ERM Chapter 13 Embedding ERM in legal

Legal risk management is a new way of thinking for many in-house legal teams. In the financial services industry, other departments and regulators now expect the Legal team to take part in formal risk management. Legal risk includes reputational damage, financial losses, and issues that affect business operations. This means the Legal team must go beyond their usual tasks to identify, manage, and reduce these risks.

Legal risk includes risks related to laws, regulations, contracts, and non-contractual obligations. Managing legal risk follows the Enterprise Risk Management (ERM) framework, as outlined in ISO 31000. The level of legal risk management in a company usually matches the maturity of its ERM practices. As a company improves its risk management, legal risks become more clearly defined and are integrated into the overall risk management framework.

Key Elements of a Strong Legal Risk Management Framework:

  • Leverage technology to enhance risk visibility, oversight, and control across the organization.
  • Clearly define legal risk and its relationship with other types of risks.
  • Assess legal risks using a structured approach, including data analysis and scenario planning.
  • Set legal risk appetite at both individual risk and organization-wide levels, ensuring effective resource allocation.
  • Apply the three lines of assurance model to maintain accountability, independence, and oversight of legal risks.
  • Report legal risks to the board and relevant committees, measuring control effectiveness against a clear risk framework.
  • Use key risk indicators (KRIs) to objectively track and report legal risks.

How to Define Legal Risk?

Some companies define legal risk in a narrow way. They see it as risks linked only to the Legal team, such as:

  • Decisions about using in-house lawyers or law firms
  • The quality of legal advice
  • The conduct of lawyers

This narrow view ignores many legal risks that affect the business, such as:

  • Financial crime
  • Contract disputes
  • Intellectual property issues

These risks may be owned by other departments, but Legal still has a role in managing them. If Legal is not involved, important responsibilities might be overlooked. For this reason, many companies use a broad definition of legal risk, covering any business risk that has a legal aspect.

Surprisingly, many companies still do not have a definition for legal risk—41% of non-banking companies and 14% of banking companies lack one. Even where definitions exist, they vary widely because there is no industry-standard definition. In the past, companies did not consider legal risk as a category on its own. Instead, it was included under Operational Risk, Compliance, or Internal Audit. In financial services, this may be because Basel II grouped legal risk under operational risk.

Legal risk has often been seen as less important than other risks, such as:

  • Financial crime
  • Conduct and duty of care
  • IT and cyber security

These risks have a bigger impact on a company’s stability and finances. However, large fines in recent years have increased awareness of legal risk. More important than defining legal risk is identifying and managing it properly. A good risk management framework should clearly assign responsibilities to the Legal team, other departments, and the business. Legal risks include:

  • Narrow risks – Those directly managed by the Legal team
  • Broad risks – Business-wide issues like contracts, intellectual property, legal changes, and legal input on financial crime, employment, and technology risks

Understanding legal risk is not just about knowing the law—it is also about understanding the company’s rights and obligations. Legal risk can be narrowly defined as risks from Legal’s own operations. In this case, the General Counsel (GC) and Legal team are responsible for managing these risks. Under the Three Lines of Defense model, Legal acts as the first line, while Risk and Compliance take the second line role.

However, a broader definition includes legal risks across the entire organization. Every department faces risks that may have a legal impact. Legal must work with other teams to identify risks, set risk appetite, and define responsibilities for managing them. GCs and risk experts should collaborate to create an effective risk management framework with proper controls to reduce the most serious risks.

Ownership depends on the company structure and expertise. In a broader sense, business management owns legal risk, while Legal provides guidance and oversight. When business functions manage legal risks directly, Legal’s role is to set policies, raise awareness, and ensure controls are effective. Legal must also educate managers about what actions to take and the consequences of mismanaging legal risks.

For multinational companies, Legal must monitor legal risks in different countries and how they may impact multiple regions. Some risks, like GDPR violations or corruption, can lead to severe fines or criminal charges. Legal should work with local teams to understand legal consequences and avoid high-risk regions if necessary. Some companies have shut down operations or stopped trading in certain areas to minimize legal risks.

Legal must remain independent to provide objective advice. If Legal is in charge of risk management, a strong second line (e.g., Compliance or Risk) should oversee it. However, non-lawyers may struggle to review Legal’s work, which creates challenges in oversight.

Policies help ensure clear accountability for managing risks. Legal teams often set policies for hiring law firms, legal referrals, and specialized legal areas. However, some risks, like Anti-Bribery or Conduct, may fall under Compliance. This highlights the need for clear roles and responsibilities between Legal, other departments, and the business to prevent gaps in legal risk management.

A unique aspect of legal risk is that when an incident occurs, its full consequences might not become clear for a long time—such as a lawsuit over a defective product that takes years to resolve in court. As a result, it’s typical for past incidents to linger on risk registers, since the event has occurred, but its complete impact remains uncertain. This often requires organizations to estimate the potential costs of various outcomes to set aside financial reserves in their accounts. These estimates are guided by accounting standards that categorize outcomes as probable, possible, or remote. Generally, organizations reserve funds for probable outcomes, include a disclosure note for possible ones, and omit any mention of remote possibilities.

Legal risk and technology

The adoption of technology to enhance legal risk management is an emerging field. Our survey found that the most widespread application of technology was the use of organization-wide operational risk systems to identify, evaluate, and report on legal risks and controls across the enterprise. Beyond this, however, technology was rarely utilized for managing legal risk. As technological advancements progress within the legal sector, we expect this area to see substantial growth.

Evolving Skill Sets

As legal risk management gains prominence on corporate priorities and Legal departments refine their operational frameworks, technology is garnering more attention. This shift is evident in the hiring of technologists and data scientists, as well as the use of automation for certain tasks and the generation of detailed reports. Legal teams are likely to address their needs through a mix of specialized risk management tools and by embedding legal risk considerations into broader technological systems. For instance, contract management software could flag high-risk clauses or enforce restrictive controls aligned with the organization’s legal risk tolerance, preventing agreements that exceed acceptable limits. An example might be an organization specifying allowable asset types for contract collateral—if the operations team tries to finalize a deal with unapproved collateral, the system would block it.

High-Quality Data

Technology also aids in monitoring and reporting by creating an auditable environment, improving data access, and speeding up responses to both preempt legal risks and handle those that materialize. Resource allocation tools enable Legal teams to analyze their workload and prioritize effectively. For example, technology could track the frequency of incidents tied to specific risks across the organization, allowing resources to be focused on monitoring and uncovering root causes of elevated legal risk areas. This enhances oversight and control, giving Legal greater visibility into organizational activities—far more than a manual, human-dependent approach could achieve.

Applications of Technology

Technology is increasingly integrated into legal risk management in various ways, including:

  • Non-Compliant Event Reporting: With access to data, technology can transform incidents into actionable insights to bolster legal risk management.
  • Management Information (MI) Creation: This provides organization-wide visibility into risk areas, enabling better planning and risk mitigation.
  • Regulatory Communication: Sharing data with regulators to show compliance efforts are underway.
  • Fraud and Call Monitoring: Especially useful in high-transaction settings requiring quick reporting.
  • eDiscovery: Streamlining the process of identifying and retrieving electronic information for legal purposes.
  • Case Management Tools: Allowing cases to be assessed and rated based on risk.
  • Horizon Scanning: Analyzing vast amounts of online data to detect legislative changes.
  • Litigation Predictive Analytics: Leveraging case precedents to guide decisions on settling or contesting legal disputes.
  • Chatbots for Legal Policies: Offering insights into inquiries received by Legal, highlighting trends and potential risk areas.
  • Whistleblowing: Facilitating reporting mechanisms for internal concerns.

Legal risk standard

In 2020, ISO 31022, a new standard within the ISO risk management suite, was introduced, focusing specifically on risk management from a legal risk perspective.

This standard builds on the ISO 31000 Principles and adapts the core ISO 31000 process to emphasize legal considerations:

  1. Define Context & Criteria
    • External Context: Includes laws, contracts, memoranda of understanding, third-party claims, and legal service providers.
    • Internal Context: Encompasses the organization’s legal structure, governance framework, current legal issues and claims, historical experiences, awareness initiatives, and duties of care obligations.
    • Criteria: Covers relationships with third parties, guidelines for acceptable legal risk levels, and the organization’s goals and priorities.
  2. Assess Legal Risks
    • Identification: Sources include case law, common law, stakeholder input, and non-compliance incidents.
    • Analysis: Evaluates IMPACT (e.g., types of losses, negative publicity, financial impact) and LIKELIHOOD (e.g., applicable laws, enforcement trends, stakeholder compliance history).
    • Evaluation Factors: Considers the broader organizational environment, priorities, values, ethics, and overall risk profile.
  3. Address Risks
    • Choosing Options: Involves weighing costs, legal advice, and the feasibility of transferring risk.
    • Evaluating Current Practices: Depends on resource availability and input from legal experts or counsel.
  4. Communicate and Report
    • Communication: Should be timely and relevant, fostering a culture of openness and accountability.
    • Monitoring: Involves tracking legal changes, triggers/covenants, outcomes, and their organizational impact.
    • Reporting Considerations: Includes legal privilege, document retention policies, evidence chains, and confidentiality.

ISO 31022 also outlines key elements for implementing a legal risk management framework:

  1. Policy: Organizational policies should address specific legal risk management concerns.
  2. Roles: Clear roles and responsibilities should be defined, including those for legal specialists.
  3. Integration: Legal risk management should be embedded within the organization’s broader risk management approach.
  4. Awareness: Systematic training programs for experts, frontline staff, and legal professionals enhance legal risk awareness.

Additionally, the appendices of ISO 31022 provide practical tools for viewing risk through a legal lens:

  • Appendix A: A sample legal risk identification method—the Legal Risk Identification Matrix (LRIM).
  • Appendix B: A template for a legal risk register.
  • Appendix C: A guide for estimating the likelihood of legal risk-related events.
  • Appendix D: A method for assessing the consequences of legal risk events.
  • Appendix E: Key contract clauses to review, featuring a table of example clauses to reduce legal risks, covering areas like capacity, title transfer, cancellation, payment terms, damages, warranties, and indemnities.

Assess and control

Once a broad definition of legal risk is established, both the Legal team and the business share responsibility for managing it. The General Counsel (GC) must understand legal risk levels across the organization and ensure the right structure and skills are in place. This depends on factors like the industry, level of regulation, company structure (centralized or decentralized), and business strategy (e.g., intellectual property or acquisitions). Legal risk should be evaluated across all areas of the business. This process can be subjective, but using a standard framework with risk factors—such as regulatory impact, customer concerns, financial and reputational risks, and historical loss data—helps bring structure. Legal can also adapt methods from other risk functions like Operational Risk to improve the process. Some organizations define legal risk appetite (38% of survey respondents have or are developing a formal statement). Instead of applying one blanket risk tolerance, companies should set different risk levels based on:

  • Risk type (e.g., product liability, intellectual property, competition law)
  • Jurisdiction (some countries have stricter laws)
  • Business unit (different teams face different risks)

Some risks may be eliminated (e.g., canceling a high-risk product launch), transferred (e.g., using insurance), or managed either reactively (handling issues as they arise) or proactively (putting controls in place to reduce the risk). Once risks, owners, and appetite levels are identified, the company must decide how much control is needed.

  • Low-risk areas may not need strict controls. For example, a company with low intellectual property risk may only address IP issues when they arise.
  • High-risk areas (e.g., competition law) require stronger controls, such as clear policies, training programs, and legal oversight in business processes.

Not all legal risk controls belong to Legal. Some are managed by business teams, such as:

  • Contract templates (business teams must use them to reduce contractual risk)
  • Approval thresholds (e.g., requiring Legal review for contracts over a certain value)

Legal must still ensure these controls are effective and determine if more or fewer controls are needed. The organization must also check that Legal reviews are properly conducted, either by another lawyer or through external verification. All of these measures form part of the legal risk management framework, ensuring legal risks are controlled in a structured way.

Influence on Strategy and Operations

Determining where to allocate legal resources is crucial for shaping a company’s legal strategy and operating model. Organizations need to decide:

  • Which legal tasks should stay in-house and which can be delegated
  • The required legal expertise
  • The balance between internal legal teams and external counsel
  • How technology can enhance legal risk management

Working with Specialists

Legal teams should collaborate with experts rather than working in isolation. A strong legal risk management framework benefits from input from:

  • Legal Chief Operating Officers (if available)
  • Legal project managers
  • Risk professionals (to develop effective controls)
  • Technology specialists (to implement legal risk management tools)

These experts also help identify legal risks associated with new technologies the company develops or adopts. While most organizations integrate legal risk management into company-wide operational systems, fewer than 10% use dedicated legal risk platforms. Some companies treat legal risk management as a leadership skill, rotating responsibility among legal staff to enhance expertise and career development.

Three Lines of Defense Approach

Many organizations follow the three lines of defense model for legal risk management, where:

  • Legal plays roles in both the first and second lines of defense.
  • It’s essential to avoid conflicts of interest, ensuring Legal does not assess its own risk controls.
  • This model also defines monitoring processes to keep legal risks in check.

Building Awareness Across the Organization

Legal’s role extends beyond direct risk management—it also involves educating other teams about legal risks in their operations. By raising awareness, organizations can prevent risks rather than relying on non-legal staff to follow rules without understanding their purpose. Additionally, risk and technology experts can train the Legal team on best risk management practices and emerging technologies. This knowledge-sharing ensures new legal risks are identified and addressed effectively.

Monitor and report

With a structured legal risk framework, organizations can implement monitoring and reporting systems to evaluate risk management effectiveness, detect emerging risks, and address failures.

  • Technology plays a key role, especially in operational risk management, but its use in legal risk monitoring is still developing.
  • Contract management tools can help assess legal risks by tracking deviations from standard contract clauses across the organization.
  • Regardless of technology, Legal must define what it wants to monitor from the outset.

In multinational organizations, monitoring is most effective when it is close to but independent of the business, allowing for:

  • A deeper understanding of the local context.
  • Faster and more relevant responses.
  • Avoiding delays or misfocused efforts that can occur with centralized monitoring.

However, centralized oversight ensures consistency in legal guidance, particularly in high-risk areas like competition law.

Evaluating Legal Performance

Assessing whether lawyers fulfill their responsibilities effectively can be challenging:

  • Standardized legal processes, such as contract drafting, allow for clearer controls and assurance testing.
  • Legal judgment-based decisions are harder to evaluate.

Some organizations adopt peer reviews or independent legal assurance teams to assess legal work. Other risk-based approaches, inspired by auditing practices, focus on:

  • Testing key controls that address legal risks.
  • Assessing control effectiveness through sample testing.

Reporting on Legal Risk

Effective legal risk management should be regularly reported to risk and audit committees, as well as the board. A clear escalation process should also exist for urgent risk issues.

  • Many organizations primarily report litigation risks to the audit committee.
  • A mature legal risk management approach includes reporting on additional risks such as contractual, intellectual property, competition, data privacy, and regulatory risks.
  • Key Risk Indicators (KRIs) help trigger automatic reporting, reducing reliance on subjective judgments by risk owners.

While many organizations have some form of risk reporting, data quality and accessibility remain major challenges. Legal teams should work with risk and technology specialists to:

  • Identify and access necessary data.
  • Interpret and present data effectively.
  • Ensure governance teams understand legal risk implications.

Interaction with regulators

The General Counsel (GC) is typically responsible for engaging with regulators, primarily on matters related to legal risk. However, the extent of this involvement varies:

  • In large, regulated organizations, legal risk, regulatory risk, and compliance risk are often handled by separate teams, with responsibilities shared between the GC, Chief Compliance Officer (CCO), and Chief Risk Officer (CRO).
  • In smaller or less regulated organizations, all three areas may fall under the Legal department, with the GC overseeing them directly.
  • The level of regulatory engagement by the GC depends on the industry’s regulatory landscape—more regulated industries require more frequent and proactive interaction with regulators.

Adapting to Regulatory Changes

Keeping up with new and evolving regulations—even those focused on operational matters—is crucial for managing legal risk. This requires:

  • Horizon-scanning at both global and local levels to track regulatory developments.
  • Understanding the growing impact of cross-border regulations, as many legal requirements now have transnational effects.
  • Building strong, transparent relationships with regulators, which can help in mitigating penalties across multiple jurisdictions in case of compliance failures.

Monitoring and Reporting

Organizations increasingly expect legal risk reporting to include:

  • Insights into emerging regulations and their associated risks.
  • Identified compliance breaches and their likely consequences.
  • A narrative on regulatory interactions and their implications for the business.

In industries like financial services, regulators are taking a greater interest in how organizations integrate legal risk management within their broader risk frameworks.

ERM Chapter 12 Embedding ERM in Health and Safety, Project, and Supply chain.

12.1 Health and Safety risk management

Health and safety risk management is an example of a specialized area within the broader field of risk management. As highlighted, risk management is a key competency in health and safety management, primarily aimed at removing hazards—essentially negative risks—through a diverse set of tools, techniques, and skills. Effective health and safety practices hinge on managing risks, with a particular emphasis on threats that could lead to harm. Unlike broader risk management, it typically focuses solely on mitigating dangers rather than opportunities. Most nations have laws requiring employers to implement specific controls, guided by proper risk management, to address health and safety risks. In the UK, for instance, the Health and Safety at Work Act of 1974 outlines the minimum obligations for employers, which include:

  • Identifying potential sources of injury or illness in the workplace (hazards).
  • Assessing the likelihood and severity of harm to individuals (the risk).
  • Taking steps to eliminate hazards or, if elimination isn’t feasible, controlling the associated risks.

The terms “hazard” and “risk” are distinct in this context, and this differentiation is critical in health and safety. It helps prioritize which risks need urgent attention and supports organizations in designing workplaces that minimize or eliminate hazards. Health and safety risk management mirrors the general process of Enterprise Risk Management but often employs specialized terminology and methods, such as:

  • Identifying hazards as part of understanding the context or pinpointing risks.
  • Using impact versus likelihood matrices to evaluate risks.
  • Applying risk management tools like bowtie diagrams, root cause analysis, and failure mode effects analysis to gain deeper insight into risks.

When it comes to controls, widely used concepts include the hierarchy of controls and the Swiss cheese model, which help structure and strengthen risk mitigation efforts. Many organizations, particularly those in heavy industries like construction, mining, and oil and gas, adopt a vision of “zero harm.” This is sometimes understood—or explicitly defined—as having no tolerance for harm. While the ideal is that no one should ever be injured at work, the reality is that some level of risk persists, and there’s always a possibility, however slight, that harm could occur when people are engaged in workplace activities. Though it’s a challenging topic, leaders, risk managers, and health and safety professionals must recognize that injuries can happen despite best efforts, and there are limits to what can be done to ensure absolute safety in a work setting. This leads to defining a realistic tolerance for harm, known in health and safety as As Low As Reasonably Practicable (ALARP).

Note: Some organizations and regions use As Low As Reasonably Achievable (ALARA) instead, but the two terms represent essentially the same idea.

Once the ALARP tolerance level is set, it must be upheld by allocating sufficient resources to maintain a controlled work environment—either by removing hazards entirely or managing risks to an acceptable degree. Health and safety specialists often rely on the hierarchy of controls, which prioritizes eliminating hazards as the most effective way to ensure workplace safety. When elimination isn’t feasible—such as in an existing workplace that can’t be redesigned—other controls are employed. These might include installing barriers to prevent contact with dangerous machinery or replacing high-risk materials (like hazardous chemicals) with safer alternatives that still meet operational needs. As a last option, controls that depend on individuals following instructions, such as procedures or guidelines, should be used. While the hierarchy of controls is well-suited for safety risks, it may not always apply to other risk types, such as those tied to finance, legal issues, or sustainability. The Swiss Cheese Model is another tool frequently used in health and safety risk management. It involves layering multiple controls to address a risk, a practice that’s common across various risk management disciplines.

12.2 Project risk management

All organizations, at some stage in their lifecycle, need to modify their activities, objectives, or strategies through efforts that extend beyond everyday “business-as-usual” operations. These modifications, whether modest or substantial, can be classified as projects. According to the Project Management Institute (2008), a project is “a short-term undertaking designed to deliver a unique product, service, or result.” Although project definitions differ, they consistently exhibit certain features:

  • Temporary: Projects have a clear conclusion (even if their starting point is sometimes vague).
  • Purpose-driven: Every project seeks to achieve specific advantages.
  • Change-focused: Projects are initiated to bring about transformation, impacting both the team implementing them and their target audience.
  • Complex: Even minor projects require coordination of related tasks, introducing complexity.
  • Distinctive: Each project carries an element of originality, as it hasn’t been replicated exactly before.
  • Reliant: Projects depend on collaboration, including internal support.
  • Assumption-dependent: Planning a project involves anticipating future scenarios and working within given limitations.

Projects come in diverse forms and sizes, and their successful execution hinges on meticulous project management. They can be short-lived, like opening a new retail outlet, or span multiple years, such as extensive IT overhaul programs. Generally, the longer a project lasts, the higher the associated risks. This stems from the fact that prolonged and complex plans often depend on numerous assumptions that might not hold true, potentially causing significant repercussions for the organization if those assumptions prove unreliable. Due to their defining traits, projects inherently involve risks, making risk management an essential aspect of project oversight. Structured risk management within projects has been practiced since at least the 1990s, steadily advancing to protect and increase project value. Projects are typically evaluated based on two primary metrics—completion on schedule and adherence to budget—commonly referred to as project constraints or goals. Most also incorporate a third vital measure, such as performance, quality, or functionality, forming what’s known as the “iron triangle.” Determining which metric—cost, time, or performance/quality/functionality—takes precedence helps shape the project’s framework and set realistic benchmarks for risk assessment. Additional success indicators might include delivering quality without accidents, complying with legal or regulatory standards, and preserving confidentiality (for instance, in pharmaceuticals, where new inventions must be shielded from competitors). As a project advances, progress can be measured against milestones, and the accuracy of initial assumptions can be reviewed. This enables updates to projections for timelines, budgets, and other measures of success or objectives.

Programmes

Programme management serves as a coordinating framework for multiple projects, ensuring that broader, overarching benefits are achieved. The Project Management Institute describes a programme as “a collection of interconnected projects managed together to secure benefits and control that wouldn’t be possible if handled separately. Programmes might also encompass related tasks beyond the scope of the individual projects within them.”

The advantages of programme management are numerous, including:

  • Enabling the simultaneous execution of several projects.
  • Leveraging similarities across projects for greater efficiency.
  • Facilitating the alignment of goals and resource use.
  • Offering a comprehensive view of projects, identifying gaps, overlaps, and the combined risks and rewards.
  • Enhancing the handling of interdependencies, such as when one project’s completion is a prerequisite for another’s start.
  • Refining project selection by ensuring they contribute to the organization’s strategic goals.

When thoughtfully planned, structured, and executed, programme management becomes a valuable skill that delivers significant organizational benefits.

Portfolios

The Project Management Institute highlights that project portfolio management differs significantly from project and programme management. While project and programme management focus on the execution and delivery of tasks—ensuring projects are done correctly—portfolio management emphasizes selecting the right projects to pursue at the optimal time. Projects drive change to support an organization’s strategy and goals, and programmes coordinate these efforts to align with broader objectives. However, portfolio management takes this further by ensuring that projects are fully in sync with the organization’s strategic vision. Portfolio management demands a distinct approach and is frequently mishandled, resulting in the selection of unsuitable projects or an overload of initiatives. When executed effectively, it bridges strategic planning with project implementation, directs limited resources to the most valuable projects, and empowers organizations to decline projects when necessary. In essence, portfolio management works alongside project and programme management by supporting “doing projects correctly” (project management), “doing projects collaboratively” (programme management), and “doing the right projects” (portfolio management).

Project Management Office

Many sizable organizations maintain a centralized group of management experts, often referred to as a Project, Programme, or Portfolio Management Office (PMO). This team serves the entire organization, assisting with tasks like drafting project specifications, defining inputs and outputs, setting timelines (commonly presented as Gantt charts), identifying dependencies, and creating cost plans. Collaborating with internal “clients,” the PMO helps ensure effective project risk management, aiding project, programme, and portfolio teams in meeting their goals.

For smaller organizations, an alternative to establishing a PMO is to hire external project managers, either on a retainer or per-project basis.

Key Standards

Various standards and best practice guidelines exist for project management, typically adopted based on an organization’s geographic location. Examples include:

  • Project Management Institute (PMI): Headquartered in the US with global chapters.
  • Association for Project Management (APM): Based in the UK.
  • Australian Institute of Project Management (AIPM): Located in Australia.
  • PRINCE2 (Projects IN Controlled Environments): A structured methodology and certification program originating as a UK government standard, widely used in the UK, Western Europe, and Australia.

Each of these bodies or standards has developed its own project risk management guidance:

  • PMI: The Standard for Risk Management in Portfolios, Programs, and Projects (2019).
  • APM: The Project Risk Analysis and Management (PRAM) Guide, 2nd Edition (2004).
  • PRINCE2: Management of Risk (M_o_R): Guidance for Practitioners, 4th Edition (2022). The M_o_R Guide aims to assist organizations in establishing a robust risk management framework across strategic, programme, project, and operational levels.

While the specific project risk management guidance varies, it aligns closely with enterprise risk management when distilled into four basic steps: establish context and objectives, evaluate risks, address risks, and monitor, review, and report. However, the focus and application differ slightly due to the unique nature and characteristics of projects.

12.3 Supply Chain

The supply chain forms an integral part of an organization’s value chain and is a key focus when outlining the extended enterprise of an organization. The supply chain refers to “a series of linked processes and resources that begins with acquiring raw materials and concludes with delivering products and services to final customers.” An organization’s value chain consists of all the steps it takes to transform a product or service from its initial concept to its ultimate use. Managing the supply chain involves multiple value chain components, such as procurement (a supporting function) and the core functions of inbound logistics, operations, and outbound logistics.

The extended enterprise is a model that enhances understanding of an organization’s internal and external environment. Within this model, supply chain elements are generally aligned with “inputs,” “core activities,” and “outputs.” Supply chain management is particularly critical when organizations outsource significant aspects of their operations or tasks. As highlighted, outsourcing serves as a method to address or mitigate organizational risk. However, it also introduces new vulnerabilities, such as risks related to third-party involvement.

Modern supply chains are becoming increasingly intricate and face unprecedented levels of unpredictability. Key sources of supply chain risk include:

  1. Supplier Risk: Incidents like data breaches or business continuity issues affecting a third-party supplier or their own suppliers (nth-party risk).
  2. Transportation Risk: Obstacles such as customs holdups, strikes by transport workers, theft of goods, or heightened regulations.
  3. Natural Events: Disruptions caused by extreme weather.
  4. Socio-Political Issues: Risks arising from security threats, corruption, sanctions, interstate disputes, or civil disturbances.

Enterprise Risk Management (ERM) supports supply chain management in the following ways:

  • Unified Coordination: ERM promotes collaboration within procurement and across all areas impacted by supply chain disruptions. Since supply chain management is often fragmented, ERM encourages better integration among relevant functions.
  • Consistent Framework: In organizations where supply chain complexity has evolved naturally, management practices may lack uniformity. ERM offers standardized approaches and terminology for evaluating and measuring supply chain risk, benefiting overall supply chain governance.
  • Holistic Perspective: With its methodical process for identifying and assessing risks, ERM ensures that significant yet less immediate supply chain risks are addressed alongside more urgent priorities.

A key focus in recent times has been on “nth party risk,” where risk managers and supply chain leaders are expanding their attention beyond third-party risks to include fourth-party risks and further, collectively dubbed “nth party risk.” During the COVID-19 period, notable weaknesses—or “blind spots”—emerged in the supply chain management setups of most organizations. Research indicated that slightly less than half of companies were aware of their tier-one suppliers’ locations and the main risks they faced. In contrast, only two percent had insight into the locations and critical risks of suppliers at the third tier and beyond. The report emphasizes that this gap is significant because many of the most urgent supply shortages today occur in these deeper supply chain levels. Data revealed that 40.2 percent of disruptions tied to COVID-19 originated from issues with tier-two suppliers and beyond, highlighting the need to have visibility into suppliers further down the chain. It’s widely acknowledged that achieving full transparency across the supply base is difficult, if not unfeasible, due to the intricate nature of modern multi-tier supply chains, which can involve hundreds or thousands of suppliers for a single product.
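The tier-two-and-beyond blind spot described above can be made concrete by mapping the supplier network as a graph. The following is an added example, not code from the original text or any cited report; the buyer "ACME" and every supplier name in it are constructed sample data, and "hidden concentration" is this example's own term for a sub-tier supplier that several tier-one suppliers depend on.

```python
"""Added example (not from the original text): walking a multi-tier supplier
network to find the sub-tier suppliers that several tier-one suppliers share.
A disruption there hits several direct suppliers at once, yet it is invisible
to an organization that has mapped only its tier-one suppliers."""
from collections import defaultdict, deque

# Constructed sample data: each key lists the suppliers it directly buys from.
# "ACME" is the buying organization; every other name is hypothetical.
SUPPLY_GRAPH = {
    "ACME": ["Alpha Assemblies", "Beta Boards", "Gamma Cables"],
    "Alpha Assemblies": ["Delta Chips", "Epsilon Plastics"],
    "Beta Boards": ["Delta Chips", "Zeta Resins"],
    "Gamma Cables": ["Zeta Resins"],
    "Delta Chips": ["Theta Wafers"],
    "Epsilon Plastics": ["Zeta Resins"],
    "Zeta Resins": [],
    "Theta Wafers": [],
}


def supplier_tiers(graph, buyer):
    """Breadth-first walk from the buyer; a supplier's tier is the length of
    the shortest path to it (tier 1 = direct suppliers, tier 2 = theirs, ...)."""
    tiers = {}
    queue = deque([(buyer, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in tiers:  # first visit is the shortest path
                tiers[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return tiers


def tier1_dependencies(graph, buyer):
    """For every supplier in the network, the set of tier-one suppliers whose
    own supply chain passes through it (a tier-one supplier maps to itself)."""
    deps = defaultdict(set)
    for t1 in graph.get(buyer, []):
        stack, seen = [t1], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            deps[node].add(t1)
            stack.extend(graph.get(node, []))
    return deps


def hidden_concentrations(graph, buyer, min_tier=2):
    """Suppliers at tier >= min_tier on which two or more tier-one suppliers
    depend, most widely shared first: the nth-party single points of failure."""
    tiers = supplier_tiers(graph, buyer)
    deps = tier1_dependencies(graph, buyer)
    found = [(name, tiers[name], sorted(t1s))
             for name, t1s in deps.items()
             if tiers[name] >= min_tier and len(t1s) >= 2]
    return sorted(found, key=lambda r: (-len(r[2]), r[1], r[0]))


def visibility_share(tiers, known_tiers):
    """Fraction of the supplier network the organization can actually see when
    it has mapped only the tiers in known_tiers (e.g. {1} for tier one only)."""
    if not tiers:
        return 0.0
    visible = sum(1 for t in tiers.values() if t in known_tiers)
    return visible / len(tiers)


if __name__ == "__main__":
    tiers = supplier_tiers(SUPPLY_GRAPH, "ACME")
    for name, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {tier}: {name}")
    print("tier-one-only visibility:", round(visibility_share(tiers, {1}), 2))
    for name, tier, t1s in hidden_concentrations(SUPPLY_GRAPH, "ACME"):
        print(f"blind spot: {name} (tier {tier}) feeds {', '.join(t1s)}")
```

With this sample, a tier-one-only map covers three of seven suppliers and misses that one tier-two resin supplier sits behind all three direct suppliers.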

Several standards address various elements of supply chain management:

  • ISO 28000 Security Management Systems: This standard outlines the requirements for a security management system. It is relevant to supply chains as it emphasizes security measures that help ensure the safety and integrity of an organization’s supply chain operations.
  • ISO 20400 Sustainable Procurement: This standard describes sustainable procurement as an approach that maximizes positive environmental, social, and economic outcomes throughout a product’s life cycle. Sustainability is explored further in Unit 8.
  • ISO 9001 Quality Management: ISO 9001 is noteworthy because it is frequently used as a baseline standard for engaging with suppliers. Certification to ISO 9001 provides confidence that a supplier adheres to minimum quality standards in its operations.

Contractual approach

Risk management is essential in overseeing supply chain management, procurement, and contractual strategies. Various types of supply chain relationships exist, each carrying different levels of risk for both clients and suppliers. A critical choice for an organization is determining the nature of its relationship with a supplier. Hopkin and Thompson discuss options like strategic partnerships, joint ventures, and outsourcing, outlining the pros and cons of these arrangements from the viewpoints of both clients and suppliers. The contract established with the supplier serves as a vital mechanism for addressing the risks tied to these supply chain dynamics.

Contract types, with their advantages and disadvantages to client and supplier:

  • Strategic partnership
    • Advantage to client: priority treatment, continuity of supplier, reduced cost
    • Advantage to supplier: secured market, long-term contract
    • Disadvantage to supplier: fixed cost, reliance on one customer
  • Joint venture
    • Advantage to client: priority supply status, some management control of supplier, denying competitors access to the supplier, reduction in head count, greater flexibility, reduced capital investment
    • Advantage to supplier: secure market, shared funding, shared risks
    • Disadvantage to supplier: reliance on one customer
  • Outsourcing
    • Advantage to client: transfer of some risks, reduced costs, greater level of experience from supplier, reduction in head count, greater flexibility, reduced capital investment
    • Disadvantage to client: careful contract consideration required, supply chain exposure, potential protected employment rights
    • Advantage to supplier: secured market, long term
    • Disadvantage to supplier: potential protected employment rights

The Kraljic Matrix

The Kraljic Matrix, created by Peter Kraljic, is a widely adopted tool among procurement and supply chain experts. It aligns procurement and supply chain strategies with the level of supply risk and the potential impact of disruptions on an organization’s profitability, as illustrated in the Kraljic Matrix.

  • Leverage Items: These items are essential to the organization, and there is an abundant supply.
    The organization should leverage its strong buying power through aggressive negotiation tactics, such as bulk purchasing at fixed rates or securing long-term contracts for better pricing.
  • Strategic Items: These products or services are crucial to the organization, but their supply is limited or scarce.
    Building long-term partnerships with these suppliers is recommended, and opportunities for collaboration or innovation with them should be carefully evaluated.
  • Non-Critical Items: These items are not vital to the organization, and supply is readily available.
    The focus should be on streamlining procurement processes, such as implementing automated purchasing systems, to boost efficiency.
  • Bottleneck Items: These products or services matter to the organization but are not essential, and their supply is unreliable.
    The organization should investigate alternatives with more consistent availability and, in certain cases, may support suppliers by encouraging them to stockpile scarce raw materials.

ERM Chapter 11 Embedding ERM in Insurance and Information Technology

11.1 Insurance

Enterprise Risk Management (ERM) in the insurance industry follows the same fundamental principles as in other sectors, focusing on uncertainties that may impact the achievement of business objectives. However, insurers face some unique challenges and considerations. At its core, an insurance company’s business model revolves around risk acquisition, making underwriting and fund investment the primary areas of risk exposure.

Key Additional Considerations for Insurers

  1. Categorisation of Insurance Risks – Understanding different types of risks specific to the insurance sector.
  2. Solvency II and National Regulations – Compliance with regulatory requirements, including the need to maintain reserves against potential risks.
  3. Use of Internal Risk Models – In some cases, insurers can apply their own models to calculate risk and determine capital requirements.

Insurance companies tend to use a similar classification system to banks. They have an additional category of “insurance,” as shown in the table below.

Risk type and description:

  • Strategic: Uncertainties that could impact or arise from an organization’s business strategy and its strategic goals.
  • Credit: The risk of loss due to counterparty default. It is restricted to default or situations where the counterparty can but refuses to make payment when due.
  • Market: The risk of loss due to adverse economic changes in market conditions, rates or prices, or fluctuations in volatility. Market risk includes price risk, volatility risk, interest rate risk and foreign exchange risk, among others.
  • Liquidity: The risk of not having adequate funds available to meet financial commitments as they fall due. This may be caused by local or foreign economic conditions, a reduction in the firm’s credit rating, or situations where the firm is interested in trading an asset but cannot do so because nobody in the market wants to trade that asset.
  • Operational: The risk of loss, direct or indirect, resulting from inadequate or failed internal processes, people, and systems or from external events. Operational risks are typically sub-categorised as follows:
    • Internal fraud – for example, an inappropriately authorised payment
    • External fraud – for example, supplying incorrect data to gain insurance cover
    • Employment practices and workplace safety – for example, fines resulting from harassment, discrimination, or constructive dismissal
    • Clients, products, and business practices – for example, a fine for a breach of the data protection rules
    • Damage to physical assets – for example, the cost of repairing a building
    • Business disruption and system failures – for example, an IT failure
    • Execution, delivery and process management – for example, a service complaint
  • Insurance: Also known as underwriting risk. Insurance risk is the risk of a claim being made on an insurance policy or underwriting. Examples of classes of insurance risk include business interruption, cyber-crime, directors’ and officers’ liability, key person, motor (individual or fleet), property, professional indemnity, terrorism, unauthorised trading, as well as life and health policies.

Insurance risk: This type of risk falls under operational risk management when it stems from not adhering to policies or procedures, mistakes in actuarial calculations, or insufficient documentation.

Solvency II

The goal of regulating insurers is to ensure they maintain sufficient reserves (risk capital) to endure financial shocks and stay solvent, thereby keeping insurance functional within society. Without a global agreement, Solvency II serves as the standard regulatory framework for the insurance industry within the European Union. The European Insurance and Pensions Authority (EIOPA) provides extensive guidance on Solvency II. Similar to the Basel framework for banking, Solvency II is structured around a three-pillar system. Most nations with insurance markets follow a regulatory model comparable to Solvency II. The Solvency II framework is organized into three pillars, as outlined below:

  • Pillar 1 establishes quantitative standards, such as the amount of capital an insurer must hold (Solvency Capital Requirement – SCR) and a minimum threshold (Minimum Capital Requirement – MCR), below which regulators will intervene.
  • Pillar 2 defines qualitative standards, including governance, supervisory oversight, and the Own Risk and Solvency Assessment (ORSA). ORSA is the insurer’s risk management process, requiring it to evaluate its risks, manage them effectively, and determine the capital needed to operate.
  • Pillar 3 specifies reporting and transparency obligations under Solvency II, including the Solvency and Financial Condition Report (publicly disclosed) and the Report to Supervisors (submitted to regulators).

Bupa, in their strategic risk report, identify the five risks in order of the solvency capital required by their regulator to mitigate them, which are shown in the table below, Bupa risks vs solvency capital required:

  • Property
    • Description: The risk of the volatility in values or the devaluation of properties held for own use (including owned care provision properties), or for investment purposes, resulting in adverse impacts. This includes capital associated with leased properties following the introduction of IFRS.
    • Mitigating actions: By maintaining a geographic spread of businesses across a number of countries, we are able to diversify exposure to national or regional property markets and trading conditions.
  • Insurance
    • Description: Risks relating to our insurance businesses. Risk of inadequate pricing and/or underwriting of insurance policies, and of claims experience being materially adversely different to expectations.
    • Mitigating actions: The relatively short-tailed nature of Bupa’s products allows us to respond to market changes quickly, although this can be limited by government-set pricing controls in some markets. There is a low exposure to reserving risk compared to underwriting risk due to the very short-term nature of our claims development patterns. We have extensive control mechanisms in place, including holding an appropriate prudence margin, to ensure that reserves are adequate to mitigate against the risk of higher-than-expected claims costs. The geographical diversity of Bupa offers further mitigation against insurance risk.
  • Currency
    • Description: Risk arising from changes in the level or volatility of currency exchange rates impacting on cash flows and assets held in currencies other than sterling, and on the financial statements.
    • Mitigating actions: Currency translation risk is mitigated through a hedging programme to a Board-approved level of risk. We limit currency risk exposure through asset liability matching in local currencies.
  • Credit spread and counterparty default
    • Description: Risk of a loss in value of bond assets and/or that a counterparty fails to meet its obligations in the face of adverse economic conditions. This also includes the risk of a loss in value of the bond assets held within the pension schemes.
    • Mitigating actions: Our bond portfolio is small in relation to our other financial assets and the majority is investment grade. Counterparty exposure is managed by dealing with highly rated counterparties with exposure limits defined by Group Treasury Policy.
  • Operational (including conduct risk and clinical risk)
    • Description: Risk of loss arising from inadequate or failed internal processes, or from personnel, systems, or external events. This risk also includes conduct risk (the risk that our behaviours, actions or controls result in detriment or unfair outcomes for our customers), and clinical risk (the risk of injury, loss, or harm to customers in receipt of healthcare).
    • Mitigating actions: Maintaining internal control processes and governance frameworks, approving risk policies, and assessing compliance help to mitigate this risk. The Group Clinical Function, led by the Group Chief Medical Officer, is responsible for ensuring clinical quality and governance within the business.

Risk calculation models used by insurers

To determine the risk capital an insurer must maintain, it can employ its own internal models instead of relying on a standard formula. Solvency II mandates the use of internal models in specific situations. These models account for the diverse nature and magnitude of risks an insurer faces. A key requirement is that the internal model must satisfy a “use test,” meaning it must be actively utilized in the insurer’s everyday risk management practices. According to EIOPA, the use test stipulates that insurance and reinsurance companies must show that their internal model is integral to their governance framework, as outlined in Articles 41 to 50 of Solvency II. This includes their risk management system (per Article 44) and decision-making processes, and their processes for assessing and allocating economic and solvency capital, including the evaluation described in Article 45. Furthermore, these companies must prove that the frequency of calculating the Solvency Capital Requirement (SCR) with the internal model aligns with how often they use it for the other purposes mentioned above. The administrative, management, or supervisory body is tasked with ensuring that the internal model’s design and functionality remain suitable over time and accurately reflect the risk profile of the insurance or reinsurance entity. The underlying idea is that an internal model, actively applied in daily management, provides a more accurate depiction of the insurer’s risk exposure. However, the ongoing use of such a model requires approval from the insurer’s regulator, as part of the supervisory review process under Pillar 2.

Insurance Types

The three reasons why an organization will wish to purchase insurance cover correspond to the broad areas in which insurance operates:

  • balance sheet/profit and loss protection (first-party protection).
  • mandatory legal and contractual obligations (third-party protection).
  • protection of employee assets (benefits insurance).

The different types of insurance are:

  • Mandatory, legal and contractual obligations
    • Employers’ liability – compensation to employees injured at work
    • Public liability – compensation to the public or customers
    • Motor third party – compensation following a motor accident
    • Product liability – compensation for damage or injury
    • Professional indemnity – compensation to the client for negligent advice
  • Balance sheet/profit and loss protection
    • Business premises – damage to premises by adverse events
    • Business interruption – loss of profit and increased cost of working
    • Asset protection – losses, such as loss of cash, goods in transit, credit risk and fidelity guarantee (staff dishonesty)
    • Motor accidental damage – repair of own vehicles
    • Terrorism – compensation for damage caused by terrorism
    • Loss of a key person – compensation for the loss of a key staff member
  • Employee benefit/protection of employee assets
    • Life and health – benefits to employees that can include: life cover, critical illness cover, income protection, private medical costs, permanent health cover, personal accident and travel injury/losses
    • Directors’ and officers’ liability – legal and compensation costs
  • Captive Insurance
    • A captive insurance company is an insurer wholly owned by an organization that does not typically operate in the insurance industry.
    • Its primary role is to offer insurance coverage to the parent organization, utilizing the organization’s own financial resources to cover specific expected losses or claims.
    • More often, a captive insurance company functions as a reinsurer, providing additional coverage to the primary insurance provider selected by the organization.

11.2 Information Technology

Cyber security

Many organizations face increasing pressure to digitize their operations to remain competitive and meet the expectations of customers or service users. This shift heightens their dependence on robust cyber security measures to shield against cyber threats. Keeping cyber security systems current and staying informed about the latest risks and corresponding safeguards often feels like an overwhelming challenge.

Cyber Security Trends:

  1. Demand for instant access to widespread data and information platforms continues to rise.
  2. Cybercriminals are leveraging advanced tools like AI, machine learning, and other technologies to execute more complex and sophisticated attacks.
  3. A constantly expanding regulatory environment, combined with persistent shortages in resources, expertise, and skilled personnel, will likely outstrip cyber security efforts. For IT professionals, reducing cyber security risks remains a top priority. McKinsey emphasizes that this demands:
    “…continuous monitoring and a systematic approach to ensure organizations actively assess their surroundings and adapt their cyber posture as needed.”

Organizations are increasingly adopting this three-step process:

  1. Verify cyber controls – particularly new ones – through technical assessments to confirm preparedness for emerging threats and technological changes.
  2. Reassess cyber strategy – update the plan by incorporating new capabilities and methods.
  3. Implement a structured program – establish an official system to regularly evaluate the cyber strategy, tools, and processes in response to evolving cyber security trends.

IT Risk Standards

The ISO 27000 series is a collection of interrelated information security management standards designed to work together, offering a globally recognized framework for implementing best practices in information security management. ISO 27001 is widely adopted by international organizations to develop and audit their information security management systems or to assess risks tied to third-party vendors. For optimal effectiveness, the information security management system should be woven into the organization’s processes and overarching management framework, ensuring that security considerations shape the design of processes, systems, and controls. The implementation of such a system is expected to be tailored to the organization’s specific requirements.

ISO 27001 encourages the adoption of an Information Security Management System (ISMS), which consists of a set of guidelines an organization establishes to:

  • Evaluate, manage, and
  • Reduce risks related to its information security.

These guidelines are often expressed as security objectives. Under ISO 27001, these objectives focus on safeguarding three key elements of information:

  • Confidentiality: Robust access controls ensure that only authorized individuals can access data.
  • Integrity: Restrictions are placed on altering or destroying information to maintain its accuracy and reliability.
  • Availability: Authorized users must have access to data whenever it is required.

ISO 27001 includes multiple references to risk management, which are integral to its four-stage accreditation process. These references can be summarized as follows:

  1. Compile Required Documentation – Several mandatory documents are required, with the following having the strongest ties to risk management:
    A. Risk Assessment and Management Plan, incorporating excerpts from corporate risk registers.
    B. Incident Response Framework and Management Plan.
    C. Business Continuity, Crisis Management, and Disaster Recovery Plan.
    These documents must be backed by proof of training, internal audits, maintained registers, and reporting to appropriate levels with evidence of follow-up actions.
  2. Conduct a Risk Assessment – The risk assessment process aligns with ISO 31000 (previously discussed in Unit 3) and involves three steps: Identify, Evaluate, and Prioritize risks.
  3. Mitigate Risks with Five Control Categories – The standard outlines five types of controls that an Information Security Management System (ISMS) should implement:
    • Technical Controls: Examples include backup systems, antivirus or endpoint protection tools, firewalls, patch management, configuration management, and other infrastructure-related safeguards.
    • Organizational Controls: These encompass policies like acceptable use, user permissions, identity and access management roles, organizational hierarchies, approval processes, and clearly defined responsibilities for all staff.
    • Legal Controls: Examples include non-disclosure agreements, service level agreements, data ownership contracts, and compliance with applicable laws or regulations.
    • Physical Controls: These involve equipment or devices to manage physical access and security, such as alarm systems, locks, and access codes, all of which should be implemented and documented.
    • Human Resource Controls: ISO 27001 mandates controls like security awareness training, internal auditor training, and other initiatives to boost employees’ understanding of information security.
  4. Meet the Standard’s Mandatory Requirements – Clauses 4 through 10 of ISO 27001 outline a set of compulsory requirements that must be fulfilled to obtain certification.

COBIT Framework

COBIT, which stands for Control Objectives for Information and Related Technology, is a framework created by ISACA to support IT governance and management within organizations. It is versatile enough to be applied across any industry or organization. The framework helps ensure high-quality information, while enhancing the control and reliability of an organization’s IT systems. COBIT equips organizations with the structure needed to align their IT processes with their broader business goals. It is built on five core principles critical to effective IT governance and management:

  • Principle 1: Addressing stakeholder needs
  • Principle 2: Providing comprehensive coverage across the enterprise
  • Principle 3: Utilizing a unified, integrated framework
  • Principle 4: Promoting a comprehensive approach
  • Principle 5: Distinguishing governance from management

These principles underpin a holistic IT governance and management framework, supported by seven key ‘enablers’:

  1. People, policies, and frameworks
  2. Processes
  3. Organizational structures
  4. Culture, ethics, and behavior
  5. Information
  6. Services, infrastructure, and applications
  7. People, skills, and competencies

Together, these principles and enablers help organizations align their IT investments with their strategic goals, maximizing the value derived from those investments. A key distinction of COBIT compared to other frameworks is its specific emphasis on security, risk management, and information governance. This focus is clarified in COBIT 2019, which provides sharper definitions of its scope. For instance, ISACA notes that COBIT is not intended for organizing business processes, managing technology operations, making IT decisions, or defining IT strategies or architectures. Instead, it is exclusively designed as a framework for the governance and management of enterprise IT throughout the organization.

ERM Chapter 8 Sustainability

Sustainable Development is described as “development that fulfills today’s needs without jeopardizing the ability of future generations to meet theirs.” Risk management plays a vital role in realizing the sustainability elements most pertinent to an organization. Sustainability—also known as ESG (Environmental, Social, and Governance), CSR (Corporate Social Responsibility), or Licence to Operate—is a fast-evolving field that encompasses climate change and emphasizes valuing not just financial profit but also people and the planet, reflecting core values for many. Given its complexity and inherent uncertainties, sustainability must be seamlessly woven into an organization’s fabric, requiring a tool adept at navigating such challenges. That tool is risk management, increasingly recognized in regulations and guidelines as essential for shaping and meeting sustainability goals. Techniques like materiality assessments and scenario analysis, common in risk management, support this effort. This definition remains relevant today, though it is expressed through various terms such as ESG, Corporate Social Responsibility, Licence to Operate, and Sustainability—each of which will be examined further below. Sustainability typically spans the natural environment, societal well-being, and the governance and distribution of wealth. Its success is gauged beyond mere financial metrics, often incorporating financial, natural, and social capital. These dimensions frequently clash, necessitating a method to assess the opportunities and risks of future scenarios. Risk management serves this purpose.

The breadth of sustainability is well-represented by the United Nations Sustainable Development Goals (SDGs), introduced in 2015. These 17 goals, backed by numerous targets and indicators, hold equal weight, though organizations may align more closely with certain ones. Many currently prioritize climate change (SDG #13), which presents significant physical and transition (non-physical) risks to and from organizational activities. Climate change risk management exemplifies how fully integrated enterprise risk management offers a critical approach for organizations of all sizes to address both the opportunities and threats posed by climate change. Sustainability, and the way people describe it, is evolving very quickly at the moment. Therefore, it is common for a mixture of language to be used in any organisation. It is sometimes considered a risk manager’s role to help align understanding of evolving areas, including where terminology changes rapidly. This may not necessarily be achieved by aligning on the terms used, but rather by helping people to understand that a variety of terms may be being used to mean the same thing.

Sustainability often involves balancing competing priorities. To navigate these trade-offs effectively, organizations need a systematic approach for weighing the advantages and disadvantages of different situations — this is where risk management plays a crucial role. Ideally, sustainability-related risks should be fully embedded within your organization’s overall risk profile. This means that your key risks should explicitly reflect sustainability considerations.

More and more, regulations and frameworks — such as the Taskforce on Climate-related Financial Disclosures (TCFD) — emphasize risk management as a core tool to:

  • Understand both how the organization affects its surrounding environment (natural, social, and economic) and how these external factors, in turn, impact the organization.
  • Identify threats and opportunities that could influence the achievement of strategic objectives. In some cases, the focus may be on specific risks, like those related to climate change.
  • Assess and prioritize these risks to determine whether action is required. Where necessary, organizations should embed specific actions and clear accountability into their strategy and governance structures.
  • Implement appropriate risk responses.
  • Monitor, measure, and report on the effectiveness of risk management efforts — identifying both successes and areas needing more attention.
  • Establish and track relevant metrics and targets.
  • Ensure the organization’s strategy is well-aligned with sustainability principles and addresses related risks and opportunities.
  • Maintain strong governance and accountability, particularly at the executive and board levels, to ensure meaningful oversight and informed decision-making on sustainability matters.

Many organizations are currently undergoing a transformation in their approach to ESG (Environmental, Social, and Governance) and sustainability. They are shifting from a basic, compliance-driven mindset to a more advanced stage where strong ESG performance is viewed as a source of competitive advantage. Risk management plays a vital role in supporting organizations as they work toward higher levels of ESG maturity. It is important to recognize that most ESG-related frameworks and documents commonly refer to “risks and opportunities,” often using the term “risk” to mean only threats. As risk management professionals, we understand that this interpretation is technically inaccurate, but since it is widely accepted, we need to be mindful of this common usage.

ESG maturity can be described using a four-stage model, which classifies organizations along a continuum:

  1. Minimalist
    • Views ESG reporting as a compliance issue, or has only just begun its ESG journey
    • Has no or limited public reporting
    • Focuses largely on Environmental issues
  2. Pragmatic
    • Oriented to risk rather than opportunity
    • Has some public reporting but no science-based target
    • Has a sustainability report and a net zero target
    • ESG activities and reporting are segregated within the organization
    • Responsibility for ESG sits below the C-suite, and executive compensation alignment is limited
  3. Strategist
    • Sees both opportunities and risk in ESG
    • Has more mature disclosure and reporting, including science-based targets
    • Sees ESG as more than net zero, inclusion and diversity
    • ESG is integrated with business and financial strategy
    • ESG responsibility is at C-suite level and partially integrated into operational and executive compensation
    • Has ESG-differentiated products and services
  4. Trailblazer
    • ESG is core to purpose, strategy and services/products
    • Has integrated financial and non-financial reporting aligned to ESG metrics
    • ESG is integrated across the organization
    • The CEO is responsible for ESG
    • Publicly advocates for, and participates in, the development of standards and regulatory frameworks

Each level represents a progression in how deeply ESG is integrated into the organization’s strategy and operations.

8.1 Evolution of sustainability

The concept of sustainability has continuously developed since the release of the United Nations’ 1987 report Our Common Future, produced by the Brundtland Commission.

  • In the 1980s, sustainability was typically framed around three core pillars: Social, Environmental, and Economic factors. This framework was formally captured in the Our Common Future report, which laid the foundation for sustainable development thinking.
  • In 1992, the Earth Summit in Rio de Janeiro marked a major milestone, where over 178 countries adopted Agenda 21, an action plan aimed at fostering global partnerships to improve human well-being while safeguarding the environment.
  • By 1994, John Elkington expanded the conversation with the introduction of the “Three P’s”: People, Planet, and Profit (sometimes referred to as Prosperity). This adaptation of the original three pillars resonated strongly within financial and corporate communities.
  • In 2000, the United Nations launched the eight Millennium Development Goals (MDGs), with the primary aim of reducing extreme poverty by 2015.
  • Another significant moment came in 2012 during the Rio+20 Conference, where UN member states adopted The Future We Want, a document that laid the groundwork for the Sustainable Development Goals (SDGs).

The year 2015 was particularly pivotal, marking the adoption of several key global frameworks:

  • The launch of the UN Sustainable Development Goals (SDGs)
  • The Sendai Framework for Disaster Risk Reduction, which became the leading standard for disaster risk management
  • The Addis Ababa Action Agenda on Financing for Development
  • The Paris Agreement on Climate Change, which we will examine in more detail later

Since then, global efforts have intensified around achieving the SDGs, with the term ESG (Environmental, Social, and Governance) increasingly used to describe the mechanisms for advancing sustainability objectives. Additionally, the annual COP (Conference of the Parties) gatherings have remained central to international climate and sustainability discussions. Notably, COP26 marked a shift where the financial sector began to take a more proactive role in addressing climate change risks.

Sustainable Development Goals

The United Nations introduced the Sustainable Development Goals (SDGs) in 2015, presenting a comprehensive and interconnected framework designed to balance the three key dimensions of sustainable development at the time: Environmental, Social, and Economic. While these three pillars continue to form the foundation of sustainability, there is now a growing view that sustainability is primarily advanced through the lens of Environmental, Social, and Governance (ESG) practices. The SDGs consist of 17 goals supported by 169 specific targets.

The 17 SDGs (adopted in 2015)

  1. No Poverty
    End poverty in all its forms everywhere.
  2. Zero Hunger
    End hunger, achieve food security and improved nutrition, and promote sustainable agriculture.
  3. Good Health and Well-being
    Ensure healthy lives and promote well-being for all at all ages.
  4. Quality Education
    Ensure inclusive and equitable quality education and promote lifelong learning opportunities for all.
  5. Gender Equality
    Achieve gender equality and empower all women and girls.
  6. Clean Water and Sanitation
    Ensure availability and sustainable management of water and sanitation for all.
  7. Affordable and Clean Energy
    Ensure access to affordable, reliable, sustainable, and modern energy for all.
  8. Decent Work and Economic Growth
    Promote sustained, inclusive, and sustainable economic growth, full and productive employment, and decent work for all.
  9. Industry, Innovation, and Infrastructure
    Build resilient infrastructure, promote inclusive and sustainable industrialization, and foster innovation.
  10. Reduced Inequality
    Reduce inequality within and among countries.
  11. Sustainable Cities and Communities
    Make cities and human settlements inclusive, safe, resilient, and sustainable.
  12. Responsible Consumption and Production
    Ensure sustainable consumption and production patterns.
  13. Climate Action
    Take urgent action to combat climate change and its impacts.
  14. Life Below Water
    Conserve and sustainably use the oceans, seas, and marine resources for sustainable development.
  15. Life on Land
    Protect, restore, and promote sustainable use of terrestrial ecosystems, sustainably manage forests, combat desertification, and halt and reverse land degradation and halt biodiversity loss.
  16. Peace, Justice, and Strong Institutions
    Promote peaceful and inclusive societies for sustainable development, provide access to justice for all, and build effective, accountable, and inclusive institutions at all levels.
  17. Partnerships for the Goals
    Strengthen the means of implementation and revitalize the global partnership for sustainable development.

Many organizations are now including aspects of sustainability in their values, mission and vision, with key metrics and targets being set. It is common for an organization to select certain SDGs or focus areas to address in the near term. It is also common for organizations to have a sustainability team, often led by a Chief Sustainability Officer. Every individual and organization has the potential to contribute to all 17 of the SDGs, and many organizations have formalized their contribution to the achievement of the goals since their launch in 2015. While the SDGs will be updated or replaced in 2030, they will continue to be core to much of the collaboration and values in place across the globe today. It should also be remembered that the goals are interconnected and can conflict with one another; we need to achieve all of them, not just one or two.

The 3 P’s of the Triple Bottom Line: People, Planet and Profit

The triple bottom line is a sustainability framework that examines a company’s social, environmental, and economic impact. The original idea was to encourage businesses to track and manage the economic (not just financial), social, and environmental value they add or destroy.

  • People: the positive and negative impact an organization has on its most important stakeholders. These include employees, families, customers, suppliers, communities, and any other person influencing or being affected by the organization.
  • Planet: the positive and negative impact an organization has on its natural environment. This includes reducing its carbon footprint, usage of natural resources, toxic materials and so on, but also the active removal of waste, reforestation and restoration of natural harm done.
  • Profit: the positive and negative impact an organization has on the local, national and international economy. This includes creating employment, generating innovation, paying taxes, wealth creation and any other economic impact an organization has.

The idea of evaluating an organisation’s value by considering not only its financial performance but also its positive contributions to society and the environment gained momentum in the 1990s. Expanding on the original three pillars of sustainability — Social, Environmental, and Economic — this approach led to the creation of the triple bottom line framework, often summarised as People, Planet, Profit. While this model appealed strongly to businesses, the concept of Profit was frequently misinterpreted. Instead of reflecting the broader economic perspective from the 1987 UN Brundtland Report (Our Common Future), which emphasised the fair distribution of wealth, many viewed Profit narrowly as a company’s financial earnings. To address this misunderstanding, the term Prosperity gradually started replacing Profit to better align with the original intent. This shift was notably reflected in the 2015 OECD Forum, which promoted the theme: Investing in the future: people, planet, prosperity.

Although more organizations are adopting the triple bottom line approach, regulatory and shareholder priorities remain largely centered on profitability. However, this is shifting as large British companies—and eventually major Canadian, European, and American firms—are now required to assess how climate change could affect their financial stability. Additionally, the mandate for large British businesses to evaluate their long-term sustainability pushes them to look beyond short-term profits.

Corporate Social Responsibility

Corporate Social Responsibility (CSR) is about the actions, impact, and culture an organisation creates to have a positive effect on society. Although CSR is not a legal requirement, many organisations, depending on their sector and location, regularly report on their CSR activities. CSR has existed in business since the 1960s. Over time, its meaning has shifted — from going beyond compliance to sometimes being seen as sacrificing profits. However, its real purpose is well described by the Business Dictionary as “a company’s sense of responsibility towards the community and environment (both social and ecological) in which it operates.” Companies show this responsibility by:

  1. Reducing waste and pollution,
  2. Supporting education and social programs, and
  3. Generating fair financial returns from the resources they use.

You will notice that CSR aligns closely with the well-known structures of sustainability, such as the three pillars (Social, Environment, Economic), the three P’s (People, Planet, Profit), and ESG (Environmental, Social, Governance). CSR is sometimes explained as a four-level pyramid. When an organisation works according to sustainable development principles, it usually achieves good CSR as a result. Likewise, strong ESG performance often reflects good CSR. For this reason, CSR is often seen as part of broader sustainability and ESG efforts. In fact, some organisations even use the term CSR to describe their sustainability activities.

Environment, Social and Governance (ESG)

ESG is quickly becoming the main way organisations put sustainability into action. It involves clear actions with measurable results, and helps assign responsibility to individuals for completing specific tasks. However, ESG is sometimes misused, leading to practices like greenwashing or ESG-washing, where organisations give a false impression of being sustainable. The term ESG stands for Environment, Social, and Governance. It builds on earlier ideas like the 1987 Brundtland Commission’s Environment, Social, Economic model and John Elkington’s People, Planet, Profit (or Prosperity) model, also known as the Triple Bottom Line. The key difference with ESG is the strong focus on Governance. Over time, the Environment and Social topics have been updated to reflect today’s global challenges. The addition of Governance adds something new — accountability. Governance makes sure important issues like diversity and inclusion, compliance, anti-corruption, and formal risk management are properly addressed. More importantly, it focuses on organisational culture, making sure that individuals and teams are held responsible for delivering ESG, instead of leaving it to a specific department. As with all sustainability efforts, the three elements — E, S, and G — can sometimes create tensions. Improving one area might create challenges for another. These trade-offs create both risks and opportunities, which must be carefully managed. This is where risk management plays an important role.

The table below maps each SDG to the ESG dimension(s) it most directly supports (Direct, Indirect, or blank where no link is given).

| SDG                                     | Environment | Social   | Governance | Comments |
|-----------------------------------------|-------------|----------|------------|----------|
| 1. No poverty                           |             | Direct   | Indirect   | Poverty is typically aligned with Social; however, good governance helps to ensure that no poverty becomes a reality |
| 2. No hunger                            | Indirect    | Direct   | Indirect   | Hunger is typically aligned with Social; however, good environmental practices mean that food can be grown sustainably |
| 3. Good health                          | Indirect    | Direct   |            | Health is typically aligned with Social; however, toxins within an environment will impact both environment and society |
| 4. Quality education                    | Indirect    | Direct   | Indirect   | Education is typically aligned with Social; however, governance typically enables it. Good education will also help the environment |
| 5. Gender equality                      |             | Direct   | Direct     | Gender is typically aligned with both Social and Governance |
| 6. Clean water and sanitation           | Direct      | Direct   |            | Water is typically aligned with both Environment and Social |
| 7. Renewable energy                     | Direct      |          | Direct     | Renewable energy is typically aligned with Environment; however, it is Governance that makes it happen |
| 8. Good jobs and economic growth        |             | Direct   | Direct     | Jobs and growth are typically aligned with Social but also Governance |
| 9. Innovation and infrastructure        | Indirect    | Indirect | Direct     | Innovation and infrastructure can be viewed differently by different sectors |
| 10. Reduced inequalities                |             | Direct   | Direct     | Reduced inequalities are typically aligned to Social and Governance |
| 11. Sustainable cities and communities  | Direct      | Direct   | Direct     | Can be aligned with all three areas |
| 12. Responsible consumption             | Direct      | Direct   | Direct     | Can be aligned with all three areas |
| 13. Climate action                      | Direct      | Indirect | Direct     | While this can be aligned to all three, the closest tie is to Environment; however, it is Governance that enables it |
| 14. Life below water                    | Direct      |          |            | Most closely aligned with Environment |
| 15. Life on land                        | Direct      | Indirect |            | Most closely aligned with Environment, but with a tie to Social also |
| 16. Peace and justice                   |             | Indirect | Direct     | Led by Governance |
| 17. Partnerships for the goals          | Direct      | Direct   | Direct     | Relies on all three areas working together |

ERM Chapter 15 Risk Management Competencies

To set up strong risk management in an organization, you need skilled people who know what they’re doing. Risk management helps organizations succeed, but only if it’s backed by capable professionals who fit the organization’s size, type, and setup. This section looks at what skills risk management experts need, what abilities people in the organization should have, and how to check for gaps and plan improvements. It also covers specific skills these professionals often need, like leading discussions, analyzing data, and persuading others, and explains the worth they bring to the organization. A big part of this is the role of risk practitioners. Risk management isn’t just a list of tasks anymore; it’s a real profession. Like other jobs, it has certain skills that professionals need to do their work well. These skills split into two types: technical or management skills, and behavioral skills. Technical or management skills are the know-how and abilities required to handle the job. Behavioral skills are the personal traits and ways of acting that help them do it effectively.

Businesses today face rapid changes from financial shifts, political events, new rules, governance demands, and technology advances. These create new risks, while digital growth shakes up companies and makes organizational life trickier and less predictable. A good reputation takes time to build but can be ruined quickly. Human resources and hiring practices are also evolving fast to keep up with these challenges.

Enterprise Risk Management (ERM) is now a detailed process woven into how organizations are run and governed. It demands a solid grasp of the business, its strategies, and its culture. A Chief Risk Officer (CRO) today needs to be a trusted teammate to the leadership, guiding the organization to take smart risks and foster a strong risk culture. To do this, the risk team must build good relationships and work closely and honestly with departments like compliance, operations, customer service, finance, HR, sales, and tech. This is a big shift from the old view of risk management as just number-crunching to avoid losses or ticking boxes for rules. Knowing how to handle the numbers side of risk management is still key, especially for those starting out. But senior risk experts now spend more time teaming up with other departments, focusing on things like risk culture, behaviors, rewards, project success, new risks, and preparing for crises. They’re also more involved with top leaders and the board on big business decisions. A CRO needs sharp people skills and emotional smarts to work with both the board and staff, ensuring the leaders set a strong example for risk ethics and culture. A big part of the job is explaining risk appetite—balancing risks and rewards as the organization chases its goals. The CRO helps the board think about uncertainties that could hit the business model, keeping it strong and sustainable over time. They also connect with outside groups like partners, suppliers, regulators, and investors. So, modern risk professionals need way more than just technical know-how to stay effective. While this discussion started with insurance, the changes it points out apply across industries. Still, building a risk team means balancing strategic leaders with technical experts who support them. 
Risk management is a fairly new field, and many organizations say there aren’t enough senior candidates who’ve grown up in it, earning qualifications and experience like accountants do. This shortage, combined with the need for leadership and change skills, has pushed some organizations to hire senior risk leaders from outside the field. This is especially tough in developing countries, where risk management expertise is scarce, and even regulated businesses are still figuring out what’s required.

12.1 Career levels

The framework is built around four career levels instead of focusing on specific job titles or roles: Leadership, Senior, Management, and Support. Each level includes different kinds of jobs. As people move up from the Support level to the Leadership level, they learn more about risk management standards. The importance of these roles can vary depending on the organization’s size, reach, and how advanced its risk management is. For example, the person in charge of guiding risk management might be at the Senior level in a small company or local government, but in a big international company, they’d likely be at the Leadership level.

  • At the Leadership level, people have the deepest knowledge and skills. They create the organization’s risk strategy, oversee risk issues, and guide the board and decision-makers on risk plans. They also help shape the future of risk management as a profession. Examples of jobs here include Chief Risk Officer, Director of Risk Management, Head of Risk Management, or high-level consultants.
  • The Senior level involves strong knowledge and skills too. People here develop risk policies and procedures, contribute to the risk strategy, and make sure it’s carried out. They also manage improvements to risk practices and work with people inside and outside the organization. Jobs at this level might be Risk Manager, Senior Risk Consultant, Senior Risk Analyst, or Head of Risk Management.
  • At the Management level, people fully understand risk concepts and how to use them. They manage and advise on putting risk processes into action and highlight why they matter. Examples include Risk Management Executive, Risk Management Officer, Risk Management Adviser, Risk Analyst, or Risk Consultant.
  • The Support level is for those with little or no experience. They focus on explaining why risk management is helpful and assist with setting up its processes. Jobs here could be Risk Management Assistant, Risk Management Officer, or Risk Analyst.

Technical Skills for Risk Management

Technical skills, as explained by Hopkin and Thompson, should match the PIML steps for setting up risk management. We already looked at these PIML steps in Unit 2 and on pages 92 to 98 of their book. Hopkin and Thompson list the specific technical skills tied to each PIML step in table 28.1. These skills also work for any plan that uses the plan-do-check-act approach.

The technical skills needed can vary based on the area where the risk professional works. Some examples of these areas are:

  • Strategy and performance,
  • The risk management process itself, and
  • Strengthening the organization’s abilities.

The skills required also depend on the risk professional’s level in the organization—like whether they’re at the Leadership, Management, or Support level.

The framework is structured into four functional areas. Each of these is broken down into risk functional area components:

  • Insights and context: Uses knowledge of internal and external influences to ensure robust risk management in responsive and agile organizations.
    • Risk management principles and practice: Understanding the principles and practice of risk management and the relevance and use of theories, processes and tools.
    • Organizational environment: Understanding the internal environment of an organisation and its implications for risk management practices.
    • External operating environment: Understanding how the external environment influences an organization and its implications for risk management practices.
  • Strategy and performance: Develops a risk management strategy to meet organisational needs.
    • Risk management strategy and architecture: The development and implementation of risk management strategy and architecture.
    • Risk management policy and procedures: The development and implementation of proportionate risk management policy, guidelines, procedures and action plans.
    • Risk culture and appetite: The creation of a risk culture that is intrinsic to an organization’s culture.
    • Risk performance and reporting: The development and implementation of a risk measurement performance and reporting framework.
  • Risk management process: Manages the risk management process.
    • Risk assessment: The identification, analysis and evaluation of the nature and impact of risks and opportunities.
    • Risk treatment: The development, selection and implementation of risk treatment strategies and controls.
  • Organizational capability: Develops and manages a skilled, agile and responsive risk organization.
    • Communication and consultation: The development and implementation of communication structures and plans.
    • Change management: The management of risk within strategic and operational change.
    • People management: Systematic performance management and skills development to meet strategic needs.

1) Risk management principles and practice

  • Relevance of risk management
    • Leadership: Advocates risk management as a central part of an organisation’s strategic management.
    • Senior level: Educates an organization on the probability, nature and scope of risks and opportunities and their likely impact on an organization.
    • Management level: Advises on the selection and implementation of appropriate concepts and processes.
    • Support level: Explains different types of risks and possible responses to their treatment.
  • Tools and techniques
    • Leadership: Ensures resilience is incorporated into organizational strategy.
    • Senior level: Builds resilience across an organization to manage current and future risks, opportunities and uncertainties.
    • Management level: Analyses the suitability of the use of risk management tools and techniques and makes recommendations.
    • Support level: Explains risk management standards, concepts, theories, processes and approaches to risk management.
  • Principles of risk management
    • Leadership: Anticipates and influences risk management thinking at a national and/or international level.
    • Senior level: Advises on the appropriateness of different approaches to managing risks.
    • Management level: Champions the benefits of risk management to stakeholders.
    • Support level: Explains the value of risk management.

2) Organizational environment

  • Internal ethos
    • Leadership: Advises on the interface between an organisation’s overall vision, mission, objectives, culture and strategy and the risk management strategy.
    • Senior level: Assesses the influence of an organization’s strategic intent, internal context and governance practice on risk management.
    • Management level: Promotes the link between an organisation’s vision, mission, objectives, culture, strategy and organisational risk practices.
    • Support level: Explains the link between an organization’s vision, mission and its operational objectives and risk practices.
  • Internal influence through risk management
    • Leadership: Influences an organisation to adopt a comprehensive, consistent and collaborative approach to risk.
    • Senior level: Influences management decision-making to achieve the right balance of risk and opportunity.
    • Management level: Explains how to use organisational structures and processes to meet resilience requirements.
    • Support level: Explains an organization’s structures, systems and processes and their links to risk practices.
  • Organizational ownership
    • Leadership: Establishes an organizational structure that leads to the desired culture to facilitate an organization’s long term interests and viability.
    • Senior level: Embeds risk management into organizational strategies and policies.
    • Management level: Embeds risk management practices into operational processes.
    • Support level: Describes the factors involved in embedding risk management practices into operational processes.

3) External operating environment

  • External relevance
    • Leadership: Influences the impact of risk management across an industry sector and beyond.
    • Senior level: Assesses the potential impact of the external environment.
    • Management level: Identifies the factors in the external environment that may affect an organisation.
    • Support level: Describes the kind of factors in the external environment that may affect an organization.
  • External operating context
    • Leadership: Evaluates the strategic alignment of an organization’s risk management and its external operating environment.
    • Senior level: Aligns an organization’s risk management with its external operating environment.
    • Management level: Identifies opportunities within the external environment to maximize reward and minimize risk.
    • Support level: Explains the likely impact that external factors may have on an organisation.
  • Regulatory impact
    • Leadership: Evaluates the implications and limitations of the regulatory environment on an organisation.
    • Senior level: Analyses the impact of developments within the regulatory framework.
    • Management level: Implements risk management activities to meet regulatory requirements.
    • Support level: Describes the regulatory framework within which an organisation operates.

4) Risk management strategy and architecture

  • Mandate
    • Leadership: Achieves commitment and ownership from decision makers to a proportionate risk strategy and architecture.
    • Senior level: Evaluates the extent to which individual risk strategies are consistent with the overall risk strategy.
    • Management level: Explains the purpose and role of a risk management framework, strategy and architecture.
    • Support level: Explains the components of a risk management framework, strategy and architecture.
  • Strategy
    • Leadership: Develops the risk management strategy and approach that optimises risk appetite.
    • Senior level: Assigns ownership and levels of authority that comply with the requirements of the strategy.
    • Management level: Makes recommendations for improvements to the risk management strategy.
    • Support level: Provides management information to support risk strategy development.
  • Structure
    • Leadership: Establishes a coherent, transparent and rigorous risk governance structure that supports an organisation’s risk strategy.
    • Senior level: Ensures consistency between an organisation’s risk management strategy, organisational strategies and its governance structure.
    • Management level: Communicates the requirements of the risk governance structure.
    • Support level: Describes the features of an effective risk governance structure.

5) Risk management policy and procedures

  • Policy
    • Leadership: Develops a risk management policy that is consistent with the risk management strategy.
    • Senior level: Implements plans and priorities to deliver risk management policy within agreed timescales and budgets.
    • Management level: Explains the purpose, role and benefits of embedding risk management policy and procedures into organisational policies and procedures.
    • Support level: Explains the purpose of risk management policy and procedures, and its components.
  • Roles and responsibilities
    • Leadership: Defines risk management accountabilities and methodologies that meet strategic requirements.
    • Senior level: Implements risk management policy ensuring that ownership and responsibilities are fulfilled within authority limits.
    • Management level : Advises on the appropriate use of methodologies, tools and techniques within the context of the risk policy.
    • Support level: Explains the features of methodologies, tools and techniques and their uses.
  • Resources
    • Leadership: Secures commitment and resources that will enable the implementation of the risk strategy.
    • Senior level: Reviews the effectiveness of risk management policy and processes and the use of resources, and makes recommendations.
    • Management level : Uses a range of resources to analyse management information to support recommendations for improvements to risk management policies and procedures.
    • Support level: Provides management information to support improvements to risk management policies and procedures.

6) Risk culture and appetite

  • Risk culture design
    • Leadership: Influences an organisation’s leadership in determining the desired risk culture.
    • Senior level: Fosters an organisation’s culture through the design of organisational systems, processes and behaviours.
    • Management level: Acts as a role model of the culture expected through personal behaviours and actions.
    • Support level: Explains an organisation’s risk culture and acts accordingly.
  • Risk appetite
    • Leadership: Influences decision makers’ understanding of risk appetite and its implications.
    • Senior level: Nurtures the balance between risk taking, risk management and rewards in line with an organisation’s risk appetite.
    • Management level: Explains how an organisation establishes its risk appetite and tolerance.
    • Support level: Explains the factors that influence people’s perceptions of risk and opportunities and their impact on risk appetite.
  • Behaviours and values
    • Leadership: Ensures an organisation’s approach to risk management is aligned with its risk maturity and values.
    • Senior level: Embeds risk management approaches into organisational values.
    • Management level: Carries out reviews of the extent to which risk culture is demonstrated through individual behaviour and operational activities.
    • Support level: Identifies the level of risk maturity and its implications for risk culture and appetite.

7) Risk performance and reporting

  • Risk reporting systems
    • Leadership: Establishes a comprehensive risk reporting system that is aligned with other organisational performance management structures and processes.
    • Senior level: Reports on the strategic and financial impact of risks.
    • Management level: Ensures that risk reporting systems operate efficiently.
    • Support level: Explains the purpose of measuring and reporting risk performance and the use of technology to support effective risk management.
  • Risk performance indicators
    • Leadership: Defines organisational Key Risk / Performance Indicators (KRIs/KPIs) for evaluating risk management performance, strategy, processes and controls.
    • Senior level: Specifies the design requirements of risk performance reporting systems.
    • Management level: Uses analytical tools and techniques to monitor changes to an organisation’s risks and opportunities; updates risk information.
    • Support level: Complies with legal, ethical and regulatory requirements in the gathering and recording of risk information.
  • Risk reporting protocols
    • Leadership: Ensures that risk reporting systems enable effective decision making and are capable of identifying actual and emerging risks.
    • Senior level: Reports recommendations for improvements based on systematic analyses of information at agreed intervals.
    • Management level: Produces risk management reports, highlighting areas of concern, change, emerging threats and opportunities.
    • Support level: Explains the uses of risk information; reports the potential consequences of poor risk reporting.

8) Risk assessment

  • Risk assessment process
    • Leadership: Defines the approaches to risk identification, analysis and evaluation; establishes the level of investment to be deployed.
    • Senior level: Interprets facts, patterns and trends to reach evidence-based decisions on the nature of risks and opportunities.
    • Management level: Uses a range of information sources and assessment tools and techniques to identify, analyse and evaluate risks and opportunities.
    • Support level: Contributes to the risk assessment process.
  • Analysis of risk impact
    • Leadership: Scopes the potential impact of aggregated risks and worst case scenarios quantitatively and qualitatively.
    • Senior level: Prioritises risks and opportunities in terms of probability, scale, significance, impact and distribution.
    • Management level: Explains the range of factors that can influence the perception of risk.
    • Support level: Explains how and why to use different risk assessment tools and techniques.
  • Evaluation of risk consequences
    • Leadership: Evaluates the impact and value of potential strategic risks and opportunities.
    • Senior level: Evaluates interdependencies between risks, uncertainties and opportunities, critical failure points and resource implications.
    • Management level: Advises on the use of risk assessment tools and techniques.
    • Support level: Explains how to display the results of risk assessments.

9) Risk treatment

  • Risk treatment and risk appetite
    • Leadership: Ensures an organisation’s approach to the treatment of risk is aligned with its risk appetite and strategy.
    • Senior level: Monitors the effectiveness of an organisation’s approaches to risk treatment and makes recommendations.
    • Management level: Implements controls to manage identified risks in accordance with risk treatment strategies and budgets.
    • Support level: Explains the suitability of different risk response options and control types.
  • Cost-effective risk treatment
    • Leadership: Determines risk treatment strategies and investment that align with an organisation’s approach to risk management.
    • Senior level: Develops, prioritises and resources suitable controls to treat identified risks and manage opportunities.
    • Management level: Supervises the quality of risk monitoring and mitigation actions taken, challenging and making interventions when issues arise.
    • Support level: Explains the costs and benefits of risk treatment activities.
  • Business continuity and crisis management
    • Leadership: Integrates business continuity strategies and crisis management within an organisation’s risk management strategies and plans.
    • Senior level: Ensures the continuing coordination of business continuity and crisis management strategies and plans with risk management.
    • Management level: Collates and analyses management information to support crisis management and business continuity plans and activities.
    • Support level: Explains the principles and features of crisis management and business continuity.

10) Communication and consultation

  • Risk communication procedures
    • Leadership: Establishes an organisation’s approach and infrastructure for communication about risk management.
    • Senior level: Identifies media and methods for communicating the risk strategy that align with target groups.
    • Management level: Uses agreed media and methods to communicate risk matters.
    • Support level: Communicates risk matters to agreed stakeholders, adhering to organisational values and standards.
  • Risk communication contents
    • Leadership: Promotes the view that risk management is a universal responsibility and acts as a risk champion across an organisation.
    • Senior level: Develops risk communication interventions that further relationships with stakeholders and are consistent with organisational values and standards.
    • Management level: Provides stakeholders’ feedback on the effectiveness of the risk communication infrastructure and strategy.
    • Support level: Ensures that information communicated is accurate and complete, and complies with relevant regulations.
  • Stakeholder engagement
    • Leadership: Develops an organisational stakeholder engagement strategy that is consistent with the risk strategy.
    • Senior level: Manages stakeholders’ expectations in a way that is consistent with organisational values and standards.
    • Management level: Builds productive relationships with stakeholders through effective communication and consultation.
    • Support level: Supports risk communication and consultation processes within agreed guidelines.

11) Change management

  • Embedding risk responsiveness
    • Leadership: Ensures that risk management is embedded throughout change programmes.
    • Senior level: Advises on how to embed risk management throughout an organisation’s change activities.
    • Management level: Supports the embedding of risk management throughout an organisation’s change activities.
    • Support level: Explains the relationship of change management and risk management.
  • Developing change plans
    • Leadership: Achieves strategic and cultural change that optimises opportunities and mitigates risk through change programmes.
    • Senior level: Develops change plans that support agreed changes to strategies and policies.
    • Management level: Implements change plans in a way that minimises disruption to operations.
    • Support level: Supports others in managing risks in accordance with their role.
  • Implementing change
    • Leadership: Promotes the vision for strategic change in line with the risk culture and strategy.
    • Senior level: Ensures change-related risks and opportunities are managed proportionately.
    • Management level: Assesses the impact of the delivery of change plans, reporting any adverse effect or unexpected opportunities.
    • Support level: Contributes positively to tasks relating to implementing change.

12) People management

  • Fulfilling personal objectives
    • Leadership: Provides inspirational leadership that motivates and empowers people to fulfil their objectives.
    • Senior level: Provides support that incentivises people to take responsibility for managing risks and opportunities within the limits of their role.
    • Management level: Influences the behaviour of others to ensure that risk management objectives and standards are met.
    • Support level: Explains the requirements of their own role.
  • Risk management capability
    • Leadership: Establishes an appropriately resourced structure that is capable of delivering the risk strategy.
    • Senior level: Deploys the right mix of competence and expertise to meet strategic and operational imperatives.
    • Management level: Supports operational teams and individuals on the practice of risk management.
    • Support level: Takes active responsibility for their own personal and professional development.
  • Risk management competence
    • Leadership: Plans the development of the knowledge and competence of the workforce to meet anticipated risk management requirements.
    • Senior level: Develops the knowledge and competence of the workforce for the management of risks and opportunities.
    • Management level: Provides risk management support to individuals that enables them to achieve their objectives.
    • Support level: Contributes constructively to the achievement of agreed goals and objectives.

Personal Skills for Risk Management

Behavioural competencies are the personal traits and actions that help someone do their job well. While technical skills—the know-how needed for the job—are about “what” to do, behavioural skills are about “how” to do it. Just like technical skills, these personal skills can be learned and improved over time. In fact, people should keep working on them throughout their lives. Organizations can support this by offering workshops, seminars, and encouragement to employees. We look for these behaviours when choosing people for roles in an organization where understanding risk management is important. The behavioural competency framework outlines the personal traits and actions that the risk management profession sees as vital. It focuses on qualities specific to risk management experts and doesn’t cover general frameworks like management, which are explained elsewhere. This framework can be used alongside other national or organization-specific guidelines, and it helps meet professional standards. For example, improving “Collaboration and partnering” (a personal skill) supports the standard of “Building strong relationships with stakeholders through clear communication and teamwork.”

There are six key personal skills:

  1. Courage and confidence
    • Achieves an appropriate balance between determination and stubbornness
    • Has courage and strength to admit mistakes and work on them
    • Stands by decisions and principles even in the face of strong opposition or threats
    • Is comfortable taking tough decisions and delivering difficult messages confidently
    • Backs up conclusions with evidence
    • Accepts responsibility and is accountable for the outcomes of work
    • Pursues a course of action tenaciously to achieve goals and objectives
  2. Influence and impact
    • Adapts communication and behaviour according to the audience/readership
    • Uses knowledge and experience to influence others
    • Builds “behind the scenes” support for ideas
    • Structures the message and uses clarity and conciseness of expression so that others can understand the implications of an issue
    • Captures the attention of the audience/readership by fluent and convincing communication, appealing to stakeholders’ needs, perspectives and key wins
    • Identifies linkages, relationships and power structures and plays to decision makers
  3. Integrity, ethics, and values
    • Adheres to code of professional conduct
    • Maintains consistently high standards of work, loyalty, honesty and commitment
    • Fulfils responsibilities to the highest professional and ethical standards
    • Never cuts corners or jeopardises appropriate risk management by taking “the easy option”
    • Remains independent and enables others to make informed decisions
    • Is approachable and open with information
    • Does not promise what cannot be delivered
  4. Innovation and catalyst
    • Identifies innovative and insightful solutions from disparate areas of business that take into account stakeholders’ culture and motivations
    • Fosters an environment where change is welcomed and people feel confident about suggesting ideas
    • Maintains a systematic, but flexible, approach to problem solving and decision making, using past lessons to inform future actions
    • Generates practical and commercially/financially viable ideas for improvement that align with business objectives and strategy
    • Is quick to spot and capitalise on emerging trends that may affect an organisation’s future growth and alerts others to the implications of decisions, issues and developments
    • Leaves no stone unturned in seeking inspiration for viable ideas for improvement
    • Encourages others to seek opportunities for improvement and adopts others’ ideas
  5. Building capability
    • Identifies individual and team development needs to meet business requirements and considers the needs of others beyond the team
    • Educates stakeholders on professional knowledge and expertise
    • Provides direction and support to others to achieve or exceed objectives and suggests appropriate development opportunities
    • Builds shared understanding of a business across different teams and encourages contributions from others
    • Strives constantly to improve professional knowledge
    • Seeks and exploits opportunities to develop skills and abilities
  6. Collaboration and partnering
    • Makes every effort to find out stakeholders’ needs, expectations and motivations and to discover what can be provided
    • Establishes a rapport with strategic partners by adopting a friendly, open, knowledgeable and helpful attitude
    • Builds strong networks with key stakeholders and promotes resource-sharing
    • Treats stakeholders with equal courtesy, consideration and respect and exemplifies corporate culture and values
    • Appreciates the viewpoints of others, even if they are in contradiction
    • Negotiates diplomatically and seeks to find common ground, compromise and mutually acceptable solutions in disagreements
    • Offers viable and constructive responses in a timely manner

Each skill includes three parts:

  • A short explanation
  • Examples of good behaviors
  • Examples of unwanted behaviors

This setup lets users quickly see the behaviors they should aim for and recognize what’s not acceptable. These skills are described as actions you can observe. People using the framework—whether they’re checking themselves or being evaluated by recruiters or managers—should look for proof of whether these skills are shown or not. All risk management professionals need these skills, but which ones matter most depends on:

  • The specific job in risk management
  • The person’s level (like Leadership or Support)
  • The organization’s size and setup
  • The current needs of the job
  • Upcoming changes in the organization’s goals or structure
  • The person’s own interests (like a specific industry or risk type)

Depending on someone’s level, each skill might apply fully or partly. For example, in “Influence and impact,” Leaders should show all the positive behaviors, while at the Support level, only some might apply. At a minimum, Support-level people should:

  • Adjust how they talk or act based on who they’re addressing
  • Use their knowledge and experience to guide others
  • Share ideas clearly and confidently so others grasp the importance of an issue

On the other hand, Support-level people aren’t expected to show these higher-level behaviors yet, though they should know they’ll need them as they grow:

  • Gain quiet support for ideas behind the scenes
  • Grab attention with smooth, convincing communication that matches stakeholders’ needs and interests
  • Spot connections, relationships, and power dynamics to sway decision-makers

When judging how well someone shows these behaviors, you could rate them as:

  • Falling short of expectations
  • Doing better than expected
  • Meeting expectations

Risk management helps organizations succeed, but only if it’s backed by capable professionals who fit the organization’s size, type, and setup.

Two key questions for an organization are ‘what are the existing competencies?’ and ‘how far are these competencies away from what is advised by best practice?’ Approaches that can be taken to establish the gap between existing and desired competencies are a skills audit and the interview approach. A skills audit is useful to gather data on the existing competencies to enable a comparison with best practice competencies and skills. The interview approach can be used to gather data, when selecting risk staff and as part of the personal development and improvement appraisals for existing staff.

Competency roadmap

We’ll look at how to make a plan, or roadmap, to boost the skills within an organization’s risk team. The ideas here can also help improve risk management skills for all employees across the organization. A roadmap is a set of steps that moves us from where we are now to where we want to go. In a competency roadmap, it lists the actions needed to raise the skill level of a risk professional or team to a suitable point. The right level of risk management skills depends on how mature the organization and its industry are at handling risks. This target skill level is shaped by both the organization’s current risk maturity and the maturity level it aims to reach. As the organization gets better at managing risks, the skills needed also need to grow.

Creating a risk management competency roadmap follows the usual steps of a project:

Key Things to Think About

Starting the Project

  • Figure out and confirm where the skill gaps are in risk management.
  • Set a budget for the project.

Planning the Project

  • Decide which skills to improve first, based on the organization’s main risks and controls.
  • Find the best ways to fill these skill gaps, like on-the-job training or professional courses.

Carrying Out the Project

  • Make sure the roadmap fits with the organization’s regular risk management activities.

Finishing the Project

  • The roadmap should keep going over time, but specific tasks within it should have clear deadlines.
  • Once tasks are done, review what worked and what didn’t to learn for next time.

Upskilling

The goal of upskilling is to make sure employees have the abilities they need for their jobs in the organization. It’s best to plan upskilling as part of a competency roadmap so that any training or coaching matches the organization’s target level of risk management maturity. When upskilling fits into a broader skill-building plan, it can also show junior staff a clear way to grow their skills and experience, helping them move up in their careers. This clear path can make it easier to hire and keep good employees. The most popular ways to upskill are:

  • Training
  • Coaching and mentoring

Training

Consideration should be given to the types of training in relation to competency training for risk management professionals:

  1. Academic training (for example, the International Certificate in Enterprise Risk Management): suitable for giving risk professionals a broad knowledge and understanding of enterprise risk management.
  2. Short courses (for example, Practical risk appetite): suitable for an in-depth look at a particular subject with a focus on practical implementation.
  3. Hands-on training / on-the-job training: suitable for situations where there is an experienced supervisor passing on the benefit of their knowledge and experience.

Coaching and Mentoring

Coaching and mentoring are key parts of an organization’s learning and growth plan and can be very helpful for building risk management skills. The Chartered Institute of Personnel and Development (CIPD) explains them like this:

  • Coaching: Coaching is a hands-off way to help someone improve how they do their job. It looks at both what the organization needs and what the person wants to achieve. It helps people figure out what they’re good at and where they need to grow. While personal traits might come up, the main focus is on how they perform at work.
  • Mentoring: Mentoring happens when a more experienced worker shares their know-how to help a less experienced colleague grow. Usually, the mentor and the person being mentored don’t work together daily or have a boss-employee relationship. Mentoring tends to last longer than coaching.

How Coaching and Mentoring Are Used

Coaching and mentoring can fit into many situations, but they’re most often used for:

  • Helping manage and improve performance
  • Getting people ready for and guiding them through changes
  • Encouraging self-led learning and growth

The Facilitator’s Role

Before diving into how to run a successful risk workshop, we need to look at the key role of the workshop facilitator. The traits of a facilitator aren’t just special to risk workshops—they’re part of everyday management skills. There are three main styles of facilitation: Directive, Collaborative, and Supportive. A skilled facilitator can switch between these styles depending on what works best for the workshop. The choice of style depends on the workshop’s goal, the situation inside and outside the organization—like how urgent the workshop feels—and the organization’s culture and level of experience. Here are the key traits and skills a facilitator should have:

  • Work well with big, varied groups
  • Keep themselves and the group in a good mindset
  • Handle sessions in person or online
  • Manage disagreements
  • Use lots of different facilitation methods and tools
  • Keep people engaged
  • Steer groups toward results
  • Strong process-handling skills
  • Good people skills
  • Knowledge of the subject area
  • A responsive way of working
  • A flexible mindset
  • Awareness of what’s happening around them
  • Behavior that fits the situation

Running effective risk workshops

Risk workshops are a way to gather opinions and agree on the risks an organization faces, especially when identifying risks. Running a good risk workshop isn’t easy, so we’ll break it down in more detail. There are three main steps to running a successful risk workshop:

  1. Planning
    Planning is likely the most crucial step. It can make or break whether the workshop works well or falls flat.
  2. The Workshop
    Risk workshops should be:
    • Enjoyable
    • Exciting enough that people want more
    • Helpful to the team
    • Productive, leading to decisions and clear next steps
  3. Results
    • Keep an action log that covers the basics: what needs to be done, who’s doing it, and by when.
    • Share the results with everyone who attended.

Analytical Skills

When it comes to analyzing risks, math skills matter, but the real key is being able to think logically and show it in your work. Risk practitioners often deal with tons of information, spot trends, and explain what they find clearly and sensibly. These analytical skills are super helpful when writing reports, creating training, or leading risk workshops, like we talked about earlier. For these skills to work well, they need to lead to a decision or action—something risk practitioners especially need to focus on. Some people are quick to act, while others dig deep into analysis. Finding a balance between fast decisions and thorough thinking is important. Organizations now have more data than ever, which is both a chance and a challenge for risk practitioners. The Oxford English Dictionary describes “big data” as huge sets of information that computers can analyze to find patterns, trends, and connections, especially about how people act and interact. In the past, risk practitioners leaned on opinions from experts or small samples of data. But with bigger databases and better tools, they can now look at all the data instead.

Some big challenges with data include:

  • Making sure the organization’s needs drive how data is used, not just the tech.
  • Checking that the data is correct and useful.
  • Keeping data secure.
  • Following laws about data handling, like the GDPR rules in the EU.

In risk management, there’s also more data to handle. The risk register is like a database that holds everything the organization knows about its risks and how it controls them. As organizations grow and risks get trickier, they often need advanced software tools. These tools help analyze risk data and create reports or dashboards.

Here are some ways data can be used:

  1. Looking at all the data instead of just small pieces.
  2. Adding more risk details to databases—like incident logs, near misses, or control breakdowns—and sorting them.
  3. Using databases that make searching and reporting easy.

Communication, Reporting, and Presentations

We’ll explore how communication, reporting, and presentations can be powerful tools to influence others. Influencing means getting people on board, sparking their interest, building connections, and capturing their imagination. Influencing involves skills like listening well, understanding how groups work, negotiating, and seeing things from stakeholders’ perspectives, even when their needs differ. At the heart of all this is good communication. Communication skills are super important for risk practitioners. Risk communication happens in two ways:

  • Informal – like chatting with stakeholders or holding risk workshops.
  • Formal – like writing risk reports or giving presentations.

Every type of communication involves some storytelling. For important talks, reports, or presentations, it helps to plan out what you want to say and how to say it. A big part of making it work is thinking about how the person hearing or reading it will take it in. For formal risk communication, the 5Cs can guide you: make it clear, short, logical, believable, and thorough.

In an Annual Report, you’ll usually see risk details in places like:

  • A section just for risk management.
  • The strategic report.
  • The directors’ report.
  • The notes to the financial statements.

When looking at the risk info in an Annual Report you pick, ask yourself:

  1. Is the risk info too broad or fuzzy to be clear or make sense?
  2. Does it feel real and trustworthy, based on what you know about how risk management works in an organization?
  3. What’s missing? What aren’t they telling you?

Complacency versus crisis

The competency framework lists traits of a risk practitioner with strong influencing skills, like:

  • Adjusting how they talk or act based on who’s listening or reading.
  • Using their know-how and experience to sway others.
  • Quietly building support for ideas behind the scenes.
  • Explaining things clearly and briefly so people get the point of an issue.
  • Grabbing attention with smooth, convincing talk that fits stakeholders’ needs and interests.
  • Spotting connections, relationships, and who holds power, then tailoring their approach to decision-makers.

When trying to influence stakeholders, risk practitioners need to find a middle ground. They focus on spotting patterns in incidents and risks and what these could mean for the organization. Problems can pop up in different ways—some hit fast, like a fleet crash or a fire, while others creep up slowly, like health issues from asbestos or harmful chemicals at work. This makes it tricky to avoid being too relaxed or too panicked. If risk info is always downplayed, it can make people too laid-back, leading to weak efforts to handle risks. But if it’s overly dramatic and stuck on worst-case scenarios, the risk practitioner might lose trust or push the organization into a habit of reacting to crises instead of planning ahead. A big plus of enterprise risk management is helping organizations make smarter, quicker decisions. This comes from the special spot risk practitioners often have—working across all parts, teams, and areas of the organization to make it work.

Risk practitioners help decision-makers by:

  • Running risk management tasks that give structured info to guide choices.
  • Talking with stakeholders to understand the situation and goals of the decision.
  • Sharing clear, to-the-point info that matters for the choice at hand.

Through their role in enterprise risk management, risk practitioners can nudge key people in the organization toward a mindset of growing value, rather than just playing it safe like in the old days.

The Worth of a Risk Management Professional

As a risk management professional, you can show your value to the organization in three main ways:

  • Make an Impact: Push risk management as something that adds value at every level of the organization.
  • Make a Difference: Join in on the organization’s big-picture strategy talks.
  • Engagement and Commitment: Be a reliable teammate to the organization’s leaders and managers.

The risk practitioner helps shape how risk is handled through the organization’s setup—like its risk architecture, strategy, and procedures. For these to really help, they need to work well at all levels of the organization. To add value, these risk management systems and steps should fit the organization’s current risk maturity level. If they’re too complicated or feel like endless checklists, you risk turning off leaders and managers. With a wide view of the whole organization, a risk practitioner can spot where things are weak—like in controls, teamwork, communication, or sharing info. Then, they can bring the right people together to fix those gaps in a positive way.

Being part of the organization’s strategy discussions is one of the best ways to stand out as a risk practitioner. The Chief Risk Officer (CRO), for example, is described as:
“…a leader of the ERM process, the CRO pulls together different risk management efforts to make sure the company’s limited resources are used wisely.”

Senior risk professionals can make the biggest difference by focusing their time on key areas they can shape. Their role keeps growing and includes things like:

  1. Creating quick stress tests and business plan predictions.
  2. Checking the investment strategy.
  3. Improving defenses against cyber risks.
  4. Watching out for fraud more closely.
  5. Tackling other day-to-day risks.
  6. Updating and fixing risk models.
  7. Teaming up with top leaders to rethink risk appetite and strategy.
  8. Overhauling the risk behavior and culture setup.
  9. Strengthening the company’s ability to handle reputation hits.
  10. Boosting the organization’s understanding of big, widespread risks.

Building Trust and Dedication

To really make a mark and bring change as a risk practitioner, you need to earn the trust of the organization’s leaders and managers. Becoming that trusted partner can be tough, especially if the top bosses don’t see why risk management matters. As noted, “…the risk team, led by the CRO, needs to build solid ties and work openly and honestly with teams like compliance, operations, customer service, finance, HR, sales, and tech.” A great way to start getting closer to senior leaders and the board is by helping shape the organization’s risk appetite—how much risk it’s willing to take. You can also assist by looking at risks to the business model and dealing with outside groups like partners, suppliers, regulators, and investors. To keep proving your worth as a risk management professional and a reliable partner, you have to keep growing your technical skills and personal traits. This helps you stay on top of a role that’s always changing and growing.

ERM Chapter 14 Risk Maturity

Many organizations infrequently assess the suitability and efficiency of their risk management processes, resulting in disengagement, apathy, diminished value, and occasionally, the collapse of risk management efforts. By integrating these ideas, we can evaluate our performance in applying the purpose, components, timing, responsibilities, and methods of risk management. This is reflected in our risk management maturity, which refers to “the extent of our ability to handle risks effectively.”

Numerous risk management maturity models exist, and a brief online search reveals examples from consultants, regulatory authorities, government entities, risk management organizations, and more. These models span various fields—such as health and safety, treasury, third-party onboarding, and insurance—and cover industries like rail, healthcare, financial services, construction, accounting, project management, logistics, and beyond. A growing number of organizations recognize the value of assessing their risk management maturity. The advantages include:

  • Enabling an organization to gauge how deeply risk management is integrated into its operations.
  • Offering a comparison to industry best practices, peers, and sector standards where feasible.
  • Identifying deficiencies and redundancies in its application.
  • Revealing areas where enhancements can be made.

Risk management maturity is evaluated on a spectrum, ranging from “low” to “high.” A low maturity level suggests either an absence of risk management or the use of a generic process that is neither customized nor effectively implemented, merely serving to check a box. Conversely, high maturity reflects a risk-aware culture where skilled individuals actively apply risk management to safeguard, sustain, and enhance an organization’s value. Typically, maturity models feature 3, 4, or 5 levels, each with distinct labels. Lower levels might be described as very basic, immature, ad hoc, naïve, initial, informal, or nascent, while higher levels are often termed advanced, optimized, value-driven, natural, mature, explicit, or leading.

It’s worth noting that the language used to describe these levels can carry emotional weight. Organizations or individuals might resist acknowledging a “very basic” or “naïve” maturity level, which could hinder their engagement with maturity assessments. To address this, it may be wise to adopt neutral numbering (e.g., 1 to 5) or terms like “very low” to “very high” instead of potentially charged descriptors, similar to how risk impact and likelihood scales are handled. Risk management maturity is also assessed across various elements or factors that contribute to an effective process. The number and nature of these factors vary by model, often shaped by the model’s focus—whether it targets a specific industry, sector, or business area (though ideally, measurement should be uniform across an organization). Examples of these contributors range from broad to specific, such as:

  • People and tools.
  • Policy, framework, process.
  • Governance, process, reporting, and continuous improvement.
  • Framework, governance, process, systems, capabilities, and culture.
  • Framework, sustainability and resilience, process, performance, application, root cause analysis, and emerging risks.

While some models emphasize the process itself, most center on four primary contributors:

  • Culture – our mindset toward risk management and its purpose.
  • Process – the actions we take and their timing.
  • Experience – who participates in risk management.
  • Application – how we put risk management into practice.

These core contributors are underpinned by more detailed attributes, which include metrics tied to maturity levels (low to high). These metrics provide scores that reflect maturity across the different components.

Similar to evaluating risk culture, risk management maturity can be gauged through surveys or interviews, provided the questions and scoring remain consistent. Assessments of risk management maturity capture a moment in time, typically focusing on the present state of maturity. However, it’s essential to clarify the timeframe under review at the outset—whether it’s a survey, questionnaire, or interview—by specifying, for instance, that it addresses the current level, asking, “Where do we stand today?”

Understanding an organization’s existing maturity level is critical for pinpointing areas needing improvement. Some organizations, especially those without prior maturity assessments, may also want to track how far their risk management has evolved, prompting questions about progress in culture, process, experience, or application up to now. Equally important is determining the organization’s target maturity level, which reveals not just where improvements are needed, but how much progress is required to deliver value. However, the priority lies in identifying an appropriate target level. Many organizations aim for the highest maturity tier, yet optimal value might be achieved at a slightly lower level, often with less cost, time, effort, and resources. By comparing the current maturity to this appropriate target, a gap analysis can highlight improvement opportunities and potential solutions, with roadmaps to maturity explored later in this unit.

Balance across all measured contributors—such as culture, process, experience, and application—is vital. If an organization excels in some areas but lags in others, its overall maturity will remain low.

Risk management maturity differs from risk management sophistication. Sophistication reflects deep expertise, extensive knowledge, or advanced complexity (e.g., in technology), and in risk management, it relates to enhancements driven by growing experience and understanding. Yet, sophistication should align with an organization’s needs to yield benefits—no more, no less. This connects to earlier points about desired versus appropriate maturity levels and the extent of progress required to maximize value from risk management efforts.

11.1 Risk Management Maturity

Every organization encounters risk and uncertainty, whether at the project or enterprise level, and there is growing acknowledgment of the need for formal, structured methods to address these challenges. Increasingly, organizations recognize that effective risk management is vital to the success of both projects and the broader business. As they grapple with uncertainties, there is a rising demand for support in crafting robust processes to identify, evaluate, and mitigate risks. However, despite widespread agreement on the value of risk management, successful integration into organizational practices remains rare. Those attempting to embed risk management into their operations experience mixed results, and many abandon the effort before realizing the anticipated benefits. Often, this stems from unrealistic expectations and a lack of clarity about what implementation entails or how it should be overseen. Organizations adopting a formal risk management approach should treat the implementation as a project in itself, complete with defined objectives, success criteria, thorough planning, resource allocation, and diligent monitoring. To set goals, outline the process, and track progress, organizations must first assess their current risk management practices and define their target state. This requires benchmarking their existing maturity and capability against a widely accepted framework, enabling an objective evaluation of their current level and a clear path toward greater maturity.

EXISTING MATURITY MODELS

Maturity models are a well-established concept. The Software Engineering Institute (SEI) at Carnegie Mellon University developed the Capability Maturity Model (CMM) for software engineering organizations, outlining five progressive levels: Initial (Level 1), Repeatable (Level 2), Defined (Level 3), Managed (Level 4), and Optimizing (Level 5). Each level is distinctly characterized, allowing organizations to evaluate themselves against a standardized scale and set improvement targets. While the SEI CMM is widely recognized, it applies primarily to software development, and efforts to adapt it to other project types have not gained broad traction. Another prominent model, the Business Excellence Model from the European Foundation for Quality Management (EFQM), defines nine criteria for excellence—Leadership, People Management, Policy & Strategy, Resources, Processes, People Satisfaction, Customer Satisfaction, Impact on Society, and Business Results. These criteria include success factors that enable organizations to assess performance, compare against European benchmarks, and devise improvement strategies. Both the SEI CMM and EFQM Model offer general frameworks for capability, maturity, and excellence but lack specific guidance for organizations seeking to implement or enhance formal risk management processes. Preliminary efforts to adapt the CMM for risk management in software development have focused narrowly on tools and techniques and have not progressed significantly. A universal, risk-specific maturity model would greatly benefit organizations aiming to establish or refine risk processes. Such a model could build on CMM and EFQM principles but tailor them to risk management across all industries.

THE RISK MATURITY MODEL FRAMEWORK

Organizations’ approaches to risk management range from having no formal process to fully integrating it into operations. The proposed RMM simplifies this spectrum into four clear levels. While some organizations may not fit perfectly into one category, the levels are distinct enough to classify most unambiguously. More than four levels could introduce unnecessary complexity without adding meaningful precision.

The RMM levels are:

  • Level 1 – Naïve: Unaware of risk management needs, with no structured approach to uncertainty. Processes are reactive and repetitive, with minimal learning from past events or preparation for future risks.
  • Level 2 – Novice: Experimenting with risk management through a few designated individuals, but lacking formal, generic processes. Benefits are recognized but not fully realized due to ineffective implementation.
  • Level 3 – Normalized: Risk management is routine, applied to most or all projects with formalized, widespread processes. Benefits are understood organization-wide, though not always consistently achieved.
  • Level 4 – Natural: A risk-aware culture prevails, proactively managing risk across all business facets. Risk data enhances processes and competitive advantage, addressing both threats and opportunities.

DIAGNOSING RISK MATURITY LEVEL

The RMM level descriptions offer a broad indication of maturity, but a detailed diagnostic tool is needed for consistent, objective assessment. The list below sets out attributes under four headings—Culture, Process, Experience, and Application—allowing organizations to compare themselves against clear criteria. While some may straddle levels, the distinctions are generally sharp enough for clear classification. The assessed level can guide strategies for enhancing risk capability or benchmarking against competitors.

Level 1 – Naïve

  • Definition: No awareness of the need for risk management. No structured approach to handling uncertainty. Management processes are reactive and repetitive, with little effort to learn from past experiences.
  • Culture: No understanding of risk. Resistant to change and prefers sticking to existing methods.
  • Process: No formal processes in place.
  • Experience: No knowledge of risk principles or language.
  • Application: No structured application, dedicated resources, or risk management tools.

Level 2 – Novice

  • Definition: A few individuals experiment with risk management, but there is no structured or standardized approach. The benefits of risk management are recognized but not fully realized due to ineffective implementation.
  • Culture: Risk processes may be seen as extra work with unclear benefits. Risk management is applied only to selected projects.
  • Process: Some formal methods exist, but there are no standard procedures. The effectiveness of risk management depends on internal experts and external support.
  • Experience: Limited understanding, with only a few individuals having some exposure to risk management but little formal training.
  • Application: Application is inconsistent. Availability of staff and tools varies, and risk management methods are used in an unstructured way.

Level 3 – Normalized

  • Definition: Risk management is integrated into routine business processes. Most projects follow structured risk procedures. The benefits of risk management are recognized across the organization, though consistency may still be an issue.
  • Culture: A clear risk management policy is in place. Benefits are understood and expected, and resources are allocated to support risk management efforts.
  • Process: Standardized processes are applied to most projects. Formal procedures are embedded into the quality system, and risk budgets are actively managed at all levels.
  • Experience: The organization has a core team of trained professionals. Risk management tools and processes are developed and implemented systematically.
  • Application: Risk management is routinely and consistently applied across all projects. Dedicated resources and a structured set of tools and methods are in place.

Level 4 – Natural

  • Definition: A strong risk-aware culture is embedded throughout the organization. A proactive approach to risk management is applied in all business areas. Risk information is actively used to improve business operations and create a competitive advantage. Opportunity management is also emphasized.
  • Culture: Leadership fully supports and promotes risk management. A proactive approach is encouraged and rewarded.
  • Process: Risk-based processes are fully integrated into business operations. Risk management is regularly updated and improved, with continuous feedback mechanisms in place.
  • Experience: All employees are risk-aware and trained in essential risk management skills. Learning from past experiences is a key part of the process, and external training is regularly conducted to enhance expertise.
  • Application: Risk management is embedded in all activities. Decision-making is risk-based, supported by advanced tools and reporting methods.

PROGRESSING BETWEEN MATURITY LEVELS

Once maturity is assessed, organizations can plan steps to advance. Few, if any, organizations currently operate at Level 4. Many hover at Levels 2 or 3, or are transitioning from 2 to 3, while a significant number remain at Level 1. With risk management’s rising prominence and recognized benefits, organizations often start at Level 1 aiming for Level 3. Accurate self-assessment is critical, as jumping from Level 1 to 3 faces substantial hurdles, and a phased approach via Level 2 may prove more sustainable. Each transition presents unique barriers and strategies, outlined below.
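The scoring, gap analysis and phased progression described above, carried through as an added Python example (it is not from the original text or from any published maturity model): the four RMM levels and the four contributors are the page's own, while the attribute names, the floor-of-mean rule for a contributor's level and the sample scores are assumptions made for this example.

```python
"""Maturity scoring for the four-level Risk Maturity Model (RMM).

Added example; it is not part of the original text. It scores a
self-assessment across the four contributors named on the page (Culture,
Process, Experience, Application), derives the overall RMM level, runs the
gap analysis against a chosen target and lays out a phased roadmap.
The attribute names, the rounding rules and the sample scores are
assumptions made for this example.
"""
from typing import Dict, List, Tuple

LEVELS = {1: "Naive", 2: "Novice", 3: "Normalized", 4: "Natural"}
CONTRIBUTORS = ("Culture", "Process", "Experience", "Application")

# Assumption: each contributor is rated through a few attributes, each
# scored 1..4 against the RMM level descriptions. Attribute names are
# constructed for illustration; a real assessment would use its own.
ATTRIBUTES: Dict[str, Tuple[str, ...]] = {
    "Culture": ("leadership support", "policy in place", "openness to change"),
    "Process": ("standard procedures", "embedded in quality system", "feedback loop"),
    "Experience": ("trained core team", "shared risk language", "learning from events"),
    "Application": ("consistent use", "dedicated resources", "tools and reporting"),
}

Scores = Dict[str, Dict[str, int]]  # contributor -> attribute -> 1..4


def contributor_level(contributor: str, scores: Dict[str, int]) -> int:
    """Level of one contributor: floor of the mean attribute score.

    Assumption: a contributor may carry one weaker attribute without
    dropping a whole level, so the mean is used here rather than the
    minimum. Every attribute must be scored, in the range 1..4.
    """
    expected = set(ATTRIBUTES[contributor])
    missing = expected - set(scores)
    if missing:
        raise ValueError(f"{contributor}: unscored attributes {sorted(missing)}")
    for name, value in scores.items():
        if name not in expected or value not in LEVELS:
            raise ValueError(f"{contributor}: bad score {name}={value}")
    return sum(scores[a] for a in expected) // len(expected)


def overall_level(levels: Dict[str, int]) -> int:
    """Overall RMM level.

    The text stresses balance: an organization that excels in some
    contributors but lags in others stays at a low level, so the weakest
    contributor sets the overall level.
    """
    return min(levels[c] for c in CONTRIBUTORS)


def gap_analysis(levels: Dict[str, int], target: int) -> Dict[str, int]:
    """Levels still to gain per contributor to reach the target."""
    if target not in LEVELS:
        raise ValueError(f"target must be one of {sorted(LEVELS)}")
    return {c: max(0, target - levels[c]) for c in CONTRIBUTORS}


def phased_roadmap(current: int, target: int) -> List[Tuple[str, str]]:
    """One transition per phase, e.g. Novice -> Normalized, never a jump.

    The text warns that moving straight from Level 1 to Level 3 faces
    substantial hurdles, so the roadmap always passes through each level.
    """
    return [(LEVELS[lvl], LEVELS[lvl + 1]) for lvl in range(current, target)]


def assess(scores: Scores, target: int) -> dict:
    """Full assessment: per-contributor levels, overall level, gaps, roadmap."""
    levels = {c: contributor_level(c, scores[c]) for c in CONTRIBUTORS}
    overall = overall_level(levels)
    return {
        "levels": levels,
        "overall": overall,
        "overall_label": LEVELS[overall],
        # Spread between strongest and weakest contributor; 0 is fully balanced.
        "imbalance": max(levels.values()) - min(levels.values()),
        "gaps": gap_analysis(levels, target),
        "roadmap": phased_roadmap(overall, target),
    }


# Constructed sample self-assessment (not real organizational data).
SAMPLE_SCORES: Scores = {
    "Culture": {"leadership support": 3, "policy in place": 3, "openness to change": 2},
    "Process": {"standard procedures": 3, "embedded in quality system": 3, "feedback loop": 3},
    "Experience": {"trained core team": 2, "shared risk language": 2, "learning from events": 3},
    "Application": {"consistent use": 3, "dedicated resources": 2, "tools and reporting": 3},
}

if __name__ == "__main__":
    report = assess(SAMPLE_SCORES, target=3)
    for contributor, level in report["levels"].items():
        print(f"{contributor:12} level {level} ({LEVELS[level]}), gap {report['gaps'][contributor]}")
    print("overall:", report["overall"], report["overall_label"])
    print("roadmap:", report["roadmap"])
```

With the sample scores, Process already sits at Level 3 but the other three contributors hold the organization at Level 2 (Novice), which is exactly the imbalance the text says keeps overall maturity low.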

Level 1 to 2 – Naïve to Novice

Naïve organizations face significant challenges:

  • Unfamiliarity with risk processes and terminology.
  • Unclear benefits and costs of implementation.
  • No internal expertise or experience.
  • Resource constraints due to ongoing crises.
  • Resistance to external advocates due to lack of context.

Actions:

  • Define clear implementation objectives.
  • Seek reputable external expertise, avoiding generic solutions.
  • Build a trained prototype team.
  • Conduct awareness briefings across all levels.
  • Secure senior management sponsorship.
  • Pilot risk management on select projects.
  • Celebrate early wins to build momentum.
  • Plan long-term, ensuring resource commitment.
  • Establish progress checkpoints.
  • Explore tools compatible with existing systems.
  • Draft initial risk procedures and templates.

Level 2 to 3 – Novice to Normalized

Novice organizations rely on a few advocates exploring risk techniques, often inconsistently applied to major projects. Progress to Level 3 requires overcoming:

  • Inconsistent processes.
  • Dependence on limited internal skills.
  • Overzealous advocates alienating peers.
  • Lack of support eroding morale.
  • Limited credibility without proven results.

Actions:

  • Strengthen senior management backing.
  • Provide formal risk training.
  • Leverage external expertise to expand scope.
  • Allocate sufficient resources.
  • Showcase benefits on key projects.
  • Publicize successes to encourage adoption.
  • Expose staff to external learning opportunities.
  • Formalize processes with clear policies.
  • Embed risk into routine operations.
  • Collect metrics to demonstrate value.

Level 3 to 4 – Normalized to Natural

Level 3 organizations routinely apply risk processes but may grow complacent, believing no further improvement is needed. Advancing to Level 4, where risk management is instinctive and opportunity-focused, faces:

  • Loss of momentum reducing quality.
  • Outdated processes amid changing needs.
  • Underinvestment in tools and skills.
  • Over-specialization limiting ownership.

Actions:

  • Review and refine processes regularly.
  • Invest in updates and training.
  • Apply risk management universally.
  • Foster a “think risk” culture.
  • Integrate risk into decision-making.
  • Counter fatigue with re-launches and rewards.
  • Refresh skills periodically.
  • Use external expertise for innovation.

Maintaining Level 4

Few reach Level 4, where risk management is intrinsic and proactive. Complacency threatens this state, requiring:

  • Sustained senior leadership commitment.
  • Regular audits to maintain standards.
  • Leveraging competitive advantages.
  • Pioneering risk applications.
  • Continuous process improvement.
  • Engaging stakeholders in risk processes.

Implementing risk management is a substantial, long-term endeavor, far beyond adopting tools or training staff. The RMM offers a four-level benchmark to assess and enhance risk capability, aiding organizations and their supporters in diagnosing maturity and crafting tailored strategies. Future refinements, such as a self-assessment questionnaire, could further sharpen diagnostics. For now, the RMM provides a practical tool for initiating or improving formal risk management approaches.

Critical success factors

Determining an organization’s desired and appropriate risk management maturity levels can be bolstered by defining what successful risk management looks like in practice. Drawing from ISO 31000, the COSO (2017) ERM Framework, and the Orange Book (2020), we’ve distilled key principles into five attributes of effective risk management, captured in the acronym PACED: Proportionate, Aligned, Comprehensive, Embedded, and Dynamic. These attributes have shaped the framework for an organization’s risk architecture, strategy, and protocols, while also aiding in the evaluation of the risk management process to confirm its effectiveness. Additionally, we’ve examined how assurance is provided for both risk management and internal controls. Across these dimensions, an organization must clarify its own vision of success. Critical success factors have also been identified for project risk management, and they are just as applicable to enterprise risk management. These factors align with the four contributors to risk management maturity discussed earlier:

  • Supportive organization (Culture) – encompassing a risk-aware culture, clear goals, and sufficient resources.
  • Simple, scalable process (Process) – featuring a customized process supported by policies and manuals.
  • Competent people (Experience) – marked by consistent terminology, skilled staff, and suitable attitudes and behaviors.
  • Appropriate methods, tools, and techniques (Application) – supported by infrastructure, software, training, and toolkits or factsheets.

By defining these critical success factors, an organization can clarify the purpose, structure, and practical application of its risk management efforts, as well as guide improvements. This foundation can then inform the creation of key performance indicators for risk management and metrics to assess both its current state and the ideal future maturity level.

Roadmaps to risk management maturity

Risk management maturity is not something that develops instantly. A gap analysis will reveal that reaching the ideal and suitable level of maturity for an organization requires time and involves multiple stages. One effective way to navigate this journey is by using an improvement roadmap. Roadmaps serve as strategic plans to steer an organization through a prolonged enhancement process. They should detail each proposed improvement, including the timeline and effort required for implementation, as well as the expected level of progress each step will achieve.

Every improvement should come with clear objectives that are specific, measurable, achievable, realistic, and time-bound (SMART) to provide a precise direction for the organization. However, similar to risk management itself, certain maturity levels can only be attained incrementally, as attempting to fully realize all objectives simultaneously may be impractical or unfeasible. To meet these objectives, roadmaps need to outline specific actions for each improvement, complete with timelines, necessary resources, and associated costs. These efforts should align with the organization’s broader strategy and integrate with existing or planned activities to ensure there is both the capacity and commitment to carry them out. Basic roadmaps typically highlight key areas for enhancement, setting short-, medium-, and long-term goals, and indicating the corresponding level of risk management maturity achieved at each stage. Knowing how mature an organization’s risk management is doesn’t just show the current level of risk control—it also helps create a plan for improvement.

Quick Win: Roadmaps can include short-, medium- and long-term tasks. Short-term goals are commonly known as “quick wins.” Quick wins refer to changes that are noticeable and deliver immediate results. While these impacts don’t need to be transformative, they should bring tangible value to an organization. Examples of quick wins in risk management include:

  • Revising risk descriptions to clearly distinguish causes, risks, and consequences.
  • Evaluating controls to confirm they actively manage risks—rather than merely gathering data or offering advice—and ensuring they are effective.
  • Encouraging deeper scrutiny of risk management information.
  • Initiating conversations about “unknown knowns”—the obvious but unaddressed issues, or “elephants in the room.”

When quick wins are achieved, their collective influence often exceeds the sum of their individual effects. Drawing from the examples above, clearer risk insights and stronger control assurance can boost confidence and understanding among staff at all levels. This, in turn, fosters greater commitment to and engagement with the risk management process, heightening risk awareness and strengthening the organization’s risk culture. Nonetheless, quick wins are just one piece of the improvement roadmap and are not self-sustaining, as their scope is often confined to specific teams or areas. To reach enterprise-wide risk management maturity goals, broader improvements must also be strategically planned for the medium and long term.

Quick wins typically involve short-term tasks that demand minimal investment, particularly in terms of capital spending. In contrast, larger initiatives or those dependent on achieving a certain level of risk management maturity in specific areas are classified as medium- or long-term tasks. The duration of these tasks aligns with the roadmap’s overall timeline. For instance, in a one-year roadmap, a long-term task might span nine months or commence in the ninth month. Certain improvements may be substantial enough to necessitate a business case for capital funding. Consequently, many of these enhancements, by their nature, are treated as standalone projects. Once approved, they often integrate into project planning, design, execution, and handover phases. An effective risk management improvement roadmap must also account for shifts in the risk management landscape, as well as the organization’s context and goals. For example, UK corporate governance requirements for financial reporting are set to evolve post-December 2013. Similarly, expectations for operating within and reporting on Environmental, Social, and Governance (ESG) criteria are growing more defined and formalized. When such changes emerge during the planning of a risk management improvement initiative, they need to be incorporated. This could influence the roadmap’s outcomes, as resources might be redirected or adjustments to the plan become necessary. Regardless of the timeline or potential modifications to the risk management maturity roadmap, its completion often signals the start of the next one. Perfection is elusive, and enhancing risk management evolves into an ongoing cycle of continuous improvement.

Why Create a Risk Maturity Roadmap?

  • Risk maturity assessments help you understand how well an organization manages risk.
  • They allow you to focus on weak areas instead of spending effort on areas that are already strong.
  • A clear roadmap can help get leadership support for more resources.
  • If leadership wants to achieve a higher level of risk maturity than what current resources allow, this can justify asking for more investment.
  • A roadmap helps integrate risk management into daily business operations.
  • Comparing your organization’s risk maturity with others in the industry can help gain executive support.
  • These roadmaps can also speed up improvements.
  • Creating internal rankings can encourage competition between teams or departments, leading to faster progress.
  • Rewarding improvements with incentives can further motivate employees.
  • However, not all areas of a business need to reach the highest risk maturity level—sometimes, a “good enough” level is sufficient.
  • The highest maturity levels should be reserved for the most critical areas of the business.

Assessing Your Current Risk Maturity

  • Start by understanding the organization’s culture, current risk capabilities, and leadership’s expectations.
  • This helps set clear goals for what risk management should achieve.
  • External consultants might not fully understand your organization’s unique needs.
  • Their models might rate your organization’s maturity level lower than it actually is if they do not consider how your system is tailored to your business.

Building a Risk Maturity Roadmap

The assessment results should be presented in a dashboard and included in the annual risk review. A more detailed review can be conducted every two to three years.

  • To create a roadmap, look at where you were a year ago, where you are now, and where you expect to be in a year with current resources.
  • This can be visually represented using different colors for past, present, and future states.
  • Set clear criteria to measure progress, often using maturity levels ranging from one to four or five.
  • Define maturity criteria for all areas of risk management, including risk culture.
  • Use language that aligns with existing risk management frameworks.
  • Compare your progress with industry standards like ISO guidelines or benchmark against competitors.
  • Assessments should include both documentation reviews and practical evaluations of how risk tools and processes are used.
  • Interviews are the best way to gather information but should be informal to encourage open discussion.
  • Surveys can also help measure risk maturity but must be clear and concise.

11.2 Network and causal analysis

Risks and controls are not standalone elements; they are interconnected within and across an organization, playing a key role in managing information flow. This interconnectedness deserves deeper exploration when integrating and sustaining risk management within an organization. Even in the smallest or most straightforward organizations, risks are linked—one person’s risk might be another’s trigger or outcome, and controls may address overlapping or distinct risks throughout the entity. Understanding this web of risks and controls, and having the ability to trace causal relationships across the organization, strengthens the embedding of risk management. It also boosts engagement and support for the process by minimizing redundancies and gaps in risk management efforts, enhancing efficiency and reducing wasted effort.

Software tools exist to map these risk networks and connections. However, for some organizations, such tools are either unavailable or insufficiently equipped to establish or support these links. In such cases, a centralized risk management function becomes even more critical. This function ensures uniformity in applying risk management practices and fosters a consistent risk culture across the organization. With its comprehensive understanding of risks, it can uncover patterns and relationships that others might overlook. Even when advanced risk management software is in use, a central function can still reveal previously unnoticed connections. Beyond this, employing techniques that identify risk and control linkages proves valuable. Causal analysis can clarify how risk triggers are related and show how altering those triggers might impact a risk or cascade to others. Similarly, effect analysis examines the consequences of a risk materializing, revealing how changes in those outcomes could affect the risk itself or related risks. These methods, while integral to risk assessment, also enhance the embedding of risk management by equipping organizations to recognize and address interconnected, cross-cutting risks effectively.

What challenges prevent businesses from recognizing and assessing interconnected risks?

  • Insufficient context for risks: Even when risk management is seen as essential, some leaders resist it because they lack the information needed to put risks in context. They may acknowledge that a risk exists but not grasp its implications or its potential long-term effect on the organization’s success. Without a robust risk identification and analysis program, risk management within business units then falters.
  • Absence of dual-perspective risk assessments: Many organizations fail to adopt a two-way risk identification and assessment approach—top-down from leadership pinpointing strategic risks and bottom-up from operations spotting related breakdowns and trends. This bidirectional strategy enables both strategic and operational levels to adapt their plans effectively.
  • Reactive rather than proactive risk strategies: Risk management is often approached as a compliance task—creating rules for employees to follow—rather than a proactive tool integrated with strategic planning to address gaps and blind spots. This “check-the-box” mindset limits its potential as a decision-making aid.
  • No cohesive framework for analyzing and linking risk themes: Raw data alone doesn’t ensure sound risk decisions. A key hurdle for organizations is that, despite having risk data, they lack the expertise to extract actionable insights or understand risk interconnections. Data needs to be distilled into clear, digestible insights for the board, delivered through accurate, comprehensive reports to the right people at the right time. Effective reporting hinges on strong risk data aggregation, supported by solid infrastructure and governance.

Even now, businesses apply controls without fully considering their impact across different areas. Siloed control systems can result in excessive, overlapping, or redundant measures that drive up costs, waste time, and erode efficiency. An integrated risk management approach is vital to shift the focus from spending 80% of effort on data collection to prioritizing analysis. Risk management must advance to provide businesses with a deeper understanding of risks and their complex web of interconnections, as these linkages can magnify impacts, directly or indirectly.

Checklist for an Effective Risk Management Program

  • Create a structured program for identifying and assessing emerging risks tied to shifts in the business environment.
  • Establish risk and performance metrics aligned with organizational goals.
  • Promote data sharing and communication across business units.
  • Develop a unified enterprise risk taxonomy with consistent terminology organization-wide.
  • Gain deeper insight into risk relationships through cause-and-effect analysis.
  • Use a risk aggregation tool to spot trends, patterns, and critical risk areas.
  • Enhance automation in risk management to reduce repetitive data tasks, leveraging data-driven assessments.
  • Enable real-time monitoring to alert teams of looming risk events proactively.

Integrated Risk Management (IRM) builds on existing risk identification, assessment, and management practices, aiming to clarify connections between risk areas so they can be handled proactively.

For IRM to succeed, it requires alignment of people, processes, technology, and data within a unified ecosystem, all working toward a shared objective. However, risk identification and assessment alone fall short without measurable indicators. Thoughtfully designed metrics are essential to provide meaningful risk insights. While many assume IRM technology centers on deploying an enterprise Governance, Risk, and Compliance (GRC) tool, it demands broader consideration. IRM extends the GRC framework, weaving risk management seamlessly into compliance, cybersecurity, vendor risk, and business continuity efforts.

Activity touchpoints, including budget, strategy, and systems

Many organizations treat risks and controls as separate entities, often because of how their risk registers are structured or how their risk management framework and processes are designed. Recognizing patterns or groups of risks, together with their causes, effects, and associated controls, is crucial, even if this has to be done manually by a centralized risk function. As highlighted in earlier discussions of critical success factors, risk management should be straightforward and adaptable, interacting with, or, in the words of ISO 31000, fully integrated into, all organizational activities. This integration applies not only to managing risks but also to the risk management process itself, which is vital for embedding and sustaining risk management within an organization. The concept is developed further in Integrated Enterprise Risk Management.

The COSO (2017) ERM framework underscores this by linking its core value chain to strategy and highlighting the risk of a strategy misaligning with an organization’s mission, vision, and values. COSO treats strategy alignment within the ERM framework as equally important as identifying and managing risks. Notably, while many organizations assess the risks that could derail their strategy and objectives, few evaluate the risks inherent in crafting that strategy. This gap often stems from the absence of a C-suite risk management leader: strategic discussions about an organization’s direction are frequently sensitive or commercially confidential, and a risk manager who challenges decisions without a seat at the executive table can be seen as undermining them. Some organizations turn to external consultants for strategic risk input, but the resulting insights are rarely shared with the internal risk management team, leaving the broader effect of these decisions on the organization’s risks unclear.

This disconnect between risk and strategy mirrors challenges in budget setting. Conversations about risk management often exclude those responsible for budgeting across the organization, yet most risk management decisions involve capital spending or the use of contingency, with ripple effects on financial resources and on the capacity to address risks elsewhere. The issue extends to funding risk management itself. Hiring dedicated risk professionals, creating training programs, purchasing software, or engaging consultants incurs costs that may not align with the organization’s financial reality or strategic priorities. These expenses must be weighed against how much the organization is prepared to invest in controlling risks and raising its risk management maturity, and this balance is especially critical once risk appetite is considered and it is accepted that not every risk warrants unlimited mitigation effort.

As previously noted, risks are not isolated, nor is risk management a standalone activity detached from broader business operations. Embedding it effectively requires attention to its key maturity drivers: culture, process, experience, and application. In many organizations, decisions about implementing risk management or addressing specific risks exclude budget owners and those accountable for objectives. Such exclusions can strain specific business areas or the organization as a whole and impair risk management efforts. Oversight of both the implementation of risk management and its outcomes is essential to ensure that the right risks are taken, at the right time, by the right people, in line with the organization’s risk appetite, tolerance, and capacity.

Why Budgeting Should Be Integrated into Your Risk Management Plan

Bringing risk management into your budgeting process offers numerous advantages. Viewing your organization holistically, rather than as a collection of separate units, allows you to identify priorities and allocate funds more effectively. The risk-versus-opportunity discussions typical in risk management are equally valuable for budgeting. Could a particular area drive growth? If so, how much investment is needed to capitalize on it? Is a department lagging or hindering broader company objectives? If yes, how can the budget be adjusted to support improvement? Additionally, monitoring budget outcomes and their impact on overall performance can reveal emerging risks. Rising costs in certain areas may signal developing risks that require attention and mitigation. Budgeting and risk management should collaborate closely to enhance the success of both functions.

How to Incorporate Budgeting into Your Risk Management Plan

Risk management involves anticipating future challenges, much like budgeting, where financial teams forecast funding needs and assess their impact on cash flow and profitability. An enterprise risk management (ERM) approach to budgeting should involve the entire organization, not just the finance team. When individual employees or departments focus solely on their own needs, they may overlook the broader company’s requirements. Examining how budget line items affect various departments ensures funds are distributed to maximize overall benefit while staying within financial limits. Consider adapting the typical risk assessment process for budgeting: identify potential risks, evaluate their company-wide impact, collect relevant data, and determine mitigation strategies—whether by reallocating resources or adjusting the budget. Regular financial reporting and continuous monitoring are also essential, providing consistent metrics to guide decisions for the next annual budget cycle.

Role of Software

We explored risk software as a component of the “Application” critical success factor, which covers suitable methods, tools, and techniques, and addressed risk management information systems in Unit 2, Section 4, under risk protocols. Risk management software often plays a part in advancing an organization’s risk management maturity. When developing a maturity roadmap, however, it is essential to weigh the cost and benefit of such software and its compatibility with the systems used by other functions. Software can raise maturity where reliance on spreadsheets leads to poor risk oversight, limited data analysis, or ineffective reporting.

Furthermore, the traditional practice of manual risk reviews every six months or once a year no longer suffices to show that risks are being managed or that controls remain effective. The growing need to reassess and discuss the evolving context, risks, and controls calls for an automated, continuous system rather than a manual, periodic one.

That said, software should only be considered once risk management processes are established and functioning: an organization cannot define its software needs if it is unclear about its risk management goals and requirements. If the organization already uses software for related tasks, such as incident or claims management or audits, and that system offers most of the features needed for enterprise risk management (ERM), extending it can be a practical starting point. If the existing software is too niche, overly rigid, or cumbersome, other options should be explored. When evaluating standalone risk software, integration with existing related systems should be a priority, for example whether it can consolidate reporting outputs. Some organizations mistakenly assume that buying risk software automatically raises their maturity; it does not. Significant funds can be squandered on systems that promise comprehensive solutions but fail to match the organization’s specific needs, and many vendors tout automated ERM capabilities whose products introduce unexpected constraints that hinder rather than help.

Risk management software should be easy to use. To get risk information in and out, it should be set up for “light users”—people who don’t work on the risk team—rather than just the risk team’s needs. This means the software needs to let these users enter data without making it hard for them. Usually, this is done with a simple form or portal that works on phones, tablets, or laptops. Getting data out is just as key because it helps make smart risk-based decisions. So, the software should have a flexible reporting tool that creates clear, visual reports to support decisions and goals. This might include ranking risks to focus on, tracking action progress, or watching new risks that pop up.

  • Many-to-Many Relationships: In the real world, risks aren’t separate events sitting alone. They connect like a web, where one person’s risk might cause another’s. Controls, actions, and plans might also apply to several risks at once. Older software designs often organize data in a strict top-down way, forcing risks into isolated boxes (one-to-many links). But software that can handle risks, controls, actions, incidents, goals, and people in a network—with many-to-many connections—better matches how risks really work. This avoids the need to force risks into categories or awkwardly “tag” their links across separate lists. Instead, the software can show how risks, controls, and actions relate clearly.
  • Automation: Software brings change by turning a manual process into an automatic one. To keep the change manageable and boost the odds of a successful rollout, the software should automate your risk management steps without forcing you to tweak them. Platforms that demand you adjust your current process because of their technical limits should be skipped. Good risk management software should adapt to your process without needing custom coding—changes to the software itself. Too much customization means the wrong tool was picked and could spell trouble when updating the software later.
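As an added example (it is not code from the course text or from any risk software product), the following Python sketch stores risks, controls and causal links as a many-to-many graph rather than a hierarchy, then runs the causal analysis and effect analysis described earlier in this section and flags control gaps and overlapping controls. The risk and control names are constructed for illustration.

```python
"""Risk/control network with many-to-many links.

Added worked example; the risk and control names below are constructed.
"""
from collections import defaultdict, deque


class RiskNetwork:
    """Risks, controls and causal links held as a graph, not a tree.

    cause(a, b): risk a materialising can trigger risk b (a risk may have
                 many triggers and many effects).
    cover(c, r): control c addresses risk r (one control may cover several
                 risks; one risk may have several controls).
    """

    def __init__(self):
        self.risks = set()
        self.triggers = defaultdict(set)   # risk -> risks it can trigger
        self.controls = defaultdict(set)   # control -> risks it covers

    def cause(self, trigger, effect):
        self.risks.update((trigger, effect))
        self.triggers[trigger].add(effect)

    def cover(self, control, risk):
        self.risks.add(risk)
        self.controls[control].add(risk)

    def _reachable(self, start, edges):
        """Breadth-first walk over `edges` from `start`, excluding `start`."""
        seen, queue = set(), deque([start])
        while queue:
            current = queue.popleft()
            for nxt in edges.get(current, ()):
                if nxt != start and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def cascade(self, risk):
        """Effect analysis: every risk downstream of `risk`."""
        return self._reachable(risk, self.triggers)

    def root_causes(self, risk):
        """Causal analysis: every risk upstream that can lead to `risk`."""
        reverse = defaultdict(set)
        for src, dsts in self.triggers.items():
            for dst in dsts:
                reverse[dst].add(src)
        return self._reachable(risk, reverse)

    def controls_for(self, risk):
        return {c for c, rs in self.controls.items() if risk in rs}

    def uncontrolled(self):
        """Gaps: risks in the network that no control addresses."""
        covered = set().union(*self.controls.values()) if self.controls else set()
        return self.risks - covered

    def overlapping_controls(self):
        """Redundancy candidates: pairs of controls covering identical risk sets."""
        names = sorted(self.controls)
        return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if self.controls[a] == self.controls[b]]


def build_example():
    """Constructed sample: a supplier failure cascading into a contract breach."""
    net = RiskNetwork()
    net.cause("supplier failure", "project delay")
    net.cause("project delay", "contract breach")
    net.cause("contract breach", "reputational damage")
    net.cause("IT outage", "project delay")
    net.cover("supplier due diligence", "supplier failure")
    net.cover("contract review", "contract breach")
    net.cover("legal sign-off", "contract breach")      # same risk set as contract review
    net.cover("backup site", "IT outage")
    return net


if __name__ == "__main__":
    net = build_example()
    print("downstream of supplier failure:", sorted(net.cascade("supplier failure")))
    print("upstream of contract breach:   ", sorted(net.root_causes("contract breach")))
    print("uncontrolled risks:            ", sorted(net.uncontrolled()))
    print("overlapping controls:          ", net.overlapping_controls())
```

The point of the structure is that "project delay" and "reputational damage" surface as uncontrolled only because the links are traversed across the whole network; in a register where each risk sits in its own box with its own controls, neither the gap nor the duplicated "contract review"/"legal sign-off" pair would be visible.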

Comparison of Risk Management Software products

Software Journey

  • Software Readiness: Checking if organizations are prepared to switch their risk management to an automated system.
  • ERM Consulting/Training: Helping organizations that aren’t ready to automate by offering expert advice or training staff, especially if there’s resistance to the risk management process.
  • Market Sweep: A fair review of available software options to find the best fit for an organization’s needs.
  • Product Demo: For organizations eager to automate quickly—faster than a full market review or Satarla’s four-step risk management process—they can see a demo of the process set up in software.
  • Source: Building a business case to justify the cost of the software.
  • Implement: Providing product and project management help to set up the software based on the organization’s specific needs.
  • Rollout & Training: Engaging users and teaching them how to use the newly automated tasks.
  • Troubleshooting: Offering admin support to fix any software-related problems.
  • Admin Support: Assisting other administrators to keep the software running smoothly.
  • User Support: Helping users directly with their questions or issues.
  • Induction Training: Training new administrators on how to use the software effectively.

Change Management

Organizational change often happens through projects, programs, and portfolios. The Association for Project Management (APM) (2022) describes change management as the overall method an organization uses to shift from its current state to a desired future state, working together with stakeholders in a planned and organized way. The Chartered Institute of Personnel and Development points out that change is a constant in many organizations, driven by internal and external factors. However, they note that many organizations struggle to achieve the results they want from change efforts, and poor change management can have serious, long-lasting negative effects. Change management works best when it’s carefully planned and matches the organization’s strategy and culture. But sometimes, unexpected events—like global disruptions in recent years—can outpace an organization’s plans, showing how crucial resilience and flexibility are for long-term success. Change management needs to be adaptable, not just a sudden reaction to events. The APM highlights that change management is often essential for survival or staying relevant. Since risk management involves organizational change, change management methods can help introduce and keep improving it. The APM explains that successful change requires shifts in people’s attitudes, behaviors, and culture—known as the ABC model. Key steps to make this happen include:

  • Understanding why the change is needed.
  • Managing stakeholder relationships.
  • Talking to those who will use the new system.
  • Figuring out training needs.
  • Highlighting the advantages of the change.
  • Finding supporters to champion it.

It’s also important to think about barriers to change, which are similar whether they’re about general operations, starting risk management, or making it better. As mentioned, treating change management like a project works well for medium- and long-term risk management improvements. Another approach is using small, ongoing improvements, a core idea in lean management. The Lean Project Management Foundation (2022) describes lean management as a culture focused on “supporting society and the planet’s sustainable development by creating high-quality, innovative products and services.” Lean and agile management are related ideas often used interchangeably, though they’re distinct. We explored agile management regarding resilience. Lean management originated in the Toyota Production System in the mid-20th century, built on two main ideas: continuous improvement and respect for people. Teams speed up work by managing its flow, rather than rushing small batches. A key lean technique is Kaizen, meaning “change for good.” It pushes employees to constantly find ways to boost their own performance and their team’s, encouraging a “bottom-up” approach where staff take charge of changes. This helps everyone question routine practices and seek improvements.

Kaizen also speeds up spotting improvements compared to waiting for a formal risk management maturity review. It’s useful for both quick fixes and for starting medium- and long-term changes. Blending traditional change management with lean methods like Kaizen combines top-down and bottom-up strategies, supporting ongoing risk management improvement. Kaizen uses techniques similar to risk management but focuses them on the risk management process itself, such as its steps, reporting, or risk register, instead of on other business areas. For example, where a lean practitioner would target a production process for a “rapid improvement event”, in risk management the target could be a specific element such as the process or the risk register. Though a full Kaizen event isn’t recommended, its approach can highlight improvement areas and involve staff across the organization, boosting participation. Plus, fostering a habit of questioning risk management practices enhances its effectiveness, culture, process, experience, and application, ultimately lifting its maturity.

ERM Chapter 10 Embedding ERM in Banking

Enterprise risk management, according to COSO, refers to the culture, skills, and practices that organizations integrate with their strategy development and implementation to handle risks while generating, maintaining, and enhancing value. It connects with and spans across all areas of risk management within an organization. Various risk management methods exist within organizations, tailored to specific regulatory or operational needs, such as those related to Information Technology; Health, Safety, Security, Environment, and Social factors; Portfolios, Programmes, and Projects; Insurance; Banking; Supply Chain; and Legal domains.

Enterprise Risk Management (ERM) in banking follows the same fundamental principles as in other industries, aiming to manage uncertainties that may impact the achievement of objectives. However, banks face unique challenges that require additional considerations. This section highlights several critical factors specific to the banking sector, but first we provide a high-level overview of a bank’s core functions and key risks. The following additional considerations are dealt with in the coming lessons:

  • Conduct risk.
  • Banking categorisation of risks.
  • Basel and national regulation and the requirement for reserves against risk.
  • Banks can use their own risk calculation models in certain cases.

Banks usually follow risk categories set by regulators, which keeps reporting to regulators and the public consistent. The main categories are:

  • Strategic: Uncertainties that may affect, or may be created by, an organisation’s business strategy and strategic objectives.
  • Credit: The risk of loss due to counterparty default. It is restricted to default, or to situations where the counterparty can pay but refuses to do so when payment is due.
  • Market: The risk of loss due to adverse changes in market conditions, rates or prices, or fluctuations in volatility. Market risk includes price risk, volatility risk, interest rate risk and foreign exchange risk, among others.
  • Liquidity: The risk of not having adequate funds available to meet financial commitments as they fall due. This may be caused by local or foreign economic conditions, a reduction in the firm’s credit rating, or situations where the firm wants to trade an asset but cannot because nobody in the market is willing to trade it.
  • Operational: The risk of loss, direct or indirect, resulting from inadequate or failed internal processes, people and systems, or from external events. It is typically sub-categorised as follows:
    • Internal fraud – for example, an inappropriately authorised payment.
    • External fraud – for example, supplying incorrect data to gain insurance cover.
    • Employment practices and workplace safety – for example, fines resulting from harassment, discrimination, or constructive dismissal.
    • Clients, products, and business practices – for example, a fine for a breach of data protection rules.
    • Damage to physical assets – for example, the cost of repairing a building.
    • Business disruption and system failures – for example, an IT failure.
    • Execution, delivery and process management – for example, a service complaint.

Risk management is highly interconnected, requiring operational risk managers to collaborate with those overseeing other risk categories and justify why certain risks should fall under operational risk management. Even with clearly defined boundaries between risk types, situations may arise that are not covered by existing definitions, necessitating coordination with other risk disciplines. Some key boundary considerations include:

  • Credit Risk: Falls under operational risk if it arises from fraud in lending, procedural failures, inadequate collateral, flawed credit models, or improper loan sales practices.
  • Market Risk: Considered an operational risk if it stems from transactional errors, limit breaches, fraud, or inadequate collateral.
  • Liquidity Risk: Managed as an operational risk if it results from non-economic factors such as forecasting errors, mismatched investment strategies, model failures, or timing issues.
  • Insurance Risk: Becomes an operational risk if caused by failure to follow policies, errors in actuarial modelling, or inadequate documentation.
  • Strategic Risk: Considered operational risk when stemming from poor strategic decisions, weak corporate governance, incomplete due diligence, incorrect advice, or insufficient management oversight.

Basel III

The primary objective of bank regulation is to ensure that banks hold sufficient reserves (risk capital) to absorb financial shocks and remain solvent, preserving the stability of the banking system. Regulation is continuously evolving, and much of it is based on the standards of the Basel Committee on Banking Supervision (often referred to simply as Basel regulation). The Committee was established in 1974; its framework is widely adopted globally and continues to develop in response to past banking failures. Updates and regulatory changes can be monitored at www.bis.org.

The Three Pillars of Basel Regulation

  1. Pillar 1 – Capital Requirements:
    • Defines how much risk capital banks must hold based on risk-weighted assets (RWAs).
    • Covers credit, market, and operational risks.
    • Outlines acceptable methods for calculating RWAs and eligible capital.
  2. Pillar 2 – Supervisory Review:
    • Requires banks to conduct an Internal Capital Adequacy Assessment Process (ICAAP) to evaluate their capital adequacy and risk profile.
    • Regulators review and challenge the bank’s ICAAP (in the UK and EU through the Supervisory Review and Evaluation Process, SREP) and may require more capital than the bank’s own assessment suggests. The ICAAP is distinct from a Risk and Control Self-Assessment (RCSA), which is an internal operational-risk tool rather than a capital assessment.
  3. Pillar 3 – Transparency and Disclosure:
    • Mandates banks to disclose their risk management framework, risk exposures, and capital adequacy to external stakeholders.
    • Requires the publication of a Pillar 3 Disclosure Report at least once a year.

Key Principles of Basel Supervision

  1. Capital Adequacy Assessment: Banks must evaluate their capital needs based on their risk profile and maintain an appropriate capital strategy.
  2. Regulatory Oversight: Supervisors review banks’ capital assessments and ensure compliance with regulatory capital ratios.
  3. Capital Buffer Expectation: Regulators expect banks to operate above minimum capital requirements and may demand additional reserves.
  4. Early Intervention: Supervisors should take proactive measures to prevent capital deficiencies and require prompt corrective actions when necessary.

Implementation and Emerging Challenges

Each country implements banking regulations based on the Basel framework. In the UK, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) oversee compliance. A key regulatory challenge is the rapid evolution of banking, particularly with the rise of cryptocurrencies and digital banks. While the same regulatory principles apply, these innovations introduce greater complexity and heightened operational risk.

Use of internal models

The risk a bank faces, and the corresponding risk capital it must hold, are determined using either the regulator’s standardized approach or the bank’s own internal models (one such model, Value at Risk, is discussed below). To use internal models, a bank must adhere to certain overarching principles:

  • Senior management must comprehend the internal model, which should align with the bank’s business framework.
  • The model should aid and validate decision-making processes and be thoroughly and uniformly embedded within the risk-management system, addressing a broad enough range of risks to be effective for both risk management and decision-making purposes.
  • Additionally, the model should enhance the bank’s risk-management framework.

Many banks employ a Value at Risk (VaR) model to calculate market risk. VaR estimates the loss that a portfolio should not exceed, with a stated probability, over a given horizon, assuming normal market conditions and that positions are not changed during that horizon. It gives a probabilistic answer to questions such as, “What is the most we might lose tomorrow (or over a week, month, or year)?” For instance, a one-day 95% VaR of 1 million means there is an estimated 95% chance that tomorrow’s loss will not exceed 1 million. VaR is not, however, the maximum possible loss. At a 95% confidence level, losses are expected to exceed VaR on about 5 business days in 100, and on those days the actual loss can be far larger than the VaR figure, sometimes dramatically so, as seen in the 2008 financial crisis when losses reached up to 100 times the VaR estimate. This prompted regulators to refine VaR-based risk capital calculations by introducing Expected Shortfall (ES), which measures the average loss on the days on which the loss exceeds VaR, at the same horizon and confidence level. Like VaR, ES does not cap the maximum possible loss, but it is always at least as large as VaR and responds to the size of the tail losses rather than only to their frequency.
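As an added worked example (not part of the course text and not any bank’s model), the following Python code computes historical-simulation VaR and ES from a constructed series of 100 daily profit-and-loss values: 90 quiet days, 5 moderately bad days and 5 tail days, one of which is a crisis-style loss. Running it shows the three properties the paragraph describes: VaR is exceeded on exactly 5 of 100 days, ES is larger than VaR, and the worst observed loss is many times the VaR figure.

```python
"""Historical-simulation VaR and Expected Shortfall on a constructed P&L series.

Added worked example; not from the course text or any bank's internal model.
"""
import math


def historical_var_es(pnl, confidence=0.95):
    """Return (VaR, ES) as positive loss amounts for a series of daily P&L.

    Losses are expressed as positive numbers (loss = -P&L).
    VaR is the smallest loss such that only a fraction (1 - confidence) of the
    sample days lose more than it; ES is the mean loss on exactly those days.
    """
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    losses = sorted(-x for x in pnl)                  # ascending: worst days last
    n = len(losses)
    # Number of sample days in the tail beyond VaR. The epsilon guards against
    # floating-point rounding such as 1 - 0.9 == 0.0999... truncating to 9.
    tail = int(math.floor(n * (1 - confidence) + 1e-9))
    var = losses[n - tail - 1]
    es = sum(losses[n - tail:]) / tail if tail else var
    return var, es


def var_breaches(pnl, var):
    """Back-test count: number of days whose loss exceeded the VaR figure."""
    return sum(1 for x in pnl if -x > var)


# Constructed sample (units are arbitrary, e.g. millions): 90 quiet days,
# 5 moderately bad days, and 5 tail days including one crisis-style loss.
SAMPLE_PNL = (
    [0.5, -0.3, 0.8, -0.6, 0.2, -0.9, 1.1, -0.4, 0.3, -0.7] * 9
    + [-1.2, -1.5, -1.8, -2.0, -2.2]
    + [-3.0, -3.5, -4.0, -5.0, -30.0]
)


def example_summary(pnl=SAMPLE_PNL, confidence=0.95):
    """Compare VaR with ES and with the worst observed loss in the sample."""
    var, es = historical_var_es(pnl, confidence)
    worst = max(-x for x in pnl)
    return {
        "var": var,
        "es": es,
        "breaches": var_breaches(pnl, var),
        "worst_over_var": worst / var,
    }


if __name__ == "__main__":
    s = example_summary()
    print(f"95% VaR = {s['var']:.2f}, ES = {s['es']:.2f}, "
          f"breaches = {s['breaches']}/100, worst loss = {s['worst_over_var']:.1f}x VaR")
```

Note what the 95% VaR of 2.2 hides: the average loss on the five breach days is 9.1, and the single worst day loses over thirteen times VaR. Raising the confidence level to 99% moves VaR to 5.0, still far below the 30.0 loss, which is why ES, not a higher-confidence VaR, is the regulator's preferred tail measure.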

Conduct risk

Conduct risk revolves around two core aspects:

  1. Ensuring equitable outcomes for customers, such as avoiding the mis-selling of products, and
  2. Preserving market stability by refraining from actions that could disrupt the fair functioning of the banking market, like the Lehman Brothers collapse.

Since the 2008 financial crisis, regulators worldwide have sharpened their scrutiny of conduct within banks and insurers. The UK’s Financial Conduct Authority (FCA) provides insight into its focus on conduct risk frameworks, stating that given the recurring nature of conduct risks and related challenges in recent years, it expects firms to include a conduct risk framework in their Regulatory Business Plan. This should outline a structured approach to identifying conduct risks inherent to the firm’s operations. The FCA is particularly interested in:

  • How the firm defines conduct risk,
  • The tools it uses to detect such risks,
  • The role of the first line of defense and business units in identifying conduct risks, and
  • How conduct risk identification aligns across various business segments.

To strengthen conduct risk oversight, the UK regulator has established rules for individuals and senior managers in banks:

For Individuals:

  • Rule 1: Act with integrity.
  • Rule 2: Exercise due skill, care, and diligence.
  • Rule 3: Be open and cooperative with the FCA, the Prudential Regulation Authority (PRA), and other regulators.
  • Rule 4: Pay due regard to the interests of customers and treat them fairly.
  • Rule 5: Observe proper standards of market conduct.

For Senior Managers:

  • Rule 1: Ensure the business areas you oversee are effectively managed.
  • Rule 2: Take reasonable steps to ensure compliance with applicable regulatory requirements and standards in your areas of responsibility.
  • Rule 3: Delegate responsibilities to suitable individuals and oversee their execution properly.
  • Rule 4: Promptly share any information that the FCA or PRA would reasonably expect to be informed about.

The Banking Banana Skins 2021 (2015 ranking in brackets):

  1. Crime (2)
  2. Macro-economic environment (1)
  3. Technology risk (4)
  4. Security risk (-)
  5. Credit risk (7)
  6. Quality of risk management (6)
  7. Business model (10)
  8. Business practices (8)
  9. Reputation (12)
  10. Sustainability (24)
  11. Corporate governance (19)
  12. Culture (-)
  13. Political risk (5)
  14. International trade (-)
  15. Interest rates (14)
  16. Regulation (3)
  17. Management incentives (20)
  18. Pricing of risk (9)
  19. People risk (22)
  20. Liquidity (18)
  21. Compliance risk (-)
  22. Capital availability (13)
  23. Currency (17)

ERM Chapter 9 Resilience

We will explore the concept of organizational resilience and its role in helping organizations cope with future shocks, disruptions, and significant incidents. We will also look at the importance of organizational agility and how resilience can be tested to provide stakeholders with confidence. As organisations recover from the effects of the COVID-19 pandemic—similar to the way many rebounded after the 2008/9 financial crisis—the idea of resilience has gained significant attention. Since resilience is a relatively new and evolving concept, it is useful to begin by understanding its meaning. According to ISO 22316 (2017) Security and resilience: guidelines for organisational resilience, organisational resilience is defined as an organisation’s ability to adapt within a complex and constantly changing environment. The IRM Innovation Special Interest Group (2021), in their publication Organisational resilience: a risk manager’s guide, highlights two key aspects of resilience: operational resilience and strategic resilience. Operational resilience refers to an organisation’s capacity to continue delivering critical operations during periods of disruption. In contrast, strategic resilience involves adapting organisational strategies in response to environmental changes, often providing a competitive advantage. This unit primarily focuses on organisational resilience as a framework to navigate an increasingly volatile, uncertain, complex, and ambiguous (VUCA) world. It is also essential to differentiate between organisational resilience and business continuity planning (BCP). While BCP is event-driven, focusing on preparedness and recovery from crises that disrupt essential operations, organisational resilience has a broader scope, addressing both operational and strategic challenges.

According to ISO 22316 (2017), resilience equips organisations with the ability to anticipate and respond effectively to both threats and opportunities, whether these arise from sudden disruptions or gradual shifts within their internal or external environment. The standard emphasises that building resilience should be viewed as a key strategic objective for any organisation. It outlines essential principles that serve as the foundation for designing, implementing, and evaluating a framework and strategy aimed at strengthening organisational resilience. These principles include:

  • Resilience is strengthened when organizational behavior aligns with a common vision and shared purpose.
  • It depends on maintaining an up-to-date understanding of the organization’s internal and external environment.
  • It requires the capacity to absorb shocks, adapt, and respond effectively to changes.
  • It is supported by strong governance and sound management practices.
  • Diversity in skills, leadership, knowledge, and experience contributes positively to resilience.
  • Collaboration and coordination across different management functions, along with input from technical and scientific experts, enhance resilience.
  • Effective risk management is a critical factor in sustaining resilience.

Evolution of organizational resilience

The concept of resilience first emerged in the field of Information Technology (IT) during the 1990s and later expanded into business continuity practices in the 2000s, leading to the establishment of the International Consortium for Organizational Resilience in 2006. The development of organizational resilience has evolved over time — starting with a focus on IT disaster recovery in the 1990s, shifting towards business continuity in the mid-2000s, and more recently adopting a broader, organization-wide approach. This contemporary view integrates multiple disciplines and engages a range of stakeholders to strengthen both protective and responsive capabilities. Several important standards have since been developed to guide organizational resilience, including:

  • BSI 65000 by the British Standards Institute, providing guidance on organizational resilience.
  • ISO 22316 (2017) by the International Standards Organization, which focuses on security and resilience for organizations.

In the financial services sector, regulators have placed greater emphasis on resilience, particularly in managing operational risks. Institutions are now required to maintain a risk capital buffer to address potential operational failures. Looking ahead, organizational resilience is expected to continue evolving, especially in light of the growing number of significant global risk events.

9.1 Building organizational resilience capability

The concept of resilience and how it connects to enterprise risk management (ERM), as outlined in the previous chapter, is not yet fully defined and continues to evolve. Measuring and managing resilience presents its own set of difficulties, primarily because its meaning remains unclear and also because it is a complicated idea, emerging from the behavior of dynamic systems. With this in view, the goal of this section is to present the best practices observed during this project to encourage discussion and improvement among risk professionals. To start, it’s crucial to understand that resilience, much like ERM, seeks to dismantle organizational silos, acknowledging that achieving future goals and strategic objectives demands effort across all areas due to their unpredictable and complex nature. This mindset should push risk experts to approach resilience capabilities in a comprehensive way, relying on an adaptable and cooperative workforce and processes. Now more than ever, it’s evident that companies must view their employees as their most valuable resource. For example, during the COVID-19 pandemic, employees had to be quick to adjust and dedicated to their work despite challenging conditions. Senior leaders had to act decisively, finding innovative solutions to sustain operations while keeping their teams motivated. Governments showed empathy by supporting the most affected through initiatives like furlough programs. Suppliers and customers depended on each other to find a new balance. In short, various stakeholders had to collaborate and foster a supportive environment to keep the economy moving forward. Recognizing this broader ecosystem in which businesses operate is vital for understanding its parts and making necessary changes. Beyond that, companies had to rapidly reassess their core values and priorities. Sadly, in many instances, profit became the sole focus. Yet, there were also inspiring examples where people united for a common cause—a special acknowledgment goes to the NHS and frontline workers worldwide who risked their lives and time with loved ones for the benefit of everyone.

These points collectively form the strategic components of resilience frameworks, characterized by their complexity, fluidity, ambiguity, and unpredictability. As a result, uncertainty is a natural feature of these processes. Questions like: Will people respond as anticipated? How might minor actions affect long-term risks or possibilities? Can positive progress be maintained, and if so, for how long? How do we strike a balance between immediate needs and future goals without undermining the latter? These uncertainties have lingered in the minds of executives and risk managers before, during, and after the pandemic. How can we ensure our organizations are genuinely resilient? While simulations can help us prepare for disasters, real reactions to unexpected or catastrophic events may differ significantly. This highlights the value of training, yet it’s the firsthand experience in the midst of a crisis that truly reveals human behavior, as all preconceptions fade when reality hits. We anticipate crises as defining moments, hoping our responses don’t worsen the situation. Still, those who are well-prepared and trained are more likely to excel compared to those less ready, though we must always watch for discrepancies between expected and actual outcomes. To address these discrepancies, benchmarks for assessing variations should be established in advance. In the thick of a crisis, critical choices take priority, and it may be too late to implement effective systems and metrics to manage the escalating ripple effects of interconnected disruptions across multiple areas.

To begin, organizations should take stock of the data they already possess to avoid redundant efforts that could lead to inconsistencies across departments or levels. Quality data is unified data—capable of validating or challenging other sources. This allows us to uncover hidden links, identify what’s working or not, and steer the system back toward the intended alignment. Fortunately, much of this information is already housed in ERP and CRM systems. That said, there’s a clear need to merge internal data with external sources and tackle the abundance of unstructured data still present in our systems. Our core advice in this guide is straightforward: start with what you have, then seek out what’s missing. As illustrated in Figure , organizational resilience at an operational level emerges from the overlap of various protective disciplines. Yet, silos often persist between areas like business continuity, crisis management, and conventional risk management practices. This lack of coordination and integration can result in a fragmented perspective on organizational performance and resilience strengths. Consequently, blending these and other protective disciplines is essential for organizations striving to embed resilience, as depicted in the accompanying figure:

The figure illustrates that organizational resilience arises from dismantling silos between preventive disciplines, embodying proactive, comprehensive, integrated, and advanced ERM practices. However, in reality, the way these disciplines intersect varies depending on each organization’s structure, capabilities, and risk tolerance. Thus, we should view these areas as fluid management and control mechanisms that can blend and overlap to address disruptions and shifts impacting a company’s operations and strategy. If organizational resilience is treated as a quality that emerges from intricate management and control systems, risk management should embrace a flexible, all-encompassing, integrated, and value-focused approach to foster resilience, consistent with the ERM framework’s vision. Mature ERM programs need to move past simply spotting, analyzing, and judging risks or opportunities. They should also bolster the value of resilience across different levels and departments, drawing lessons from both triumphs and setbacks, whether triggered by external factors or internal dynamics. To achieve this, we must recognize that resilience is always a comparative measure, requiring us to define the desired level and the context it applies to. Everything has a threshold of resilience (or fragility), relative only to other entities or conditions. Traditionally, the focus has been on “structural resilience,” which seeks to preserve competitive standing by minimizing or neutralizing risks, often through tools like insurance. Yet, in today’s volatile, uncertain, complex, and ambiguous (VUCA) landscape—marked by a rise in emerging risks—organizations must also prioritize absorbing, responding, adapting, and recovering from crises. While business continuity management (BCM) and disaster recovery plans address “robust resilience” after the fact, they alone are neither sufficient nor efficient. As a result, organizations should pursue “dynamic resilience” through an ongoing adaptive process, growing stronger from challenges and adopting smarter, more adaptable business models and processes to continually refine their practices. Rather than attempting to anticipate every possible future scenario—an impossible task given the presence of unknown unknowns—the focus should shift to mitigating permanent losses. Leveraging existing ERP systems along with their KPIs and KRIs, companies can assess their resilience capabilities across various organizational dimensions, such as those outlined below:

Organisational Elements | Structural Resilience | Robust Resilience | Dynamic Resilience
1. Geography | Geopolitical stability | Diversified portfolio | Expansion into other countries
2. Market | Focus on existing competitors | Awareness of new entrants | Expansion through new partnerships (M&A)
3. Product | Maintain brand position | Range of product offerings | Innovations and disruptions
4. Customers | Threats of substitutes | Diverse client base | New demands and segments
5. Talent/People | Retention of talent pool | Dependency of talent (range) | Interdependencies of talent retention & staff satisfaction
6. Delivery | Strategic location | Punctual failures (BCM & DR) | Ability to scale up & down
7. Supplier | Supplier power | Contingency plans | Vertical integration
8. Finance | Gearing ratios | Funding availability and variability | New sources of finance
9. IT/Cyber | Reliance on data and cyber products and services | Cyber vulnerability evaluation | Leveraging data & technology

The table provided is neither exhaustive nor all-encompassing, as each organization will develop its own metrics and categories based on its specific goals for resilience. Nevertheless, it serves as a practical illustration of benchmarks that can be used to assess various facets of organizational resilience and gauge a company’s current standing. Not every company will strive for the highest level of resilience—nor is that necessary—but evaluations should allow Boards to determine whether existing practices fall within an acceptable range aligned with the company’s risk tolerance. In this context, resilience capabilities will fluctuate across these focus areas as actual performance is measured against anticipated outcomes or standards. While the initial table shows how existing KPIs and KRIs from ERP systems can help evaluate aspects of organizational resilience, true resilience requires more advanced, real-time risk management tools. The SoluxR model exemplifies this approach, offering tailored, timely, scalable, and automated visual tools that allow risk managers to track emerging risks as they unfold, exploring root causes and connections through graphical depictions of threats and opportunities. These RiskTech solutions deliver cost-effective, dependable, and dynamic risk assessments across diverse regions and organizational silos, integrating seamlessly into weekly performance tracking systems. They provide clear, evidence-based visual insights, highlighting predictable trends and enabling sophisticated scenario planning and testing that digs into the underlying data. Additionally, they cut costs tied to travel, labor-intensive analysis, meetings, and presentation prep by consolidating data onto a single platform, offering real-time reporting and decision-making support accessible via mobile devices, all while ensuring data integrity, governance, transparency, and auditability. As depicted in the figure below, the challenges businesses face today demand a fundamental shift in risk management—from handling straightforward, structured issues to tackling complex, unstructured ones.

Shortly after the COVID-19 pandemic struck the global economy, some pointed fingers at risk management for failing to avert the crisis. However, the pandemic ultimately prompted businesses and individuals alike to rethink the knowledge and mindset needed to address emerging risks. Most existing risk management frameworks and systems are built to handle “Slow Risk Clockspeed” risks—those where ample information is available beforehand to prepare for extreme events. Yet, many extreme or long-tail risks don’t fit this mold. This calls for a “Fast Risk Clockspeed” approach to better grasp and manage emerging risks. To address this, the clock speed risk model was introduced years ago and has since been refined to distinguish between simple and complex risk solutions based on fast and slow risk timelines. Conventional risk management tends to target straightforward, structured issues, where processes can be crafted with abundant information in a predictable, manageable setting. This allows for clear rules to be set and enforced, ensuring compliance through the consistency of contained, closed operational systems. But today’s reality doesn’t align with this simplicity—current challenges are far more intricate than once assumed. Consequently, risk solutions must be reimagined and realigned with this complexity; we can’t force reality to fit outdated approaches. At its core, risk management should stem from a strategic view of business models and operations, with people as the central focus. Their actions need to align with intended goals and organizational objectives, though human behavior remains unpredictable and hard to fully control. In complex systems, information can be scarce and unclear, making rigid controls and predictions difficult. Still, this doesn’t rule out solutions or progress. Risk managers must think creatively, setting guiding principles for individual and organizational behavior while continually assessing whether results stay within the expected range of open, unbounded systems. These systems, by their dynamic nature, may frequently stray from set parameters rather than neatly aligning with them. In essence, organizations must learn to operate on the more complex, adaptive side of this framework—not just the simpler, structured one. Over time, as more data emerges, improved solutions become possible, as shown in the figure below:

As depicted in the figure, the shift in perspective needed to address emerging risks hinges on the nature, amount, and quality of information and how it evolves over time. The diagram highlights the contrast between the initial signals and responses to emerging risks and the options available once risks become more defined on a company’s radar. These distinctions relate to the reliability of information, the frequency of observed events, the sophistication of risk management practices, and regulatory reactions. In essence, emerging risks are typically marked by faint hints of their potential, surrounded by uncertain data that lacks the precision needed for predictive modeling due to their unclear origins and development. In contrast, traditional “risks” come with clearer, more dependable signals, allowing us to assess their positive and negative impacts and foster deeper, more meaningful discussions. The information for these established risks is widely accessible and trustworthy, and as events accumulate, data and databases grow more accurate, paving the way for refined risk management processes that tackle threats and opportunities while engaging broader stakeholders. Over time, these well-defined risks often lead to regulatory frameworks, which may evolve through reactive legal precedents. The key challenge for resilience and disruption response lies at the tipping points between normalcy and crisis. While the need for a shift may be obvious in retrospect, it’s often murky looking forward. This makes it tempting to leap to selecting KPIs, but harder to determine what data truly informs decisions and who’s making them based on what. With emerging risks—where the risk is recognized but supporting knowledge is thin—traditional risk management, reliant on impact and likelihood, falters. We might foresee a major impact, but sparse data makes likelihood hard to pin down, and fixating on “likelihood value” can stall action. Shifting to scenario analysis, a common tool for such cases, lets us consider something “plausible” even without a precise likelihood figure. Thus, we might need to ask “why” before “how,” weighing whether a scenario is “possible” and “plausible” rather than waiting for a quantifiable likelihood. Embedding resilience into decision-making requires balancing cultural actions with metrics. Conversations about organizational resilience, both internal and external, should stress that building resilience adds value—prevention costs less than repair, and crises reveal the worth of resilience investments (and perhaps insurance). Convincing managers and Boards of this value during calm periods is tough, as control measures don’t directly generate revenue. Still, forward-thinking preparation equips organizations and individuals to handle challenges when they arise. RiskTech’s dynamic forecasting tools can provide valuable data for resilience-building. Unlike traditional reports that merely compile known information, RiskTech apps—through daily or weekly targeted surveys—enable risk managers to “forecast forward” with timely, precise analyses, tracking risk speed, likelihood, and impact nearly in real time, while refining financial predictions for 5, 10, 20, or even 50 years ahead. Horizon scanning and scenario exercises can simulate disruptions and test capabilities periodically, tailored to specific organizational needs. Combining quantitative self-assessments with detailed qualitative insights into threats and opportunities can shed light on the emergence and pace of risks. Risk managers must therefore stay attuned to market shifts, the digital transformation driven by risk technologies, and global supply chain links. At its heart, resilience reflects an organization’s values and purpose. The push for long-term sustainability through resilient organizations echoes longstanding risk management ideals, particularly ERM’s focus on interconnectedness, integration, and a comprehensive view of corporate financial health.

9.2 Organizational resilience maturity levels

In today’s global landscape, defined by volatility, uncertainty, complexity, and ambiguity (VUCA), threats often emerge unexpectedly. The deep interconnectedness of global markets amplifies risks, heightening pressure from regulators who demand effective risk management. Traditional models face skepticism and scrutiny, while organizations grapple with the tension between “performance and protection goals.” Consequently, recent years have seen a growing push to shift focus from risk to resilience. The core idea is to be ready for disruptive events—whether expected or not. This raises a key question: Does risk management fuel organizational resilience, or does resilience shape risk management practices? This debate has surfaced in our discussions as well. Since resilient organizations don’t emerge spontaneously, we need to explore the roots of resilience more deeply.

The journey of organizational resilience has evolved over time: from a focus on IT disaster recovery in the 1990s, to the rise of business continuity in the mid-2000s, and more recently, a broader, company-wide approach that integrates multiple disciplines and stakeholders, blending protective and responsive strategies. Resilience combines proactive ERM processes with reactive disciplines such as business continuity management, aimed at ensuring continuity amid disruptions and long-term sustainability in shifting internal and external contexts. Acknowledged across industries and formalized in documents like the UK Civil Contingencies Act (2004), British Standard 65000 (2014), and ISO 22316 (2017), resilience encompasses operational and strategic dimensions as distinct yet linked elements. This requires cohesive, ongoing planning and integration. While operational resilience is increasingly viewed externally—focusing on minimizing impacts on services and products—recent regulatory and sector trends also highlight its role in safeguarding and creating value across critical sectors, infrastructure, and service hubs.

It’s essential to differentiate risk management and resilience from other protective fields. For instance, while business continuity is typically event-focused, ERM provides a broader strategic lens for viewing resilience as a company-wide goal. In practice, preventive disciplines overlap and shift in relevance at various stages—before, during, and after disruptions—depending on a company’s model and structure. This “resilience universe” comprises proactive and reactive elements: proactive resilience seeks to limit downside risks and boost upside potential through tools like strategic planning and self-assessments, fostering ongoing capability growth; reactive resilience, meanwhile, sets thresholds that, when crossed, trigger responses like business continuity or crisis management to counter threats to organizational objectives. The specific disciplines and their weighting within this universe vary by organization, with each defining its own “resilience universe.”

Risk management has always been integral to this universe, and ERM serves as a critical glue binding these disciplines together. ERM establishes thresholds for proactive and reactive resilience, evaluates extreme risks and their impacts, and pinpoints priority areas. It fosters a shared framework for aligning perspectives, ensuring resilience efforts produce tailored results that keep capabilities within the organization’s risk appetite and tolerance. By unifying efforts and data, ERM supports consistent decision-making, enabling organizations to explore options through horizon scanning and scenario analysis of acceptable risks and responses—covering both preventive and corrective measures. This positions risk professionals as key connectors and integrators across protective disciplines.

Mature and well-integrated risk management practices are the key to building and strengthening organizational resilience. These practices require fostering cooperation and teamwork across silos and areas of specialization. According to the 2015 E&Y report, risk managers must identify emerging vulnerabilities to develop adaptable corporate structures and operations rooted in a unified, resilient risk culture. While various components come together to shape resilient practices tailored to each business, a comprehensive risk governance framework is vital—one that mitigates known risks while proactively scanning for plausible, significant emerging threats and opportunities. Additionally, overly complex corporate hierarchies often need streamlining to enable swift decision-making rather than relying on excessive control measures. For these shifts to be meaningful and lasting, cultivating commitment, ownership, and accountability for risk management is essential, alongside emphasizing the importance of calculated risk-taking to maintain a robust and resilient risk culture. In many cases, the necessary resources are already available but underutilized. Understanding the company’s current operations, strengths, and weaknesses is therefore critical. Risk managers, collaborating with specialists from various fields, can piece together a complete view of what makes an organization resilient. This might include input from crisis management teams, business continuity experts, and subject matter specialists—such as epidemiologists during a pandemic or environmentalists, activists, and regulators in the context of climate change. In short, resilience is a collective effort requiring diverse perspectives. To achieve this, we should focus on forming collaborative teams to build a wider, more integrated vision of the desired future. Resilience Committees can also play a key role during crises, bringing together trained staff from different departments with complementary skills. For major projects, decentralized decision-making can be supported by judgment calibration techniques, such as general knowledge quizzes for individuals and teams, to evaluate confidence levels and biases related to risk and resilience. The weaknesses revealed in this way can be addressed through surveys and training workshops, improving project forecasting accuracy. Subject matter experts can also be monitored against project timelines and outcomes, allowing for ongoing refinements and enhancements. Interviews with managers and Board members revealed varying stages of organizational resilience across companies. Those with more advanced ERM and resilience practices have leveraged past crises as catalysts to refine their approaches. These organizations prioritize education to deepen understanding of practices and gain buy-in for necessary changes. Chief Risk Officers (CROs) in such cases have been instrumental in uniting teams and promoting cross-company collaboration, using analytical tools to reveal interconnections. Ultimately, Board backing has proven crucial in sustaining this mindset and aligning mature ERM practices with resilience frameworks.

Successful organizations have shown traits that have bolstered their resilience over time. These include:

  • Gaining the foresight to spot issues before they escalate.
  • Embedding diverse, flexible structures to adapt to both negative and positive shifts.
  • Dismantling barriers and hierarchies to ensure risk information flows freely, avoiding blind spots.
  • Establishing quick-response mechanisms to keep incidents from spiraling into crises.
  • Learning from their own and others’ past missteps, making necessary adjustments.

In essence, organizational “resilience” emerges from a well-implemented, company-wide risk strategy, distinct from the event-focused nature of business continuity. ERM provides a lens to see resilience as the ultimate goal. Moreover, framing resilience positively—as a driver of “competitiveness, transformation, growth, and strength”—highlights its role as an opportunity for organizations. However, it’s undeniable that some organizations fall short of achieving this ideal resilience. This often stems from a disconnect between less-developed risk management practices and the Board’s vision. Here, Boards are forward-looking, expecting risk management to be a strategic pillar of the business. They seek insight into what lies ahead, the broader context, and the intricacies of decision-making. For them, resilience isn’t just about bracing for crises but ensuring agility before, during, and after disruptions. This aligns with IRM and ERM principles, shifting the focus from merely mitigating downside risks to seizing the potential upside of uncertainties. Thus, risk managers and CROs must move beyond compliance-driven thinking, making room to tackle the unexpected or uncomfortable. They need to offer solutions and equip teams to act in line with Board expectations, internal policies, and proven best practices during such events.

Yet, not all risk managers have met these Board demands or embraced risk management as a value-adding endeavor. This can signal immature risk cultures and ERM practices within organizations. It also reflects a lack of leadership emphasis on the importance of risk management and resilience. Some managers note that, in other companies they’ve observed or worked at, resilience gains traction more readily after setbacks—echoing insights from successful CROs. Before such failures, risk management might feel like a shallow compliance exercise. Until a crisis hits, these managers may opt to “keep dancing to the tune,” focusing on past events to explain what went wrong rather than strategizing for the future. This leans toward an operational, not strategic, approach. For them, “resilience” means readiness and sturdiness in a simple, cause-and-effect framework, missing the nuanced complexity of future uncertainties. Here, resilience feels like a future goal for risk management, while compliance remains the priority. Consequently, these risk managers become trapped in checklists and risk registers, disconnected from Boards that seem out of reach. Organizational resilience doesn’t happen instantly—it’s a gradual maturity process driven by mindset shifts and tailored to specific organizational aims. That said, not every organization will target the same resilience level, as it’s both resource-intensive and time-consuming. Progress should align with overarching goals and Board expectations. For example, the Cranfield report suggests companies may exhibit five distinct resilience levels. Thus, organizations will pursue varying degrees of resilience within their practices, as it’s just one piece of their broader strategic objectives.

Organisational resilience maturity levels

Resilience serves multiple purposes: it’s a tool for continuous stress testing, a way to underscore the value of mature risk management and preventive measures, and a means to unify metrics that look ahead. The disconnect between Board expectations and risk management practices can be, and has been, a catalyst for change. Some Board members, however, may not fully understand—or may not have been briefed on—how risk management is woven into their organization. They might also be unaware of specific shortcomings or the potential scale of impact if risks turn into real issues. This can foster a false sense of security and an overconfidence in control, far exceeding their intended risk appetite and tolerance. Resilience initiatives can help risk managers bridge this divide, aligning Board expectations with actual risk management practices and vice versa. That said, organizations may not aim for the pinnacle of resilience maturity but instead weigh the costs and benefits of options based on their risk appetite and tolerance (more on achieving this balance will follow in the next section). The challenge lies in organizations often relying on aspirational response plans that outline intentions and needs but lack clear implementation steps. These plans frequently fail to align with relevant risks, appetites, and tolerances. Crisis management setups may fall short in managing information flow and decision-making, and teams are often undertrained and unpracticed for crisis readiness. In short, the systems to support and sustain resilience are often missing. When push comes to shove, it’s well-prepared people and teams, working through cohesive, thoughtful plans, that make the difference. This lack of integration within a solid resilience framework has tripped up many organizations recently, forcing them to abandon poorly crafted plans.

9.3 Risk management and resilience

Enterprise risk management (ERM) and organizational resilience are closely linked. Resilience integrates proactive ERM with business continuity management. This idea is echoed in ISO 22316, which emphasizes that organizational resilience depends on effectively managing the risks an organization encounters. ERM focuses on handling uncertainty’s impact on achieving organizational goals, meaning that steps taken to address risks inherently bolster resilience. ERM is a central component of an organization’s “resilience universe,” which highlights ERM’s significance within the broader resilience framework. This critical role stems from several key aspects:

  • ERM takes a proactive approach to risk management, in contrast to more reactive disciplines like crisis management and business continuity management.
  • ERM works to align the organization’s risk response across all departments and functions, offering a comprehensive, company-wide perspective that accounts for interconnected and related risks.
  • ERM establishes a structure for overseeing and evaluating the effectiveness of the organization’s control environment.

True resilience reflects a coordinated capability spanning proactive and reactive disciplines, grounded in robust risk management and uniting various business areas to build strength. It thrives when proactive measures prevent crises and reactive ones enable effective responses. This vital, holistic balance ties resilience tightly to risk and its management, cautioning against an overreliance on business continuity alone for handling disruptions. Resilience brings together people and processes, proactively balancing perspectives and resources. From this analysis of the interplay between risk management and resilience, it’s clear that risk managers must recognize the distinctions and synergies between control and management practices, including their own. Not all Boards are equally attuned to the importance of resilience-building, so risk managers must act as educators and unifiers, boosting awareness of mature risk management’s value, processes, structures, and the need for cross-silo collaboration and communication. It’s also key to note that not every organization should target the same resilience maturity level. The critical task is aligning Board expectations with the practical control and management on the ground. Given that organizational resilience is a dynamic, emergent trait of complex systems, this remains an ongoing effort for risk managers today. In essence, resilience plays diverse roles within companies. Those engaged in “infinite games” prioritize long-term competitive edges. ERM can weave together practices to cultivate and strengthen organizational resilience.

A FERMA (Federation of European Risk Management Associations) survey on Covid-19’s effect on corporate resilience found that executives observed “risk management now includes the wider scope of resiliency management. It’s embedded in long-term strategy formulation at leading organizations, enabling them to adapt to a much more unpredictable operating landscape.”

9.4 Organisation disruptors

A disruptor is someone or something that interferes with an event, activity, or process by creating a disturbance or issue. An innovative disruptor introduces a product, service, or approach that upends the dominance of current market leaders, potentially overtaking them as the top player in the field. Often, these disruptors are entrepreneurs, outsiders, or visionaries. While they’re frequently associated with the fast-paced tech sector, disruptors can emerge in nearly any industry. Conversely, a negative disruptor typically has the opposite effect of an innovative one and is commonly used to describe major global shocks, such as those in health, geopolitics, natural disasters, and similar areas. Let’s examine a few notable past disruptors and explore the risk management lessons they offer:

  1. Covid-19 – Public Health
  2. 2007/8 Financial Crisis – Banking
  3. Suez Canal Blockage – Goods Supply Chain
  4. Social Media – Communication

1) Covid-19

Event: In late 2019, a novel virus, severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), surfaced in Wuhan, China, leading to an infectious illness officially termed COVID-19 by the World Health Organization on February 11, 2020. The disease rapidly spread worldwide. Although its impact was felt globally, the effects varied widely. The outbreak’s severity and its economic fallout differed in timing and scale across nations, sectors, companies, and individuals. The OECD (Organisation for Economic Co-operation and Development) released a 2021 report titled Strengthening Economic Resilience Following the COVID-19 Crisis: A Firm and Industry Perspective, offering guidance for policymakers. Key points included:

  1. An analysis of how the crisis impacted firms differently across industries through various channels.
  2. Identification of country-specific factors that could either cushion or intensify these effects, influencing resilience to this and future shocks.
  3. Examination of how the crisis affected different population groups and the resulting policy implications.

In its Executive Summary, the OECD (2021) emphasized, “As nations rebound from COVID-19, it’s critical not to overlook other pressing global challenges. The recovery phase is a chance not just to rebuild stronger, more resilient systems, but also to leverage strategic policies and enhanced international collaboration to tackle issues like inequality, climate change, and digital transformation. Governments and businesses should seize this unique moment to reconstruct in ways that advance these pressing global priorities.”

Risk Management Observations:

Here are some risk management insights to consider and whether they contribute to embedding resilience and adaptability in your organization:

  1. Many organizations had to revisit their core objectives, prompting a reassessment of their risk strategies.
  2. The pharmaceutical industry, tasked with vaccine development, embraced the opportunity, often expanding their risk appetite to meet the challenge.
  3. New risks surfaced, especially concerning employee well-being, such as mental health challenges.
  4. The IT sector faced intense pressure on firewall and remote-access security as remote and hybrid work surged, multiplying the access points that had to be defended. This tested resilience, and in most instances, systems held up well, showcasing the agility of IT teams.

2) 2007/8 Financial Crisis

Event: The Chartered Finance Institute (2022), in its article 2008-2009 Global Financial Crisis, described this downturn as “the severe financial crisis that gripped the world from 2008 to 2009.” Dubbed “The Great Recession,” it profoundly affected individuals and institutions globally, with millions feeling its impact. Financial entities began to falter—some were swallowed by larger firms, while others relied on government bailouts to survive. The crisis didn’t emerge suddenly. It stemmed from a housing market bubble fueled by an overload of mortgage-backed securities tied to risky loans. Lax lending practices triggered a wave of defaults, and as these losses piled up within bundled securities, numerous financial institutions crumbled, necessitating government intervention. Many who had taken subprime mortgages couldn’t repay, causing significant losses for financial firms. This led to some of the biggest corporate failures of that era, including Lehman Brothers in the United States and the Royal Bank of Scotland in the United Kingdom, among others.

Risk Management Observations:

Here are some risk management insights to consider and whether they help embed resilience and adaptability into your organization:

  1. Bank regulators lost substantial trust in financial institutions, posing a severe reputational risk for both banks and their overseers.
  2. Excessive dependence on complex risk exposure models backfired. Regulators shifted their stance, permitting such models only when bankers, their overseers, and auditors could prove a deep understanding of the models, their inputs, and their results.
  3. Banking operations saw a shift in focus toward Conduct Risk, emphasizing fair treatment of customers (e.g., avoiding product mis-selling) and market stability (e.g., preventing threats to the banking system).
  4. Boards began dedicating more effort to shaping organizational culture and enhancing resilience to better endure unexpected shocks.

3) Suez Canal Blockage

Event:

In 2021, the Ever Given—a 400-meter-long, 220,000-ton ship chartered by Evergreen, surpassing the Eiffel Tower in length—became lodged in the Suez Canal for six days. Carrying 17,600 containers, it halted traffic in both directions, creating a jam of over 400 ships. This incident disrupted global shipping, stalling nearly $10 billion in daily trade. For the shipping industry, it was a stark reminder of the risks posed by massive modern freighters navigating narrow passages. Richard Meade, editor-in-chief of Lloyd’s List, a maritime intelligence outlet, called it “a wake-up call” for the sector.

Risk Management Observations:

Here are some risk management insights to consider and whether they contribute to fostering resilience and adaptability in your organization:

  1. Many organizations relied on a “just-in-time” inventory approach, which minimized obsolescence and streamlined stock management. However, the significant delays exposed weaknesses in supply chain controls, prompting a reevaluation and a push for greater local resilience.
  2. The event highlighted concentration risk for organizations overly dependent on supplies from one region.
  3. Numerous companies found it challenging to devise creative solutions for customers due to their heavy reliance on a single supply chain, revealing a lack of agile alternatives.

4) Social Media

Event:

As of January 2022, around 4.2 billion people—roughly half the global population—were active social media users, making it a preferred resource for many. According to Statista’s 2022 article Social Media as a News Source Worldwide, between 35% and 70% of people, depending on their country, rely on social media as their main news outlet.

Key risks tied to social media include:

  • Cyberbullying
  • Privacy breaches
  • Identity theft
  • Children encountering inappropriate content
  • Predators using platforms to target vulnerable users

Risk Management Observations:

Here are some risk management insights to consider and whether they help foster resilience and adaptability in your organization:

  1. The rapid rise of social media has opened a powerful window for delivering instant news. Media organizations that capitalized on this shift gained a chance to stay highly relevant to their audience, showcasing an impressive agile response.
  2. The unchecked expansion of social media has fueled the spread of fake news and algorithmic bias, tailoring content to reinforce existing beliefs or limit perspectives. This poses a daily challenge for those seeking unbiased information to make well-rounded decisions.
  3. The risk of unauthorized or unethical access to online data underscores a major weakness in data security, emphasizing the need for strong, resilient systems to protect against threats from both external and internal sources.

5) Potential future disruptors

By its very nature, predicting future disruptors with confidence is a challenging task. Nonetheless, organizations are constantly on the lookout for the “next big thing,” which could either open doors to new possibilities or pose significant risks. When considering potential future disruptors, various tools can aid the process, such as:

  • Knowns and unknowns – classifying risks by how well they are understood, in particular:
    • Unknown unknowns – unexpected surprises.
    • Unknown knowns – risks that are present but ignored, often called the “elephant in the room.”
  • Horizon scanning – a method to explore the potential consequences of emerging trends, particularly in areas like sustainability.

The European Parliament’s “Future Shocks” report identifies key risks for Europe by 2030 (assessed by likelihood and impact), including:

  • Energy price volatility
  • Extreme weather events
  • Rising social divisions
  • Migration challenges
  • Risks tied to Russia
  • Political risks from China
  • Public debt pressures
  • Semiconductor supply shortages
  • A faltering economic recovery

There are many different sources of information on future disruptors.

#   Topic area                          Source example (note these are regularly updated)
1   World risks                         World Economic Forum – Global Risks Report – https://www.weforum.org/reports/global-risks-report-2022/
2   Compliance risks                    Accenture compliance risk predictions – https://www.accenture.com/_acnmedia/PDF-177/Accenture-Compliance-Risk-Study-Report-2022-May13.pdf
3   Security threats                    GovTech security threat predictions – https://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-top-22-security-predictions-for-2022
4   Geo-political risk landscape index  BlackRock – Geopolitical risk dashboard – https://www.blackrock.com/corporate/literature/whitepaper/geopolitical-risk-dashboard-july-2022.pdf
5   EU lens                             European Parliament – Future Shocks – https://www.europarl.europa.eu/RegData/etudes/STUD/2022/729374/EPRS_STU(2022)729374_EN.pdf
6   Innovative disruptors               CNBC Disruptor 50 – https://macventurecapital.com/the-2022-cnbc-disruptor-50-list-meet-the-next-generation-of-silicon-valley/

9.5 Agility and risk management

Resilience comprises the preventative actions that keep the organisation from breaching its controls; agility comprises the fast recovery actions that help an organisation recover after an event or incident.

The Four Managers and the Shock

Annie, Freddy, Poly, and Tommy are close friends, each holding management roles in different companies. They frequently gather to discuss how they manage risks within their organizations. This tale reveals how each handled a sudden “shock” that tested their abilities.

  • Agile Annie is a forward-thinker. She prepares for potential disruptions by putting reasonable safeguards in place to strengthen her company’s resilience. By running simulations and stress tests, she ensures her team can bounce back quickly when trouble strikes, showcasing her agility.
  • Fire-fighting Freddy also invests in prevention, but when a shock hits, he reacts with a burst of energy and urgency. His flurry of activity gets results, but it’s chaotic and lacks a clear recovery plan, making him less adaptable in the long run.
  • Procrastinating Poly feels paralyzed when a shock occurs. She responds by setting up a group to study the problem and consults others for insights. While these steps could be useful, her timing is off—her company’s performance plummets as she delays, leaving her little room to recover.
  • Tumbling Tommy assumes shocks are beyond his influence, so he waits for external solutions, like government action, rather than taking initiative. Though many events—like the Covid-19 crisis in 2020—are indeed uncontrollable, organizations that adapted creatively during such times thrived. Tommy’s inaction, however, risks letting his company falter due to a lack of agility.
  • Moral: The lesson here is to emulate Annie—proactive planning and swift adaptability are the keys to overcoming challenges successfully.

The Four Managers and the Supply Chain Crisis

Once upon a time, in a thriving industrial town, four friends—Prepared Priya, Rushing Ravi, Cautious Clara, and Idle Ian—each led their own businesses. They often met over coffee to share their strategies for managing risks and staying resilient. One day, a massive supply chain crisis struck, halting the flow of critical materials their companies depended on. Here’s how each friend responded to this unexpected challenge.

  • Prepared Priya was always ready for the unexpected. She had diversified her suppliers and built backup plans for disruptions like this. When the crisis hit, she quickly shifted to alternative sources and adjusted operations with ease. Her proactive approach kept her business running smoothly and even allowed her to support struggling clients, turning a challenge into an advantage.
  • Rushing Ravi didn’t hesitate to act. As soon as the crisis emerged, he scrambled to find new suppliers and redirected resources on the fly. His quick moves kept his business from collapsing, but the lack of a solid plan led to confusion among his team and higher costs than necessary. His reaction worked, but it was far from efficient.
  • Cautious Clara preferred a careful approach. She convened her leadership team to assess the crisis and explore every possible option. While her thoroughness was admirable, it took too long—by the time she decided on a course of action, her competitors had already adapted, and her business lost significant ground.
  • Idle Ian saw the supply chain crisis as an external problem he couldn’t fix. He waited, hoping industry leaders or regulators would step in to resolve it. As weeks passed with no action, his company’s production stalled, and customers turned to rivals. His passivity left his business vulnerable and on the brink of failure.
  • Moral: In times of crisis, being like Priya—prepared and adaptable—is the path to success. Anticipating risks and acting decisively ensures not just survival, but the chance to thrive when others falter.

Business Continuity Management

The globally accepted benchmark for business continuity, ISO 22301:2019 Security and Resilience – Business Continuity Management Systems, describes business continuity as an organization’s ability to maintain product and service delivery within acceptable timeframes and at predetermined levels during a disruption. The standard urges organizations to “identify and choose business continuity strategies that address options for before, during, and after a disruption.” Expanding on this framework, it’s useful to view business continuity management as unfolding in three phases:

  1. Planning and preparation
  2. The initial reaction to the crisis
  3. The restoration following the crisis

a) Planning: This model aligns with the broad stages of assessing risks, preventing disruptions, and preparing for action.

  1. Assess / Know Your Organization
    Understanding your organization’s context is key, including its internal dynamics. This involves grasping the company’s culture and its awareness of resilience. Sections 4 and 5 of ISO 22301:2019 provide relevant guidance here.
    Risk assessment tools come into play to pinpoint and analyze potential risks that could interrupt operations.
    A critical step is conducting a Business Impact Analysis (BIA), which evaluates the effects of disruptions on each organizational function and activity. The BIA determines the significance and priority of these functions to the organization’s overall operations. Its goals are to:
    • Highlight mission-critical activities.
    • Assess the potential impact and resources needed for recovery.
      ISO 22301:2019, in Section 8.2, clarifies the difference between risk assessments and BIAs.
  2. Prevent / Mitigate / Develop Business Continuity Strategies
    Prevention is emphasized as a distinct phase—don’t assume disruptions to vital functions, processes, and dependencies are unavoidable. Proactive steps can make a difference.
    Section 8.3 of ISO 22301:2019 offers direction on identifying, choosing, and resourcing contingency strategies and solutions to reduce risks.
  3. Prepare
    Create detailed plans specifying the steps to take during a disruption or crisis. ISO 22301:2019 addresses planning in this context.
    Regularly test these plans, recovery processes, and systems, as outlined in Section 8.5 of the standard. Testing options include:
    • Checklist: Share plans for review, though this doesn’t confirm their effectiveness.
    • Structured walkthrough: Carefully examine each plan step-by-step.
    • Scenario planning: Simulate realistic scenarios to practice recovery actions.
    • Parallel exercises: Conduct a full test without halting core business operations.
    • Full interruption: Replicate a disruption up to the point of stopping primary activities.
      Audit the business continuity plans to ensure they’re solid and suitable, as covered in Section 9 of ISO 22301:2019. Continuously refine and enhance the organization’s business continuity management and planning, per Section 10 of the standard.

b) Reaction to crisis: ISO 22301:2019 describes a disruption as an “incident, whether expected or unexpected, that results in an unplanned, adverse shift from the anticipated delivery of products and services aligned with an organization’s goals.” A particularly difficult element of any disruption or crisis is its speed or rate of onset. Typically, a crisis is seen as an abrupt event requiring instant response, resolving quickly, and followed by a recovery phase—think of a car crash. Yet crises can also unfold slowly and linger; there are four different paces at which a crisis can emerge and subside.

c) Restoration: When a crisis or disruption strikes, an organization’s priority shifts to restoring normal operations, aiming to regain its usual standards of service quality and operational costs. Several key factors come into play for organizations during recovery from a crisis or disruption:

  • Should the organization reassess its prior benchmarks for service quality or operational costs post-crisis?
  • A crisis or disruption often serves as a strong push for organizational change, acting as a spark to overhaul processes, procedures, work habits, or broader activities.
  • What insights can be drawn from the crisis experience?
  • Are new controls or procedures needed? How well did the organization handle the crisis?
  • Did the business continuity plan prove successful?
  • What does the crisis response reveal about the organization’s culture?
  • Did the response align with the resilience expectations set by senior leadership and the board?

Innovation

Risk management and innovation can work hand in hand to benefit an organization in various ways:

  • Risk management can pinpoint strategic vulnerabilities, such as over-reliance on a single product or service, which innovation can then address. In this sense, risk management sparks the drive for innovative solutions.
  • A well-defined tolerance for innovation-related risks gives creators the freedom to experiment within safe boundaries. Accepting that some risks may lead to setbacks can encourage bolder creativity and breakthroughs.
  • Strong risk management accelerates the innovation process. A solid control framework allows an organization to take calculated risks confidently, knowing that safeguards will prevent negative outcomes from spiraling.

Risk management brings structure and clarity to innovation efforts. An organization’s culture heavily shapes its capacity for innovation. In environments where blame dominates—where mistakes are penalized or successes are overly glorified—the fear of failure stifles risk-taking. Innovators in such settings tend to stick to proven, low-risk options rather than exploring uncharted territory. However, risk management can shift this dynamic. In organizations with a mature risk culture—where taking risks within defined limits is normalized—innovation and creativity thrive. By fostering a balanced approach to risk, risk management supports an environment where new ideas can flourish without undue fear of repercussions.

9.6 Testing for resilience

Scenario Analysis

Scenario analysis is a strategic method used to prepare for various potential future events, helping organisations reduce uncertainty and improve their chances of achieving desired outcomes. This process requires significant investments in people, time, and financial resources. Creativity also plays a role, as managers must explore and develop possible courses of action to minimise risks and enhance organisational value. Scenario analysis originated during World War II as a military planning tool. It was used to outline different possible futures, synthesise key variables into clear narratives, and explore multiple strategic choices that could influence outcomes. The method transitioned into the corporate world after the war, with Shell Oil Company pioneering its use to assess oil price fluctuations and consumption patterns, enabling smarter capital investment decisions. Today, scenario analysis is widely used across various industries. Beyond business, the approach is applied in urban planning to anticipate population growth, in engineering to design adaptable structures, and in scientific research to predict experimental outcomes. Even political campaigns use it to model electoral strategies by analyzing voter behavior, turnout trends, and demographic shifts.

The Scenario Analysis Process

Scenario analysis involves evaluating future uncertainties and exploring different pathways to a desired outcome. It requires an assessment of internal capabilities—such as operational strengths and weaknesses—alongside external factors, including emerging opportunities and threats in the broader business environment. Unlike forecasting models that rely on historical data, scenario analysis does not attempt to predict a single future outcome. Instead, it highlights multiple potential developments, offering alternative paths to success. While it cannot eliminate uncertainty, it clarifies what is realistic and helps decision-makers prepare for a range of possibilities. By identifying different future conditions, organisations can develop both strategic actions (long-term planning) and tactical responses (immediate reactions) based on the evolving situation. Since uncertainties increase over longer time horizons, scenario planning helps organisations adapt by defining plausible futures and assessing potential trade-offs.

Key Steps in Scenario Development

  1. Defining Uncertainties: The first step is to ask critical questions that define the scope and limits of possible future scenarios. A common challenge in this stage is relying too heavily on past experiences, which may not be applicable to future conditions. Managers must actively challenge assumptions by considering, “What if these assumptions are wrong?” Encouraging diverse perspectives and playing devil’s advocate helps build robust scenarios.
  2. Determining the Number of Scenarios: Typically, organisations develop multiple scenarios, including:
    • A best-case scenario
    • A worst-case scenario
    • One or two moderate scenarios in between

Each scenario involves trade-offs, but none should be dismissed outright, as even worst-case scenarios provide valuable insights for risk management.

  3. Assessing Probabilities and Risks: After defining scenarios, organisations must evaluate the likelihood of each one occurring. Even low-probability scenarios should be considered if they pose significant risks. This step helps leaders compare options and make informed decisions to mitigate uncertainty.
  4. Applying Scenario Insights to Decision-Making: Once the analysis is complete, organisations can adjust their strategies accordingly. For example, one company used scenario analysis to assess security risks and financial viability when expanding its locations. As a result, it opted for fewer but more secure sites, leading to improved risk management and revenue outcomes. The process also helped security teams demonstrate their strategic business value.

Four key features make scenario analysis particularly effective in decision-making:

  1. Expanding Strategic Thinking: By outlining different possible futures, scenario analysis challenges the assumption that the future will closely resemble the past. This helps organisations prepare for rapid and unexpected changes.
  2. Reducing Groupthink: In hierarchical organisations, employees often hesitate to challenge senior leaders’ opinions. Scenarios create a structured way to consider multiple perspectives, making it safer for contrarian ideas to be explored.
  3. Challenging Status Quo Bias: Many companies resist change, but scenario analysis provides a structured approach to question existing assumptions and adapt strategies accordingly.
  4. Enhancing Preparedness for Extreme Events: Scenarios help organisations navigate major disruptions such as natural disasters, pandemics, cyberattacks, and geopolitical crises. By offering a balanced approach between rigid forecasting and reactive decision-making, scenario analysis improves resilience in uncertain times.

When executed effectively, scenario analysis provides organisations with a sophisticated understanding of risk and opportunity, enabling better strategic planning and decision-making.
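As an added worked example (not from the chapter or any organisation it describes), the following Python carries the scenario steps above through a decision: define a scenario set, check that the probabilities cover the space exactly once, score two hypothetical expansion options on probability-weighted outcome and on a worst-case tolerance screen, then re-run with the worst-case probability doubled to test the assumptions. The option names (“many_sites”, “few_secure”), the four scenarios, all monetary figures and the loss tolerance of 1,000 are constructed for illustration and echo the “fewer but more secure sites” example in step 4.

```python
"""Scenario analysis as a decision screen.

Added illustration: the options, scenarios and figures below (thousands of
currency units of net annual outcome) are hypothetical, not chapter data.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float   # subjective likelihood; the whole set must sum to 1
    outcomes: dict       # option name -> net annual outcome (negative = loss)


# Constructed scenario set: a best case, two moderate cases and a worst case.
# "many_sites" expands aggressively with basic security; "few_secure" opens
# fewer sites with stronger controls. All figures are assumptions.
SCENARIOS = [
    Scenario("best: strong demand, no incidents", 0.25,
             {"many_sites": 1200, "few_secure": 600}),
    Scenario("moderate: flat demand", 0.40,
             {"many_sites": 300, "few_secure": 250}),
    Scenario("moderate: contained incident at one site", 0.30,
             {"many_sites": 50, "few_secure": 150}),
    Scenario("worst: serious breach, fines and closures", 0.05,
             {"many_sites": -2500, "few_secure": -400}),
]
OPTIONS = ["many_sites", "few_secure"]


def check_probabilities(scenarios):
    """Scenario probabilities must cover the space exactly once."""
    total = sum(s.probability for s in scenarios)
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"scenario probabilities sum to {total}, not 1")


def expected_value(option, scenarios):
    """Probability-weighted outcome of an option across all scenarios."""
    check_probabilities(scenarios)
    return sum(s.probability * s.outcomes[option] for s in scenarios)


def worst_case(option, scenarios):
    """Lowest outcome for the option in any scenario, ignoring probability."""
    return min(s.outcomes[option] for s in scenarios)


def evaluate(options, scenarios, loss_tolerance):
    """Score each option on expected value and on a worst-case tolerance screen.

    loss_tolerance is the largest single-scenario loss the board will accept
    (a positive number). A low-probability scenario can still veto an option.
    """
    return {
        opt: {
            "expected": expected_value(opt, scenarios),
            "worst": worst_case(opt, scenarios),
            "within_tolerance": worst_case(opt, scenarios) >= -loss_tolerance,
        }
        for opt in options
    }


def recommend(options, scenarios, loss_tolerance):
    """Pick the highest expected value among options that pass the screen.

    If nothing passes, return the option with the smallest worst-case loss so
    the decision-maker sees that no option fits the stated tolerance.
    """
    scores = evaluate(options, scenarios, loss_tolerance)
    passing = [o for o in options if scores[o]["within_tolerance"]]
    if passing:
        return max(passing, key=lambda o: scores[o]["expected"])
    return max(options, key=lambda o: scores[o]["worst"])


def stress_probability(scenarios, name, new_probability):
    """'What if this assumption is wrong?': reassign one scenario's probability
    and rescale the others so the set still sums to 1."""
    target = next(s for s in scenarios if s.name == name)
    scale = (1.0 - new_probability) / (1.0 - target.probability)
    return [
        Scenario(s.name,
                 new_probability if s is target else s.probability * scale,
                 s.outcomes)
        for s in scenarios
    ]


if __name__ == "__main__":
    for opt, score in evaluate(OPTIONS, SCENARIOS, loss_tolerance=1000).items():
        print(f"{opt:12} expected={score['expected']:8.1f} "
              f"worst={score['worst']:8.1f} passes={score['within_tolerance']}")
    print("recommended:", recommend(OPTIONS, SCENARIOS, loss_tolerance=1000))
    doubled = stress_probability(SCENARIOS, SCENARIOS[-1].name, 0.10)
    print("with breach probability doubled:",
          {o: round(expected_value(o, doubled), 1) for o in OPTIONS})
```

With these constructed figures the aggressive option wins on expected value (310 against 275), but its single breach scenario loses 2,500 against a tolerance of 1,000, so the screen rejects it and the secure option is recommended; doubling the breach probability flips the expected-value ordering as well. The point is the one made in step 3: an unlikely scenario is kept in the analysis because of its impact, not dropped because of its probability.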

Horizon Scanning: Strengthening Organisational Resilience

While it is understandable that organisations were unprepared for disruptions caused by major global events—such as the 2007–2008 financial crisis, the COVID-19 pandemic in 2020, and the supply chain disruptions following the Ukraine invasion in 2022—it raises the question of whether better foresight and horizon scanning could have mitigated these impacts. Horizon scanning is a structured approach to identifying potential sources of uncertainty, ensuring preparedness, capitalising on opportunities, and mitigating threats. However, it is not about predicting the future. Instead, it serves as a key tool in enhancing organisational resilience by helping decision-makers anticipate and prepare for emerging risks.

The Three Horizons Model

Horizon scanning is often structured around a three-horizon model, which provides different perspectives on future developments:

  • Horizon 1: Focuses on immediate actions and current challenges, impacting the organisation today and in the near future.
  • Horizon 2: Identifies visible trends that require strategic consideration in the short to medium term.
  • Horizon 3: Highlights emerging uncertainties and long-term trends that may not yet be well understood but require proactive planning.

Each horizon provides valuable insights, helping organisations balance short-term decision-making with long-term strategic planning.

Benefits of Horizon Scanning

  1. Enhancing Understanding: Helps organisations grasp the key drivers influencing future policy and strategy decisions.
  2. Identifying Knowledge Gaps: Highlights areas where further research is needed to better understand emerging trends.
  3. Building Stakeholder Consensus: Facilitates agreement among diverse stakeholders on key challenges and potential solutions.
  4. Clarifying Policy Choices: Makes explicit the difficult trade-offs and decisions that may need to be addressed in the future.
  5. Strengthening Strategic Resilience: Enables the development of adaptable strategies that can withstand external changes.
  6. Mobilising Action: Encourages stakeholders to take proactive steps in response to anticipated risks and opportunities.

Horizon Scanning Process: Six Key Steps

Step                          Description
1. Identify key stakeholders  Ensure a diverse range of perspectives is included in the process.
2. Initiate the process       Define the purpose, objectives, and expected outcomes of horizon scanning.
3. Conduct research           Assign specific, time-bound research topics to team members.
4. Gather outputs             Regularly collect and review research findings.
5. Synthesize and validate    Compile insights, present findings, and secure stakeholder agreement.
6. Monitor and review         Continuously track key risks and reassess priorities as conditions evolve.

While horizon scanning is a valuable tool, organisations should be mindful of potential challenges, such as overly long timeframes, excessive reliance on trend analysis, outdated risk assessments, misjudging the severity of risks, and the influence of groupthink or media-driven hysteria.

Integrating Horizon Scanning into Risk Management: Three Lines Model

To ensure horizon scanning effectively supports risk management, organisations can integrate it into the Three Lines of Defence Model, which consists of:

  1. First Line (Frontline Operations): Assess the potential impact of emerging risks from an operational perspective.
  2. Second Line (Risk Management Function): Evaluate risks at an organisational level and identify potential control gaps.
  3. Third Line (Internal Audit): Review the control environment’s effectiveness in responding to the identified risks.

This process involves:

  1. Identifying relevant sources and emerging topics.
  2. Feeding these topics into the three lines of defence for analysis.
  3. Reviewing the output to determine if additional risks should be considered.
  4. Using the findings to shape future organisational strategy and risk mitigation efforts.

By incorporating horizon scanning into risk management, organisations can improve their ability to anticipate and adapt to future challenges, ultimately enhancing long-term resilience.

Stress Testing

Stress-testing is a critical exercise used to evaluate a bank’s financial resilience under adverse economic conditions. Regulators mandate periodic stress tests of varying severity to ensure banks can withstand future economic shocks. If a bank’s capital, under stressed conditions, falls below the regulatory minimum, it may be restricted from distributing capital through dividends or stock buybacks. Some stress tests, such as the US Federal Reserve’s Comprehensive Capital Analysis and Review (CCAR) and the Dodd-Frank Act Stress Test (DFAST), as well as those conducted by the Bank of England, are conducted annually. Others, like the European Banking Authority’s EU-wide stress test, occur biennially. A key element of stress-testing is the use of macroeconomic scenarios. Regulators define financial parameters such as GDP fluctuations, unemployment rates, and commodity price changes. Banks then model their financial performance under these conditions to determine their capital adequacy. The required capital buffer depends on the severity of the stress scenarios applied. Beyond financial metrics, stress tests also evaluate a bank’s risk governance and control frameworks. An effective stress-testing framework should clearly define:

  • Responsibilities for model development and validation
  • The design and selection of stress scenarios
  • The application of stress test results in decision-making
  • The reporting and review process to ensure robust oversight

By integrating both quantitative and qualitative assessments, stress-testing helps strengthen the overall stability and resilience of the financial sector. Stress testing evaluates an organization’s ability to endure a variety of potential challenges. A common dictionary definition describes it as a test, often lab-based, to measure how much stress, strain, or wear a product or material can handle. In practice, stress testing involves subjecting an organization to realistic yet extreme risk scenarios until it nears collapse, helping to define risk tolerance thresholds and establish preventive measures to avoid failure. In banking, stress testing assesses financial resilience, with regulators mandating periodic tests of varying intensity to ensure banks can weather future economic downturns. These tests rely on macroeconomic scenarios, where regulators specify shifts in broad indicators like GDP, unemployment rates, or commodity prices. Banks must then simulate their performance under these conditions, with the results determining the capital reserves they need to maintain—higher severity scenarios demand more capital. Regulator-led stress tests occur at least yearly and can lead to impactful decisions, such as:

  1. Limiting business activities, like capping new loans.
  2. Requiring more risk capital, potentially necessitating new funding.
  3. Selling off high-risk business segments (e.g., trading operations) to protect core functions like consumer lending.
  4. Curbing dividend payouts to shareholders.

A robust stress-testing framework incorporates qualitative elements, such as clear roles and responsibilities for developing and validating models, designing scenarios, applying test results, and reviewing outcomes. While these lessons stem from banking, the concepts are adaptable across industries, with risk professionals increasingly borrowing best practices from one sector to apply to others. At its core, stress testing supports various facets of risk management, as outlined below:

  1. Objectives: Scenarios altering internal/external contexts; testing shifts in strategic direction.
  2. Appetite & Tolerance: Assessing the impacts of significantly raising or lowering appetite and tolerance levels.
  3. Risk Identification: Using risk taxonomies to verify the thoroughness of risk identification.
  4. Risk Treatment/Management: Evaluating the strength of controls.
  5. Reporting and Assurance: Employing internal audits of stress tests to provide independent validation.

9.7 – Viability statements

After a series of corporate collapses, the UK’s Financial Reporting Council (FRC) reviewed whether the disclosures provided by directors in Annual Reports and financial statements adequately informed stakeholders about an organization’s risk profile and its capacity to remain operational. Companies were already required to provide a “going concern” assessment, confirming their ability to meet debt obligations as they arise. However, this assessment only covers a 12-month period following the signing of the annual financial statements. The FRC’s review led to a new mandate for directors to include a Longer-Term Viability statement in the annual report and financial statements, extending the focus beyond the short term. Although this rule applies specifically to UK listed companies, FRC guidelines often evolve into widely adopted best practices across other industries and nations. Initially introduced in 2014 under the UK Corporate Governance Code, the longer-term viability requirement fell under Principle C: Accountability, which used alphabetic labeling. The 2018 revision of the code switched to numeric referencing for its principles.

The following are the relevant extracts from the FRC (2018) Code on disclosure requirements:

Principle O:

The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take to achieve its long-term strategic objectives.

The disclosure requirements:

  1. The board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated.
  2. Taking account of the company’s current position and principal risks, the board should explain in the annual report how it has assessed the prospects of the company, over what period it has done so and why it considers that period to be appropriate. The board should state whether it has a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, drawing attention to any qualifications or assumptions, as necessary.

Key aspects of the above include:

  • Appropriate period of time.
  • Principal risks.
  • How risks are managed and mitigated.
  • Ability to continue in operation and meet liabilities as they fall due.
  • Making an assessment.

1) Appropriate Time Period: The duration to be covered should be decided based on various considerations, such as:

  1. The board’s duties as stewards of the company.
  2. Prior statements made, particularly those tied to capital-raising efforts.
  3. The type of business and its current developmental phase.
  4. The timelines for its investment and planning cycles.

This period must extend well beyond 12 months from the date the financial statements are finalized.

2) Principal Risks: The principal risks are those that could trigger events or conditions jeopardizing the company’s business model, ongoing performance, solvency, liquidity, or reputation. Organizations must evaluate whether they’re accounting for all credible threats to their survival, including emerging risks and significant uncertainties. Directors should reflect on what long-term shareholders would reasonably expect them to monitor as potential hazards.

3) Managing Risks: The board’s approach to handling and reducing risks is a factual matter that should be included in the risk description provided. Risk-taking is inherent to business operations. The viability statement offers a chance to show shareholders that the board grasps and balances risk versus reward on their behalf. The board must ensure routine operational risks are managed effectively, allowing scenario planning to zero in on realistic, transformative events.

4) Liabilities: When assessing the organization’s ability to keep running and meet obligations as they arise, directors are urged to take a wide-ranging view:

  1. Identifying factors that could undermine future performance.
  2. Assessing impacts on the ability to stay operational.
  3. Ensuring long-term viability.

Directors should also weigh risks to:

  1. Solvency – the ability to fully cover financial obligations.
  2. Liquidity – the capacity to pay debts when due, which could be a timing challenge even if solvency holds long-term.
  3. Other threats to the company’s sustainability.

5) Making an Assessment: The FRC’s guidance highlights stress testing and reverse stress testing as foundational methods for evaluation. Stress testing involves applying pressure to a scenario—using severe yet believable conditions—to see if the company can endure. Reverse stress testing determines the stress level needed to “break” the company and checks if that threshold remains plausible.

Three analytical approaches are possible:

  1. Qualitative analysis: Low complexity and minimal data needs, but unlikely to suffice alone for a “robust” outcome as required.
  2. Scenario planning: Moderate complexity and data demands; likely the preferred choice outside financial services.
  3. Modeling: High complexity and data-intensive; common in financial services for regulatory compliance, but less feasible elsewhere without substantial resources.

In 2020, the UK’s Financial Reporting Council (FRC) evaluated how UK listed companies were handling longer-term viability reporting. This review also touched on going concern reporting, though that aspect falls outside your current studies. Key takeaways from the review include:

  1. Assessment Period
    When companies shorten their viability assessment timeframe due to uncertainties like Covid-19 or other factors, the FRC expects a transparent rationale for the adjustment and justification for the new, shorter period chosen.
    Most companies reviewed assessed their viability over a three-year span.
  2. Risks and Uncertainties
    Viability statements didn’t always address all principal risks and uncertainties. For instance, one company highlighted three risks chosen for intensified stress testing, while another noted that although all identified risks could affect group performance, only certain ones threatened its financial stability. This clarity was valuable, showing which risks most endangered viability.
    Top-tier disclosures tied specific scenarios directly to particular principal risks and uncertainties.
    Some firms offered vague assurances about applying mitigating actions or simply pointed to mitigations listed elsewhere in the strategic report’s principal risks section.

You should be able to locate disclosures meeting these standards:

  1. The board must perform a thorough evaluation of the company’s emerging and principal risks, confirming in the annual report that this has been done. This should include a rundown of principal risks, details on processes for spotting emerging risks, and how these risks are being managed or mitigated.
  2. Considering the company’s current standing and principal risks, the board should outline in the annual report how it evaluated the company’s future prospects, the timeframe used, and why that period is suitable. The board must also indicate whether it reasonably expects the company to remain operational and meet its obligations as they arise over that period, noting any caveats or assumptions as needed.

ERM Chapter 8.5 Enabling Sustainability risk

Sustainability involves complex issues that can be both good and bad for an organization. These issues often clash with each other and bring both opportunities and challenges. Because of this, strong risk management is essential. It helps organizations achieve and handle sustainability goals. Sustainability can stir strong feelings—some people think climate change isn’t real, while others see it as the biggest problem we face today. A skilled risk manager can unite people with different opinions and help them agree on a plan. Risk management also sets clear tasks, goals, and responsibilities. That’s why sustainability rules and guidelines, like the Taskforce on Climate-Related Financial Disclosure (TCFD), mention risk management so often. In the end, sustainability risks should be treated like any other risks in a company. It’s easier for organizations to see sustainability as just one of many risks they need to manage.

Risk management helps make sustainability possible by checking each UN Sustainable Development Goal (SDG) to figure out if it’s good or bad for the organization and the area around it. Some SDGs can bring benefits, like having leaders from different backgrounds, making nature better when building new places, or knowing all companies must follow the same rules. Other SDGs can cause problems, such as polluting water through company actions or getting into legal and reputation trouble if unfairness happens. Often, one SDG can be both a chance to gain and a risk to avoid, and the risk manager has to handle both sides carefully. When thinking about sustainability, companies might decide to do things that don’t seem worth it just for profit but still make sense overall. How a company works on these SDGs depends on whether it sees them as risks or possibilities—for risks, it tries to stop bad things from happening; for possibilities, it tries to make good things happen. Also, different people connected to the company might see its role in reaching these goals in different ways.

Social materiality

In sustainability, the word “materiality” is used a lot, but it can mean different things depending on the context. Risk managers need to understand these differences to effectively work with various people and viewpoints when deciding which risks or issues matter most. To determine what’s important, two main questions need to be answered: How do we decide what counts as important, and who is it important to?

1. Deciding What Is Important (Materiality Criteria)

When figuring out what’s important, we often look at how big or serious a risk could be. This is similar to how risks are sorted in a chart that compares their impact (how much harm they could do) and likelihood (how likely they are to happen). In this approach, the most “material” risks are usually those with the biggest potential impact or those that are both very likely and very serious. For sustainability, though, it’s not enough to just think about money or reputation. The criteria should also cover the environment, people (social factors), and how the organization is managed (governance).

2. Who It Is Important To (Dynamic Double Materiality)

The second question is about who cares about these risks or issues. In finance and law, something is “material” if knowing about it would change a typical person’s decision. In finance, that person is usually a shareholder; in law, it’s more like an everyday person you might meet. In sustainability, it’s more complicated because many different people—called stakeholders—might be affected and have different concerns. So, we use “double materiality” to think about two things: how an issue affects the organization’s goals and how the organization’s actions affect other people’s goals. This matters because if we impact others, it could eventually affect us too, depending on how they respond. It’s called “dynamic” double materiality because the situation keeps changing, and what’s important to people can shift over time.

Focusing on Social Materiality

Now, let’s look at “social materiality,” which is about what matters to people. A common way to figure this out is by asking different groups what they think about a set list of topics—like risks or issues that the organization cares about. Two groups are usually involved: one representing the organization itself and another representing people who might be affected by what the organization does. Each group rates the topics from “not important” to “very important.” Then, their ratings are compared to see which topics stand out as most important to both sides. This helps prioritize what really matters socially. Materiality in sustainability is about understanding what’s important, how to measure it, and who it affects. By considering a wide range of factors and perspectives—and knowing these can change—risk managers can better handle sustainability challenges.

In measuring social materiality, the social materiality matrix can be taken a step further by considering how well the perceptions of what is important to stakeholders align with those of the business or organization. The material topics are those positioned in the top right-hand corner of a typical social materiality matrix, but it is often more useful to consider those in the top left and bottom right corners, where the two groups' ratings disagree.
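The two-group rating exercise described above, and the quadrant reading of the resulting matrix, carried through in code. This is an added example and not part of the textbook: the survey scores are constructed, the 1-5 scale and its midpoint as the "important" threshold are assumptions, and the axis convention (x = importance to the organisation, y = importance to stakeholders) is also an assumption, chosen so that "top left" means stakeholders rate a topic high while the organisation rates it low.

```python
from statistics import fmean

# Constructed survey data (not from the textbook): for each topic, the 1-5
# importance scores given by respondents representing the organisation and by
# respondents representing the stakeholders the organisation affects.
SURVEY = {
    "water pollution":  {"organisation": [2, 3, 2], "stakeholders": [5, 4, 5]},
    "data privacy":     {"organisation": [5, 4, 5], "stakeholders": [4, 5, 4]},
    "board diversity":  {"organisation": [4, 5, 4], "stakeholders": [2, 3, 2]},
    "office recycling": {"organisation": [1, 2, 2], "stakeholders": [2, 1, 2]},
}

# Assumption: the midpoint of the 1-5 scale separates "important" from "not important".
MATERIAL_THRESHOLD = 3.0


def quadrant(org_score, stakeholder_score, threshold=MATERIAL_THRESHOLD):
    """Place one topic on the matrix.

    Axis convention (assumed): x = importance to the organisation,
    y = importance to stakeholders. Top right is therefore "material to both".
    """
    org_high = org_score >= threshold
    stk_high = stakeholder_score >= threshold
    if org_high and stk_high:
        return "top right: material to both"
    if stk_high:
        return "top left: stakeholder priority"
    if org_high:
        return "bottom right: organisation priority"
    return "bottom left: not material"


def build_matrix(survey, threshold=MATERIAL_THRESHOLD):
    """Average each group's ratings per topic and classify the topic's quadrant.

    'gap' is stakeholder average minus organisation average: positive means
    stakeholders care more than the organisation does, negative the reverse.
    """
    matrix = {}
    for topic, scores in survey.items():
        org = fmean(scores["organisation"])
        stk = fmean(scores["stakeholders"])
        matrix[topic] = {
            "organisation": round(org, 2),
            "stakeholders": round(stk, 2),
            "gap": round(stk - org, 2),
            "quadrant": quadrant(org, stk, threshold),
        }
    return matrix


def misaligned_topics(matrix):
    """Topics in the off-diagonal corners (top left / bottom right), largest
    perception gap first. These are the ones the text says deserve attention,
    because one side sees a material issue that the other side is not yet
    managing or communicating."""
    off_diagonal = [
        (topic, row["gap"])
        for topic, row in matrix.items()
        if row["quadrant"].startswith(("top left", "bottom right"))
    ]
    return sorted(off_diagonal, key=lambda item: abs(item[1]), reverse=True)


if __name__ == "__main__":
    matrix = build_matrix(SURVEY)
    for topic, row in matrix.items():
        print(f"{topic:18} org={row['organisation']:.2f} "
              f"stk={row['stakeholders']:.2f} -> {row['quadrant']}")
    print("Misaligned, by size of gap:", misaligned_topics(matrix))
```

With the constructed data, "data privacy" lands in the top right (material to both), "water pollution" in the top left (stakeholders rate it far higher than the organisation does), and "board diversity" in the bottom right (the reverse); the misaligned list surfaces those two, largest gap first, which is the follow-up the paragraph above recommends.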

Understanding what matters to different people in a changing world is the first two steps of the four-step risk management process. We can use tools to figure out the situation we’re in, what different groups want to achieve, and what risks or opportunities they think are important. These tools also help decide which risks or opportunities need action. Risk managers should lead or team up with others to make sure this information is complete and fits into the risk management system. Sustainability often looks at what’s important in different ways. As risk managers, we need to help different groups understand a few key points:

  • Different fields have their own trusted ways to figure out what’s important, but they might not know other fields do it differently.
  • Materiality means understanding what matters and, when needed, sharing and acting on that information.
  • Different groups will care about different things for their own reasons, and all those views should be respected. What’s important varies between groups, but we should combine all these perspectives so everyone is heard.

Emerging sustainability risks

The idea of emerging risks helps people think beyond their usual ways of looking at risks or how far ahead they plan. Many organizations see sustainability risks as emerging because they are:

  • New: The organization hasn’t thought of them as threats or possibilities before.
  • Complicated: It’s hard to figure out what the real danger is.
  • Uncertain: No one knows how big the impact might be, now or later.

Some organizations don’t deal with a risk until it’s fully clear and official. This works for some risks, but sustainability risks are so tricky that we might never know everything about them. If we wait for all the details, it could be too late to take control and fix things. Take climate change as an example. Experts say global temperatures might rise 4-6 degrees above old levels by the 2040s. By then, seas could rise a lot, some areas might lose farmland to deserts, and parts of the world might get too hot to live in without special technology. If we wait until these things happen, we can’t stop them anymore. To avoid this, most countries have agreed to cut emissions close to zero by 2050. This plan slowly stops the planet from heating up too fast by thinning out the layer of greenhouse gases built up since the industrial age. Lower emissions mean slower warming, which slows down ocean heating, ice melting, and changes to plants worldwide. Reducing emissions—by making less and removing some carbon—will take years to work. If we wait to see if the science is right and the planet is warming because of human actions, it’ll be too late to act by the time we’re sure. So, we need to manage climate change risks now, even if we’re not 100% certain. Doing nothing until the proof is clear could leave the world much worse for people in the future. Even though climate change is still an emerging risk, that doesn’t mean we should ignore it. Many sustainability risks are emerging, but the key question is when to start managing them. Sometimes, we have to act even if we don’t fully understand the risks yet.

Just Transition

Working toward all 17 Sustainable Development Goals (SDGs) at once is challenging because pushing hard on one goal can sometimes harm others. For instance, if we focus only on SDG 13 (Climate Action) and forget about the other 16 goals, we might accidentally make things worse for SDG 1 (No Poverty). That’s why we need to find a fair balance. Climate change is a pressing issue that’s rushing us toward sustainability, but we have to tackle it without breaking the other goals. This careful way of handling climate change—especially how we produce energy—is called the “Just Transition.” The name “Just Transition” comes from “just,” meaning fair and rooted in justice. People see it in different ways, though. For some, it’s about helping workers in industries like oil, gas, or coal switch to new jobs as energy changes. But for most, it’s a bigger idea: using this shift to create opportunities, like spreading wealth more evenly, boosting education, and fighting diseases. To make the Just Transition happen, we have to spot where goals clash and figure out how to balance them. Good risk management plays a big role here, helping us weigh the ups and downs of our choices so we can keep everything in harmony. A just transition isn’t just about achieving sustainability—it’s about people too. By prioritizing fairness and inclusion, it ensures that the journey to a sustainable future benefits everyone, not just a select few.

A just transition refers to the process of shifting to a more sustainable economy in a way that is fair and inclusive, ensuring that no one—particularly workers and communities affected by changes in industries like energy or manufacturing—is left behind. It’s a concept rooted in sustainability and climate change efforts, aiming to address environmental challenges while preventing economic and social disruption. Essentially, it balances the need to protect the planet with the need to support people, ensuring that the move toward a greener future is equitable.

To make a just transition successful, several key steps are necessary:

  1. Stakeholder Engagement: Involve everyone who might be impacted—workers, unions, businesses, and local communities—in the decision-making process. Their input helps identify concerns and tailor solutions to their needs, ensuring the transition feels fair and collaborative.
  2. Planning and Support: Governments and companies should proactively plan for changes in the workforce. This includes offering retraining programs, financial assistance, or other support for workers whose jobs may disappear or evolve due to the shift to sustainable industries.
  3. Investment in Sustainable Opportunities: Create new jobs and industries to replace those that are phased out. For example, investing in renewable energy, green technology, or sustainable manufacturing can provide employment opportunities that align with environmental goals.
  4. Protection for Vulnerable Groups: Safeguard communities that might be disproportionately affected, such as low-income populations or indigenous groups. Special measures, like targeted funding or tailored programs, can ensure they aren’t unfairly burdened by the transition.
  5. Monitoring and Adaptation: Continuously evaluate how the transition is unfolding. By tracking its impacts and adjusting policies as needed, we can address any unintended consequences and keep the process equitable and effective.
  6. Individual thinking: Risk management can be used to help individuals think more broadly than they otherwise might. Tools such as horizon scanning, scenario analysis, and emerging risk identification can be used to aid this thinking. Sustainability affords every organization the opportunity to re-think its potential threats, opportunities, and strategy. Risk management is key to supporting this “re-think.”

Accountability

Many companies and initiatives face accusations of “greenwashing,” where they present themselves as environmentally and socially responsible while doing little to genuinely support sustainability—instead using these claims primarily for financial gain. Terms like sustainability, ESG (Environmental, Social, and Governance), and CSR (Corporate Social Responsibility) are often criticized as part of such greenwashing, undermining their potential benefits. To be meaningful, sustainability efforts must focus on real action and measurable impact in addressing sustainability-related risks and opportunities. From a risk management standpoint, this means prioritizing actual controls over mere data collection and guidelines. Additionally, performance measurement should be transparent and verifiable. Currently, most sustainability reporting relies on self-assessment surveys, which often emphasize checkbox-style compliance—such as having policies or tracking emissions—rather than tangible progress. However, there is a positive shift toward assessing real-world impact, supported by independent, verifiable data sources like satellite-based emissions monitoring. These third-party datasets enhance credibility, offering stakeholders (such as investors) reliable information to evaluate sustainability performance. Investors increasingly incorporate ESG ratings into their decision-making, alongside traditional financial, legal, and technical due diligence. Post-investment, sustainability KPIs and KRIs (Key Performance and Risk Indicators) may be monitored regularly, reflecting growing expectations for investor stewardship. Accountability for genuine sustainability impact extends beyond companies to investors, insurers, suppliers, and customers—all share responsibility in ensuring organizations deliver real benefits rather than just greenwashing. Several ESG rating agencies have emerged, using proprietary methods to assess and rank companies. 
While their methodologies have strengths and weaknesses, they provide investors with material insights that can influence investment decisions. A notable example of ESG criticism came from Elon Musk, who in 2022 called ESG a “scam” and accused it of being misused by “phony social justice warriors.” His frustration followed Tesla’s removal from the S&P 500 ESG Index, despite its role in electric vehicle production. The exclusion was based on factors like Tesla’s lack of a clear low-carbon strategy, workplace discrimination allegations, and safety concerns related to its autonomous driving systems. This highlights that ESG evaluates not just a company’s products (e.g., electric cars) but also its operational practices. While creating sustainability plans and standards is important, real impact comes from their execution—aligning with the principle that true controls modify risk (whether threats or opportunities). Given the evolving state of corporate sustainability, ESG’s full impact is still emerging. Reporting should emphasize actual progress rather than future promises. Risk management plays a key role in holding organizations accountable, ensuring ESG targets are realistic and properly supported.

Sustainability and resilience

In the past, “sustainability” and “resilience” were often used to mean the same thing. Some organizations still use them interchangeably to suggest long-term survival. However, these terms now have distinct meanings, and conflating them causes confusion.

Defining Resilience: ISO 22316, the international standard on resilience, defines it as an organization’s ability to adapt to change, recover from disruptions, and continue achieving its goals.

Sustainability vs. Resilience

  • A sustainable organization improves the planet and society for future generations.
  • A resilient organization survives shocks and adapts to change.

While a sustainable organization is likely resilient, a resilient one isn’t necessarily sustainable.

Key Differences

  • Resilience focuses on survival—how an organization handles internal or external shocks.
  • Sustainability looks beyond survival to positive impact—how the organization affects society and the environment.

Materiality Perspective

  • Resilience = Single materiality (How risks affect the organization).
  • Sustainability = Double materiality (How the organization affects the world, and vice versa)

Climate change

The management of climate-related risks encompasses diverse approaches, with this discussion concentrating specifically on the transformative financial disclosure requirements introduced through the mandatory adoption of the Task Force on Climate-related Financial Disclosures (TCFD) framework, as established during COP26 in Glasgow (2021).

The financial sector is undergoing significant transformation. Entities seeking capital investment are now expected to demonstrate their consideration and management of climate-related factors. In the United Kingdom, this requirement is fulfilled through TCFD compliance reporting. Numerous other jurisdictions – including the European Union, Canada, and the United States – are developing comparable regulatory frameworks, with all indications suggesting these will maintain substantial alignment with TCFD standards. While multiple climate reporting mechanisms exist, the TCFD framework currently represents the focal point for substantial reforms in financial risk disclosure practices.

Historical Development of TCFD:

  • 2015-2016: The G20 Finance Ministers commissioned the Financial Stability Board to evaluate climate change as a systemic risk to global financial stability
  • 2017: TCFD released its inaugural recommendations, enabling financial institutions to systematically identify and incorporate climate risk assessment into core financial operations
  • Subsequent implementation required banking institutions, insurance providers, and investment firms to evaluate potential climate-related financial impacts across their portfolios
  • 2020: The Network for Greening the Financial System (NGFS), a consortium of central banks, issued comprehensive guidance for long-term (30-year horizon) climate scenario analysis
  • November 2021: The UK government mandated TCFD reporting for all large corporate entities

TCFD Reporting Framework Components:

  1. Governance – Climate risk oversight structures
  2. Strategy – Climate impact integration into business planning
  3. Risk Management – Identification and mitigation processes
  4. Metrics & Targets – Performance measurement and objective setting

Strategy and risk management

The TCFD governance mandate necessitates structured board-level engagement with climate change matters, including rigorous discussion and challenge processes. In organizations lacking dedicated sustainability committees, this responsibility typically resides with the risk (and audit) committee, as these forums facilitate the most comprehensive integration of climate considerations with broader enterprise risks. It is critical to recognize that governance structures must be tailored to each organization’s specific operational context. Effective governance must align with and support organizational strategy. Climate-related considerations should be formally embedded within the core business strategy rather than treated as a separate initiative. This integration typically occurs through a structured process involving:

  1. Comprehensive materiality and risk assessments
  2. Control evaluation and action planning
  3. Continuous performance monitoring and strategy refinement

This cyclical approach enables progressive optimization of climate strategy implementation. TCFD specifically recommends scenario analysis as the primary methodology for evaluating potential climate risks and informing strategic responses. The framework provides particularly valuable guidance on categorizing climate-related risks:

Physical Risks:

  • Sea level rise
  • Drought conditions
  • Extreme weather phenomena
  • Wildfire incidents

Transition Risks:

  • Carbon pricing mechanisms
  • Insurance availability and affordability
  • Regulatory compliance requirements

While TCFD terminology distinguishes risks (exclusively negative) from opportunities, organizations may concurrently assess both elements using conventional enterprise risk management methodologies. This dual perspective allows for comprehensive threat mitigation while capitalizing on emerging prospects in the transition to a low-carbon economy.

Scenario analysis

The Task Force on Climate-related Financial Disclosures (TCFD) asks companies to do a scenario analysis. This means looking at risks (and opportunities, since TCFD uses both terms) for the medium term (about the next 7 years) and the long term (about the next 25 years). TCFD doesn’t say exactly how to do it, so it’s usually up to the risk manager to pick the best way. Scenario analysis is a tool used when assessing risks is too difficult or too costly by other means. Climate change is complicated and uncertain, so it fits this approach. A scenario is like a story that shows how things might turn out; it is not a forecast of what will happen or just the most likely result. Instead, it helps companies imagine different possible futures. The Network for Greening the Financial System (NGFS) has created some trusted scenarios with solid data behind them, and it updates these regularly. Most companies start with these scenarios because they’re reliable and match what others are doing. Doing the scenario analysis is useful, but the real benefit comes from what happens next: the actions it sparks, the changes to plans, and the goals and measures set to track progress.

Climate change – metrics and targets

Organizations track many different things related to climate change—like water use or how diverse their leaders are—but right now, most focus on emissions.

Types of Emissions

Emissions are split into three groups, called scopes:

  • Scope 1: Direct emissions from things the company owns, like its buildings or cars.
  • Scope 2: Indirect emissions from energy the company buys, like electricity or heating for its own use.
  • Scope 3: Other indirect emissions, split into:
    • Upstream: Things like goods and services the company buys, fuel use, shipping, waste, business trips, employee commutes, and leased items.
    • Downstream: Things like shipping sold products, how products are used, or what happens to them when they’re thrown away, plus investments or franchises.

For example, an investment bank might have tiny Scope 1 and 2 emissions but a huge Scope 3 footprint because of the emissions from the companies it invests in. Ideally, every organization should measure and report all three scopes. Emissions include all key greenhouse gases, not just carbon dioxide. The big aim is for all organizations to hit net zero emissions—and keep it that way—before 2050. They’ll do this with a transition plan that tracks their progress. The term “net zero” can be tricky and changes over time. Right now, it means cutting emissions as much as possible and using offsetting (like buying carbon credits) when cutting more isn’t an option. This balances things out so the organization adds no extra emissions to the air. Buying carbon credits to offset emissions is a growing market. By 2030, experts think a ton of carbon in the U.S. might cost between $100 and $200. The rules, markets, and prices are still unclear, which makes this tricky. With so much uncertainty about rules, costs, and markets, risk management is key. It helps organizations handle the risks and possibilities tied to climate change over the coming decades.

ERM Chapter 7 Strategy

Strategy serves as a critical foundation for enterprise risk management. The establishment and understanding of organizational objectives stems from the strategy, with risk management concentrating on the uncertainties that could impact the realization of those objectives. Strategy is emphasized in the initial stage of the ISO 31000 process (defining scope, context, and criteria) and in the second element of the updated COSO ERM Framework (strategy and objective setting). It is also a key component of the risk management (RASP) framework. A clear grasp of an organization’s mission, vision, and core values, along with the formulation of its strategy and objectives, is essential for identifying, understanding, and managing risks in alignment with the organization’s risk appetite. We will explore strategy and objectives in depth, presenting approaches to crafting business strategy and expanding on this foundation to examine the interplay between risk and strategy processes. Lastly, we will assess the role of risk within various strategy models.

Business strategy outlines what an organization aims to accomplish and the methods it will use to do so, rooted in decisions about its future direction. It articulates where the organization envisions itself in three to five years, often expressed through strategic objectives. A well-defined business strategy allows the organization to fulfill its mission, objectives, strategies, and plans. According to the Oxford English Dictionary, strategy is a plan designed to achieve a specific goal. It is a vital component of success for both individuals and organizations. While a solid strategy doesn’t ensure success, it significantly boosts the likelihood. Effective strategies typically feature four key aspects: clear long-term goals, a deep understanding of the external landscape, a sharp evaluation of internal resources and strengths, and strong execution. Strategy is a recognized business discipline that has been extensively studied. Notable insights on strategy include:

  • Lee Bolman: “A vision without a strategy remains an illusion.”
  • Lewis Carroll: “If you don’t know where you are going, any road will get you there.”
  • Stephen Covey: “Begin with the end in mind.”

Grasping the concept of strategy is fundamental to enterprise risk management.

7.1 The board’s role in defining strategy

A primary goal of a governance structure is to ensure that an organization’s strategy is effectively executed. The strategy originates with the organization’s Shareholders, Members, or Trustees. By establishing and sustaining the organization, they define its fundamental purpose. They delegate the responsibility of overseeing this purpose to a board of directors, who establish the strategic objectives. The board, leveraging its authority, then empowers the executive team to develop and implement a plan to achieve these strategic goals. As such, when discussing risk management, it is crucial to revisit and understand the strategic objectives set by the board on behalf of the Shareholders, Members, or Trustees.

Formulating Strategy

Strategy develops over time and varies in focus depending on an organization’s lifecycle stage. To guide the development and evaluation of strategy, organizations employ a range of management models. The following widely recognized management models assist in designing, validating, implementing, and reviewing organizational strategy:

Design – crafting potential strategic pathways for the organization:

  • Ansoff Model
  • Business Model Canvas
  • CORR (Customer, Offering, Resources, and Resilience)

Validation – evaluating strategic options to determine the most suitable course of action:

  • SWOT (Strengths, Weaknesses, Opportunities, Threats)
  • Porter’s Five Forces
  • PESTLE (Political, Economic, Social, Technological, Legal, Environmental)

Implementation – converting the selected strategy into actionable objectives and tasks:

  • VMOST (Vision, Mission, Objectives, Strategy, Tactics)
  • Value Chain Analysis

Review and Repurpose – periodically assessing existing strategies and objectives to ensure ongoing relevance:

  • BCG Matrix
  • Kotter’s “Our Iceberg Is Melting”
  • McKinsey 7S Model

Typically, organizations establish a 3-to-5-year strategy to fulfill the vision and mission set by shareholders, which is then endorsed by the board. Alongside this, they create an annual plan and financial budget, which form a shorter-term subset of the broader strategy, focusing on immediate goals. The 3-to-5-year strategy documents and annual plans are generally internal resources and not publicly released. However, many organizations issue a strategy statement or report, often included in their annual report. In larger organizations, there may be legal or regulatory obligations to disclose strategy details. In the UK, the Financial Reporting Council’s “Guidance on the Strategic Report” outlines requirements for what must be included in a strategic report. This ensures shareholders receive a comprehensive and clear overview of the organization’s business model, strategy, development, performance, position, and future outlook, including a description of key risks and their potential impact on future prospects. While the FRC guidance is tailored to UK public limited companies, it has been widely adopted as a best practice standard across other countries and organization types. Organizations are often hesitant to share detailed strategy documents broadly, even internally. Publicly available strategy statements tend to emphasize marketing angles and are sometimes referred to as business plans. Many smaller organizations lack formal strategy statements or documentation altogether.

A critical aspect of strategy is how an organization manages its reputation. To evaluate an organization’s reputation and understand the potential sources of reputation risk, it’s useful to break down and map out the elements that shape its reputation. Reputation risk is a major concern for business leaders because it acts as a meta-risk—capable of emerging and escalating rapidly from both internal and external sources. For organizations with a strong reputation or those that depend on it to draw investment and talent, reputation risk poses a significant threat. Organizations possess a ‘reputation premium,’ which reflects their earning potential beyond what is accounted for in their brand or net assets. Many leading global brands rely heavily on this premium. Should this organizational value be jeopardized or undermined, the consequences could be severely damaging.

The board and strategic risk

7.2 Risk Management Strategy

Having explored organizational strategy, we now examine how risk management integrates with it. Below is a straightforward 4-step process for managing risk. When aligned with an organization’s strategy, it appears as follows:

  • Step 1 – Evaluate the context, strategy, and objectives, and determine the level of risk the organization is prepared to pursue or tolerate to meet these goals (risk appetite).
  • Step 2 – Identify and evaluate the risks tied to achieving the strategy and objectives.
  • Step 3 – Implement the necessary controls and measures to address these risks.
  • Step 4 – Continuously monitor and reassess the risks and controls, reporting to stakeholders on their impact on the strategy and objectives.

This 4-step process is cyclical. If the proposed risk management approach does not align with the organization’s risk appetite, a strategy review may be necessary. In such cases, two options emerge:

  • Adjust the strategy, objectives, and/or risk appetite, or
  • Enhance the management efforts, such as increasing investment in controls.

ERM – four easy steps

When examining how strategic risk is handled within organizations, it’s critical to recognize that the board should either take ownership of or maintain close oversight over the organization’s strategic risks. In certain organizations, a dedicated strategic risk register exists, typically managed by the Chief Risk Officer or a similar role, reflecting the connection between the board and the organization’s risk data.

The following strategic risk categories are typical examples found in strategic risk registers:

  • Succession planning for the CEO and key C-suite executives.
  • Risks posed by competition.
  • Existential threats or evolutionary shifts within the industry.
  • Arrangements for shareholder exits.

Boards should address four essential strategic questions regarding risks to the strategic plan:

  1. How do we align enterprise risk management (ERM) with the organization’s strategic direction and plan?
  2. What are our primary business risks, both those arising from the strategic plan and those that could either jeopardize or bolster it?
  3. Are we accepting an appropriate level of risk?
  4. Are we aware of which risks, if effectively managed, could enhance or diminish the organization’s value or performance?

These questions are part of a broader set of board inquiries designed to steer discussions toward ensuring that risk management processes and frameworks are suitable for achieving the intended ERM goals, rather than merely confirming compliance with those processes and frameworks.

Strategy and Risk Management standards

Risk management standards place significant emphasis on strategy. We reviewed key standards, primarily ISO 31000 and COSO, both of which underscore the need to comprehend an organization’s context and objectives, including its strategy.

In ISO 31000, strategy is addressed within the “Scope, context, and criteria” phase of the risk management process. This step involves:

  • Outlining the purpose and scope of risk management efforts.
  • Assessing the organization’s external and internal context.
  • Establishing risk criteria by determining the acceptable level and nature of risk.
  • Setting criteria to assess risk significance and aid decision-making.

The COSO (2017) framework highlights the centrality of strategy in enterprise risk management (ERM), noting that “enterprise risk management is as much about understanding the implications from the strategy and the possibility of the strategy not aligning as it is about managing risks to set objectives.” COSO elaborates on strategy and objective-setting with the following components:

  1. Analyzes Business Context – The updated framework evaluates the business context, considering internal and external stakeholders. It stresses that management must account for risks arising from shifts in the business environment and adjust strategy execution accordingly.
  2. Defines Risk Appetite – The organization sets its risk appetite in the context of creating, preserving, and realizing value. This appetite is factored into strategy formulation, articulated by management, endorsed by the board, and embedded throughout the organization.
  3. Evaluates Alternative Strategies – Different strategies rest on varying assumptions, which may be vulnerable to change. The organization assesses strategic options, selecting one that enhances value while factoring in risks tied to the chosen strategy.
  4. Formulates Business Objectives – Management defines objectives at various business levels that align with and support the strategy, ensuring they reflect and conform to the organization’s risk appetite.

Other standards addressing strategy and its associated risks include:

  • Banking – Basel III
  • Insurance – Solvency II
  • Health and Safety – ISO 45000 family (Occupational Health and Safety)
  • Legal – ISO 31022 (Guidelines for Managing Legal Risk)
  • Business Continuity – ISO 22301 (Business Continuity)
  • Projects – Association for Project Management PRAM Guide
  • UK Public Sector – The Orange Book 2020

While risk registers typically list numerous operational and project-related risks, it’s critical that they also include high-level strategic risks, which are a priority for senior management and the board. In some organizations, due to confidentiality concerns, a separate strategic risk register may be maintained by the Chief Risk Officer or a similar role.

RASP

RASP stands for Risk Architecture, Strategy and Protocols. Strategy in the context of RASP refers to the risk management strategy that the organization has adopted. This is not the overall strategy of the organization itself but the strategy for how risk will be managed in the organization. The strategy an organization chooses can shape its approach to risk management. This strategy is typically influenced by the organization’s current stage in its lifecycle, as illustrated in the Organizational Lifecycle figure. For instance, during the startup and growth phases, the strategic emphasis is usually on expansion and development. Operations at this point are often streamlined and flexible, with risk management largely handled by frontline teams and limited centralized support. In contrast, during the maturity stage, the focus often shifts to boosting margins for existing products or services and fostering innovation for new offerings. By this stage, organizations typically have established a more structured risk management framework, including a strong, professional risk function within the second line of defense. Thus, as an organization progresses through its lifecycle stages, there is an opportunity for its risk management practices to evolve and mature accordingly.

The risk management framework consists of:

  1. Risk management architecture
    • Committee structure and terms of reference
    • Roles and responsibilities
    • Internal reporting requirements
    • External reporting controls
    • Risk management assurance arrangements
    • Budget and agreement on resources
  2. Risk management strategy
    • Risk management philosophy
    • Arrangements for embedding risk management
    • Risk appetite and attitude to risk
    • Benchmark tests for significance
    • Specific risk statements/policies
    • Risk assessment techniques
    • Risk priorities for the present year
  3. Risk management protocols
    • Tools and techniques
    • Risk classification system
    • Risk assessment procedures
    • Risk control rules and procedures
    • Responding to incidents, issues and events
    • Documentation and record keeping
    • Training and communications
    • Audit procedures and protocols
    • Reporting/disclosures/certification

Up to this point, we’ve examined the risks stemming from an organization’s strategy and its strategic objectives. Another significant way strategy impacts risk management is through the establishment of the organization’s risk appetite. Risk appetite refers to the level of risk an organization is prepared to pursue or tolerate to achieve its goals. To fully leverage the benefits of risk management, it’s essential that the strategy and risk appetite statements are in sync. This alignment is typically evident in the formal delegation of powers and authority within the organization.

7.3 Strategy Model

Organizations are increasingly integrating enterprise risk management (ERM) into their strategy-setting processes. Rather than developing a strategy and then identifying the risks it generates, they are incorporating risk considerations directly into the strategy formulation stage. We explored this interplay between risk management and strategy within the COSO (2017) ERM Framework.

The COSO (2017) ERM Framework highlights that “the role of risk in strategy selection” involves making decisions and embracing trade-offs. Applying ERM to strategy is logical, as it provides a structured way to balance the art and science of informed decision-making.

Risk often plays a role in strategy-setting, but traditionally, it is assessed mainly for its potential impact on a pre-established strategy. Discussions typically center on risks to the current plan: “We have a strategy—what might undermine its relevance or feasibility?” However, organizations are improving at asking broader, proactive questions: “Have we accurately forecasted customer demand? Can our supply chain meet deadlines and budgets? Will new competitors arise? Is our technology infrastructure sufficient?” These are daily challenges for executives, and addressing them is essential to executing a strategy effectively.

In this section, we merge strategy and risk management, exploring: How can risk management shed light on the application of strategy models? How can risk management tools aid in strategy development?

We examine how risk management can enhance our understanding of strategy models across the following stages:

Design – Generating potential strategic options for the organization:

  • Ansoff Model
  • Business Model Canvas
  • CORR (Customer, Offering, Resources, and Resilience)

Validation – Assessing the identified strategic options to choose the most suitable one:

  • SWOT (Strengths, Weaknesses, Opportunities, Threats)
  • Porter’s Five Forces
  • PESTLE (Political, Economic, Social, Technological, Legal, Environmental)

Implementation – Converting the selected strategy into actionable objectives and tasks:

  • VMOST (Vision, Mission, Objectives, Strategy, Tactics)
  • Value Chain Analysis
  • SMART (Specific, Measurable, Achievable, Relevant, Time-bound)

Review and Repurpose – Periodically evaluating existing strategies and objectives to ensure they remain appropriate:

  • BCG Matrix
  • Kotter’s “Our Iceberg Is Melting”
  • McKinsey 7S Model

1) The Ansoff Product / Market Grid Model

The Ansoff Model is a tool for crafting strategy. Various models are available to organizations for strategy design, and in this course, we’ve chosen models widely applied across industries globally. The design phase typically occurs in these situations:

  1. Launching a new organization – Depending on the size and complexity, strategy design might involve a highly structured, formal process or a more casual approach that develops as the concept for the new organization solidifies.
  2. Introducing a new product or service, or
  3. Experiencing a major shift in the organization’s internal or external environment.

This model provides a systematic approach to defining the scope and direction of an organization’s strategic growth within the marketplace. It serves as a framework to pinpoint growth directions and opportunities. From a risk management standpoint, the Ansoff Model pairs effectively with the positive aspect of risk (opportunities) and aligns with risk appetite considerations. For instance, if the chosen strategy is Market Development, the organization may need to embrace a higher risk appetite to pursue greater risk. The model is illustrated below.

2) Business Model Canvas

This model provides a structure for designing and evaluating how an organization interacts with its market, utilizes its resources, and delivers its customer offerings. It outlines the process by which an organization generates, provides, and secures value. The framework consists of nine elements: customer segments, value propositions, channels, customer relationships, revenue streams, key resources, key activities, key partnerships, and cost structure. From a risk management perspective, this model supports risk identification by examining the organization through nine distinct perspectives, each presenting its own set of risks. It also aids in considering critical controls—specifically, what actions are necessary to ensure each component functions effectively.

3) CORR

This tool is used for shaping strategy. CORR, which stands for Customer, Offering, Resources, and Resilience, views an organization’s business model as centered on delivering specific customer offerings. These offerings are supported by the organization’s resilience and mechanisms to ensure its long-term sustainability. The model can be broken down as follows:

  • Customer encompasses analysis of customer segments, acquisition, retention, and the methods for delivering products or services.
  • Offering refers to the value proposition for customers and the associated benefits provided to them.
  • Resources cover the organization’s data, capabilities, assets, as well as its partnerships and networks.
  • Resilience reflects the organization’s reputational strength (rooted in ethos and culture) and financial stability (based on revenue and expenditure).

From a risk management standpoint, this model promotes a perspective focused on risk resilience within the organization.

4) SWOT

This model aids in validating proposed strategies by providing insight into how well the strategy’s key components align with the organization’s strengths and opportunities. SWOT, an acronym for Strengths, Weaknesses, Opportunities, and Threats, is a framework—sometimes called situation analysis—used to assess an organization’s competitive standing. It evaluates both internal and external factors, offering a lens to examine current capabilities and future possibilities. The model is effective in brainstorming settings and is relatively easy to grasp and apply. From a risk management perspective, it effectively highlights the internal and external context related to risk and serves as a valuable tool in risk workshops to encourage discussions about risk.

5) Porter’s Five Forces

Porter’s Five Forces is a tool for evaluating the competitive landscape surrounding an organization. It considers factors such as the number and strength of competitive rivals, the threat of new entrants, the influence of suppliers and customers, and the availability of substitute products or services. These elements shape the competitive environment and, consequently, affect an organization’s capacity to generate value, as illustrated. From a risk management viewpoint, this model encourages a thorough assessment of strategic risks arising from external competition. It also informs risk appetite decisions by prompting consideration of competitive areas where significant risk-taking might be necessary to secure market share.

6) PESTLE (Political, Economic, Social, Technological, Legal, Environmental)

PESTLE analysis offers a structure for recognizing external influences impacting an organization. Represented by the acronym, it covers six key external factors: political, economic, sociological, technological, legal, and environmental. These elements can significantly influence an organization, with effects that vary in scope, such as short-term or long-term impacts.

“PESTLE” stands for:

  1. Political Risks – Risks arising from changes in government policies, regulations, political stability, trade restrictions, and other factors related to government actions that can impact the organization’s operations. Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability are some examples.
  2. Economic Risks – Risks related to economic conditions, such as inflation, currency fluctuations, economic growth or recession, interest rates, and unemployment rates, which can affect the organization’s financial health and market conditions. Economic growth/decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living, etc. are some examples.
  3. Social Risks – Risks associated with societal changes and trends, such as shifts in demographics, cultural values, consumer behaviors, and lifestyle changes, which can influence demand for the organization’s products or services. Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming are some examples.
  4. Technological Risks – Risks stemming from changes in technology, including advances, cyber threats, and technology obsolescence, which can affect operational efficiency and competitive positioning. Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain are some examples.
  5. Legal Risks – Risks related to changes in laws, regulations, and legal actions that could impact the organization’s compliance, liability, or operating environment. Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation, etc. are some examples.
  6. Ethical or Environmental Risks – Risks associated with ethical considerations and environmental factors, such as climate change, natural disasters, resource scarcity, and sustainability pressures, which can affect operations, reputation, and compliance.

From a risk management perspective, PESTLE supports the development of a risk taxonomy or classification system within the organization. It also enhances the thoroughness of risk identification by providing diverse external perspectives.

7) VMOST

VMOST is a tool for putting strategy into action; we touched on it earlier when exploring the objectives and purpose of risk management within an organization. The VMOST Analysis helps a business assess whether its core strategies are supported by corresponding activities. It addresses this by examining five key components: vision, mission, objectives, strategies, and tactics. Notably, while the COSO (2017) ERM framework positions objectives as part of strategy, VMOST reverses this, treating strategy as a component of objectives. From a risk management perspective, this model is effective for identifying key risk indicators (KRIs). It bridges strategy and objectives to actionable steps (tactics), enabling the creation of a robust top-down framework for measuring risk management.

8) Value chain analysis

The value chain model, used for executing strategy, outlines the complete set of activities an organization undertakes to deliver a product or service from its conception to its final use. This includes functions such as research and development, human resource management, production, marketing, and distribution. The model enhances organizational efficiency by optimizing these activities. It’s worth noting that the Extended Enterprise offers a simplified version of an organization’s value chain. From a risk management standpoint, the value chain model is useful for assessing risks within internal processes. Many organizations consider risks tied to “the customer journey” or the “front-to-back process,” making this perspective valuable for ensuring operational processes align with the strategy. It serves as an effective foundation for identifying the controls required at each stage of the process.

9) BCG Matrix

The Boston Consulting Group (BCG) matrix, employed for reviewing and refining strategy, assists an organization in determining which products to retain, sell, or further invest in. While it is commonly applied by commercial entities, its principles are also applicable to services offered by government and non-governmental organizations (NGOs). From a risk management perspective, this model aids in establishing key risk appetite and tolerance thresholds for an organization’s products and services. It’s critical that risk reporting and monitoring stem from the insights and decisions generated by this model, with those decisions subject to ongoing review.

10) Kotter Model

The Kotter Model, a framework for reviewing and repurposing strategy, is an 8-step change management approach crafted by John Kotter, a Harvard Business School professor, to guide organizations in achieving effective transformation. It highlights the importance of leadership, urgency, and engaging stakeholders.

Kotter’s 8-Step Change Model:

  • Create a Sense of Urgency – Highlight the need for change to motivate action among stakeholders.
  • Build a Guiding Coalition – Assemble a group of influential leaders to steer the change effort.
  • Develop a Vision and Strategy – Formulate a clear vision and strategy to direct the change process.
  • Communicate the Vision – Consistently share the vision across various platforms to secure support.
  • Empower Employees for Action – Eliminate barriers and authorize employees to enact the change.
  • Generate Short-Term Wins – Achieve and celebrate early victories to sustain momentum.
  • Sustain Acceleration – Leverage initial successes to fuel ongoing progress.
  • Anchor the Change in Culture – Integrate the change into the organization’s culture for lasting impact.

From a risk management perspective, this model supports risk scenario planning and stress testing by prompting the organization to explore plausible yet challenging future scenarios.

11) McKinsey 7S model

The McKinsey 7S Model is a review and repurpose tool that evaluates an organization’s design by analyzing seven critical internal components—strategy, structure, systems, shared values, style, staff, and skills—to determine if they are well-aligned to support the organization’s goals. Developed by McKinsey & Company, this strategic framework helps align these elements to drive success, making it valuable for organizational change, strategy execution, and performance enhancement.

It is commonly applied in scenarios such as:

  1. Managing organizational transformation.
  2. Adapting the organization to a new strategy.
  3. Supporting mergers or acquisitions.
  4. Boosting company performance.
  5. Anticipating the impact of future internal changes.

The 7 Elements of the McKinsey 7S Model:

The model categorizes the elements into Hard and Soft groups.

Hard Elements (more tangible and manageable):

  1. Strategy – The organization’s approach to securing a competitive edge.
  2. Structure – The framework of hierarchy and reporting lines.
  3. Systems – The processes, workflows, and procedures that drive operations.

Soft Elements (less tangible but vital for success):

  4. Shared Values – The core beliefs and culture of the organization.
  5. Style – The approach to leadership and management.
  6. Staff – The workforce’s capabilities, skills, and growth potential.
  7. Skills – The expertise and competencies of employees.

How to Apply the 7S Model:

  1. Evaluate the current condition of each element.
  2. Detect any misalignment among the elements.
  3. Pinpoint necessary adjustments to achieve alignment.
  4. Execute changes and track progress.

From a risk management perspective, this model is helpful for assessing control design, implementation, and effectiveness. It addresses both the “hard” aspects (such as design) and the “soft” aspects (like implementation and effectiveness, which depend on human factors).

7.4 Risk management tools

Risk management can significantly contribute to shaping strategy. During the strategy development process, organizations often reach a stage where they have more strategic options or initiatives under consideration than they can realistically pursue. At this point, they must select the options or initiatives that offer the greatest value. Several risk management tools can assist in evaluating the comparative advantages of different strategic options or initiatives. The two most pertinent tools are:

  • Suns and Clouds
  • Impact vs. Manageability

1) Suns and Clouds

Vaughan Evans’s Suns and Clouds chart, created in the early 1990s, provides insight into two key aspects of strategy:

  1. The presence of significant risks or opportunities, and
  2. Whether the overall mix of risk and opportunity is advantageous.

The tool involves two steps:

  • For each strategic option, identify the primary threats (clouds) and opportunities (suns) it presents.
  • Map these threats and opportunities on a chart, with their potential impact on the organization’s value on the y-axis and their likelihood of occurring on the x-axis.

This produces a visual representation of the threats and opportunities tied to the strategy. For instance, a cloud positioned in the upper right corner (high impact, high likelihood) might indicate that the strategy carries excessive risk. Like many risk management tools, the real benefit lies in the discussions sparked by deciding where to place each sun and cloud. These conversations help ensure alignment among participants regarding the potential threats and opportunities each initiative might pose to the organization. Moreover, if a cloud is attached to a strategy that is critical for the organization, the task becomes figuring out how to manage that risk effectively.

2) Impact vs. Manageability

This risk management tool, also developed by Vaughan Evans, employs a matrix to evaluate risks linked to a strategic option or initiative based on two factors:

  1. The potential impact a risk could have on the anticipated value the initiative might deliver to the organization (y-axis), and
  2. The ease or difficulty of managing that risk (x-axis).

The matrix categorizes manageability into four levels:

  • High – The risk can be easily managed.
  • Medium – The risk is manageable with effort.
  • Low – The risk is challenging to manage.
  • Zero – The risk is effectively unmanageable.

If the risks tied to a strategy fall into the unmanageable category, it may be prudent to abandon that strategy. Conversely, if the risks are manageable, the organization can address them, making the strategy more viable. When analyzing this model, it’s also important to consider the effort or resources needed to manage the risks effectively.
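The two Vaughan Evans tools above (Suns and Clouds, and Impact vs. Manageability) lend themselves to a small, repeatable scoring routine. The following Python module is an added example and not part of the chapter or of any published implementation of these tools: it places each sun or cloud in a chart quadrant (impact on the y-axis, likelihood on the x-axis), flags clouds in the upper-right corner, totals the signed expected value of the mix, and applies the manageability levels to reach a verdict. The strategic options, the 0.5 quadrant cut-off, the verdict wording and the numeric scores are all constructed assumptions for illustration.

```python
"""Suns and Clouds plus Impact vs. Manageability evaluator (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Manageability levels from the Impact vs. Manageability matrix, best to worst.
MANAGEABILITY = {"high": 3, "medium": 2, "low": 1, "zero": 0}


@dataclass
class Factor:
    """One sun (opportunity) or cloud (threat) attached to a strategic option."""
    name: str
    kind: str                    # "sun" or "cloud"
    impact: float                # 0..1, share of the initiative's anticipated value at stake
    likelihood: float            # 0..1, probability the factor materialises
    manageability: str = "high"  # only meaningful for clouds (assumed default for suns)

    def __post_init__(self) -> None:
        # Reject inputs that would place a point off the chart or in an unknown column.
        if self.kind not in ("sun", "cloud"):
            raise ValueError(f"kind must be 'sun' or 'cloud', got {self.kind!r}")
        for v in (self.impact, self.likelihood):
            if not 0.0 <= v <= 1.0:
                raise ValueError("impact and likelihood must lie in [0, 1]")
        if self.manageability not in MANAGEABILITY:
            raise ValueError(f"unknown manageability level {self.manageability!r}")

    def signed_value(self) -> float:
        """Expected contribution to value: suns add, clouds subtract."""
        sign = 1.0 if self.kind == "sun" else -1.0
        return sign * self.impact * self.likelihood

    def quadrant(self, cut: float = 0.5) -> str:
        """Chart position: impact on the y-axis, likelihood on the x-axis (cut-off assumed)."""
        y = "upper" if self.impact >= cut else "lower"
        x = "right" if self.likelihood >= cut else "left"
        return f"{y}-{x}"


@dataclass
class StrategicOption:
    name: str
    factors: List[Factor] = field(default_factory=list)

    def net_mix(self) -> float:
        """Signed total of all suns and clouds; positive means an advantageous mix."""
        return round(sum(f.signed_value() for f in self.factors), 4)

    def critical_clouds(self, cut: float = 0.5) -> List[str]:
        """Clouds in the upper-right corner: high impact and high likelihood."""
        return [f.name for f in self.factors
                if f.kind == "cloud" and f.quadrant(cut) == "upper-right"]

    def unmanageable_clouds(self) -> List[str]:
        """Clouds rated 'zero' manageability: the matrix suggests abandoning the option."""
        return [f.name for f in self.factors
                if f.kind == "cloud" and MANAGEABILITY[f.manageability] == 0]

    def verdict(self) -> str:
        # Ordering is an assumption: unmanageable risk dominates, then critical clouds,
        # then the overall balance of suns and clouds.
        if self.unmanageable_clouds():
            return "reconsider: unmanageable risk"
        if self.critical_clouds():
            return "proceed only with a risk treatment plan"
        if self.net_mix() > 0:
            return "favourable mix"
        return "unfavourable mix"


def build_sample_options() -> List[StrategicOption]:
    """Two constructed strategic options for a financial-services firm (illustrative only)."""
    onboarding = StrategicOption("Launch digital onboarding", [
        Factor("Reach a new customer segment", "sun", impact=0.6, likelihood=0.7),
        Factor("Regulatory approval delayed", "cloud", 0.4, 0.3, manageability="medium"),
        Factor("Personal data exposed via third-party KYC vendor", "cloud", 0.7, 0.2, "low"),
    ])
    acquisition = StrategicOption("Acquire a smaller competitor", [
        Factor("Gain market share", "sun", impact=0.8, likelihood=0.6),
        Factor("Integration of core systems fails", "cloud", 0.9, 0.6, manageability="zero"),
    ])
    return [onboarding, acquisition]


def assess_all(options: List[StrategicOption]) -> Dict[str, str]:
    """Map each option name to its verdict, the summary a committee would discuss."""
    return {o.name: o.verdict() for o in options}


if __name__ == "__main__":
    for opt in build_sample_options():
        print(f"{opt.name}: net mix {opt.net_mix():+.2f}, critical clouds "
              f"{opt.critical_clouds()}, verdict: {opt.verdict()}")
```

The point of the quadrant and manageability checks running before the net-mix total is that a single upper-right or unmanageable cloud should not be averaged away by attractive suns; the chart is meant to surface that cloud for discussion, not to hide it in an aggregate score.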