From “we know it’s not working” to clearer risk governance

“I know risk is a problem in our organisation,” a client said recently.
“We just don’t know where to start rebuilding it.”

It’s a comment heard more often than most Boards or executives would admit publicly.

Sometimes the issue is fragmentation – risk processes exist, but feel disconnected.
Sometimes it’s over-engineering – documentation is strong, but confidence is thin.
Sometimes it’s cultural – issues surface too late, or ownership feels unclear.

And sometimes, the discomfort is harder to articulate.
Something feels fragile – but no one can quite pinpoint why.

In each case, the question isn’t whether risk management exists.
It’s whether it is strong enough to be relied upon.

When confidence outpaces clarity

For organisations already sensing that something isn’t quite right, the challenge is not awareness – it’s clarity.

Where exactly are the weaknesses?
Are they structural, behavioural, cultural – or simply uneven?
Is the issue appetite, ownership, reporting, assurance – or all of the above?

Without a clear lens, improvement efforts often become reactive.

Policies are rewritten.
Registers are reformatted.
Reporting expands.
Controls multiply.

Activity increases – but confidence doesn’t necessarily follow.

What’s missing is not effort.
It’s evidence about how strong the foundations really are.

From discomfort to diagnosis

A common challenge is that different parts of the organisation see risk differently.

• Boards may feel governance structures are sound
• Executives may sense operational fragility
• Managers may experience risk processes as burdensome rather than enabling

Each perspective is valid – but incomplete.

Before rebuilding, organisations need a shared and disciplined way to diagnose.

That diagnosis should answer a small number of fundamental questions:

• Is leadership setting a clear and consistent tone?
• Is risk appetite shaping decisions – or sitting on paper?
• Are controls understood and relied upon?
• Does reporting provide insight – or simply volume?
• What evidence actually underpins Board confidence?

These are governance questions – not operational ones.
And they sit at the heart of how risk is overseen at the top of the organisation.

A more structured way to understand risk governance

When organisations begin to question their risk oversight, it is rarely because everything is broken.

More often, governance has not kept pace with change.

Strategy evolves.
Complexity increases.
Expectations rise.

But governance structures, reporting, and decision frameworks don’t always evolve at the same speed.

The result is a subtle but important gap: Oversight exists – but confidence in that oversight begins to erode.

Closing that gap requires more than incremental fixes.
It requires a structured way to understand how risk is actually being governed.

Introducing THRIVE: a disciplined lens

The THRIVE Risk Governance Maturity Assessment provides a structured, evidence-based way to assess how effectively risk is governed at the top of the organisation.

It does not assume governance is broken.
Nor does it assume it is strong.

Instead, it asks a more useful question:
How mature – and how reliable – are our foundations of risk governance?

The framework examines six interconnected dimensions:

• Tone from the Top – Clear leadership expectations shaping disciplined risk behaviour and accountability
• Holistic Risk View – Integrated, enterprise-wide view across strategic, operational and emerging risks
• Risk Appetite Clarity – Clearly defined appetite actively guiding decisions, trade-offs and prioritisation
• Insightful Reporting – Forward-looking reporting providing clear insight, trends and escalation signals
• Value Protection & Creation – Protects value while enabling opportunity and risk-adjusted performance outcomes
• Embedded Accountability – Clear ownership, roles and responsibilities consistently applied across governance layers

Together, these dimensions shift the conversation from intuition to insight:

Where are we strong? Where are we exposed? And what matters most to address?

Rebuilding with focus, not reaction

One of the most valuable outcomes of a structured assessment is prioritisation.

When maturity is uneven, not everything needs to be fixed at once.

Instead, organisations can focus on the few areas that will have the greatest impact on confidence and decision-making.

That might mean:

• Clarifying ownership and escalation pathways
• Making risk appetite practical and usable
• Strengthening the credibility of reporting and assurance
• Simplifying controls so they are genuinely workable

The shift is subtle but powerful:

From activity to impact.
From reaction to intent.

From evidence to confidence

Ultimately, risk governance maturity is about moving from assumption to evidence.

When organisations say, “We know risk is a problem,” what they are often describing is a loss of confidence – not a lack of activity.

Something feels misaligned.
Over-engineered.
Or fragile.

A structured assessment brings that into focus.

It provides a disciplined way to surface gaps, align perspectives, and strengthen how risk is governed — at the level where it matters most.

Because risk governance is not about eliminating uncertainty.

It is about ensuring that Boards and executives can make decisions with clarity, alignment and confidence — even in the presence of it.

A simple question to start

For organisations ready to move from concern to clarity, the starting point is simple:

Do we truly understand how mature our risk governance is – and what evidence supports that view?