Emerging risks don’t announce themselves with a bang. They creep in through backdoors—new technologies, market shifts, regulatory ripples, human shortcuts. In fast-growing companies, where the pace is high and structure is light, the real danger isn’t what you don’t know; it’s what no one’s looking for.

This Playbook offers a sharper lens: a multi-layered mental model to help leaders anticipate, interrogate, and act on the risks that don’t fit neatly into a register.

Why emerging risk is so often missed

Emerging risk isn’t just about unknown unknowns or black swan events. It’s about the second-order effects of change—new technologies, rapid scaling, external pressures—that outpace your ability to adapt, monitor, or govern. These risks often stem from within the business, not just the outside world.

Here’s why they’re easy to miss:

• Speed > certainty: Fast-growth environments optimise for momentum. The cost of delay is clear; the cost of unmitigated risk is deferred.

• Fragmented accountability: No one “owns” the unknowns. They fall between strategy, ops, and compliance. For example: Who owns AI risk? Product? IT? Legal?

• False confidence in frameworks: Traditional ERM processes—RCSA, bowties, risk registers—aren’t designed for ambiguity or pace. They look backwards or sideways, not forward.

• Tech, talent, and trade-offs: AI, third-party dependencies, new markets—risk increasingly arises from innovation itself.

• Misaligned incentives: Execution targets, OKRs, and commercial urgency can create blind spots and brittle decisions. The sales team closes a risky client. The product team ships before the auth process is built.

It’s not just about spotting the risk. It’s about how fast your organisation can metabolise uncertainty.

The mental model: three interlocking layers

This isn’t a checklist, nor will it expose every possible risk. Instead, it’s a mental model designed for reflection. These three interlocking lenses can help you spot risk that emerges through growth, change, and complexity.

1. Exposure

What are we newly exposed to?

• New activities (e.g. AI-powered features, API integrations, offshore contractors)

• New stakeholders (regulators, activists, suppliers, users, adversarial actors)

• New thresholds (volume, scale, velocity)

💡 This layer is about mapping surface area, not risk ratings. It’s about noticing where the business model has quietly shifted.

Prompting questions:

• What’s changed in how we operate?

• What are we doing now that we weren’t 12 months ago?

• What parts of the business are outpacing our policies?

2. Fragility

Where are we increasingly brittle?

• Single points of failure (e.g. one vendor, one person, one workaround)

• Informal process dependencies (e.g. “Jen always handles that”)

• Cultural fragility (e.g. silos, reluctance to escalate, founder dependency)

• Incentive fragility (e.g. targets that drive risky behaviour or quiet bad news)

💡 This layer is about system stress-testing. Fragility is what turns exposure into incidents.

Prompting Questions:

• Where are we relying on goodwill or informal workarounds?

• What would break if that person left tomorrow?

• Where are people incentivised to move fast, but not flag problems?

3. Blindness

Where are we flying blind?

This is the hidden layer—risk you’re not even thinking about yet. You can’t manage what you’re not looking at.

• Data latency: Reporting lags, vanity metrics, or dashboards that show what happened, not what’s brewing.

• Assumptions that go untested: “We’d know if something went wrong.” Would you? Who would tell you?

• Narrative anchoring: Leaders sticking to a storyline that’s no longer true: “We’re lean and agile” or “We’ve de-risked the model.”

• Over-rotation to familiar risks: Fixating on phishing while ignoring synthetic media, or drilling into compliance while culture is decaying.

• Deliberate blindness: Metrics that no one wants to surface. Risks that are tolerated because fixing them would slow down progress.

💡 Blindness is where leadership courage and cultural honesty matter most. The goal here is to see what your system is designed to ignore.

Prompting Questions:

• What weak signals are we missing?

• Where do we assume things are “fine” without evidence?

• Are we incentivising truth-telling or quiet compliance?

Real-world signals

1. AI gone wild
   A scaling SaaS business deploys a customer-facing AI tool without strong monitoring of how it learns. Bias, hallucination, and regulatory questions follow.

→ Blindness to model drift, fragility in decision auditability.

2. The licensing loop
   A fintech enters a cross-border data partnership assuming its UK regulatory licence extends to all new use cases. Turns out, the arrangement technically triggers licensing or consent requirements in another jurisdiction.

→ Exposure via cross-border complexity, blindness in edge-case legal interpretations.

3. The burnout bottleneck
   A high-growth tech-enabled logistics company realises that one person in ops is holding the company together. When they leave, critical processes stall.

→ Cultural fragility, informal risk ownership.

4. Sales vs sanity
   A revenue team hits targets by onboarding large clients without proper diligence. Six months later, service fails, and the client exits noisily.

→ Exposure from client complexity, incentive misalignment, and blindness to operational impact.

How to use this model

This is a reflection tool for founders, CFOs, and anyone with executive or board-level oversight.

• Pressure-test growth narratives: Ask which assumptions are out-of-date, and what’s growing faster than your oversight.

• Cross-functional risk sprint: Invite product, ops, legal, and finance to map exposures across domains.

• Monthly or quarterly reviews: Use the model to surface weak signals during exec sessions, where discussions often default to performance metrics.

• Pre-mortem lens: Apply the layers before major launches or pivots to uncover second-order risks.

The bottom line

Emerging risk isn’t just a compliance challenge. It’s a leadership one.

The businesses that weather uncertainty best aren’t those that predict every risk—they’re the ones that notice shifts early, act fast, and stay structurally honest.

You don’t need to see around every corner. But you do need to design a company that notices when the ground shifts under its feet.

• Embedded finance is no longer optional. It’s now a core feature of modern retail strategy, spanning payments, credit, insurance, and beyond.

• Brand risk is growing. When financial products go wrong, customers don’t blame your partners. They blame you.

• Regulatory pressure is rising. New rules in the UK, EU, and Australia are tightening expectations for how financial services are marketed and delivered, even by non-financial brands.

• Traditional risk models aren’t enough. Embedded finance requires new playbooks for vendor due diligence, customer support, governance, and compliance.

• Strategic accountability matters. Retailers must treat financial features like infrastructure, not just UX. That means building cross-functional ownership from day one.

The rise of embedded finance in retail

Embedded finance isn’t new, but in 2025, it’s everywhere. Buy-now-pay-later options appear at nearly every checkout. Retailers offer their own branded insurance. Gym memberships come with lending plans. Travel sites sell financial protection products bundled with experiences. What used to be the exclusive domain of banks and insurers is now baked directly into the customer journey, often without the customer—or the company—fully realising it.

For retailers and digital brands, embedding financial products has unlocked powerful new growth levers. It promises better margins, deeper engagement, and control over more of the customer experience. But that control comes at a price. Financial products carry weight—legal, operational, and reputational. And as brands take on more responsibility for the financial well-being of their customers, the line between commerce and finance is starting to blur.

This shift is a structural transformation. And like any transformation, it brings risk, often where it’s least expected.

Why brands are embracing embedded finance

Retailers didn’t wake up one day wanting to be banks. They were pulled into this space by customer expectations, fintech innovation, and the search for new margin in competitive markets.

At the front end, it’s about customer experience. Offering credit at checkout reduces friction and boosts conversions. A flexible payment option increases basket size. Branded insurance builds peace of mind (and another touchpoint). For digital-native consumers, seamless financial features feel like the minimum standard to even compete.

At the back end, it’s about strategy. Embedded finance provides a new source of income that doesn’t rely on moving more units. It gives access to richer customer data. It allows brands to shape the entire transaction ecosystem rather than just playing in it.

A few examples:

• A fashion giant like ASOS integrates BNPL options from Klarna and Clearpay directly into its checkout flow, offering customers four interest-free instalments and earning a slice of the margin on each transaction. For ASOS’s millennial and Gen Z shoppers, it’s fast, frictionless, and expected.

