When Purpose Changes the Risk Equation
Enterprise risk management has long asked a familiar question: Will we achieve our strategy? But once an organization adopts a purpose, that question is no longer sufficient.
Purpose introduces a more fundamental test: Are we delivering on why we exist — and what risks and opportunities arise from our purpose? Most risk frameworks, governance practices and management systems have not caught up to this shift. Consequently, many organizations face a new set of largely unexamined exposures: risks to their purpose, risks arising from it, and risks created by not having a purpose at all.
When purpose reframes the risk question
When purpose becomes the organization’s reference point, it reshapes how risk should be understood and managed. Risk is no longer only concerned with uncertainties that could prevent the achievement of objectives or strategy. It must also account for whether the organization knows why it exists, whether it is delivering on that purpose, and what risks and opportunities arise as a result.
Risk Category | What it Means
Absence of purpose | Lack of clarity creates drift and missed opportunity
Risks to purpose | Barriers to achieving purpose outcomes
Risks arising from purpose | Exposure created by purpose delivery
Opportunities from purpose | Innovation, trust, resilience, performance gains
Risks of weak purpose integration | Lost value from misalignment across the organization
How purpose reshapes organizational risk
Purpose changes an organization's risk profile.
This table illustrates how purpose changes the organization’s risk profile – including risks and opportunities arising from purpose, risks that threaten delivery, and risks associated with its absence.
These exposures are rarely visible in traditional risk registers because they sit above — not within — strategy.
Historically, risk has been oriented around strategy. Its role has been to identify, assess and manage uncertainties that could prevent the organization from achieving its objectives. Once a purpose is adopted, however, strategy and objectives are no longer the highest reference point. Risk must expand its line of sight to embrace the purpose.
Why existing risk frameworks don’t go far enough
Most enterprise risk frameworks, including ISO 31000, are designed to assess the effect of uncertainty on objectives and strategy. They were not built to test whether an organization is delivering on its purpose — or to surface the risks that arise once a purpose is adopted.
This is not a critique of enterprise risk management. It is an observation that purpose introduces a governing construct that reframes how risk should be understood and managed.
This gap has been acknowledged by leading practitioners. A Deloitte report argues that risk and internal audit functions should play an important role in navigating both the risks of purpose and the risks to purpose — and in ensuring robust board oversight once a purpose is adopted.
What is social purpose risk management?
As set out in Enhancing Risk Management Practices: A How-to Guide for Social Purpose Companies, social purpose risk management treats purpose as a governing reference point for risk, ensuring risks and opportunities related to why the organization exists are visible to management and boards.
Using a condensed version of the ISO 31000 risk process, the guide outlines five practical steps: risk identification, risk assessment, risk treatment and optimization, risk monitoring, and risk reporting. It lays out a number of risks and mitigation strategies to address them – concluding that to mitigate purpose risks organizations need to double down on their purpose, not step back from it.
Purpose doesn’t sit outside enterprise risk — it changes the question risk leaders are paid to ask.
This is why risk is a compelling partner in operationalizing purpose. Risk leaders already operate at the intersection of governance, strategy and accountability. When purpose becomes the organization’s North Star, risk provides a practical entry point for embedding purpose into decision-making, oversight and execution – ensuring it doesn’t remain purely aspirational or a marketing slogan.
Several Canadian organizations illustrate what this looks like in practice.
Purpose risk in practice
BCLC provides a governance-led example. Its board terms of reference explicitly include oversight of purpose-related risks and opportunities. Purpose is embedded into its enterprise risk management policy and charter, and a social purpose risk assessment informed business planning. Risk is defined as anything that could affect the organization’s ability to deliver on its purpose.
Co-operators shows how purpose shapes risk response. With its purpose centered on “financial security for Canadians and our communities”, climate change presents a direct threat to its purpose. The organization responded by investing in research, developing insurance products supporting climate resilience, and offering incentives that reduce exposure — managing purpose risk through innovation.
Coast Capital demonstrates the next frontier of purpose risk management: purpose disclosure. In its Purpose Impact Report (2024), the organization explicitly identifies risks to achieving its purpose and risks arising from it, and explains how those risks are being addressed.
Importantly, disclosure itself plays a role in mitigating purpose risk. By measuring, monitoring and publicly reporting on progress against its purpose, Coast Capital addresses many of the risks that can undermine purpose — including credibility gaps and accusations of purpose-washing. In this way, purpose disclosure functions not only as accountability, but as a risk management tool.
The overlooked risk: not having a purpose at all
Perhaps the most underappreciated risk is this: organizations without a clearly articulated purpose face risks they cannot name, assess or manage.
Without a purpose, strategy lacks a clear reference point. Decision-making becomes fragmented. Risk functions are left protecting objectives without clarity on whether those objectives are aligned with why the organization exists.
A new entry point for risk leaders
Purpose governance and management remain nascent practices. Many organizations do not yet know how to move from purpose statements to execution.
Risk leaders are uniquely positioned to help bridge that gap.
By asking new questions — What risks threaten our purpose? What risks arise from pursuing it? What risks exist because we don’t have one? — risk professionals can provide a powerful entry point for operationalizing purpose across the organization.
Enterprise risk management is no longer only about protecting strategy. It must also account for whether the organization can deliver on why it exists — and what is at risk if it cannot.
Coro Strandberg is President of Strandberg Consulting, which provides strategy advice to companies and industry associations that seek to integrate social and environmental considerations into their purpose, governance, operations and supply chains to create business value and societal benefit.
Published Mar 6, 2026 5am EST / 2am PST / 10am GMT / 11am CET