Risk governance is an essential element of decision making by organisations, even more so today in a complex, unpredictable and fast-changing business environment. Risk arrangements at board level can miss the point if they focus only on mitigating downside risk - they are in danger of losing sight of new opportunities that must be grasped to ensure long-term sustainability. Hanif Barma summarises a recent roundtable discussion jointly hosted by Diligent and the Risk Coalition. A major conclusion of the discussion, which involved board members and senior risk professionals, was that a change in mindsets and behaviours is needed to drive effective risk governance.
True, Fair... and Future-Proof: Risk Accounting for a New Era
There’s a quiet reckoning happening in accounting. For generations, the profession has stood by the notion that our reports must present a “true and fair view” of an entity’s financial position. But as we confront climate risk, systemic fragility, and operational volatility, one wonders — is “true and fair” still enough? Or should we be aspiring to something more: a “true, fair and sustainable” view?
This isn’t simply an ethical debate. It’s a technical one too. Sustainability implies the ability to survive — and thrive — over time. And that requires us to engage with risks that haven’t yet struck but loom in plain sight. If a firm is sitting on a mountain of residual non-financial risk — cyber vulnerabilities, conduct exposure, climate liabilities — should its pristine balance sheet lull us into complacency?
Let’s reflect on Silicon Valley Bank. At year-end 2022, its audited financials showed pre-tax profits exceeding $2 billion. Then, within months, it collapsed in spectacular fashion. The failure wasn’t due to some unknown black swan. The bank had concentrated risk, an unbalanced funding profile, and poor hedging — all observables. But not, apparently, ‘accountable’.
And that’s where we hit a deeper problem. Accounting today is based on information provided to the auditor — not all information available. Auditors are not expected to scan the horizon; their duty is narrowly scoped to verifying what’s been placed in front of them. But in the age of real-time data, digital signals, and risk modeling, should that still be the case?
Imagine if auditors had a mandate like Know-Your-Customer in banking — an obligation not to remain willfully blind. When non-financial risk accumulates, and external data shows rising exposure, shouldn’t that prompt scrutiny? After all, we know from Basel’s BCBS 239 principles that aggregating risk data is a supervisory expectation. Shouldn’t it be a professional one too?
This brings us to a concept that might reshape our financial lens: Risk Accounting. At its core is the Risk Unit (RU) — a standardized metric quantifying residual non-financial risk. Think of it as a unit of post-control exposure. By capturing risks such as cyber threats, compliance gaps, or climate vulnerabilities in a quantifiable form, RUs let us translate the abstract into the actionable.
So how does this play out in double-entry terms? Let’s say a firm calculates its residual exposure to conduct risk at £5 million, using a defensible methodology. That amount — an expected future loss — is charged to the P&L as an expense, with a matching provision recognised on the balance sheet.
Dr Risk Expense
Cr Risk Accrual (Balance Sheet)
Straightforward so far. But here’s where it gets innovative.
That risk accrual can now be tokenized. Tokenization refers to the process of converting a quantified risk exposure into a tradable digital asset — a Tokenized Risk Unit (TRU) — which can then be issued and sold on a regulated exchange. TRUs allow firms to transfer the financial burden of future risks to market participants willing to underwrite them. [More on this can be found in the RASB whitepaper.]
Now observe the double-entry:
Dr Cash
Cr Risk Accrual (Derecognition)
The balance sheet improves, not by hiding the risk, but by externalizing and funding it transparently. This isn’t securitization of fantasy assets; it’s risk transfer rooted in disclosure, standardization, and marketplace pricing. And because TRUs are based on quantified RUs, the pricing reflects actual risk levels — auditable, comparable, and reportable.
Far from conflicting with IFRS, this model enhances its logic:
IFRS 8 encourages segment-level risk disclosures. RUs make that real, aligning residual risk to each operating unit.
IFRS 9 is built on expected credit losses. RUs apply that forward-looking principle to non-financial domains.
IAS 37 permits a provision where an outflow is probable and the amount can be estimated reliably (it also requires a present obligation arising from a past event). RUs are intended to satisfy the probability and measurement tests.
This isn’t futuristic theory. The Risk Accounting Standards Board (RASB) has published frameworks showing exactly how these accounting treatments can align with international standards. Disclosures include staging models, assumptions, and sensitivity analysis — just as we do for credit loss provisions today.
