Podcast
Turning vision into action: ORX’s strategic evolution for ONFR
13 January 2026
About the episode
In this episode of the ORX Operational Risk Podcast, host Steve Bishop is joined by Luke Carrivick and Simon Wills to delve into the refresh of our Strategic Vision for Operational and Non-Financial Risk (ONFR). The discussion centres on the evolution of the vision, its significance for the risk management community, and the steps risk leaders can take to strengthen resilience and achieve strategic success through 2026 and beyond.
“For years and years, we focused on the downside of things that have happened in losses. But focusing on success and the upside is a really healthy step forward.”
Luke Carrivick
The updated Vision reflects the changing risk landscape, influenced by factors such as geopolitical volatility, digital transformation, and increased interconnectivity.
Key actionable strategies for risk leaders highlighted in the podcast
- Assess your ONFR framework – ensure alignment with the refreshed Vision.
- Invest in digital risk management – build technology and leverage AI and data for speed and scale.
- Engage with peers – participate in ORX forums and the community to share and learn.
“Resilience is definitely front and centre for everybody, though. It's a key objective for non-financial risk managers. And I think the key theme is how to integrate that rather than to do it separately.”
Simon Wills
Episode resources
- Download the updated ORX Vision – available to all listeners
Listen to the full episode to learn more
This podcast is available on Apple Podcasts, Spotify or anywhere else you get your podcasts from (search for 'The ORX Operational Risk Podcast' to find us.)

Episode transcript
Steve: Hello and welcome to another episode of the ORX podcast. I'm Steve Bishop and today I'm joined by Luke Carrivick and Simon Wills as we discuss a 2025 refresh to the Strategic Vision for Operational and Non-financial Risk.
Steve: We'll talk about what's involved in the vision, why these updates matter, and how risk leaders can build resilience and achieve strategic success through 2026 and beyond.
Steve: So, it's 12 months since our vision was published. The risk landscape has definitely shifted. We've seen factors like geopolitics, digital transformation and growing interconnectivity continuing to fundamentally change the environment.
Steve: And today, we'll share insights from the updated version and what this means for risk professionals. So, then we're going to begin by exploring the drivers behind this refreshed vision.
Steve: I think we believe that understanding what prompted the changes and the thinking behind them is key to appreciating their impact. And to kick this off, I'm going to turn to you, Luke, if that's okay.
Steve: What inspired the refreshes of ORX’s vision?
Luke: Two reasons, really. Firstly, it was always the intention. The ambition was that it was going to be a living document. It's not a radical change from last year, but for it to remain valuable, we do need it to reflect the most contemporary thinking.
Luke: So that's the first thing that it was the plan. Secondly, I think it's because it was a success. So, it resonated. It was well-received. It stood the test of time.
Luke: It's been a really useful tool for when we have discussions within the industry, and more and more it's becoming a framework to understand where we're heading and where the progress is being made.
Luke: The other thing that we've seen in the last 12 months is that there is an increasing link between good non-financial risk management and success.
Luke: So, there is an upside to non-financial risk. A lot of that is really about understanding the risks you're taking, minimising the downsides, but also linking how you manage risk to strategic success as well.
Luke: And I think that's a really positive step for the discipline. For years and years, we focused on the downside of things that have happened in losses. But focusing on success and the upside is a really healthy step forward.
Steve: Great. Thanks, Luke. And so over the past year, we've held lots of discussions with our leaders community. Turning to you, Simon. Based on these discussions, could you elaborate on how sort of feedback from those risk leaders has influenced the refinement of the vision?
Simon: Thanks, Steve. Well, yeah, I'd start perhaps where Luke left off. Which is to say that I think the vision we articulated last year was fundamentally right.
Simon: So really, I think what we've seen this year is it's sort of themes that were in that vision strengthening and coming to the fore. And really, I think we'd highlight six items.
Simon: So first is the need for non-financial risk managers to become more strategic as non-financial risk becomes more important to the achievement of strategy. And I think we see that as a challenge and an opportunity.
Simon: Secondly, and I know this one is close to your heart, Steve, that resilience is very definitely front and centre for everybody, though. It's a key objective for non-financial risk managers. And I think the key theme is how to integrate that rather than to do it separately.
Simon: Thirdly, and again we heard this last year, but again it's every conversation almost it is about speed. How do we keep up with the business? How do we keep up with the environment that we operate in?
Simon: Fourthly, no surprise is digitalisation and artificial intelligence a massive focus for everybody, but I don't think yet a really clear direction, a clear kind of strategy, especially to how we might use AI. Fifth is around communication.
