Strategy and planning
22 August 2025

Elevating risk management: moving beyond box-ticking

Right Lane Review

Dr Marc Levy

Right Thinking

In Elevating risk management, Dr Marc Levy calls for moving beyond ‘performative box-ticking’ to make risk management a genuine source of strategic value. He outlines how organisations can build on existing frameworks to embed risk into strategic decision-making, culture and operations, transforming it into a dynamic capability. The article emphasises strengthening first-line ownership, sharpening risk appetite, using scenario planning and stress testing, and identifying emerging risks. A strong risk culture, shared language, and active collaboration between risk roles are essential. 

Risk management was never meant to be a ceremonial exercise. Yet in many boardrooms, the machinery of frameworks, registers and appetite statements has become just that: an administrative ritual. The irony is stark: the tools designed to protect an organisation can lull it into a false sense of security when they are treated as ends in themselves.

Today, the risk environment moves faster than the ink dries on most registers. Cyber incidents unfold overnight, regulatory landscapes shift in weeks, and reputational shocks erupt in hours. In this context, boards and executives face a consequential question: how do we move risk management beyond ‘performative box-ticking’ and make it a genuine driver of resilience, agility, and strategic advantage?

This article explores how organisations ready to strengthen their risk management can build on the fundamentals they already have and bring them to life, transforming risk from compliance paperwork into a living capability embedded in decisions, culture and strategy.

1. Developing and operationalising a living risk management framework

A documented risk management framework must be more than a compliance trophy. It should be applied, understood and tested: a living tool that helps leaders make sense of uncertainty.

Defining roles: strengthening the first line

One reason risk frameworks fail in practice is confusion about roles, especially in the first line. Many operational managers believe risk is the job of the second line or internal audit. But they own the risks, the controls, the day-to-day decisions.

Leading organisations invest in clarifying these roles through clear position descriptions, onboarding sessions, refreshers and performance metrics. They spell out how managers own risks alongside performance, what they must assess and monitor, and what to escalate. When first-line leaders understand that managing risk is part of how they enable and protect performance, it shifts ownership from paper to practice.

Sharpening risk appetite 

A single enterprise-wide risk appetite statement is not enough. We worked with a state government department to clarify its major risks – both strategic and operational risks above defined thresholds – and to set a clear risk appetite for each. This work culminated in a spirited, ‘papers down’ discussion at the highest levels of the organisation, where leaders debated the true nature of these risks and critically examined the corresponding risk appetites. In some cases, this meant a willingness to take on greater exposure in pursuit of opportunity; in others, it signalled a deliberate choice to minimise exposure.

Turning principles into action

Many organisations have documented risk taxonomies and governance structures, but these can feel abstract. The next step is to make them practical and accessible. A concise ‘risk on a page’ for each major risk can improve transparency, sharpen clarity, and create alignment, turning risk management into a shared, actionable understanding.

A good ‘risk on a page’ should capture:

  • A clear risk statement everyone can understand.
  • Root causes and factors that amplify the risk.
  • Specific risk appetite and tolerance levels for that risk.
  • Key controls mapped to the risk, with their effectiveness assessed.
  • Residual risk level, the real exposure after controls.
  • Key risk indicators (KRIs) and control performance measures.
  • Clear owners in the first line and how they escalate breaches.

Enhancing reporting and dashboards

Too often, risk reports are overloaded with immaterial detail and static data. The best keep reporting sharp – clear, timely, material. The ‘risk on a page’ informs this: reports should spotlight changes to major risks, shifts in control performance, KRIs breaching thresholds, and new or emerging exposures. This enables executives and boards to spend more time discussing real opportunities and threats, and how to respond to them. 

2. Embedding risk in decision-making

A robust framework means little if it sits to the side of real decisions. High-performing organisations embed risk into everyday choices and long-range plans.

Elevating the conversation

Too many risk discussions get bogged down in register reviews and low-level incidents. Leaders need to push the conversation ‘above the register’.

Practical ways to do this include:

  • Scenario planning: Structured sessions that test how plausible shocks, such as cyber-attacks, regulatory shifts or market downturns, would stress the organisation and how it would respond – including if several of those shocks occur at the same time.
  • Simulations and stress tests: Rehearsals for how playbooks hold up and how escalation pathways work under pressure.
  • ‘What if?’ debates: Probing what happens if assumptions fail or are understated, or risks escalate together.

We worked with the board and executive of a government agency to assess how resilient the organisation’s strategy was to major, disruptive, ‘outside in’ risks. This led to clear priorities for strengthening preparedness, setting up the organisation to respond decisively if these risks materialised. Discussions like these elevate risk from theory to action, exposing weak spots before they become problems.