What’s more, these practices speak to broader changes in regulation. As ESG mandates tighten — through mechanisms like CSRD in Europe — firms will be held accountable not just for emissions, but for risk readiness. That includes recognizing the cost of failing to address foreseeable risks. If your data privacy practices expose you to a probable fine, or your supply chain is geopolitically fragile, the market deserves to know. Risk Accounting gives you the language — and ledger — to say it.
So what does it mean for ethics? Quite a lot. Ethics in accounting has long centered on independence and integrity — values that remain non-negotiable. But today, ethical reporting also means refusing to ignore what is knowable. A sustainable accounting framework would not only record past performance but also signal looming threats. It would push boards to act before risks crystallize — and empower markets to price those risks intelligently.
Yes, there are complexities. Risk accruals must eventually crystallize or reverse. Tokenization demands governance, liquidity, and investor protections. But the broader arc is clear: when we quantify risk, we can manage it. When we manage it, we can report it. And when we report it, we invite solutions — whether internal mitigation or external transfer.
That is what a “true, fair and sustainable” view could look like.
Not just a snapshot of what was, but a dashboard for what lies ahead. Not just compliance, but foresight. Not just statements, but stewardship.
Maybe it’s time we let the ledger speak not only to profit and loss, but to possibility and preparedness.
Because the future won’t wait until year-end to reveal its risks — and neither should we.
“A sustainable financial view doesn’t distort reality — it reflects it.”
Steve Bailey FCCA, Chairman, Risk Accounting Standards Board
Risk Matters Blog – The Anatomy of a Ransomware Attack
Risk Coalition Virtual Roundtable – 12 September 2025
Authors: Chris Burt, Halex Consulting/Risk Coalition, Vish Nayi, CyberQ Group, Carrie Stephenson, Brave LLP
Ransomware has become one of the most pressing threats to organisational resilience, disrupting critical services, damaging reputations, and testing board decision-making under pressure. At our September Risk Matters roundtable, the Risk Coalition convened non-executive directors, audit and risk committee members, and governance professionals to explore the “anatomy” of a ransomware attack: what happens before, during, and after, and how boards can prepare to respond.
The discussion was led by two subject-matter experts: Vish Nayi, Chief Solutions Architect at CyberQ Group, who brings extensive incident response experience, and Carrie Stephenson, co-founder of Brave LLP, who contributed perspectives on legal, compliance, and governance.
The Current Threat Landscape
Participants were reminded that ransomware is no longer a fringe issue. UK businesses face a cyberattack on average every 44 seconds, with ransomware affecting an estimated 19,000 businesses annually – roughly 52 each day. Phishing remains the dominant entry point, often serving as the precursor to more serious ransomware incidents.
As Vish noted, ransomware groups operate like multinational enterprises. They employ developers, negotiators, and managers; they track performance against KPIs; and they even offer “ransomware-as-a-service” to affiliates. In parallel, geopolitical factors – including state-sponsored activity – continue to fuel the scale and sophistication of attacks.
AI technology is creating new challenges. As Carrie explained, "Criminals are using AI to craft more convincing phishing and automate vulnerability scanning, while businesses rely on it for threat detection – creating a double-edged sword."
The financial impact is stark: the UK economy loses an estimated £27 billion annually to cybercrime. Yet for criminals, ransomware is a multi-billion-pound industry.
Before the Attack: Building Preparedness
The first theme of discussion was preparedness. Boards were urged to ask themselves whether they have:
A clear understanding of their organisation’s “crown jewels” – the data and systems critical to survival.
A defined risk appetite for cyber threats, recognising that “zero risk” is not realistic.
An incident response plan that is not only written but rehearsed. Too often, boards sign off policies they have never read or tested.
Vish highlighted common pitfalls: response plans locked in digital systems that become encrypted during an attack; key roles assigned to a single individual who may be unavailable; and reliance on cyber insurance that may not pay out if the organisation has not maintained promised controls.
Carrie emphasised the governance dimension: “Boards must address cyber resilience before a crisis strikes. Debating whether to pay a ransom should not take place for the first time in the middle of an attack. Businesses must adopt a proportionate and proactive approach to cyber security and assess the risk as part of a larger risk management framework.” Establishing principles in advance – including the legal, regulatory, and ethical implications of ransom payments – enables calmer decision-making under stress.
She stressed the personal stakes for directors: "If you're a NED, you hold fiduciary duties as a director – this encompasses good cyber security risk management. You have personal liability – do not assume your D&O covers you. It might cover decisions and actions but not wider costs."