Simon: Perhaps in the absence maybe of comprehensive metrics for non-financial risk, how we communicate, how we take the diverse sources of information, insight we've got and stitch them together into a compelling story.
Simon: And then finally, and again, this is sort of the expansion of a theme that was always there. The increased emphasis on outside-in risk. So, risks that come from it, a very volatile geopolitical environment, risks that come from a very fast-moving technological change environment.
Simon: Those would be the six things: strategy, resilience, speed, digitalisation and AI, communication, and that outside-in shift as a sort of source of risk.
Steve: Great. Thanks, Simon. I want to pick up on a sort of the, I guess, number one and number two points that you sort of raised there, resilience and strategy.
Steve: And Luke, I wonder if you could perhaps expand on those a little bit more and talk a little bit about why they are so the core objectives in the refreshed vision?
Luke: Yeah, it's a largely just kind of build on what Simon said. Those two themes were always in there to a certain extent.
Luke: But we've really chosen to elevate them more than anything else in this iteration of the vision that we even have a tagline in the insurer resilience today and strategic success tomorrow.
Luke: And I think the reason that they're probably more important than they were, say, a year ago, is just a reflection of the world that we're living in at the moment. There's an awful lot of volatility.
Luke: As Simon said, there's an awful lot of challenges to assumptions that were made many years ago when people were working through those. And quite often they have a strategic angle or an angle which impacts resilience as an organisation.
Luke: So just going into a little bit more detail, as Simon said, I think it's really clear that to be successful strategically, you do need to be good at non-financial risk management.
Luke: And these days, strategy always involves taking some non-financial risk. I think that was possibly overlooked in the past, but things like, how you choose to adopt AI will have a profound impact on your non-financial risk profile.
Luke: So, on the resilience side, similar in a way, lots of focus on digital. We've got a geopolitical angle, all of those things are affecting the resilience of organisations as well as some regulatory pressure in jurisdictions as well.
Luke: And all of that does relate back to the strategy. So, how resilient the organisation is, particularly when you think about things like the complexity of your third parties or your supply chain.
Luke: Some of that is a consequence of historical strategic decisions that may well have been made absent much thoughtful risk or resilience. So, that's one of the things that we're seeing. People are now taking that more seriously.
Luke: And I think the penny's dropped to a certain extent that some of those strategic decisions do have an impact on your kind of future risk profile and your resilience as well.
Luke: And perhaps in the past, they were sometimes made primarily around kind of economic kind of affordability decisions rather than risk being part of that discussion.
Steve: Great. Thanks, Luke. Hopefully, that gives everyone a sort of a good overview of the key drivers, some of the key changes that we've seen in the vision.
Steve: Well, what I'd like to do now is perhaps turn to some of the more practical aspects of the vision. So, the year is a long time in risk management.
Steve: And I think despite all of the challenges that have just been outlined, financial firms have made a huge amount of progress towards shared vision. I think this has come through loud and clear in both the individual discussions we've had with our members, but as well as the sort of collective sessions, particularly with our latest group.
Steve: So, we're now going to talk about the sort of pathway that we've set out for successful operational and non-financial risk management. That pathway's grouped into three areas. The first is laying fit-for-purpose foundations.
Steve: We set out that they are governance, culture and communications, skills and your framework. The second area is building a digital core that's using data technology, including AI, to match the digitalisation across the business.
Steve: And then thirdly, it's around developing new insights and sort of new capabilities. And this is where risk teams can really make a difference, I think where they focus on emerging risks, the risks that are within that ecosystem, the risks of the rapid change that's going on within their business, and then also how they understand how all these risk components come together to challenge their organisation.
Steve: Simon, perhaps you could sort of lay out which of the foundations you think have really come to the forefront this year, and perhaps why they're so critical.
Simon: Yeah. I mean, again, Steve, I think the pathway looks right a year on, which is gratifying.
Simon: And seems to have really resonated with people. One element that we got wrong in a kind of weird way is I think when we published the original vision, we articulated a concern that people would kind of treat those elements of the pathway as a sort of a sequence that you have to build to fit foundations.
Simon: Then you have to do digital stuff, and then you generate the new insights and capabilities. And that that actually hasn't happened, is I think certainly there's continuing degree of focus on building those fit foundations, especially around we've already mentioned skills and communications.
Simon: But really, I think for some firms at least, we kind of get a sense that that project, which is a project of the last 5 to 10 years for many firms, is really coming to fruition that they've got that single framework in place, that they've got a governance structure that brings all those pieces together, that they've started to change the skill set of their teams.
