From silos to strategy: how boards are rethinking risk

The past decade has forced boards to treat risk differently. From the global financial crisis to COVID-19 and today’s geopolitical shocks, disruption has made directors more conscious of business model fragility.

At the same time, investor scrutiny, regulatory shifts and rising stakeholder expectations have changed the tenor of board conversations. Risk is moving from a back office function to something that must be viewed through a strategic lens.

Bruce Duncan, head of risk & assurance at Certas Energy UK, says that boards are responding by becoming more engaged and are sponsoring the risk agenda more proactively.

He explains: “They can see the benefits that risk management brings to mitigating potential disaster, but also the fact that risk and opportunity are two sides of the same coin… by getting teams involved right the way through the organisation that enables organisations to identify opportunities to mitigate, but also opportunities to enable and to grow.”

Andrea Brodie, chief marketing officer at Riskonnect, says this change is reflected in the way that company boards are thinking about risk. “They’re starting to ask the right questions, such as what emerging risks are we not talking about? How do we quantify and prioritise the trade-offs? And are we using technology to see around the corner?”, she explains.

“Risk awareness took a quantum leap after the financial crisis”

RAK Ceramics’ chief governance and sustainability officer Vibhuti Bhushan agrees that this is the general direction of travel, but argues that the global financial crisis was the wake-up call that seeded today’s board engagement.

“Risk awareness took a quantum leap after the financial crisis… Today I don’t think there is any sector where you can say that risk awareness is not there. What differs is the degree,” he says.

Ultimately, the webinar panel agreed that sophisticated boards no longer tolerate static or backward-looking reports. They want forward visibility, a sense of how risks cluster together and where appetite needs to flex.

From silos to strategy

Despite this shift, too many organisations still view risks in disconnected buckets. ESG, cyber, HR, supply chain and finance often run parallel processes with different taxonomies and owners. The result is duplication in some areas, blind spots in others and limited understanding of how risks interact.

Bhushan’s answer is a portfolio lens that gives boards a wide-angle view, so that organisations can make informed decisions based on a sophisticated understanding of the risks faced.

He says: “Risk is a landscape. It’s a tapestry. It’s not one single component… [Where] risk gets locked in silos, that’s where the trouble comes.”

At his own organisation, he implemented a bespoke lexicon to help achieve this goal. Categories such as business model risk and group priority risk surface cross-cutting exposures that do not sit neatly in one function.

The aim is clarity rather than jargon, so executives and directors discuss interdependencies in the same language, which improves decisions on allocation, sequence and ownership.

“Risk is a landscape. It’s a tapestry. It’s not one single component”

Brodie says that this approach can be extended to other board practices. She advocates for solutions that allow risk-intelligent boards to orchestrate across silos rather than reacting to one at a time.

She explains: “Do scenario planning and table top exercises that involve directors, not just executives, using dashboards that visualise risk exposure, mitigation progress and interdependencies.”

Those practices, she says, create space for tougher questions about worst-case scenarios, blind spots and missed opportunities, and they shift the discussion from a heat map to trade-offs.

Duncan adds that evidence is the quickest way to cut through when scepticism appears. He says: “If you’ve got the numbers to back up something that you believe is a developing risk, it’s always important that you make sure that those are in front of your board, with simple, clear reporting.”

“Do scenario planning and table top exercises that involve directors, not just executives, using dashboards that visualise risk exposure, mitigation progress and interdependencies.”

He adds that creating bottom-up pressure by engaging with the wider business can help to motivate boards to take emerging risks seriously.

All three panellists agreed that silos are often reinforced by internal structures and culture. Functions protect their own territory, KPIs are narrowly defined, and risk owners sometimes lack visibility of how their issues cascade elsewhere.

Breaking that cycle requires deliberate governance design, such as subcommittees with cross-functional representation, integrated dashboards that show interdependencies, and risk categories that don’t map one-to-one with an organisational chart.

When directors can see how a cyber incident could trigger a disclosure issue, a supply chain bottleneck and a reputational backlash simultaneously, they are far more likely to back coordinated investment.

Culture, people and persistence

Frameworks and dashboards are necessary, but culture determines whether they work. Three levers dominated the discussion: relevance, psychological safety and persistence.

Relevance starts with simplicity and utility. Duncan’s view is that people commit when risk practices help them to do their jobs better.

He said: “In terms of culture, it needs to be relevant. It needs to be relatable, it needs to be understandable. And we must give people the tools to achieve what we’re asking them to achieve, without making it an additional task in the day.”

Bhushan adds that psychological safety enables honest conversations about forward-looking threats. He argues for visible allies at board and executive level and for recognising the people who carry risk day to day.

He says: “You’ve got to have a setup where people are not afraid to go and do things that need to be done to mitigate risks,” adding that it’s important to ensure that risk owners get credit when mitigations succeed.

