
Risk management is not what it used to be. What was once a back-office checklist of compliance and controls is now a front-line player in a world of cyber threats, regulatory curveballs, and market shocks. The old playbook of react, report, repeat will not cut it anymore. Organisations need a risk function that does not just survive the future but shapes it. This means cultivating a culture that breathes risk awareness, embedding behaviors that make frameworks like the three lines of defense work in harmony, and investing in people who can think ahead, not just catch up. Here are some ideas on how to get there. 

Crafting a risk culture that sticks 

A strong risk culture is not a memo from the top; it is a mindset that runs through every desk from the C-suite to the mailroom. It starts with leaders who do not just preach caution but live it. Some management meetings kick off with a quick “risk moment,” for example a story about a near miss or a smart save. It is not flashy, but it signals that risk is not someone else’s job; it is everyone’s. Over time, that trickles down, and staff start flagging oddities without prompting, like a strange vendor invoice or a glitchy login. 

But culture is not shapeless. It needs structure to stick. Clear policies help, such as a no-blame rule for reporting mistakes so that people feel safe speaking up. Pair that with visible wins, like celebrating a team that caught a phishing scam before it spread, and momentum builds. The goal? Risk becomes less of a burden and more of a reflex, something people do because of who they are, not because they are told to. 

Behavioral norms that power the framework 

The three lines of defense, that is, business units owning risks, risk teams overseeing them, and auditors checking the system, sound great on paper. But the model falls apart without the right behaviors holding it together. First up is accountability. Front-line staff need to see risk as part of their day-to-day, not a handoff to the “risk people.” For example, a bank manager trains tellers to question sketchy transactions, not just process them; small moves like that keep the first line solid. 

The second line, risk management itself, thrives on curiosity and directness. It needs to ask tough questions, “Why is this process lagging?” or “What is the CISO not telling us?”, and push back when the answers do not add up. The risk team’s mantra is “trust but verify.” They are partners, not cops, but they do not let sloppy assumptions slide. For the third line, independence is non-negotiable. Auditors cannot cozy up to the business. They need the guts to call out gaps, even when it is awkward. 

Some companies ditch the three lines for leaner setups, such as integrated risk committees. Whatever the model, the same norms apply: own your piece, challenge the status quo, and do not dodge the hard stuff. Without that, any framework is just a flowchart gathering dust. 

Training the risk team of tomorrow 

Building a future-ready risk function means betting big on people. Training cannot be a one-off seminar; it needs to evolve with the risks. Start with the basics: give staff a firm grip on tech-driven threats like AI failures or cloud breaches. Some companies now send risk analysts to coding bootcamps, not to turn them into developers, but to demystify the systems they are guarding. It is practical, not academic, and it pays off when they are dissecting a vendor’s security pitch. 

Beyond tech, prioritise adaptability. Risks shift fast (remember the COVID-19 pandemic or the crypto meltdowns), so staff need to pivot just as quickly. Scenario planning workshops help: teams game out wildcards like “What if our supplier is hacked?” Risk teams in energy companies run these quarterly, and it has sharpened their instincts. Soft skills matter too, such as communication to sell tough calls to the board, or collaboration to sync with IT and compliance. One concrete example is pairing risk officers with sales representatives for a few months; it is awkward at first, but it builds empathy across the lines. 

Professional development is not cheap, but it is cheaper than a blind spot. Certifications like FRM are table stakes; the real edge comes from cross-training. Rotating a risk analyst into operations for six months, say, is chaotic, but it breeds a team that sees the whole chessboard, not just its corner. 

Tying it all together 

Future-proofing risk management is not about chasing the next big tool or rewriting the organisational chart; it is about rooting the function in culture, behavior, and capability. A risk-aware organisation does not happen by accident; it is built through consistent signals and systems that make vigilance second nature. Behavioral norms such as accountability, curiosity, and independence turn frameworks into living things, not paper tigers. And a well-trained team, armed with tech savvy and agility, keeps the function sharp for whatever is coming. 

The risk landscape will not slow down. Cybercriminals do not clock out, and regulators do not nap. But with a culture that is awake, a framework that is alive, and people who are ready, the risk function can do more than weather the storm; it can steer the ship.


As published in The Manila Times, dated 21 May 2025