Carrie challenged boards to examine their current approach: "Are you following a proven framework like Cyber Essentials? Are you building in cyber resilience and business continuity planning? Is it on the agenda? If not, it should be. Who is the designated lead? If no-one, assign one."
During the Attack: Decisions Under Pressure
When ransomware strikes, pressure mounts rapidly. Data is encrypted, operations stall, and a ransom demand arrives – typically in cryptocurrency.
Key dilemmas for boards include:
Ransom payments – who has authority to decide, and on what basis? While some organisations pragmatically negotiate, government proposals now point towards tighter restrictions and mandatory reporting.
Communications – how to handle regulators, insurers, employees, customers, and the media in the crucial first 24 hours. Misinformation or premature statements can magnify reputational damage.
Law enforcement engagement – while support and guidance are improving, technical interventions are often limited once encryption has occurred.
The discussion also reflected on real-world examples, from large retailers forced to disclose outages, to smaller firms negotiating instalment payments on the dark web. These illustrate both the diversity of responses and the intense moral, legal, and financial pressures boards may face.
After the Attack: Recovery and Learning
Even if ransom is paid, restoration is uncertain. Criminals may not provide decryption keys, or they may strike again. True resilience lies in restoring systems independently and learning from the incident.
Boards should ensure:
Backups are offline, secure, and regularly tested.
Legal obligations – including mandatory reporting under emerging regulation – are understood and actionable.
Lessons learned feed into strategy, culture, and governance.
Carrie noted that new legislation, including the forthcoming Cyber Security and Resilience Bill (CSRB), will require boards to demonstrate more proactive oversight. The Bill is expected to expand regulatory scope into the value chain, impose stricter incident reporting (within 72 hours), and give regulators sharper enforcement powers.
Carrie highlighted the significance of these changes: "We're seeing a step-change in UK cyber regulation with the CSRB. This moves away from voluntary frameworks to encourage a culture of accountability, with compliance obligations that could result in significant penalties."
Policy and Legal Context
The roundtable considered the UK Government’s July 2025 consultation response on ransomware. Key proposals include:
A targeted ban on ransom payments for public bodies and critical national infrastructure (supported by 72% of respondents).
Exploration of an economy-wide prevention regime, though views were mixed.
Introduction of a mandatory reporting regime, strongly backed by respondents, to improve government visibility of ransomware threats.
The reality of ransom restrictions is becoming clearer. As Carrie warned, "Ransom payments may be a thing of the past for CNI providers and public sector organisations. The question becomes: how do you recover in the absence of being able to pay a ransom? We await answers from the government on what happens when there are no technical restoration options."
For boards, the implication is clear: decisions about ransom payments and incident handling are moving from discretion to regulation.
Key Takeaways for Audit and Risk Committees
Several practical actions emerged from the session:
Preparedness and validation – Incident response and continuity plans must be read, rehearsed, and printed. Boards should regularly test them through realistic simulations.
Decision-making clarity – Authority for ransom payments (if legally permitted) should be pre-defined.
Insurance scrutiny – Verify what is actually covered and under what conditions. Cyber insurance converts operational risk into counterparty (credit) risk on the insurer; it does not eliminate the risk, and a claim may fail if promised controls were not maintained.
Supply chain resilience – Critical suppliers, including managed service providers, must be part of the resilience equation.
Legal foresight – Understand the implications of AML, data protection, and emerging cyber legislation before an attack occurs.
Culture of learning – Every incident must inform future governance and risk oversight.
Carrie emphasised the expanded regulatory focus on supply chains: "The CSRB extends due diligence requirements. Businesses that rely on external IT or security providers will be required to conduct due diligence, which means you need to be checking contractual agreements reflect security expectations."
Conclusion
Ransomware is not an IT issue alone – it is a strategic business risk. Boards cannot outsource responsibility; they must understand the threat, set clear principles, and test their organisation’s resilience.
The Risk Matters roundtable underscored that the anatomy of a ransomware attack involves more than encryption and extortion. It is about governance, legal, compliance, financial resilience, and the ability of directors to lead under pressure.
As new legislation reshapes the regulatory landscape, the imperative for boards is clear: move beyond compliance and embed cyber resilience at the heart of risk oversight.