• An electronics retailer like JB Hi-Fi bundles accidental damage and theft protection into an upsell at checkout. The cover is underwritten by a third party but branded entirely as JB Hi-Fi’s own “Extended Care Plan,” reinforcing the brand relationship while quietly outsourcing the risk.

• A travel platform like Booking.com embeds multi-currency wallets, flexible payment options, and insurance cover directly into its booking engine. From the customer’s perspective, it’s all Booking.com, but behind the scenes, providers like Cover Genius and Adyen do the heavy lifting.

The logic is sound. The market is growing. And for many brands, the financial layer is becoming a core part of their value proposition. But there’s a catch.

The hidden risk transfer

Embedded finance adds features, but it also shifts responsibility. For many retailers, that shift is happening faster than their risk posture is evolving.

1. Reputational contagion

Customers don’t distinguish between your brand and your fintech partner. If something goes wrong, they come to you. That reputational spillover is one of the defining challenges of embedded finance. More on that below.

2. Regulatory proximity

Just because you’re not a bank doesn’t mean you’re safe from financial regulation. In fact, regulators in multiple jurisdictions are making it clear: if you distribute financial products—even indirectly—you may have obligations around disclosures, conduct, data protection, and more.

Brands are finding themselves pulled into compliance conversations they never expected. Questions about suitability, affordability, KYC, and AML are becoming boardroom issues.

3. Operational risk by proxy

Every integration is a dependency. If your embedded finance partner goes down, delays payments, or suffers a breach, the customer comes to you. You may have the slickest front end, but if the plumbing fails, the fallout hits your support lines and brand equity.

Even more concerning is what happens when a payments provider enters administration. Recent investigations in the UK have shown that the insolvency of electronic money and payment institutions can leave retailers unable to access cleared funds for weeks, despite regulatory safeguards. The legal frameworks are improving, but when funds are frozen and customers start asking questions, contracts and compliance offer little comfort in the moment. Trust suffers. And the retailer wears the blame.

Regulatory landscape: 2025 and beyond

The embedded finance boom has caught the attention of regulators, and not in a good way. What started as a grey zone is rapidly becoming a patchwork of emerging obligations, enforcement actions, and shifting expectations across jurisdictions.

United Kingdom: The FCA steps in

The FCA’s Consumer Duty is now fully in force, raising the bar on how all firms—banks or not—distribute financial products. That means clearer disclosures, fair terms, and stronger support, even when finance is embedded in retail checkouts or mobile apps. The regulator has flagged concerns with how BNPL is marketed, especially around affordability. Recent consultations signal a push for greater accountability for distributors, not just providers.

European Union: DORA and beyond

The Digital Operational Resilience Act (DORA) took effect in January 2025, bringing tougher standards for cyber risk, incident reporting, and third-party resilience. While aimed at financial institutions, DORA also captures critical ICT providers—including those powering embedded finance. Retailers may find themselves in scope if they hold sensitive data or brand a financial service delivered by one of these providers.

Australia: financial product distribution under licence

As of June 2025, BNPL is regulated as consumer credit in Australia. That means licensing, responsible lending checks, and disclosure rules now apply, even when products are embedded via partnerships. ASIC has made it clear: under the Design and Distribution Obligations (DDO) regime, product issuers can be held responsible for how and where their products are sold, including through non-financial brands.

Global direction: function over form

The direction is clear: regulators are becoming channel-agnostic. It doesn’t matter if the financial product is offered via an app, a checkout page, or a chatbot. If it walks like a financial service and talks like a financial service, the regulatory expectations will follow.

The financialisation of the brand

Embedded finance is changing what it means to be a brand in 2025. Selling goods or services now often means facilitating financial transactions, protecting customer assets, and delivering trust at a whole new level.

Are you a retailer or a fintech platform?

Many consumer brands now straddle both. That comes with strategic complexity. You’re responsible for an experience, a product, and now a financial outcome. The deeper the integration, the harder it becomes to disentangle where the commerce ends and the finance begins.

And with every white-labelled product—BNPL, insurance, prepaid cards—you take on a slice of perceived responsibility for the financial wellbeing of your customer. Even if your contractual liability is limited, your reputational liability isn’t.

Brand Risk Is Shared Risk

When a customer clicks “4 easy payments” or “add protection,” they’re not thinking about your fintech partner. They’re thinking about you. Even if the service is powered by a third party, the trust is yours to win—or lose.

That’s why embedded finance carries invisible accountability: you may not design the financial product, underwrite the risk, or manage the claims process, but if something goes wrong, your brand wears it. The more seamless the integration, the more likely customers will hold you responsible for the financial experience. That’s not a glitch. It’s a feature of modern brand loyalty.

This is especially important when marketing and product teams are leading the charge. Their goals—conversion, engagement, customer stickiness—don’t always align with what’s required to safely deliver financial products.

Financial services aren’t just UX decisions or clever upsells. They’re regulated, high-stakes offerings that require deep operational readiness, governance, and customer protections.

Redefining risk management for embedded finance

Traditional retail risk models aren’t built for this. Most brands assess suppliers through a lens of service delivery, brand fit, and IT security. But embedded finance calls for a different lens—one drawn from banking, insurance, and financial services.

Why the old model breaks down

• A software provider going down might mean disruption.

• A BNPL provider going down might mean cashflow chaos, refund disputes, and media fallout.

Today’s risk extends beyond IT hygiene to include product design, complaint handling, and regulatory alignment. Most brand-side risk teams don’t have that playbook—yet.

Emerging best practices

1. Fintech-specific due diligence
   Go beyond the SLA. Ask about underwriting models, KYC processes, claims ratios, dispute policies, and their compliance record with regulators. If you’re branding the product, you’re borrowing their track record.
   

2. Contracts that share risk, not just revenue
   Build in indemnities, notification clauses for regulatory issues, joint response protocols for complaints, and clear responsibilities for refund and dispute resolution. Assume failure. Design for containment.
   

3. Integrated monitoring and governance
   Don’t just do a vendor review at onboarding. Treat the fintech layer like critical infrastructure: ongoing audits, embedded dashboards, early-warning signals.
   

4. Customer support preparedness
   Your support team is the first line of defence. If they can’t explain the product, resolve a payment issue, or escalate a claim properly, you’re not just failing a customer, you’re potentially breaching duty-of-care expectations.
   

5. Board oversight
   Embedding finance introduces a strategic layer that touches governance, compliance, and brand trust, not just customer experience. Make sure it’s on the risk register and governance agenda at the highest level.

What leaders should do now

What once felt like a growth experiment has become part of many brands’ core operating stack. With that comes responsibility. For executives, the question is no longer if this is a risk but how well your organisation is set up to manage it.

Strategic actions to take

1. Map your exposure

Start with an audit. Identify where and how financial services are embedded in your customer journey. This includes:

• BNPL and point-of-sale credit

• White-labelled insurance or protection products

• Wallets, prepaid cards, loyalty points-as-currency

• Anything that involves financial data, customer funds, or regulatory touchpoints

2. Involve legal and compliance early

In fast-moving teams, it’s easy for legal and compliance to be brought in late—sometimes only once contracts are being finalised. But financial products carry regulatory implications that may not be obvious upfront. Involving legal early—during feature design or partner selection—can prevent costly delays, rework, or unintended exposure.

3. Review contracts with risk in mind

Look beyond commercials. Do your agreements clearly define:

• Liability in the event of complaints, refunds, or financial harm?

• Regulatory breach reporting?

• Data-sharing protocols and obligations under GDPR, CCPA, or similar laws?

• Dispute resolution and shared customer support responsibilities?

4. Pressure-test your customer journey

Mystery-shop your own flow. Ask: if something goes wrong, how easy is it for a customer to find help, lodge a complaint, or understand who is responsible? The more invisible your partner is, the more visible your responsibility becomes.

