The Growing Visibility of Risk Management
Over the past two decades, risk management has become increasingly visible within organisations. Concepts such as risk governance, resilience, risk appetite, risk culture, strategic risk, emerging risk, cyber risk, AI risk and third party risk now appear in business discussions, professional events, training programmes, certification courses, advisory conversations and public commentary. This wider use of risk concepts and language reflects how much the profession has grown, and it also shows that organisations are paying much closer attention to risk in an environment shaped by technological disruptions, regulatory pressure, environmental changes, geopolitical instability and changing stakeholder expectations.
This development should be welcomed because it shows that risk management is no longer treated as a narrow back office protection or a compliance activity that is brought in only after the important decisions have already been made. More people are speaking about risk, more organisations are including risk considerations in their strategic and operational planning, and more professionals are expected to understand how risk may affect outcomes. At the same time, the wider adoption of risk management terminology has paradoxically created another issue that deserves attention. As certain words become widely used and familiar, there is a tendency for people to assume that the underlying discipline they refer to is well understood and that people know what they are talking about. Is that really always the case?
The Illusion of Understanding
Every profession develops its own language. Medicine, law, finance, engineering, technology and governance all rely on specific concepts and terms that allow practitioners to communicate ideas with precision. Risk management is no different. The specific risk language is useful because it helps people clarify complex issues, establish shared understanding and discuss matters that may otherwise remain vague or scattered with inadequate labels.
The problem arises when the language itself begins to carry more weight than the thinking behind it.
A discussion may sound solidly grounded because the right key concepts and words are used. A presentation may sound informed because it refers to recognised frameworks or standards. A panel discussion may sound persuasive because familiar concepts are mentioned with confidence. The surface of the conversation appears professional; however, when we scratch beneath the surface, we quickly realise that the deeper layers of analysis remain largely unexplored.
This is where the distinction between talking about risk and practising risk management becomes important. Many people are now familiar with risk terminology, and some can use it fluently in professional discussions. Familiarity, however, is only the first layer. Real competence begins when the discussion moves into how the concept is developed, applied, tested, challenged and translated into real decisions.
The Questions Behind Risk Appetite
Risk appetite is a useful example because it is one of the most widely used concepts in modern risk discussions. When a business opportunity is being considered, a strategic initiative is proposed, or a new investment is being discussed, it is common for someone to ask about the organisation’s risk appetite. The question is valid because decision makers do need to understand the amount and nature of risk the organisation is prepared to accept in pursuit of its objectives.
However, asking “what is our risk appetite” is often treated as sufficient in itself.
The discussion quickly becomes focused on whether a proposal falls within a predetermined threshold, limit, or statement, with little attention given to how that appetite was developed or whether the underlying assumptions remain valid. It should not stop there. It should open the door to a much deeper set of questions:
- How was the appetite developed in the first place?
- What objectives does it support?
- What assumptions sit behind it?
- What level of capacity does the organisation have to absorb loss, disruption or failure?
- What capabilities are needed to take that risk responsibly?
- How does the appetite differ across business activities, markets, customer segments or time horizons?
- What happens if circumstances change after the decision is made?
Once these questions are asked, the discussion becomes very different. The focus moves beyond the existence of a risk appetite statement and towards the judgement, capability, timing, trade-offs, accountability and consequences that influence how decisions are actually made.
Looking Beyond the Labels
The same pattern can be seen across many other risk concepts.
- Risk governance is often mentioned, although the real issue may be how decisions are made, how information is escalated, how accountability is carried, and how and by whom difficult matters are challenged before they become larger problems.
- Resilience is often mentioned, although the real issue may be whether the organisation has the people, systems, leadership discipline and financial capacity to continue operating under intense stress.
- AI risk is often mentioned, although the deeper conversation may involve data quality, model dependency, vendor exposure, operational redesign, workforce capability gaps, business model changes, competitive positioning and the consequences of adopting too fast or too slowly.
The terminology itself is rarely the difficult part. Most experienced professionals can explain what governance means, describe risk appetite, or discuss resilience. The real test often comes when these concepts need to be applied in situations involving risk, competing objectives, limited resources, and imperfect information. Understanding these layers takes time, experience, and a willingness to keep asking questions after the concepts have been introduced. This is often where assumptions are tested, competing priorities emerge, and the implications of a decision become clearer.
This is why the ability to speak confidently about risk should not be confused with the ability to practise sound risk management.
Speaking requires some level of familiarity with concepts. Practice is much deeper and requires the ability to work through complexity, connect information from different sources, understand how decisions may unfold over time, and recognise how one risk can create consequences across different parts of an organisation.
