The Risk Coalition

Strengthening risk oversight

October 27, 2025

A summary of a round table discussion held on 2 October 2025, jointly hosted by Diligent and the Risk Coalition.

Whilst structures, frameworks and processes all contribute to effective risk governance, a consistent underlying theme arising from the roundtable was the centrality and importance of changing mindsets and behaviours.

The risk landscape today is increasingly challenging.  We are all long familiar with the concept of VUCA (volatility, uncertainty, complexity and ambiguity).  The term apparently originated in the US military in 1987 to describe the post-Cold War world; the concept is now widely used in business to describe the environment companies face.  Except, arguably, it is now more challenging than ever.  Events are now often non-linear, impacts are accelerated and risks are increasingly interconnected.

In his foreword to Raising Your Game, Sir James Wates clearly sets out the challenge with risk governance as it stands today: it too often focuses only on avoiding risk whereas there is also a strong need to identify opportunities in order to create and preserve value.  He adds that major challenges also arise when risk oversight is disconnected from strategy.  To shift from an approach to risk that focuses only on ‘stopping things going wrong’ requires an understanding that “… thriving organisations are led by boards that take decisions rooted in an understanding of opportunity and risk” [1].

In some ways, risk governance is easier for financial services organisations – there are firm regulatory expectations of board-level risk committees, risk functions (the Second Line in the ‘Three Lines’ framework) and Chief Risk Officers, which all need to be in place.  Many aspects of financial risk are more easily quantifiable and risk appetite is an established concept (if not always well understood).  In other sectors, there is more to do to justify the value of more formal risk governance arrangements and the concepts that underpin them. 

Several of the roundtable participants said, in their experience, they often found a need to teach people in their organisations the basic concepts of risk governance – even at senior levels.  They need to understand how and why risk governance makes a difference to effective decision making, helping to navigate through challenging times and support long-term business success.  A mindset shift is needed so they don’t think of ‘risk’ as a compliance, form-filling exercise but an integral part of the day-to-day running of a business.  Participants added that training on risk management for new managers – about how to think about risk – will also contribute to supporting effective risk governance and risk management.  Different conversations may be required for non-quantitative people but, in any event, risk should be an important part of business conversations.

Outside of financial services, board-level risk committees are uncommon.  Adding risk governance responsibilities to an audit committee’s traditional remit – in effect, making it an audit and risk committee – can change the nature and perception of the committee from one purely focused on financial reporting and internal control (still important!) to introducing a greater value-added and strategic element to its work.  (The board, of course, retains ultimate accountability for risk governance.)  Meanwhile, introducing conversations about opportunities to traditional risk discussions will require a further mindset change as this is not natural to audit committees.  The committee chair will have a key role to play.

Language can be an important facet of facilitating a mindset change amongst leaders and managers.  The roundtable participants pointed to a tendency to lapse into ‘risk jargon’, which they felt was unhelpful.  In a public sector context, there have been changes to the language of risk: for example, government departments now routinely consider the ‘chances of different degrees of success or failure’.  This introduces the concept of variability in outcomes.  As a result, senior leaders in the public sector now increasingly consider what they (and their teams) are doing to shape and influence different outcomes.  Their audit and risk committees continue to have a key role to ensure accountability.

To change mindsets, the audit and risk committee or the board risk committee needs to have diverse skill sets and bring a range of expertise.  It needs to encourage a two-way flow of information – not just from the executives up to the board and the committee, but back from the board and committee to the executives and to the organisation more broadly.  It also needs to ensure that the approach to risk is not just bottom up – which might otherwise mean interconnections are missed or siloed thinking results – but involves top-down thinking, with board involvement.  Participants also say it is vital that the chief risk officer or equivalent attends executive committee meetings, even if they are not a voting member of the committee.  They also encourage the chief risk officer’s attendance at board meetings, where they are an active contributor on risk-relevant matters and not a mere observer; however, they acknowledge many boards would not be ready for this and would not want ‘risk’ in the room.

In summary, the roundtable’s participants concurred that conversations should regularly be about risk and that risk concepts should be part of the organisation’s vocabulary: decisions need to be made fully cognisant of the risks that an organisation faces.  There is also a crucial need to start talking about driving opportunities as part of the organisation’s risk governance conversations, and this may not come naturally to everyone.  There may be a need to sell the benefits of a greater focus on risk.  In essence, therefore, a mindset shift is needed to change behaviours and attitudes so that risk is more deeply embedded in an organisation’s DNA.

[1]  A quote from Melanie Hind, in Raising Your Game.  Melanie is an experienced non-executive director and a former executive director at the Financial Reporting Council.

This blog was written by Hanif Barma. Hanif is a co-founder of the Risk Coalition and the founder director of Board Alchemy, a specialist governance advisory firm that supports its clients by undertaking board effectiveness reviews and by assessing the effectiveness of their risk and audit arrangements.

This Chatham House Rule round table discussion, attended by ten participants (board members and senior risk professionals) with experience from different sectors, was chaired and facilitated by Hanif Barma.  It was hosted by Scott Garnett of Diligent at their London offices on 2 October 2025.  The discussion built on the guidance contained in Raising Your Game, cross-sector risk governance guidance published by the Risk Coalition in February 2025.