5. Engage with regulators proactively

Lifting your head above the parapet feels risky, but it’s also a marker of operational maturity and foresight. Many regulators are still shaping their response to embedded finance. Engage early to show you’re taking customer outcomes and compliance seriously. It can shape the tone of any future conversations.

Embedded, exposed, and evolving

Retailers now play an active role in their customers’ financial journeys, often without fully realising how much that responsibility has grown. Embedded finance offers undeniable upside. It unlocks revenue. It deepens relationships. It redefines what a brand can be.

But it also carries weight.

In a world where the checkout is a bank, the returns process is an insurance claim, and the loyalty program looks like a financial portfolio, the risks are no longer theoretical. They’re structural. They’re shared. And they’re yours.

The winners in this next phase won’t just be the fastest movers or the most innovative integrators. They’ll be the brands that recognise embedded finance for what it really is: a shift in responsibility. And they’ll respond not just with excitement but with strategy, governance, and care.

This checklist flips the usual approach. Instead of building from policies upward, we work backwards from the moment of impact. Think of it as a pressure test: if a major claim landed today, how well would your strategy hold up?

1. Start at the end: walk through a hypothetical claim

Forget hypotheticals; get specific. Take a material loss scenario (fire, cyber attack, product recall, serious injury) and walk through it in detail.

✅ Have we simulated what a material claim might look like for each key policy?

✅ Have we set explicit, board-approved thresholds for what constitutes a “material” loss in each risk category (e.g., property, cyber, liability)—both in dollar terms and operational impact?

✅ Who’s likely to identify the incident first? Would they know what to do next?

✅ Do we have the right information flow in place to quickly trigger a claim?

Tip: Tabletop exercises reveal more than strategy documents ever will. Run one and watch where friction shows up.

2. Review policy wordings against real-world events

Now map your policy documents against your messy operating environment.

✅ Do the triggers and definitions reflect how we’d actually describe the event?

✅ Are our sums insured and policy limits regularly updated to reflect current asset values, revenue, and business scale?

Warning: Underinsurance is a leading cause of claim shortfall, especially for fast-growing businesses. If your cover hasn’t kept pace with your growth, even a successful claim could leave you exposed to significant out-of-pocket costs.

✅ Are there grey areas or vague triggers (e.g. “unforeseen,” “sudden,” “malicious”)?

✅ Have we tested exclusions using real examples from our business?

✅ Would indemnity periods, limits, and sublimits hold up under our current operations?

✅ Are we relying too much on extensions or endorsements to fill core coverage gaps?

E.g.: Would our cyber BI policy respond if a third-party SaaS outage took us offline? And how would we prove causation?

✅ Do we have a process in place to review and update our insurance program whenever there are material changes, such as new locations, product launches, acquisitions, or entry into new markets?

Tip: Many claims are denied or reduced because policies weren’t updated after business changes. Schedule policy reviews after any major operational shift—not just at annual renewal.

3. Map claim ownership and documentation gaps

Claims don’t fail because something went wrong, they fail because no one can prove what happened.

✅ Who owns the claims process internally (beyond initial notification)?

✅ Are we clear on who prepares claim files, liaises with adjusters, and controls messaging?

✅ Have we documented key workflows for evidence collection, incident logs, and financial loss tracking?

✅ Can we reconstruct timelines from systems, emails, and decision logs under pressure?

✅ Are we capturing costs that may be recoverable under claim preparation or loss mitigation clauses?

4. Challenge broker and insurer alignment

This is where many programs fall short—not due to bad intent, but because no one asked hard questions.

✅ Does our broker proactively test our policies against emerging risks and real scenarios?

✅ Have we had a claims-focused review? Or just a renewal meeting?

✅ Do we know who will represent us in a claim, and do we trust them?

✅ Are we relying on assumed market norms that don’t hold up when contested?

✅ Have we seen how similar claims played out across the market?

5. Test strategic fit and appetite alignment

Insurance should match your risk appetite, not misrepresent it.

✅ Does our program reflect our operational reality?

✅ Are there legacy covers in place that no longer match how we work?

✅ Have we adjusted for changes in scale, geography, tech infrastructure, or supply chain risk?

✅ Are emerging exposures (e.g. ESG litigation, regulatory change, digital dependencies) covered?

Final check: could we move at claims speed?

When a major incident occurs, speed and clarity of response can make or break your claim. Even the best policy won’t help if notification is delayed or evidence is lost. Claims are just as likely to fail on execution as on policy wording. Test both.

✅ Do key people know how to notify and escalate a claim right now?

✅ Is our notification process fast, documented, and easily actioned under stress?

✅ Do we have legal, PR, finance, and operational responses aligned in advance?

✅ Have we captured lessons from near misses, small claims, or industry events?

Wrap-up

Most businesses only see the cracks in their risk strategy after a claim. The smart ones reverse the lens early.

This checklist is designed for leaders who are accountable for their organisation’s resilience. Use it to uncover blind spots, challenge assumptions, and ensure your risk strategy holds up under real-world pressure.

Even businesses that don’t offer crypto directly are finding themselves caught in the crossfire, especially if their clients, investors, or vendors are exposed. Think: a fintech app with crypto rewards, or a SaaS platform serving Web3 clients. Some fintech-forward providers continue to support compliant businesses in this space, but many mainstream banks are tightening their risk thresholds without warning.

The upcoming EU Anti-Money Laundering (AML) Package, expected to take effect by the end of 2025, will accelerate this trend. Financial institutions will face tougher obligations to identify and manage financial crime risk, including expanded expectations for due diligence on indirect exposure. While enforcement timelines will vary by entity and jurisdiction, the direction of travel is clear: more scrutiny, more offboarding, and lower tolerance for perceived risk.

Why it matters

1. The risk is indirect (and often difficult to see).

You may not be handling crypto yourself, but exposure through your network—clients, vendors, or backers—can still trigger concern. Some businesses have been de-banked with little explanation, though in places like the UK, banks are now required to give 90 days’ notice and justification.

2. AML regulation is expanding the risk perimeter.

The EU AML Package will apply to a wider range of entities, including certain digital platforms, depending on their function and exposure. The new rules introduce standardised due diligence and risk management requirements, along with a central AML Authority (AMLA).

3. It affects capital flow, payments, and trust.

Account closures or restrictions can delay funding rounds, disrupt payroll, or lead to lost clients. Even the perception of being “high risk” can erode business relationships and investor confidence.

What to do this quarter

1. Assess your financial infrastructure
   ☐ Map your exposure to regulated banking, FX, and payment providers
   ☐ Identify concentration risk (e.g. reliance on a single provider or jurisdiction)

2. Screen your client and partner base
   ☐ Are any of your customers or stakeholders involved in high-risk sectors (crypto, gambling, remittances, etc.)?
   ☐ Proactively document any steps you've taken to manage that exposure

3. Engage your providers early
   ☐ Be transparent with banks and payment platforms about your exposure and controls
   ☐ Ask about their evolving risk appetite—don’t wait to be surprised

4. Build banking resilience
   ☐ Open secondary accounts or lines with fintech-friendly providers
   ☐ Diversify payment rails across regions and entities where possible

5. Strengthen internal AML and risk processes
   ☐ Even if not legally required, demonstrate strong onboarding and monitoring
   ☐ Prepare documentation to show you understand financial crime risk and act on it

6. Brief senior leaders and investors
   ☐ Position de-banking as a strategic risk, not just an operational nuisance
   ☐ Communicate your plan for resilience and continuity

Bottom line:

Banking access is becoming more fragile, especially for fast-moving businesses with even indirect exposure to crypto. The ability to demonstrate proactive risk governance—not just regulatory compliance—may soon become a differentiator in investor due diligence, customer onboarding, and strategic partnerships.