Mapping and testing controls

A risk register without a control map is only half a tool. Mapping each major risk to its key controls is essential, but the real value comes from testing whether those controls are fit for purpose and truly effective. Are they well designed? Are they operating as intended? Will they hold up when conditions change or pressure increases? Where gaps emerge, they should drive focused improvement plans, with clear ownership, timelines and measures of effectiveness.

Tracking KRIs and control metrics

Most leaders love KPIs. Few give sufficient weight to KRIs, the early warning signals that something might be going wrong. Coupled with control performance metrics, simple, practical KRIs for major risks tell leaders whether mitigations are working or drifting.

Spotting emerging risks

While known risks get most of the attention, over-the-horizon threats (and the associated opportunities) can catch leaders off guard. Periodic deep dives on emerging risks help organisations stay prepared for the next wave of uncertainty.

3. Building a stronger risk culture and capability

A sound framework and good tools don’t mean much if the culture does not support them. Risk culture is the difference between box-ticking and real engagement.

Signalling conviction

Strong risk management begins with a clear ‘tone from the top’, where the CEO and executive team demonstrate that risk awareness is not a compliance burden but a strategic priority. A CEO who is conversant in risk, champions its importance, and keeps it visible on the organisation’s agenda sends a powerful signal that prudent risk-taking and transparency are valued. This visible commitment cascades through the organisation, influencing how decisions are made, how issues are escalated, and ultimately, how resilient the organisation becomes.

Speaking a common language

A healthy risk culture depends on a simple, accessible, practical shared language. Organisations should use relatable metaphors, clear examples, and near-miss stories to make risk real. This builds understanding and comfort with speaking up.

Bringing lines together

First- and second-line teams should not work in silos. Structured forums bring people together to help resolve grey areas, share perspectives and build trust. A risk management network that meets regularly is one simple but powerful way to keep conversations alive.

We helped create such a network for a major institutional investor, which led to improved relationships between the first and second line, increased familiarity with major risks and a shared understanding of the risk climate and the control environment.

Training and capability building

Capability must be built deliberately. Leaders need practical risk leadership sessions. First-line managers need coaching on how to own risks, monitor controls and act early. All staff need a baseline awareness of how to spot risks and escalate them without fear.

Right Lane Consulting’s 4Cs: making risk management real

At Right Lane Consulting, we ground all our risk work in the 4Cs, principles that keep risk management honest, practical and valuable.

Convergence
  • Elicit both top-down strategic perspectives and bottom-up frontline insights.
  • Look through reports to actual practice, testing, for example, whether controls operate as described rather than only as documented.
  • Keep reporting focused on what matters: aim for materiality, clarity and timeliness.
  • Scan the horizon and beyond, to help prepare for the unexpected.

Context
  • Clarify the value-add of risk management, beyond compliance to real downside protection and informed risk-taking.
  • Highlight how risk relates to other organisational commitments – purpose, values and expectations regarding ethical conduct – fostering clarity and alignment.

Culture
  • Build a risk-aware environment, using common language, stories and shared experiences.
  • Bring first- and second-line risk leaders together, building shared understanding and collective ownership.

Cadence

Design a healthy rhythm of risk reviews, but encourage leaders not to be trapped by the calendar. When risks shift, the response must shift too.

Where to next

For boards and executives who want to lift risk management from the minutiae of registers to a strategic capability, the message is clear:

  • Make major risks visible and actionable, with clear ‘risk on a page’ summaries.
  • Clarify roles and ownership so first-line leaders know what they own and how to act.
  • Define appetite and tolerances for what truly matters, and test them under stress.
  • Keep reporting crisp, so leadership focuses on insights, not noise.
  • Push the conversation above the register through scenarios and simulations.
  • Map controls, test them, and close gaps, with clear improvement plans.
  • Bring in KRIs and performance metrics, for early warning and assurance.
  • Look beyond today, with deep dives on what’s next.
  • Invest in people, with training, forums and a shared language.

A well-designed, operationalised risk capability is not an administrative burden; it is a source of resilience, agility and trust. When risk management moves beyond the register, when it is genuinely embedded in decisions, culture and strategy, organisations are stronger, braver and better prepared for whatever comes next.

The author wishes to thank the clients who reviewed drafts of this article for their thoughtful suggestions. Get in touch if you are interested in finding out more.

While all views and conclusions are the author’s own, the drafting process benefited from editorial support provided through OpenAI’s ChatGPT.