Useful links:
National Cyber Security Centre (NCSC.GOV.UK) – a great source of advice and guidance
NCSC Cyber Governance for Boards (NCSC.GOV.UK) – board-focused cyber resources
NHS England Digital – Cyber security guide for non-executive directors
UK Government Cyber Governance Code of Practice (GOV.UK)
📅 The next Risk Matters roundtable will be held at 9am (UK) on Friday 12 December 2025. We encourage audit and risk committee members to join the discussion.
The future of ESG: navigating a fragmented landscape
The business world has long wrestled with the question of purpose beyond profit. But in the era of ESG (Environmental, Social and Governance), this debate has become more than philosophical – it’s a battleground where culture wars, regulatory demands and investor expectations collide. In this Risk Coalition blog, Vera Cherepanova looks ahead and considers the evolution and challenges of the ESG landscape, and discusses how this might evolve in future.
Internal audit and risk management must work together to navigate uncertainty
Heightened economic volatility, technological disruption and geopolitical tensions impact all organisations today - whatever their sector. This means that internal audit and risk professionals are under more pressure than ever to help their organisations remain resilient. The Chartered Institute of Internal Auditors (Chartered IIA)’s new Internal Audit Code of Practice - now in force - is designed to strengthen internal audit functions and support organisations in tackling these emerging risks head-on, raising the bar for the profession across the financial services, private and third sectors. Mo Warsame from the Chartered IIA explains why internal audit and risk management need to work together to navigate these increasingly challenging risks.
Three key threats of phishing to be aware of
Phishing is a significant IT risk, and largely a behavioural one. It is estimated that 90% of cyber attacks originate with a phishing attack so, with cyber regularly identified by boards as one of the biggest risks their businesses face, it is useful to be reminded what the warning signs are, and how best to prepare and respond. Polly Williams tells us how to avoid the common pitfalls.
Principles versus rules in data and corporate governance
In the world of corporate governance, the question of whether a principles-based approach or a rules-based approach is the most effective is often a matter of debate. Different jurisdictions and different regulators take alternative approaches and, indeed, different approaches may be followed at different times. Felix Ritchie considers these two alternative approaches in his blog for the Risk Coalition. He looks at the Risk Coalition’s cross-sector consultation document, Raising Your Game, and draws on it for lessons for data governance.
How can you maintain high standards in your business without suffering burnout?
People risk is nowadays recognised as a very wide-ranging concept, in its many dimensions. Gone are the days when this focused solely on headcount (we haven’t got enough people! or, we can’t afford the people we have!) and their capability (we haven’t got the right skill sets!). Wellbeing is now recognised as a key part of people risk, and an important aspect of this is burnout. Burnout is a state of complete mental and physical exhaustion, where we become so overwhelmed that our performance at work can suffer, while physical and mental health issues can also affect us outside of the work environment. If not addressed and adequately managed, it can easily become a feature of high performing businesses. Jane Hunter discusses how to maintain high standards and high levels of performance without suffering burnout.
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Increasing personal accountability was the focus of the Senior Managers and Certification Regime (SMCR), introduced by the financial regulators following the 2008 financial crisis. However, has individual accountability really increased since the introduction of SMCR, have behaviours changed, and have governance and risk culture improved? These are questions that Afshan Moeed considered in her now-completed PhD project, and she discusses them in her blog.
Three exciting new developments for AI in 2024 that you need to know about
Robotics and artificial intelligence have been in the public consciousness for decades, but only in recent years have we really started to comprehend the technology’s sheer potential. Businesses of any size now have the chance to leverage AI to keep up with the competition, to make better informed decisions, and to improve operational efficiency. Craig Morris discusses the key developments to watch out for in three critical sectors: healthcare, environmental sustainability and cyber security.
The stuff of nightmares: risk management is shut down, and nobody notices
Do a firm’s risk management activities actually create value? Companies increasingly spend time and money implementing a range of risk norms and frameworks whose focus is often on risk identification, analysis and risk reporting; these are risk process activities that do not create value for decision-makers, argues Stefan Hunziker. He says that, typically, nothing has been managed and no decision has been made better by these processes. In this blog, he gets to the heart of risk management - explaining that its single purpose is increasing decision quality.
What should boards know about digital technology?
Digital technology drives immense business opportunity explains Neill Tinegate, adding that this comes with an ever-increasing need for boards to understand and mitigate significant risks. In this blog, he considers cyber security, data governance and privacy, emerging technology as well as digital transformation - and he discusses some vital considerations for board members in each of these areas.
The insolvency risk for company directors - are you swimming naked?
