Our 2024 State of the Industry survey reveals a risk profession that is evolving, with more practitioners than ever moving beyond insurance buying to focus on enterprise risk management. But with new threats emerging at a dizzying rate, the pressure is on to improve controls and communicate your value. Sara Benwell reports.

Risk management looks very different today than it did 10 years ago.

While over a third of risk managers still have responsibility for risk transfer solutions, such as insurance, our research shows that mitigation is the most common area of responsibility, selected by 83% of respondents.


Measurement practices, such as quantitative risk analysis, are a key responsibility for 58% of the risk managers we spoke to, while just 17% have oversight of employee benefits.

FERMA’s CEO, Typhaine Beaupérin, says the organisation has continued to see an expansion in the scope of the risk management function and greater visibility at the strategic level within organisations.

The body’s recent ERM Maturity Study found that 44% of respondents present risk assessment results and risk management activities at board or management meetings. However, Beaupérin argues that risk quantification remains an area where improvements are needed.


She says: “Currently, most risk managers evaluate risk using a combination of qualitative and quantitative metrics. It is our expectation that as new technologies and innovations such as AI become a more integrated component of the risk assessment process, enabling the speedier analysis of larger data sets, we will see risk quantification capabilities becoming much more mature.”

Stéphane Martin, CEO of Smart Risk Consulting and co-founder of Risk-!n, agrees that identification and quantification is an ongoing area of concern, adding that the relatively low number of CROs responsible for risk transfer means that professionals must forge a closer relationship with their insurance-buying colleagues.


Martin is also concerned that risk analysis and assessment is not among the top areas of focus for the next 12 months.

“[This] is the most important part of risk management,” he says. “Strategies should include improvements in risk analysis, thus better understanding and quantifying causes and consequences. Without this, everything that comes out will be wrong.”

While he feels it is good to see risk culture rising up the agenda, he is sceptical about how this materialises in practice. He is reassured, however, to see business continuity management rising to fifth place, as this is the natural next step to preventing the consequences of risks.

Airmic’s head of research, Hoe-Yeong Loke, says the growing focus on culture is critical, particularly against the backdrop of recent crises. But it is vital that it starts at the top.


He explains: “Risk culture has risen to top of mind for risk professionals. This is no doubt due to the string of bank collapses last year. But we have seen all this before – the fall of Lehman Brothers, Enron and Arthur Andersen. As Airmic’s 2023 research with the ACCA found, the authority of the chief risk officer or people in charge of risk is key to improving risk culture for the organisation.”

Beaupérin feels the survey’s findings on risk manager priorities reflect the evolution of the risk management function, and the increasing integration of risk management into overall business strategy, particularly since the pandemic.

However, she adds that one key area of focus not reflected is the integration of risk management into ESG activities within companies. Another key area of missing focus is governance.

She says: “This may reflect how the risk management function is perceived in the company – still as that second line of defence in terms of risk management and mitigation. There needs to be more effective communication at board level of the intrinsic value of risk management in the business decision-making processes and the overall running of the organisation.”



When it comes to the threats keeping risk managers up at night, there are few surprises. In 2024, organisations are most concerned about cyber/technology risks and operational risks, with supply chain, ESG and geopolitics all significant areas of concern.

Martin expected to see cyber topping the charts, adding that operational threats are being driven by escalating people, supply chain and technological risks.

“Cyber is a negatively evolving topic, which means we are less and less prepared for the unexpected in this space. [It is] truer than ever that we are behind the attackers and transfer to insurance is more and more difficult,” he says.

However, Loke cautions that risk professionals must look beyond individual risks and seek to understand how each threat impacts another.


He explains: “Risk professionals have been preoccupied with cyber risks for some time. They need to realise that, increasingly, all these risks are interconnected. Wars and other geopolitical events have accentuated cyber risks, as do supply chain risks – the Red Sea crisis, which has threatened to disrupt trade globally, comes to mind.”