• The annual risk matrix creates a false sense of control—most are updated too rarely, scored inconsistently, and disconnected from real decisions.

• Boards cling to it for familiarity, but even executives admit it’s more compliance ritual than risk intelligence.

• Leading organisations are moving to dynamic, data-driven systems: real-time dashboards, scenario testing, and narrative reporting.

• The shift isn’t from one tool to another, it’s from periodic assessment to continuous, embedded risk thinking.

• Organisations that treat risk as a daily practice—not an annual exercise—are 3x more likely to achieve their goals in volatile conditions.

The illusion of control

In 2023, MGM Resorts lost over $100 million to a cyberattack. Hotel keys stopped working. Call centres collapsed. Casino floors fell silent. Cyber risk was on the register, but the breach wasn’t some unknown threat. It exploited the blurred lines between IT and physical infrastructure—links the company hadn’t properly mapped or prioritised. They had a matrix. It just didn’t matter.

Risk matrices still serve a purpose. In lower-maturity environments or heavily regulated sectors, they can provide a baseline, helping teams introduce structure, communicate risk in a simple visual format, and meet compliance expectations. But as risks become faster-moving, more interdependent, and harder to predict, these tools struggle to keep up. What once helped organise complexity now risks oversimplifying it.

That’s the deeper challenge many organisations face: the tools we use to understand risk often give us the comfort of structure without the clarity we need. The traditional risk matrix is a perfect example. It looks rigorous. It signals control. But it rarely delivers either.

According to research in Risk Analysis, fewer than 10% of randomly selected risk pairs can be correctly and unambiguously ranked using a standard matrix. The other 90% fall into a fog of ambiguity. The result is a blurred risk picture that obscures meaningful distinctions and can mislead decision-makers.

Where the risk matrix fails

1. It’s too subjective

On the surface, the process looks structured: rate the likelihood, rate the impact, plot the result. But even in well-designed frameworks, those ratings rely heavily on human judgement. What one team considers “likely,” another might call “rare.” Definitions of “major” or “moderate” vary depending on role, experience, and risk appetite. In theory, this can be managed through calibration. In practice, it often leads to inconsistency. The same risk can land in green with one team and red with another—not because the risk changed, but because the people did.

2. It oversimplifies complexity

Risk matrices reduce multidimensional problems into a 2x2 or 5x5 grid. It’s neat, but real risk doesn’t behave that way. The model can’t capture how risks interact, evolve, or cascade. And for risks with negatively correlated likelihood and severity, research shows that matrices can actually produce worse-than-random prioritisation. The tool tries to clarify uncertainty, but often distorts it instead.

3. It flattens critical distinctions

Worse still, the matrix compresses very different risks into the same category. A low-likelihood, high-impact cyber event might sit alongside a recurring supply chain delay—not because they pose the same threat, but because the scoring system flattens them into the same amber box. This kind of range compression creates false equivalence, making it harder to prioritise what really matters. The result is a blurred risk picture that can mislead decision-makers.

4. It disconnects risk from action

In many organisations, once a risk is plotted, it tends to get parked. The matrix becomes an artefact to be reviewed, rather than a tool to guide real decisions. This isn’t a failure of the format alone—it’s a cultural issue. When the matrix is treated as a compliance document instead of a living tool, risks get tracked without being challenged. Few matrices reflect the effectiveness of controls, and even fewer account for how risks evolve. Without a feedback loop to operations, the output sits in a spreadsheet, not in strategy.

Why we cling to it

Despite its flaws, the risk matrix is still the default. One reason is visual simplicity. The grid is easy to read, easy to explain, and easy to drop into a board slide. It feels democratic—anyone can understand it, which helps drive consensus. That sense of shared understanding is useful, even when the tool itself is misleading.

The other reason is inertia. Once a tool becomes embedded, it’s hard to dislodge. Anchoring bias keeps teams tied to the familiar, even when better alternatives exist. The matrix persists not because it works, but because it’s always been there.

Signals of change

Some organisations are quietly moving beyond the matrix—not just in theory, but in practice. They’re shifting from static categorisation to dynamic sense-making. The signs are clear, even if the adoption is uneven.

1. Real-time risk is gaining traction

Risk isn’t static, so the tools to manage it can’t be either. The World Economic Forum’s 2024 Global Risks Report highlights the accelerating pace and interconnected nature of global threats—from AI-driven misinformation to geopolitical fragmentation—and calls for adaptive, real-time risk management approaches that move beyond periodic assessment. Modern platforms now support live dashboards, giving teams up-to-date visibility into shifting conditions.

2. Advanced tools are no longer niche

Techniques like Monte Carlo simulation and scenario stress testing have moved from niche applications to core practice in high-performing organisations. Once confined to finance and engineering, they’re now guiding decision-making across industries. Combined with machine learning and cloud-based analytics, these tools offer a far more precise, predictive, and responsive view of risk than any matrix can.

3. Narrative is overtaking colour

There’s growing recognition that red-yellow-green plots don’t tell a story. Boards want more than a colour-coded snapshot—they want context. As Harvard Business Review puts it, narrative reporting leads to deeper engagement by prompting discussion, not just sign-off. The most forward-thinking organisations are shifting to narrative risk reports that explain how threats are evolving, where interdependencies sit, and what’s actually at stake. These reports don’t just describe the risk landscape—they help decision-makers navigate it.

4. Risk is becoming a daily discipline

The most meaningful shift is cultural. In leading teams, risk isn’t a register, it’s a rhythm. It’s part of how decisions get made, week to week. With modern systems enabling collaboration and shared visibility across locations, risk is no longer confined to annual reviews or compliance audits. It’s embedded—owned, reviewed, acted on. That’s the real change.

What replaces it

This isn’t a call to throw everything out. It’s a call to evolve. The question isn’t whether to kill the matrix—it’s what to build in its place.

Living systems, not static registers

The best risk tools are now living systems: updated continuously, fed by real-time data, and integrated into day-to-day operations. They don’t just describe threats—they shape response. When risks shift, the system shifts too.

Technology with judgment

Big data, AI, and machine learning now play a central role in detecting and managing risk. But they don’t replace human insight—they amplify it. Algorithms flag patterns. People make calls. The key is combining automation with accountability.

Continuous calibration

Risk models need to evolve just as fast as the environments they describe. That means regular recalibration—not just quarterly reviews or annual workshops. New data triggers updates. New context shapes priorities. There’s no pause button.

Ownership, not observation

In effective systems, every material risk has a name beside it. Not a team. A person. According to McKinsey, clearly assigning ownership is one of the most effective ways to ensure risks are actively monitored and mitigated. It forces focus, drives follow-through, and closes the gap between identification and action.

Final thought

Most organisations won’t kill the matrix outright. That’s fine. But the smartest ones are already outgrowing it.

They’re shifting from scoring risks to stress-testing decisions. From compliance routines to dynamic sensing. From snapshots to movement.

They’ve moved beyond relying on heatmaps to understand what matters. They’ve built systems, and cultures, that make risk part of how they operate. Every day.

That’s the real future of risk management. Not a better matrix. A better mindset.

Synopsis

This book tells the inside story of Huawei, the Chinese tech giant that became a proxy for growing Western anxieties about the country’s desire to dominate critical technologies. Through dogged reporting and rare access, Eva Dou charts the company’s journey from a scrappy telecom supplier to a strategic player at the heart of global geopolitics and the centre of a tech cold war.

It’s a story about the architecture of influence—how corporate strategy, national pride, and state power intertwine.

Why I picked it up

I wanted to understand Huawei beyond the headlines. Not just the sanctions, or the drama around 5G, or the arrest of Meng Wanzhou, but the deeper forces at play. What made Huawei different, and what does it reveal about how China builds, protects, and exports power? As the Wall Street Journal’s lead China tech reporter, Dou had rare access to Huawei insiders and years of frontline context, making her the ideal person to answer that.