Simon: So, I think we're kind of seeing almost like the reward of that decade of effort. And then actually, because there's been that demand from senior management, people have kind of leapfrogged the digital bit almost in the last year. I think this is what we saw, I’d be interested in your view. You get into those kind of insight and capability challenges that there hasn't been the time to wait.
Simon: To get the perfect answer. We need an answer now to how do we get a better view of emerging risk? How do we get a better grip on change risk management? How do we bring those pieces together, connect the dots, create that holistic view, and we need to do that now because business is moving fast, the environment's moving fast.
Simon: Senior management are asking us for answers. And I personally think that that's meant that people have had to be really positively pragmatic. They, we've been guilty as a discipline in the past. I think, of kind of seeking that the perfect answer.
Simon: And really, we've had to kind of move fast, come up with solutions that use what we've got and deliver as good a solution as we can. And then I think that digital piece is really, at least in my view, going to be the defining project for the next ten years of operational and non-financial risk.
Simon: And that's because, you know, it will move at the pace with which the business digitalises, but also it will move at the pace where any IT project, any IT transformation moves, which is it? Would a little bit slower. Yeah.
Simon: That would be my view is that the foundations are pretty solid for lots of people. We've used those foundations to address those kind of higher order challenges in the short term.
Simon: And the next big kind of generational challenge for non-financial risk will be that digitalisation at the core of what we do.
Steve: Brilliant. Thank you. Yeah. No, I’d agree, I think with that particularly that insights and capability piece, the demand has been driven probably through a couple of factors.
Steve: Firstly, you know I call out one of the things we mentioned earlier, the sort of geopolitical environment has placed demands on our colleagues in the risk teams to be pragmatic, to operate at speed, to provide views to business leaders that perhaps push them outside their comfort zones. I suspect that they've been able to adapt and take maybe some of the traditional tools and use them in a very practical and efficient and effective way.
Steve: I think we've heard that particularly around scenarios over the course of the last year. But I think above all of that, you see in and, you know, a risk that's elevated to the fact that it's on, it's on the tip of the tongue for business leaders, it's really core to what they're doing.
Steve: And that is going to continue to drive demand on risk teams to be able to deliver those insights, and particularly to risk committees, to leadership committees.
Steve: And I think at the moment, they're probably doing that in a slightly more hand-knitted way. And that sort of building that digital backbone is going to be what enables them perhaps to do that more effectively over time.
Steve: So, I think you're right. I think that that sort of digital core project is really what many are sort of facing into. And trying to make that incremental progress with now.
Steve: So, thanks, Simon, for that. Luke, one of the things we've also heard loud and clear across the course of the last year is how resilience and risk are really coming together perhaps over time, they've been sort of separate concepts.
Steve: But I think we're seeing them really come together as one. Now we're seeing that being driven within businesses. I think we're also seeing that being driven within the regulatory environment as well.
Steve: What are your views on sort of how organisations are practically beginning to bring those concepts together?
Luke: Yeah. Good question Steve. I could speak about it for a lot longer than I will. So, I would encourage people to go onto our website and have a look. We’ve got a lot of material on resilience, but I'll talk about it a little bit.
Luke: I mean, the first thing is resilience is widely seen as an outcome of good and robust risk management these days. So, that's kind of agreed pretty much by everybody.
Luke: Quite hard. What that means in practice is variable. And I think in terms of frameworks, at one end of the spectrum, we do have very integrated risk and resilience frameworks.
Luke: And the, the other end of the spectrum, so really no integration at all. And I talk about the kind of sliding scale across those firms. So, at some have brought risk and resilience together under a single framework that, obviously brings some efficiencies.
Luke: There are challenges with that approach as well. And we often see that in those jurisdictions where there's a lot of regulatory focus on it.
Luke: So, demonstrating that you're taking the regulation seriously by bringing everything together. There are probably a majority of firms in the middle, which is more like a practical alignment.
Luke: So, potentially separate programmes for risk and resilience linked within some kind of overarching framework. And then at the far end of the spectrum, we do have people who've maintained separate approaches, which could well lead to silo working, duplication of efforts, some of the efficiencies that you get from an integrated approach, you wouldn't see.
Luke: And one of the challenges in those instances is that it's really incumbent on stakeholders to bring the insights together from the two frameworks. Quite what people have done is influenced by regulation quite a lot.
Luke: We do see more integration in the more mature regulatory jurisdictions. It's influenced by the maturity of your practices and some of the individual operating models as well.
Luke: So, like a lot of things that we see in frameworks, it really depends on the situation. But what does any of that mean in practice in terms of how are things being integrated.
