing, and a more cautious approach to future investments.

“The challenge lies in quantifying the benefits of sustainability in the same way as the cost of a data breach or compliance failure,” Ramesh said. “As a result, sustainability programs are often the first to face cuts when budgets tighten.” He mentioned that the belief that all risks were created equal was a misconception that further diluted focus and resources, and made it harder to justify investment in truly effective measures. While the impacts of some risks are clear from the outset, the impacts of other risks do not become apparent until it is too late.

“This can leave organisations vulnerable to emerging threats that don’t fit into traditional risk categories,” he said. “Ultimately, the decision of where to invest in risk management strategies is about more than compliance. It is about building resilience that protects the organisation’s financial health and reputation.” Enterprise risk management (ERM) is undergoing significant transformation. With operational reliability and business continuity planning at the forefront, companies were scrutinising every link in their networks to ensure resilience.

ESG reporting was spurring demand for robust third-party risk management; the focus was on verifying qualifications, accreditation and overall suitability of suppliers and partners. Companies were asking tougher questions, such as if the supplier had the right licenses; or if they could deliver reliably under pressure; or if their data security and AI governance protocols were up to standard. “These questions reflect a broader trend,” he said. “Organisations are embedding risk management strategies into their core business planning.”

Organisations were also investing in advanced analytics platforms and risk monitoring tools, which allow continuous assessment of key risk indicators. This helps companies detect anomalies and respond proactively. The integration of AI tools further enhances decision-making, particularly as new risks emerge. Urging companies to map every risk, Ramesh also urged them to hire early, hire smart, and ensure every process left a clear, defensible data trail because “the pressure on business continuity planning is real,” he said.

Organisations that thrive will be those that treat third-party risk and supply chain oversight as dynamic, data-driven disciplines. The rapid evolution of riskflation and emerging threats is forcing organisations to rethink their entire approach to risk. Regulatory developments are shaping the compliance landscape, and research shows that customers and auditors alike are demanding clear, transparent, holistic risk management policies. They want to know how risks are being managed and mitigated.

“The era of treating ERM as an optional extra is over,” he said. “The most resilient organisations will be those that embrace these demands and requirements, and embed them in their core risk management strategies. ERM means preparing for the unexpected. Building resilience is less about budgets, but more about grit, coordination, and a willingness to confront hard truths. Keep your data close, your cyber partners closer, and always question whether your risk strategy is just a box, or actually a buffer.”