Why it stuck with me

Huawei thrived in ambiguity—between the state and the market, between global norms and local realities. It mastered the use of complexity as camouflage, and in doing so, it exposed a blind spot in how Western firms think about risk: we’re not always good at seeing things that don’t play by our rules.

This book isn’t just about a company. It’s about what happens when a system of incentives, relationships, and national strategy coheres into something that looks like a firm, but behaves like something else entirely.

Through the lens of Modern Risk

For risk professionals, House of Huawei lands hard:

• Geopolitical risk is supply chain risk. If your infrastructure—cloud, devices, comms—is entangled with firms like Huawei, you’re exposed. Not just to operational disruption, but to reputational, legal, and compliance risk.

• The boundary between public and private is collapsing. In China (and increasingly elsewhere), private companies often act in alignment with state interests, whether by choice or necessity. That changes how we assess counterparty risk, due diligence, and even M&A exposure.

• Resilience means more than redundancy. Dependency on opaque or state-aligned vendors weakens contingency planning and invites regulatory scrutiny. Boards and risk leaders should be asking: Who are we dependent on, and what assumptions are we making about their intentions, incentives, and allegiances?

Worth questioning

One of the quiet tensions in the book is Western complacency. Huawei didn’t rise in secret. Its pricing model, its hiring practices, its relationships with state entities—these were visible for years. But they were ignored, downplayed, or misunderstood until the geopolitical temperature rose.

How many other risks are hiding in plain sight because they don’t fit our frameworks? How many suppliers, investors, or partners operate with incentives and constraints we don’t fully grasp?

For readers who enjoyed…

• The Chip War by Chris Miller

• The Smartest Guys in the Room by Bethany McLean and Peter Elkind

• AI Superpowers by Kai-Fu Lee

Let’s Talk About It

What concrete steps—if any—have you taken to assess or reduce exposure to politically sensitive suppliers or jurisdictions? Have you made any changes to vendor onboarding, risk assessment, or tech procurement in response to these shifts?

• Risk fluency is best understood as a leadership behaviour—a way of navigating tension, consequence, and uncertainty—rather than a technical function.

• Frameworks and registers can support good decisions, but without active judgment from leaders, they remain structurally sound and strategically irrelevant.

• The most damaging risks aren’t always the ones with the highest heatmap score, they’re the ones no one owns.

• Boards and executives build real risk capability by moving beyond assurance and actively engaging with trade-offs, consequences, and uncertainty at the point of decision.

Where risk really belongs

Why is it that the word “risk” still makes so many leadership teams glance toward Legal, Compliance, or Audit?

We’ve been trained, both explicitly and implicitly, to associate risk with regulation, red flags, and reporting. But in fast-moving, complex environments, treating risk as a siloed function makes organisations more fragile, not more resilient.

Real risk capability lives in leadership. It shows up in the ability to weigh consequences, make judgment calls, and act when the path ahead is uncertain.

And yet in many companies, the default response is still to “loop in Risk” at the end—a sign-off step rather than a source of insight. That might satisfy formal requirements, but it often leaves leadership under-prepared for fast, messy change.

The legacy model: risk as box-ticking

The modern risk function evolved in regulated sectors like banking, healthcare, and energy — environments where managing risk often meant documenting it. That legacy still shapes how many businesses approach risk today, even in faster-moving, less-regulated contexts.

Registers are maintained, frameworks are adopted, and appetite statements are written, but these tools often sit outside the real flow of business decisions. Frameworks can be useful, especially when they create shared language across complex teams. But in practice, they’re often designed with auditability in mind, not day-to-day usability. Without active engagement from leadership, they tend to operate in parallel to actual decision-making, rather than shaping it.

This disconnect can create a false sense of security. On paper, the organisation looks covered. In practice, risk conversations are delayed, delegated, or avoided. When risk is treated as a specialist domain, people wait for permission instead of exercising leadership.

The Boeing 737 MAX crisis is a clear example. Engineers raised concerns. Processes were followed. Documentation existed. But the broader leadership failed to confront the trade-offs between safety, cost, and time-to-market. The risk was real, visible, and still not acted on.

The issue wasn’t the absence of compliance. It was the absence of executive accountability for how risk shaped core decisions.

What it means to treat risk as a leadership skill

Leaders who take risk seriously don’t rely on frameworks to protect them. They know how to:

• Make decisions with incomplete information

• Hold opposing priorities in tension

• Stand behind the second- and third-order consequences of their choices

Risk capability isn’t abstract. It shows up in practical habits: thinking two or three steps ahead, asking better questions, and resisting the pressure to push decisions downstream.

For founders, it might show up in how product decisions balance momentum with durability. For a COO, it’s in how operational speed is weighed against long-term resilience.

A CEO might ask, “Where are the edges of this move? What happens if it works too well, or not at all? Are we still in control if the environment shifts?”

Airbnb faced these kinds of questions early. As the platform grew, so did the reputational risks—trust, safety, fraud. Rather than wait for regulators to act, Airbnb’s leadership introduced identity verification, community standards, and a host guarantee fund. These were strategic decisions that recognised risk as central to the customer experience and to the business model itself.

That’s the shift. Risk isn’t the cost of doing business. It’s part of how smart leaders make it work.

Risk has always been part of leadership, but the nature of risk is changing. What leaders are facing now doesn’t fit neatly into the old categories of financial, legal, or operational compliance.

Take AI adoption. When Slack quietly updated its privacy policy to allow use of customer data for model training, it triggered a backlash from customers who felt blindsided. The issue wasn’t just legal risk, it was trust, brand equity, and retention. These are leadership concerns, not checklists.

The same pattern shows up across industries:

• A marketing team pushes a bold data strategy without looping in privacy or security.

• A product team expands into a new market, unaware of local regulatory friction.

• A CFO signs off on cyber coverage limits that don’t match their exposure.

These moments reveal something deeper: situations where the risk was visible, but no one held the decision.

Regulators are beginning to notice. Directors are being asked to show more than policy awareness; they’re expected to demonstrate risk literacy, especially in fast-moving areas like ESG, cybersecurity, and digital governance. Insurers, too, are tightening their scrutiny. Boards that can’t explain their exposure in plain language are finding themselves with narrower cover or higher premiums.

If you’re on an executive team, ask whether your reporting lines make space for real risk conversations, not just compliance updates. If you’re a CFO, ask whether capital allocation decisions surface underlying exposure early enough. And if you sit on a board, expect your risk committees to bring judgment, not just assurance.

This isn’t about blame. It’s about capability. The risks that matter now can’t be managed from a framework alone. They require leadership.

Developing risk fluency in leadership teams

If risk is going to live at the top table, leaders need a different kind of support. Not more paperwork: better thinking tools.

Risk fluency is more than just knowing the rules. It’s understanding the consequences of choices and the tensions they carry.

Start with the basics:

• Make risk part of the conversation early. Too often, risk is brought in after key decisions are already made.

• Ask better questions. “What are we assuming here? What would need to be true for this to work? Who pays if we’re wrong?”

• Frame trade-offs clearly. Don’t bury risk in language. Surface it.

Some organisations use pre-mortems to good effect—mapping out what could go wrong before launch. Others run lightweight red-team reviews, where someone plays the role of a sceptic before a big decision is locked in. These are more than compliance exercises. They’re leadership habits.

You don’t need a new risk framework. You need leaders who can hold opposing ideas in tension and move forward with intent.

In a fast-scaling business, that might mean choosing between rapid customer acquisition and long-term infrastructure resilience. For a public company, it could mean weighing short-term investor pressure against slower, strategic shifts. These are risks to hold, not problems to solve, and leaders who know how to hold them are the ones who build trust.