Luke: We see process-based risk assessment. So, that's taking that horizontal view assessing the risk and controls in that direction. So, rather than a kind of traditional silo view or thinking about risk by risk, thinking about things horizontally. We do see resilience included in risk appetite statements sometimes. We've seen a lot of resilience scenario testing, that's very popular.
Luke: So, that's testing your resilience using scenario analysis as well as integrating, reporting and tooling. So, how those things work really depends on the decision you've taken to integrate or not resilience and risk management.
Luke: What I do see, in the leading firms is I think I wouldn't underestimate the challenge of maintaining that resilience framework. I think when we shift from a project to a kind of a BAU world, maintaining an accurate picture of what critical services do look like is very complicated and time consuming.
Luke: And the other thing I see as well is that I do think there have been some cultural shifts, some changes in the way that people think as a consequence of bringing risk and resilience together.
Luke: So, we see this particularly in firms where there is a big regulatory focus. It's really forced people to think about things in a very different way, and a lot of that comes from that horizontal end-to-end critical service perspective rather than that siloed view that we would have had for years.
Luke: And that affects the way people think about risks, the way that they structure their teams, the way that things are owned within an organisation as well.
Steve: Great. Thanks, Luke. Just sort of picking up on that last point around culture, I think we in a panel at the Risk Minds conference on this topic that point came through loud and clear and how risk and resilience need to be thought about as a concept that and driven into sort of strategic thinking and how organisations operate.
Steve: And that was sort of called out almost as one of the biggest challenges of sort of integrating those, those concepts. So, it'll be interesting to see how that progresses over the next couple of years.
Steve: And going to change direction a little. Now, we've heard from members, and Simon sort of touched on it earlier, how sort of digitalisation and AI are transforming operational non-financial risk management.
Steve: Luke, I'm going to come back to you again, if that's all right. How are organisations leveraging technology to deliver new insights and capabilities at scale and speed?
Luke: Good question. So, as we've mentioned before, the term we use in the vision of digital core that really encompasses data, new technology, automation, AI, all of these things come together to provide that, that kind of foundation on which you could do risk management.
Luke: And I think 2025 was a year of real progress, particularly in AI. So, prior to 2025, I think we've talked a lot about ambitions, ideas they had for applying AI. And actually, we've seen some real material progress to applications being rolled out.
Luke: Quite often they are leveraging the same kind of ability of AI to aggregate, summarise, compare, particularly text information. So, using large language models for what they're good for, which is bringing that text together.
Luke: So, we've seen applications in lots of areas. Things like kind of control descriptions, regulatory reporting, opening up the frameworks of reducing the friction, lowering the barrier to people understanding what they should be doing.
Luke: But all of that is probably not that advanced compared to what generative AI might bring in the future, but it's certainly a fantastic progress. And we see that being made across the globe in different institutions. An interesting thing that has cropped up, and I think this is one of the barriers to more sophisticated AI.
Luke: Is that people are now taking data quality really seriously. They realise that you do need the foundation of very good quality data to be able to do more of that sophisticated AI.
Luke: So, people are working on that. I think some people have found that prior work that they've done, for example, the work ten or so years ago on BCBS 239 is proving useful now. It's a useful foundation to build on.
Luke: In other areas I think I've also noticed that we see more maturity in the way people are thinking about AI. So, the framing of AI as a tool for the risk professionals, people seem more comfortable in that these days and more comfortable in the role AI will play in their jobs in the future.
Luke: So, that's a kind of another side of maturity as well as those applications. So, I think overall we have moved from experimentation to much more programmatic use cases. I think there is sort of further ambition, things like agents, multiple agents, agent ecosystems. But a lot of that is really frontier work.
Luke: And I think you hear that in the conferences. I think that's where people are pushing the boundaries. But we haven't really seen much of that being rolled out.
Luke: So, you don't see agentic risk management happening right there. But maybe that's for this year or next year or into the future.
Steve: Great. Thanks. Thanks, Luke.
Steve: So, the final area we're going to look at is we're going to look forward.
Steve: Question to Simon. Do risk leaders need to act now? And I'm assuming you're going to say yes. If so, where should they focus?
Simon: I think they needed to act before now. Steve. So yes, very much so. The business is creating the future now, and we need to be part of that conversation.
Simon: I think, I mean, it'd be very easy to discuss lots of, we have already discussed how you do that. You know, the people you need, the data you need, the technology you need.
Simon: But those will be different for everybody who's listening, depending on where your strengths and weaknesses are.
Simon: But I think if we boil it down to what we need to do, and I think urgently we need to work out essentially two things, I think, which is the first is, is how do we do operational non-financial risk management at scale.
