
Risk familiarity is not the same as effectiveness

Risk Governance Maturity
5 MIN READ

In a recent board review, a director described their organisation’s risk management as robust. Frameworks were in place. Risk appeared on every agenda. Reports were tabled regularly. When asked what evidence underpinned that confidence, the answer came quickly: “We’ve been doing this for years. We know our risks.”

That answer is more common than most boards would be comfortable admitting. And it points to a gap that sits quietly beneath the surface of many otherwise capable organisations.

Familiarity with risk is not the same as managing it well.

The comfort of routine

Most organisations can list their top risks without hesitation. Financial pressure. Workforce capability. Technology failure. Regulatory change. Reputation. Risk appears on board and executive agendas. Heat maps are reviewed. Assurance is provided, at least periodically.

Over time, this rhythm creates confidence. Processes become familiar. Reporting cycles feel reassuring. The assumption forms quietly that what has worked in the past will continue to work – that the system is sound because it has been running.

But routine is not evidence. A risk register that is reviewed on schedule tells you the process is functioning. It does not tell you whether the controls behind it are working as intended, whether risk appetite is genuinely shaping decisions, or whether your reporting would surface emerging pressure before it crystallises.

When confidence is rooted in familiarity rather than evidence, organisations can appear well-governed while remaining genuinely fragile.

What maturity actually looks like

Risk maturity is not built from documentation. It is built from the foundations beneath it.

In mature organisations, risk ownership is active rather than nominal – people can tell you not just who owns a risk, but what they are doing about it. Risk appetite shapes real trade-offs, not just committee discussions. Controls are understood by the people who rely on them. And reporting provides genuine insight – the “so what” and “now what” – rather than simply documenting the “what.”

Perhaps most telling: issues escalate early in mature organisations, before consequences crystallise. Emerging risks are discussed openly, even when the conversation is uncomfortable. Boards can articulate why they are comfortable with current exposure – not because they have been reassured, but because they have seen the evidence.

These foundations are less visible than a well-formatted risk register. They are also far more important.

The patterns that mask fragility

Some of the most common markers of “strong” risk management can also conceal its weaknesses.

Risk ratings that rarely change across review cycles. Consistently positive control assessments despite known operational pressure. Comprehensive reporting that overwhelms rather than informs. A heavy reliance on lag indicators that confirm what has already happened rather than surfacing what is building. These patterns do not reflect poor intent. They reflect governance that has evolved incrementally and has not been tested against the conditions it is expected to withstand.

When risk is treated primarily as a compliance discipline – something to be maintained rather than used – its ability to inform decisions diminishes. The artefacts remain. The underlying capability quietly erodes.

Why self-assessment is difficult

Risk maturity is hard to judge from the inside. Familiar processes feel sound. Governance rhythms generate comfort. The people closest to the system are often the least positioned to see where it is stretched.

This is compounded when different parts of the organisation hold genuinely different views. Boards may feel governance structures are sound. Executives may sense operational fragility. Managers may experience risk processes as burdensome rather than enabling. Each perspective is valid. None is complete on its own.

Without a structured lens, improvement efforts tend to become reactive. Policies are rewritten. Registers are reformatted. Reporting expands. Activity increases – but confidence does not necessarily follow, because the underlying foundations have not been examined.

A more useful question

The question most organisations avoid is not “do we manage risk?” – almost all of them do, in some form. The more useful question is: what evidence gives us confidence that our risk management will hold up when conditions change?

That question sits at the heart of risk governance maturity. And it is where structured assessment – rather than internal reflection alone – tends to make the most difference.

Insync’s THRIVE Risk Governance Maturity Assessment examines six interconnected dimensions of risk governance: tone from the top, a holistic risk view, risk appetite clarity, insightful reporting, value protection and creation, and embedded accountability. Together, they provide a disciplined way to identify where foundations are genuinely strong, where maturity is uneven, and where confidence currently rests more on familiarity than evidence.

The goal is not to find fault. It is to provide the clarity that allows organisations to strengthen their governance with focus and intent – rather than simply adding more activity to a system that may already be under strain.

The harder question

Mature risk governance does not eliminate uncertainty. It does not prevent all surprises. What it provides is confidence that the right things are being watched, that signals will surface early, and that decisions are informed by evidence rather than assumption.

If your organisation has a well-functioning risk management system, that is worth protecting. The question worth sitting with is whether the foundations beneath it are as strong as the system above them appears.

To explore how the THRIVE framework applies to your organisation, contact Murray Chapman at mchapman@insyncboards.com or Susan Staples at sstaples@insyncboards.com.