Risk maturity is leadership maturity

Risk capability doesn’t sit in a document. It shows up in how decisions get made—and who owns them when things go sideways.

Compliance will always have a role. But leadership is where risk lives or dies.

Organisations that treat risk as someone else’s job will keep finding gaps. The ones that build risk fluency into how they think, plan, and act will be better placed to respond when the pressure’s on.

That shift isn’t technical. It’s cultural. It starts with leaders asking sharper questions — and being willing to sit with harder answers.

Welcome to The Signal, a new mini-series on Modern Risk. Each week, we share a fast, early heads-up on emerging developments that could reshape risk, regulation, or strategy for forward-thinking businesses. Think of it as your early-warning system for what’s coming over the horizon.

Australia’s AI policy is heating up. The government is drafting a National AI Capability Plan, aiming to position the country as a global leader by 2028. Business groups, including the Business Council of Australia, are urging against over-regulation that could stifle innovation, but the direction is clear: mandatory guardrails for high-risk AI systems are coming.

Meanwhile, the EU is already there. From August 2025, the EU’s AI Act begins enforcement. Any company deploying AI in sectors like hiring, healthcare, infrastructure, or financial services must meet strict standards around data quality, transparency, and human oversight.

This is no longer just a tech issue; it’s a strategic, financial, and reputational one.

Why it matters

1. AI risk is now regulatory risk.

Just as cyber moved from IT to the boardroom, AI is heading the same way. If your business uses AI to make decisions that affect people or financial performance, you’ll be expected to demonstrate governance and control.

2. Global clients and capital will expect compliance.

Even if you don’t operate in the EU, expect to be asked about your AI controls. Corporate buyers, investors, and insurers are starting to screen for AI maturity just like they do with cybersecurity.

3. Insurance won’t cover governance gaps.

Insurers are watching. Expect changes in policy wordings, with exclusions around “algorithmic error” or “automated decision-making.” Poor governance could translate to limited cover (or no cover at all).

What to do this quarter

1. Map where AI is already in use
☐ Identify internal and third-party systems using AI or automation
☐ Prioritise high-risk use cases (e.g. hiring, scoring, underwriting, customer service)

2. Assign ownership
☐ Nominate an exec-level sponsor for AI governance
☐ Get risk, legal, tech, and operations in the same room

3. Benchmark against emerging standards
☐ Review frameworks like NIST AI RMF or ISO/IEC 42001
☐ Note any gaps in explainability, documentation, or human-in-the-loop controls

4. Review risk transfer and legal exposure
☐ Ask your broker how AI exclusions are evolving in cyber, PI, and D&O policies
☐ Audit contracts with AI vendors. Who carries the liability?

5. Brief the board
☐ Add AI risk to your next board or risk committee agenda
☐ Frame it as both a compliance horizon and a trust-building opportunity

6. Make a 90-day plan
☐ Don’t wait for regulation. Start with a short internal roadmap
☐ Show employees, investors, and partners that you’re ahead of the curve

Bottom line:

The voluntary window for AI governance is closing. Aligning early isn’t just smart risk management—it’s a competitive advantage.

• AI tools are being used across businesses, often informally, invisibly, and without clear ownership.

• The biggest risks aren’t in the code, they’re in the assumptions people make about what AI is doing, and how accurate or reliable it is.

• Liability can arise from decisions or documents shaped by AI, even when the business didn’t build the tool or approve its use.

• Insurers are starting to treat unmanaged AI use as a signal of poor operational control.

• Businesses don’t need to slow down, but they do need visibility, review processes, and basic governance in place.

A Quiet Shift

AI didn’t enter most businesses through the front door. It showed up gradually—embedded in writing assistants, analytics dashboards, CRM plug-ins, and slide deck generators. Often, these tools were adopted by individual teams without legal, risk, or leadership ever signing off.

Now those tools are shaping client proposals, investor presentations, pricing decisions, and even legal advice.

The risks aren’t always obvious. You didn’t build the model. You didn’t even know someone was using it. But if the output is wrong, or the information is fabricated, the liability still sits with you.

This article isn’t about what AI can do. It’s about what people assume it’s done—and what happens when those assumptions go unchecked.

So where are the exposure points that matter most?

Shadow AI

Many teams are using AI tools without going through procurement, legal, or security channels. A 2024 Cisco report found that nearly 70% of employees globally admitted to using generative AI tools at work without formal approval. The risks here aren’t just about data leakage or copyright infringement—they’re about loss of control. If something goes wrong, the company—not the tool—is usually held accountable.

✅ What to do:

Start by mapping your AI exposure. What tools are being used, by whom, and for what purpose? Shadow tools, plug-ins, and browser extensions rarely show up on risk registers, but they’re increasingly shaping what your business says, decides, and delivers.

Accidental Overpromises

AI-generated content is making its way into pitch decks, marketing materials, sales proposals, and even client deliverables, often without anyone reviewing it properly. The problem isn’t just tone or polish. It’s accuracy. If that output includes errors, outdated assumptions, or fabricated information, the liability still sits with you, and it may trigger a professional indemnity or E&O claim if advice is relied upon.

This isn’t theoretical. In January 2024, a New York-based law firm was sanctioned for submitting a court filing that included six fictitious legal cases—all generated by ChatGPT—which the lawyers had assumed were real.

In most businesses, the stakes may not be legal sanctions, but the same pattern applies. That creates risk—especially in sectors like consulting, finance, law, and professional services, where clients rely on your advice to make decisions.

It’s not just about what you claim. It’s about what your clients, customers, or stakeholders assume you’ve validated.

✅ What to do:

Treat AI-generated outputs as unverified drafts. Build human review into your workflows and be clear about when AI has been used — especially for anything client-facing or contractual. If the information’s wrong, the liability won’t fall on the tool.

Ownership and IP Ambiguity

Many generative tools are built on training data that may contain copyrighted content. If you’re creating commercial outputs—ads, code, strategies, reports—there’s a risk that someone, somewhere, will challenge the originality or ownership of the material.

A high-profile case in 2024 involved Getty Images suing Stability AI in the UK, alleging unauthorised use of its copyrighted images in training datasets. The suit is ongoing, but it’s already shaping how legal teams and insurers view generative tools in creative workflows.

✅ What to do:

Make sure your contracts with vendors and contractors clarify who owns outputs generated with AI. Avoid tools that can’t provide clarity on how their models are trained.

Algorithmic Accountability

From recruitment screeners and pricing engines to workflow automations and customer sentiment scoring, AI tools are increasingly being used to support decision-making. Many of these tools are embedded in off-the-shelf platforms, with little visibility into how they reach their conclusions.

That becomes a problem when decisions need to be explained—to customers, regulators, or insurers.

In April 2024, the Dutch government fined a financial institution €2.1 million for relying on an AI-driven credit model that disproportionately penalised certain applicants. The issue wasn’t just bias, it was the institution’s inability to explain how the model worked.

The same risk exists in any business using third-party tools to make or inform decisions. If you can’t explain why a candidate was filtered out, a client charged more, or a customer complaint prioritised differently, you may struggle to defend that outcome.

✅ What to do:

Ask vendors how their tools reach decisions. Prioritise systems that offer explainability and documentation. Internally, make sure someone is responsible for understanding what the tool is doing, not just whether it’s working.