The standards of diligence and care expected of non-executive directors in the oversight of a company are extremely high and, as Francis Kean explains, often become the subject of intense scrutiny and controversy in protracted and expensive investigations and proceedings following collapse. He discusses the potential coverage issues under D&O liability insurance policies and argues that non-executive directors should take an active and personal interest in the insurance protections which may be available to them in the event the worst happens.
Are you sitting comfortably? Cyber risk, board attestations and the implications for NEDs
Cyber risk remains one of the most challenging risks facing many organisations. Cyber risk disclosure regulations in the US, EU and UK are making these risks increasingly prominent for businesses and challenging for their non-executive board members. Andy Watkin-Child discussed the complexities of cyber risk and the various regulatory responses emanating from the UK, US and EU at December’s Risk Committee Chairs Forum hosted by the Risk Coalition, highlighting the challenges for non-executives and risk committee members.
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
The global risk landscape has become increasingly complex to navigate, and the multitude of risks that organisations face has become ever more interconnected, says Mamun Madaser. He explains that the risk of a polycrisis – defined as a cluster of related global risks with compounding effects, such that the overall impact exceeds the sum of each part – has now become a very real threat. Risk in Focus 2024, a Europe-wide annual research project analysing the top risks faced by businesses, identifies cybersecurity as remaining the biggest threat to organisations. Human capital, diversity and talent management is ranked as the second biggest risk, followed by macroeconomic and geopolitical uncertainty, which is ranked jointly with changes in laws and regulations as the third most significant risk. To tackle this, he says internal audit and risk management should work together to build their organisation’s resilience and support it in navigating the riskier, more uncertain and more volatile times we face.
How to mitigate the risk of cyber security breaches – part 2
Organisations need to implement a comprehensive set of security tools that are appropriate to their businesses, says Jim Watson, and they also need to identify their most valuable and confidential data, ensuring that appropriate security tools and controls are used to minimise the risks involved. Building on his earlier blog, which discussed the role of organisational culture in mitigating cyber risks, he discusses the key requirements of IT security tools and controls. He also explains the role that second-line risk management and compliance functions need to play in monitoring first-line security controls, and the need for regular third-line internal audits to evaluate the effectiveness of governance, risk management and control processes.
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
One of the key proposed changes to the UK Corporate Governance Code would require boards to conclude on the effectiveness of, and any material weaknesses in, their risk management and internal controls relating to operations, reporting and compliance. Nisha Sanghani, summarising discussions at a recent Risk Coalition Risk Committee Chairs Forum, explains that the discussion focused mainly on whether organisations have the right risk management framework in place to be able to meet the requirements of the proposed Code revisions with confidence. The general view, however, was that there is much work to be done by organisations before they can do this. If done properly, she says, UK companies can avoid firefighting when caught out by risk, and perhaps even start to make commercial risk-based decisions.
How to mitigate the risk of cyber security breaches – part 1
Cyber security breaches regularly hit the headlines these days, and the fact of the matter is that we only hear about a fraction of the incidents that happen. The threat of these incidents is a significant risk for organisations and breaches can have devastating results for the companies and people involved. They can result in serious financial impact, lost customers and reputational damage to companies - even risk to health and life. In this blog, Jim Watson explains that people are often the weakest part of an organisation’s cyber defence, so organisations need to embed security within their culture and governance, ensuring that all levels of the organisation understand the importance and value of security.
The implications of the revised UK Corporate Governance Code
The latest of the Risk Coalition’s CRO Forum roundtable discussions held this month considered the implications of the proposed revisions to the UK Corporate Governance Code for senior risk professionals. The discussion highlighted several challenges that organisations might face if the revised Code is implemented as proposed. These challenges mainly relate to: the expansion in the Code’s scope beyond financial risks and controls, the need for organisations to identify and prioritise material controls, the requirement to report material weaknesses and the need for expertise and resource to handle the proposed changes effectively. This blog summarises the roundtable discussions and highlights key planning considerations.
Financial regulators take aim at crypto-finance
Recently, the Bank for International Settlements (BIS) and the Financial Stability Board (FSB) published important reports about the risks inherent in crypto-finance. They make unpleasant reading for some. The BIS concludes that crypto’s inherent structural flaws make it unsuitable to play a significant role in the monetary system, while the FSB lists a series of major risks arising from crypto-assets. Andrew Cunningham sets out how board directors and risk professionals should respond to the latest work from the BIS and the FSB.