Risk Exists With or Without a Risk Function
One common misunderstanding is the belief that risk management begins only when an organisation establishes a risk function, appoints a risk manager, creates a risk register or introduces a formal framework. In practice, every organisation manages risk because every organisation makes decisions under conditions of uncertainty.
- A business that expands into a new market is managing risk.
- A company that hires senior talent is managing risk.
- An institution that invests in technology is managing risk.
- A management team that chooses to delay action is also managing risk, even if the decision is framed as caution.
The difference lies in the quality of thinking behind those decisions.
Some organisations still mostly manage risk informally, relying heavily on instinct, past experience, authority or habit. Others manage it more consciously by examining objectives, assumptions, exposures, controls, opportunities, consequences and early warning signals. Formal risk management frameworks can support this process, but they do not replace the need for sound judgement. Without sound judgement, they are just a compliance procedure.
This is where Enterprise Risk Management becomes especially relevant. The emergence of Enterprise Risk Management reflected changes in the operating environment faced by organisations. As risks became increasingly interconnected and organisational decisions began producing consequences across multiple functions, traditional silo based risk approaches became less effective. A broader perspective was needed to understand how risks interacted, accumulated and influenced organisational objectives.
Speaking Is Not Capability
The growing visibility of risk management and the use of risk language has helped raise awareness, and awareness is an important starting point. However, awareness should not be mistaken for understanding and competence.
- A professional may know the meaning of a risk term without knowing how to apply it in a complex organisational setting.
- A speaker may discuss risk appetite, governance, resilience or AI risk with confidence, while still remaining at the surface of the subject.
- A manager may feel assured by the use of the right risk terminology in a report without fully understanding whether the underlying analysis is sufficiently robust.
Competence develops through deeper exposure to, and practice in, how risks are identified, assessed, prioritised, communicated, governed, monitored and linked to decisions.
It also develops through experience with ambiguity, competing interests, imperfect information and consequences that do not always appear immediately. These are the parts of risk management that are far less visible in public discussions, although they often determine whether the work has real value.
Familiarity with risk terminology can be developed relatively quickly. Developing the judgement required to apply those concepts across competing priorities, organisational constraints, and uncertain situations is often a much longer and more challenging process.
Evaluating Expertise
As risk management has become more visible, organisations are faced with a growing range of choices when selecting trainers, facilitators, consultants, advisors, and risk professionals. Professional profiles, conference appearances, panel discussions, articles, certifications, and social media commentary often provide the first impression of expertise. In many cases, they also shape perceptions of what risk management involves.
The ability to discuss governance, resilience, risk appetite, AI risk, culture, or enterprise risk may reflect familiarity with important concepts. What is often less visible is the depth of understanding behind those concepts, how they have been applied in practice, how they influence decision making, and whether the individual has the capability to deal with the complexities that arise when theory meets organisational reality.
This may explain why professionals with similar titles, credentials, or public profiles can possess very different levels of experience and capability beneath the surface.
Some practitioners spend years implementing frameworks, facilitating risk assessments, supporting strategic decisions, challenging assumptions, integrating risks across functions, and helping organisations work through uncertainty. The distinction becomes even more important in Enterprise Risk Management, where practitioners are expected to understand how risks interact across organisational objectives, functions, stakeholders, and decision making processes rather than viewing individual risks in isolation. Much of this work receives far less attention than the apparent ability to use the key terminology, despite being where many of the most valuable lessons are learned.
Beneath the Language of Risk
Few would dispute that risk management is far more visible today than it was two decades ago. More people are talking about risk, more organisations are paying attention to risk, and more decisions are being examined through a risk lens than at any point in the profession’s history.
At the same time, visibility has a tendency to simplify complex disciplines. Concepts that once required years of study and practice can gradually become reduced to familiar concepts, key words, recognised frameworks, and commonly accepted terminology.
The fluency of the risk language becomes easier to access than the thinking that originally gave rise to it.
Perhaps this is why some of the most valuable risk discussions begin only after the terminology has been introduced. The first layer often provides a useful starting point. The layers that follow tend to reveal the assumptions, trade-offs, interdependencies, capabilities, constraints, and consequences that shape real decisions.
New concepts and terminology will continue to emerge, but the future of the profession is more likely to be shaped by whether organisations, practitioners, and leaders continue asking the deeper questions that sit beneath the terminology.
After all, the use of fancy concepts and terminology is usually the easiest part of the conversation.