“In terms of culture, it needs to be relevant. It needs to be relatable, it needs to be understandable.”

Language is part of culture, too. Brodie’s advice is to elevate the narrative so boards hear strategy, not noise. She explains: “Boards care about revenue growth and shareholder and reputation, so connect risk directly to those drivers.”

Of course, in a less risk mature organisation, it is harder to put these practices into place, but Bhushan counsels that patience is key. “You have to be persistent and be prepared for the potential that you are going to fail… organisations mature and evolve, so what is true today may not be true tomorrow.”

The panel also shared tactics that make culture tangible. For instance, Duncan runs an annual risk and compliance week where risk owners co-design sessions and colleagues from across the business come together for workshops.

Framed around the ripple effect of risk, it shows how a problem in one area inevitably spreads elsewhere, which makes early transparency a shared responsibility rather than a compliance chore.

“You have to be persistent and be prepared for the potential that you are going to fail… organisations mature and evolve, so what is true today may not be true tomorrow.”

Where there is no CRO, Brodie has seen success with a visible executive sponsor who convenes cross-functional briefings and keeps the rhythm going until the organisation is ready for a dedicated risk leader.

Ultimately, the panellists were candid about how culture is often the hardest part of the job. Metrics and dashboards are relatively straightforward; shifting behaviours and mindsets is not.

That means embedding risk in everyday conversations, making it part of decision-making rituals, and rewarding transparency even when the message is uncomfortable.

It also means being realistic: culture change is iterative, often uneven, and sometimes reliant on moments of crisis to accelerate progress. The difference is that prepared organisations use those moments to reinforce good habits rather than scramble for fixes.

Risk can help you move faster

The most effective way to win hearts and minds is to show that risk management creates value, which starts with reframing the business case.

Bhushan points out that one strong mitigation can reduce several exposures at once. When you group risks at the portfolio level, you can target controls that deliver benefits across cyber, regulatory, operational and reputational dimensions together.

Duncan agrees that risk professionals should look for these hidden wins. Grouping solutions reduces manual effort, speeds up decisions and cuts rework, which releases capacity and capital for growth. He also notes how data-rich cases and external challenge can unlock stalled investment so action happens sooner and at larger scale.

Meanwhile, Brodie argues that risk managers can use risk to move faster, not slower. She gave the example of a pharmaceutical company facing uncertain regulation in a new market. The company mapped gaps, engaged local advisers and built mitigation plans in advance. This allowed it to enter the market faster while staying within tolerance.

Similarly, she shared how a financial services firm piloting AI customer service applied risk frameworks to identify bias risks, implement model governance and monitor compliance. That gave leaders the confidence to scale quickly while competitors hesitated.

Governance structures make these opportunities real. Duncan’s guidance on board rhythm is straightforward: “Make sure that you’ve got the right forums… make sure that you’ve got well-structured governance within the organisation and then be the facilitator and initiator of the conversations within those forums.”

Brodie adds that dashboards can be a valuable tool allowing you to map risks to strategic KPIs, and drill down on financial exposure scenario modelling and simulations, what-if events, and cyber risk quantification tools.

“Make sure that you’ve got the right forums… make sure that you’ve got well-structured governance within the organisation and then be the facilitator and initiator of the conversations within those forums.”

Do not be afraid to challenge orthodoxy with data. Bhushan recounts how questioning long-standing inventory buffers in heavy industry released working capital without breaching appetite, because the extreme events those buffers were meant to cover had occurred only a handful of times in two centuries.

The lesson is not recklessness but reviewing assumptions so your risk appetite supports the business model rather than constraining it by habit.

When prioritising, the most convincing cases are those where one programme meaningfully reduces several principal risks. That might be a supplier assurance model that addresses ESG and cyber together, a model governance framework that covers AI ethics and regulatory expectations, or a data quality initiative that improves both compliance and performance reporting.

The panel also discussed how opportunity is often hidden in the very same issues that boards fear. Cyber, for instance, is frequently framed as an existential risk, but organisations that build resilience often discover they can accelerate digital transformation projects that give other businesses pause.

Similarly, ESG disclosure is seen by some boards as a regulatory burden, but those that align reporting with brand and investor relations can gain reputational advantage. Ultimately, the same frameworks used to reduce downside can also be harnessed to move more quickly and confidently into new spaces.

The way forward

Boards are more engaged, but expectations have risen. The task now is to turn attention into better choices. Replace siloed lists with portfolio views. Tie analysis to strategy, capital and timing. Make culture the centre of gravity by keeping language relevant, creating safe spaces for challenge and persisting when progress is slow.

Above all, remember that people are the multiplier. As Duncan put it: “If you can get people engaged, you’re 50% or more of the way there.”