
Quantitative ERM 101

  • Writer: Winston Peng
  • 3 days ago

Why bother with Quantitative ERM — and why now?

 

Because emerging disclosure standards require us to show, in numbers, how our business holds up under structural shifts in policy, markets and technology.

 

Qualitative labels can’t express magnitude, likelihood or impact — which means we can’t demonstrate resilience in our future prospects or sustainability.

 

With IFRS S2 now in force across regional exchanges, ‘prospects’ are defined in hard terms: future cashflows, cost of capital and access to finance. And without the numbers — at least internally — to support your public assertions to investors and lenders, even the most elaborate sustainability narratives can’t help. The risk becomes fiduciary.

 

Sustainability teams have learned an impressively long list of new climate vocabulary. What often gets overlooked is that it all maps back to one core question: how regime-shift risks affect enterprise value. At its core, this is Enterprise Risk Management (ERM).

 

ERM is a control system. It regulates how risks are assessed, which shapes decisions, which then determines how the organisation runs its SOPs in pursuit of goals.

 

And by the Law of Requisite Variety (cybernetics), a control system must contain at least as much variety as the disturbances it aims to tame. A purely qualitative ERM approach can’t reach that threshold — it can’t function as intended. And that’s exactly where the risk of material misstatement in your corporate disclosures begins.

 

This one-page protocol helps anyone take the first step into quantitative risk while staying close to current qualitative practices — the familiar high-medium-low scales — but with a small upgrade in how responses are elicited and handled. Small upgrades, re-checked for auditability, make a very big difference.

 


You can then evolve into more advanced models — using ALARP as a compliance cap, introducing dependencies, and applying Bayesian updating to refine expert priors with real data. Scenario-based regime shifts can reshape transition probabilities in a Markov model, which in turn influence future cashflows, cost of capital and terminal value. Judgement can be calibrated with Cooke’s method or behavioural adjustments from Prospect Theory. Joint risks can be modelled with Gaussian copulas. And much more.

 

You will start to see risk management as a model that helps you:

  1. make decisions across operations and projects

  2. price risks and their effect on enterprise value

  3. guide capital planning and long-term sustainability

 

All backed by numbers.

 

As this capability matures, you’ll hit a supersystem constraint: the way auditors interpret assurance. Auditors are trained to sample historical data, which shapes their instinct for what a ‘safe’ assurance level feels like when signing off an audit. Statistically, that instinct maps onto a ‘confidence level’ and a corresponding ‘interval’ or range — a mental band of outcomes they feel comfortable defending. Also, decades of delivering qualitative ERM services further reinforce that band.

 

Quantitative, forward-looking models sit outside that comfort range. When auditors encounter them, their instinct is to widen the range to preserve the same feeling of reasonable assurance. That widening pulls the discussion back to broad qualitative statements, often framed as ‘professional judgement’, where their confidence level feels intact.

 

Boards, relying on big-name auditors as decision insurance, unintentionally reinforce this — creating a tone-at-the-top that misreads this comfort as validated, stronger governance.

 

So how do you navigate this?

 

Adopt IAASB’s ISAE 3000 and ISSA 5000 — profession-agnostic assurance standards that allow other domain experts to sign off on future-oriented EER information. External auditors then only need to assess whether these disclosures affect the entity’s current financial performance or position. They no longer control — or constrain — the method.

© 2025 by Winston Peng.                                                                                                                                                                  
