As the role of risk professionals evolves, so too must the way risk management is understood and integrated within the business. At a recent Risk-!n session, a panel of senior risk professionals and CROs explored how the function needed to evolve to make risk management great again.
In many organisations, the risk function continues to suffer from an identity problem. Is it a compliance role? A control mechanism? A strategic enabler? Or simply a cost centre tied to insurance procurement?
Panellists noted that these blurred perceptions can hinder effectiveness and engagement. Risk professionals are often brought in too late, expected to react to decisions rather than inform them. In other cases, their roles are reduced to risk registers, policy policing or insurance negotiations, divorced from the real levers of value creation.
To overcome this, the panellists argued that risk leaders must reposition their function with clarity of purpose: not just managing risk, but enabling better business decisions.
From reactive to strategic
A recurring theme was the need to shift risk management from a reactive, compliance-led activity to one that is fully embedded in strategic decision-making. Rather than simply documenting exposures, the function must help leadership understand which risks are worth taking, and how best to take them.
This demands a mindset shift, both from risk teams and the wider business. Risk managers must speak the language of opportunity and value, not just control and mitigation. They must demonstrate how risk intelligence informs choices, whether that’s entering a new market, investing in innovation, or optimising a supply chain.
Importantly, this also means being comfortable with ambiguity. Strategic risks are often complex and uncertain, and cannot always be captured in a matrix or a scorecard. The panel stressed that effective risk leaders need strong interpersonal skills, business acumen, and the confidence to engage with senior stakeholders as equals.
Bridging the gap with the business
One of the greatest challenges discussed was the disconnect between the risk function and operational decision-makers. In many organisations, risk teams are perceived as a back-office function, distant from frontline realities and poorly integrated into planning or investment cycles.
To overcome this, risk managers must work harder to “walk the floor”, build relationships, and co-create solutions with business units. Embedding risk thinking into daily decision-making requires more than frameworks and dashboards - it demands presence, empathy and influence.
This also means rethinking how risk information is communicated. Traditional reports often fail to resonate with business leaders. Instead, risk insights must be reframed in commercial terms, showing tangible impacts on performance, objectives and reputation. One panellist noted that reframing a cyber risk conversation in terms of revenue loss per hour immediately changed the tone of the discussion.
The insurance dilemma
The conversation also touched on the role of insurance within the broader risk function. There was consensus that insurance is important – but increasingly, it is not sufficient.
In some organisations, risk professionals still find themselves perceived primarily as insurance buyers. This narrows the perceived value of the role and limits influence. Worse, it can create the illusion that transferring risk is the same as managing it.
Panellists called for a more integrated approach: one where insurance is aligned to the organisation’s true risk appetite and used strategically, rather than defensively. This might mean using captives, parametrics or alternative risk transfer structures, but only when these are informed by deep operational understanding.
Equally important is ensuring that insurance and enterprise risk teams collaborate rather than operate in silos. Both functions contribute to resilience - but without alignment, the organisation risks duplication, blind spots or underutilised tools.
The need for measurable impact
Another area of discussion was the pressure to prove the value of risk management. In a competitive business environment, all functions are expected to justify their existence, and risk is no exception.
The panel explored how metrics, dashboards and KPIs can help. But there was also a note of caution: not all risk value can be captured in numbers. Some of the most important contributions, such as preventing reputational damage, building trust, or enabling strategic clarity, are difficult to quantify.
That said, the panel cautioned that risk teams should not shy away from measurement. By aligning their work to key business outcomes, and using clear, consistent indicators, they can make their impact more visible. Tracking the number of business decisions influenced, the time saved through risk-informed processes, or the reduction in unplanned losses can all help build credibility.
Creating a culture of intelligent risk-taking
Ultimately, the panel agreed that the future of risk management lies in culture. A risk-aware culture is not one that avoids risk, but one that takes the right risks, in the right way, with eyes wide open.
This requires senior leadership to champion the function, and risk professionals to step into more visible, collaborative roles. It also means recognising that risk appetite is dynamic, shaped by context, ambition, and resilience. What was an acceptable risk last year may no longer be appropriate today.
The panel concluded: embedding this cultural shift is the true work of modern risk management. Not building bigger frameworks, but enabling better conversations - and ensuring the organisation has the clarity, capability and confidence to navigate uncertainty.