Simon: So, our businesses are building in scale is their core objective in terms of the economics, the way that they serve customers. And I think we need to work out how we do operational and non-financial risk management at the speed of the systems that they're building at the scale, at the systems that they're building, and in a way that helps those systems be resilient.
Simon: So, I think that the first core strategic, what, is how do we do this scale. And I think my view again is a be Luke, Steve, really interesting your views that feels like a familiar problem to us.
Simon: And I think I can see us solving that. I think the second what is enormously more challenging for us, and that's how do we do operational and non-financial risk management at speed. So, our businesses are trying to move faster.
Simon: The world is moving faster. How do we help our businesses be successful in that environment?
Simon: What information do we need? What people do we need? What culture do we need?
Simon: All of those things, and I guess I'm much less comfortable. That speed is part of our DNA as risk managers.
Simon: But it needs to be going forward. And I think there's a real urgent need to work out what fast risk management looks like. And I don't sense that we've got a good answer there yet, Steve, Luke, you may disagree with me, but I think those are the two key what’s where we urgently need to have a strategy is how do we do this at scale, and how do we do this at a speed.
Steve: Yeah, no. I’d agree. I think you've got the that on the head. I don't think it's a natural part of the sort of history of risk DNA typically this the speed bit. But we do see efforts.
Steve: We've seen efforts this year to really sort of drive speed. I don't think we've got systemic solutions to that at the moment.
Steve: So, I think it will be interesting to see how that develops as, as the demand and the risk team continues to increase little. Luke, perhaps turning to you for the final question, if that's okay.
Steve: Well, what are the core ingredients required for successful operational non-financial risk management now, and looking forward and perhaps probably building on Simon's answer a bit as well.
Luke: Yeah, sure. I mean, I think this is really the extremely helpful role that vision plays.
Luke: So, as a whole vision does. But I'll pick out a few things that I think are particularly important, probably more right now, at problems to solve a bit like what Simon said.
Luke: I do think that communications, effective communications idea that we've seen more and more this year telling a coherent story, that's particularly important. And I agree with Simon that I think it's what's needed in the absence of more structural ways of bringing information together.
Luke: So, bring it together to a narrative is what we see people doing. And I think also part of that is that the audience is becoming broader. So, more and more people need to understand non-financial risk.
Luke: So, being able to communicate with them is really important. In the digital core, a huge amount of things you can do lots of use of technology. But we do need it to improve risk management rather than just automating.
Luke: So here I'd say we do need some fresh ideas. We don't want faster horses. We want actually to have truly digital ways of managing risk.
Luke: And I think some of that requires stepping back and thinking about, what we're doing and whether that really fits in a very digital environment. And then from the capabilities, given the times that we're living through, I think a huge focus, a laser focus on the external environments of scanning for and responding to outside risks and bringing those together to form a complete view.
Luke: And a lot of the class, the speed and agility that Simon just mentioned as well. So, I think the balance of risks is shifting more externally, and I think they're harder to manage as a consequence as well.
Luke: And then finally that strategic alignment. I do think that it's no surprise that that's being elevated within our vision. No, non-financial risk should be closely linked to the business strategy and resilience, a central part of risk management.
Steve: Great. Thank you very much, Luke. So, I think that leaves me, with the job of wrapping up this episode of the podcast.
Steve: I want to say a massive thank you to Luke and Simon, and also a massive thank you to you all for joining us on the podcast.
Steve: We hope today's conversation has given you some valuable insights into the evolving landscape of operational and non-financial risk. But most importantly, how our refreshed vision can help support you.
Steve: Before we finally finish, I do want to leave you with three practical steps you can take right now. I think it's a really good thing to do to assess your approach to operational and non-financial risk against our vision. It's a good way to look at how you're approaching things, what your plans are for the next 2 to 3 years. Compare those to our pathway. As Simon touched on earlier, I think it's key.
Steve: If you haven't already, to begin to invest in your digital risk management capabilities, I think we genuinely believe this is a sort of really is a big, significant project for all for the next 5 to 10 years. So, start looking at your technology requirements, how you're going to use the AI and how you want to use your data to be able to manage risks at that sort of speed and scale. Point me with just touching on. And then, of course, and we would say this, but we think it's really important to engage with your peers.
Steve: If you're a member, join our forums and our community to share insights and learn from others. It really does genuinely help you to accelerate your progress.
Steve: And if you do want more information, you can download the updated version from our website, or you can find the link in the show notes. And don't forget to subscribe to our podcasts and follow our blog and social channels for more content.
Steve: If you'd like to learn more, connect with our community or access practical resources, you can visit our website, orx.org, and you can stay tuned for future episodes as we continue to advance risk management together. Thank you very much.