AI Exposure: A Quick Health Check

Ask yourself:

1. Do you know which AI tools are in use across your business?
   ☐ Yes — we've mapped both approved and unofficial tools
   ☐ Partially — we track formal tools, but shadow use is likely
   ☐ No — we haven’t looked into it yet
   

2. Is there human review in place for AI-generated content or decisions?
   ☐ Yes — anything client-facing or high-stakes is checked
   ☐ Sometimes — depends on the team
   ☐ No — AI outputs are often treated as final
   

3. Do your vendor contracts address AI-specific risks?
   ☐ Yes — they cover IP, liability, and model transparency
   ☐ Partially — some references, but no consistency
   ☐ No — we haven’t updated contract language yet
   

4. Could someone explain how AI-influenced decisions are made in your business?
   ☐ Yes — we document model logic or vendor rationale
   ☐ Somewhat — we rely on vendors to explain it
   ☐ No — we assume it’s working and leave it at that
   

5. Do employees have clear guidance on how and when to use AI?
   ☐ Yes — we have a simple, accessible internal policy
   ☐ Informally — some teams have their own rules
   ☐ No — we haven’t put anything in writing

Insurance Is Waking Up to AI Risk

Insurers are starting to factor AI into how they price, underwrite, and limit liability across multiple lines of cover. Not through standalone AI policies (yet), but through tighter scrutiny of how AI affects existing risks.

In March 2024, Beazley issued updated cyber underwriting guidelines that flagged generative AI tools as potential “data leakage vectors,” prompting stricter controls on third-party SaaS usage. Around the same time, AIG warned in its Q1 market bulletin that failure to monitor or document AI decision-making could affect coverage under professional indemnity and tech E&O.

Some carriers have already begun adding exclusions for claims arising from AI-generated outputs where explainability or documentation is lacking. Others are quietly asking for more disclosure: how tools are used, where data goes, what contractual protections exist.

Expect tighter definitions, narrower triggers, and sharper questions at renewal.

🔍 What underwriters are looking for:

• Proof of human review or oversight in AI-assisted work

• Clear IP ownership of AI-generated outputs

• Internal policies that guide AI use

• Documented incident response plans that include AI-generated errors or hallucinations

Most businesses aren’t buying AI-specific cover — but the way you use AI still affects the policies you already have:

• Professional Indemnity / E&O: faulty advice or deliverables shaped by AI outputs

• Cyber: unauthorised tools creating exposure to data breaches or model injection

• D&O: failure to disclose or manage AI-related risk as part of governance

This doesn’t mean AI makes your business uninsurable. But it does mean that poorly governed AI can push you into higher-risk categories or create grey areas that slow down claims.

The Path Forward

No one expects a small business to have a full-time AI ethicist. But investors, partners, and insurers do expect clarity on how AI is being used, monitored, and governed across your business.

Innovation isn’t the risk. It’s what happens when you move fast without knowing where your exposures are. The companies getting this right aren’t slowing down, they’re just getting smarter about how they build.

The most forward-looking businesses aren’t just playing with AI—they’re pressure-testing it, documenting it, and building safeguards into its everyday use. Because in the end, how you govern AI is becoming a proxy for how you govern everything else.

Smart Money: How Digital Currencies Will Shape the New World Order

Brunello Rosa & Casey Larsen (2024)

Synopsis

This book explores how digital currencies—especially state-backed ones—are reshaping the global balance of power. It’s about money, yes, but more than that, it’s about the fight to control the infrastructure of the future economy.

Why I picked it up

I’ve been trying to understand how money is evolving—not just in terms of crypto hype, but in how governments, institutions, and private actors are positioning themselves for control. This book promised a geopolitical lens on digital currencies, and it delivers.

Why it stuck with me

“Since the end of the Second World War, the US dollar has been the global reserve currency, which has ensured American dominance of the world economy. But no longer. More than a hundred countries are developing Central Bank Digital Currencies (CBDCs), digital equivalents to cash that will utterly transform how we do business at home and abroad.”

It’s not a book about Bitcoin. It’s a book about control—how states, central banks, and private actors are racing to shape the architecture of digital money in their image. Rosa and Larsen argue that digital currencies aren’t just a financial innovation, they’re a tool for geopolitical leverage and a reassertion of sovereignty in a fragmented world.

Through the lens of Modern Risk

For risk professionals, the implications are hard to ignore:

• Monetary risk is becoming infrastructure risk. CBDCs, stablecoins, and programmable money will change how capital flows, how sanctions bite, and how liquidity crises spread. That reshapes FX exposure, supply chain financing, and even cyber threats.

• The line between financial systems and national security is blurring. If money becomes programmable, it also becomes censorable. Organisations will need to think more seriously about where they bank, what rails they rely on, and what that says about their risk posture.

• Fragmentation isn’t temporary—it’s the baseline. The book reinforces a Modern Risk theme: global integration is being replaced by selective alignment. Smart money is also strategic money.

Worth questioning

One of the tensions that runs beneath this book is the growing Western scepticism of CBDCs. Unlike the more top-down enthusiasm seen in China or the Gulf states, many Western democracies are confronting a backlash rooted in civil liberty concerns. Programmable money raises real fears: Could governments restrict transactions by location, time, or behaviour? Could monetary infrastructure be used as a tool of soft coercion (domestically or abroad)? The book makes a strong case for the inevitability of digital currencies, but it’s less clear whether liberal democracies are ready to adopt them without a fight.

For readers who enjoyed…

• Principles for Dealing with the Changing World Order by Ray Dalio

• The Future of Money by Eswar Prasad

• Digital Gold by Nathaniel Popper

Let’s Talk About It

CBDCs get a lot of theoretical attention, but how are they being accounted for in real-world treasury, risk, or compliance strategies? Have you seen any serious corporate planning around them, or is this still mostly noise? Would love to hear what you're seeing.

• Contingent risk insurance is increasingly used to transfer known legal risks—like tax exposures, IP disputes, or shareholder conflicts—out of the deal.

• It’s gaining traction in mid-market M&A, not just big-cap private equity, with growing adoption in Australia across sectors like tech, energy, health, and services.

• Typical use cases include IP assignment issues, unresolved litigation, ATO uncertainty, and regulatory investigations.

• Policies are bespoke and require legal input. Premiums typically range from 2–10% of the insured amount.

• Used well, it can unblock stalled transactions, accelerate capital raises, and de-risk exits—without holding up negotiations or leaving cash on the table.

• If you’re facing a specific legal issue in a deal, ask your broker or legal adviser if it’s insurable. You might be able to solve it faster than you think.

When legal risk holds the deal hostage

In high-stakes transactions, uncertainty kills momentum. A single unresolved issue—whether it’s a regulatory query, an IP ownership gap, or a shareholder dispute—can delay or derail a deal. These aren’t abstract legal problems. They’re commercial blockers.

Contingent risk insurance offers a way forward.

It’s a product that allows buyers, sellers, and investors to transfer a specific, known legal risk to an insurer. And it’s no longer confined to billion-dollar deals or US private equity mega-funds. In the past 18 months, it’s become a real tool for the UK and US mid-market—and increasingly, for Australian founders, investors, and acquirers.

This isn’t general liability or D&O. It’s a targeted, often bespoke policy that solves for a single point of legal ambiguity. And when used well, it can unlock transactions, clean up balance sheets, or protect against messy exits.

What is contingent risk insurance?

Contingent risk insurance, sometimes called structured risk insurance, protects against the financial consequences of a clearly identified legal risk. Unlike traditional insurance, it doesn’t require uncertain or unforeseen events. The risk is already known—it just hasn’t materialised yet.

The policy steps in if that risk crystallises. If it doesn’t, it gives everyone the confidence to proceed without holding back cash, forcing renegotiations, or walking away.

What can it cover?

Common uses include:

• Tax risk: historical structuring, employee classification, untested positions, or uncertain ATO treatment

• Litigation: known claims with uncertain outcomes, or indemnities provided as part of a sale

• M&A and restructures: ambiguity in contract clauses, restructuring steps, or past compliance

• Regulatory risk: unresolved investigations or shifting legal obligations (particularly ESG, privacy, and financial services)

• IP disputes: unclear ownership, contractor-developed code, or prior art claims

• Shareholder fallout: co-founder exits, disputed entitlements, or blocking stakes

In every case, legal advice has already been sought. The risk is ringfenced, but not eliminated. That’s where the policy adds value.