Beaupérin agrees, adding that this interconnectedness is making effective risk management and mitigation more complex for professionals.

She says: “It is imperative that companies have robust risk frameworks in place to bolster their resilience in such a volatile landscape. That ability to anticipate risk where possible and put in place protection measures will enable companies to respond much more rapidly and effectively.”

Looking to other risks in the top five, she says that as people risks continue to rise, it’s important that risk managers collaborate closely with HR teams, something that FERMA research found has been improving since the pandemic.

She also believes that ESG is likely to become a more prominent focus for risk professionals, adding: “While current regulatory developments and reporting requirements mean that the focus is primarily on compliance, we would expect moving forward that this will become a much bigger component of the strategic activities of organisations.”



Survey respondents report that the emerging threats worrying them the most are: increasing political instability and conflict, artificial intelligence, and climate change.

It is unsurprising that geopolitics came out top. The global ramifications of even very localised events can be extremely significant. Protests and unrest can erupt quickly and, from a business perspective, it is the speed at which these impacts are felt around the world that is the key challenge.

The knock-on effects of the Red Sea attacks on supply chains and product availability have been almost instantaneous, for example.

Loke says: “The prospect of a change in government in several countries within a short space of time could be potentially destabilising for businesses, especially if economic policies change overnight. Risk professionals should take the opportunity to better understand how political developments can affect their business strategy, or indeed their fundamental business model.”

Beaupérin adds: “As these tensions continue to grow, the implications for companies will rise, amplifying the need for resilience-focused risk frameworks that prepare companies not only to respond effectively to this heightened risk state but, where possible, emerge stronger.”


Martin says that for threats such as geopolitics, which are driven by external factors, risk managers must take other, sometimes drastic, measures to mitigate the impacts.

He explains: “Some risk mitigations are linked to internal controls, the ones where you can manage the causes, but for the ones you cannot, such as geopolitical and environmental, then you need to change strategies. This could mean leaving a country and setting up business somewhere else.

“Risks need to be looked at individually and also in the portfolio view, which means an organisation needs to accept some risks and their consequences if they can’t avoid them.”

Technology is another key risk that businesses must be laser-focused on, as the emergence of AI and GenAI has created both incredible opportunities and significant issues in the form of data security and privacy concerns.

Beaupérin explains: “Legislators are trying to introduce controls such as the EU Artificial Intelligence Act, which will come into effect soon. This is a key area of focus for FERMA as we look to raise awareness of the risks and opportunities it creates, and how risk managers can capitalise on it effectively to support decision-making, boost resilience and make organisations more agile.”



While it is reassuring that 79% of risk managers surveyed say their controls suite is at least partially effective, it is a significant source of concern that just 13% say it is fully effective.

Those risk managers looking to boost controls through investment may be in for a shock, as just 29% report increased budgets for risk management. 15% report decreasing budgets, with the remainder saying spend has stagnated.

Martin says: “[The low percentage of people reporting fully effective controls] is very surprising. To me, it means risk management is not being applied properly.


“We may be in a situation where risk reporting is in place but not real risk management with full understanding of the risks taken. Risk assessment and analysis are key to setting up the right mitigations, including controls on causes and consequences.”

Beaupérin adds that a key consideration for risk managers looking to improve the overall effectiveness of the risk control suite will be how effectively they can harness and apply data.

She says: “This will require considered integration of data-focused technology and AI capabilities into their risk frameworks that will enable faster and more effective risk analysis and quantification.”


Turning to budgets, Martin says that the best way to get more resources is to ensure that risk management activities are supporting the business in the right way, by linking them to business objectives.

Beaupérin agrees, adding that demonstrating the business value of the risk management function is imperative. She concludes: “It is about being clear on how the risk function supports sustainable growth. Often senior teams don’t realise the business potential that the risk management function delivers because it hasn’t been communicated to them effectively.

“If we can open their eyes to that and clearly demonstrate the strategic value risk management affords then hopefully the budget increases will follow.”