Why it matters

For founders, contingent risk cover can:

• Unblock a stalled exit

• Accelerate a raise without intrusive warranties

• Secure a clean break from a business or board

• Navigate regulatory grey zones with confidence

For investors and buyers, it reduces the need to hold back funds, demand sweeping indemnities, or accept risk they can't price.

It’s not just about comfort. It’s about execution. In markets where delays can kill deals, speed and certainty matter.

How it plays out in practice

These scenarios are fictional but they reflect the kinds of deals, risks, and decisions we’re seeing in the market. Think of them as composites, drawn from the past 18 months of real placements across Australia, the UK, and the US mid-market.

Tax cover clears the path in a local carve-out
In late 2024, a Melbourne-based energy services firm was acquired by a UK private equity fund. A tax position relating to R&D credits claimed under previous ownership caused concern. Rather than delay the sale or restructure the deal, the parties secured a tax insurance policy that protected the buyer against ATO reassessment. The deal closed on time.

IP ownership issue resolved during US-Australia software acquisition
In early 2025, an Australian SaaS company was acquired by a US acquirer. The buyer flagged that a core piece of code had been written by a now-defunct offshore contractor. No signed assignment could be found. Rather than hold back $2 million in escrow, the buyer placed an IP title insurance policy. The acquisition proceeded with no delay or legal dispute.

Contingent litigation risk mitigated in a healthtech sale
In June 2024, a Sydney-based healthtech platform was preparing for exit when a legacy contractor lodged a claim for underpaid entitlements. The claim was speculative but couldn’t be resolved before signing. Rather than renegotiate terms, the vendor purchased a contingent litigation policy. The buyer accepted the cover in lieu of a warranty. The sale completed within six weeks.

Why now?

Several trends are pushing uptake, particularly in Australia:

• More complex transactions: carve-outs, bolt-ons, and earn-outs come with legacy risks

• Growing regulatory pressure: especially around privacy, employment law, and ESG disclosures

• Mid-market maturation: more Australian companies reaching size and scale where minor risks carry major value impacts

• Global investor exposure: offshore acquirers and funds are bringing structured tools into local deals

According to Aon, contingent risk insurance placements in APAC rose by over 60% in 2024, with Australia accounting for nearly a third of regional deal volume.

Could this be you?

Contingent risk insurance may be worth exploring if:

• You’re selling a business and there’s a known regulatory or tax query

• You’re buying a company with outstanding litigation or an unresolved co-founder dispute

• You’re raising capital and want to neutralise an identified risk without delaying the round

• You’re part of a management buyout and want clean separation from past liabilities

If any of those situations sound familiar, it’s worth asking your broker or legal adviser if the risk is insurable. Even if a policy isn’t ultimately placed, the exercise can shape better negotiations.

A note for advisers

If you're a legal, tax, or corporate finance adviser, you're often the first to spot these risks. Consider:

• Flagging known, defined legal exposures during diligence

• Seeking informal broker advice early on whether those exposures are potentially insurable

• Factoring the potential for insurance into how you advise on structuring, indemnities, or escrow

Clients don’t always know this is an option. You can be the one who unlocks it.

What it costs (and what to expect)

Contingent risk policies are priced based on the size and nature of the exposure. Expect:

• Premiums of 2–10% of the insured limit

• Insured limits ranging from $1m to $100m+

• Underwriting periods of 2–4 weeks, often requiring detailed legal opinions and advisor briefings

It’s not fast and it’s not cheap. But it can be the difference between a deal that dies and a deal that completes.

Final thought

Not every risk can be insured. But many more are now being insured than even a few years ago.

In the right hands, contingent risk cover is a dealmaking tool, not just a legal backstop. It adds leverage, speed, and certainty when the clock is ticking and the stakes are high.

• Standard policy templates often miss how modern businesses actually operate

• Common blind spots include intangible assets, cross-border operations, and outsourced dependencies

• Smarter insurance comes from better structure — not just broader cover

• Underwriters respond best to clear, well-documented risk narratives

• The most effective buyers involve brokers early and treat insurance as a strategic tool

The Limits of Standardisation

Most insurance products are built on patterns. They rely on the idea that risk follows a certain shape, that liability is cleanly defined, and that loss looks more or less like it always has. For decades, that assumption mostly worked. Businesses were relatively stable, exposures were well understood, and the lines between asset, liability and revenue were easier to draw.

That’s not the world most businesses operate in anymore.

Today, risk tends to move faster than the policies designed to respond to it. Organisations are layered, outsourced, and decentralised. Key assets aren’t physical. Critical operations depend on service providers you don’t control, in countries you’ve never set foot in. Standard cover doesn’t always stretch far enough to keep up.

It’s not that insurers are unwilling to adapt. Many are. The problem is that off-the-shelf wordings still dominate, and they often don’t reflect how modern business actually works. Gaps appear not because insurers won’t cover the risk, but because no one’s asked the right questions early enough to shape the cover around it.

The Most Common Mismatches We See

Not every gap is obvious. Many only become visible when something goes wrong and the policy doesn’t respond the way the insured expected. Some of the most common mismatches include:

Jurisdiction creep
You’re based in one country, but your data lives in another, and your contractors operate in a third. A policy written to respond to losses “in Australia” may not cover exposures that unfold across borders, even if the activity is part of your core business.

Non-physical disruption
Many policies still hinge on tangible loss. But business interruption today is just as likely to stem from a software outage, a supplier breach, or a misfiring algorithm. If there’s no physical damage, traditional triggers may not activate, even if the financial impact is very real.

Asset ambiguity
What counts as an asset in 2025? For many, it’s source code, data sets, licensing agreements, and brand equity. Yet these don’t always sit cleanly within the definitions used in legacy policies. If ownership or value isn’t clearly established, coverage may falter.

Contractual risk leakage
Cloud providers, logistics partners, and SaaS vendors are increasingly pushing liability downstream. You may be contractually liable for things your policy doesn’t contemplate—or you may have agreed to terms that void key protections. These risks often slip past procurement and land squarely in the gap between legal and insurance.

Why It’s a Structuring Problem, Not Just a Coverage Problem

The instinctive response to a coverage gap is to buy more insurance. But that’s not always the answer (and in many cases, it’s not even possible). Some exposures fall between product lines. Others blur the boundary between insurable and uninsurable risk.

What’s often needed instead is a structural rethink.

Rather than stacking policies on top of each other, the most effective approach involves understanding how your risk flows through the business, then mapping that flow against your insurance architecture. That might mean:

• using layered policies to protect against cascading loss across jurisdictions,

• negotiating carve-backs in exclusions,

• building in bespoke extensions that reflect how the business actually operates.

This is where the role of the broker becomes critical. Not just as a policy placer, but as someone who can translate operations into risk (and then translate that risk into terms underwriters can work with). The brokers adding the most value in 2025 aren’t just getting cover in place. They’re reshaping it to fit the organisation it’s meant to protect.

Underwriters Want More Context — and More Clarity

The more atypical your risk, the more important your explanation becomes. Underwriters aren’t looking for more paperwork—they’re looking for clarity. If you can’t articulate how your business operates, what its key exposures are, or how you’re managing them, it’s harder to get meaningful cover. And it’s harder again to negotiate on price, wording or limits.

The good news is that insurers are more open than ever to tailoring cover, especially when submissions are clear, consistent and well-evidenced. The shift isn’t just towards bespoke cover, but towards defensible logic. What are you doing to manage the risk? What could go wrong? What does a loss look like in this context? How have you thought about transfer, mitigation and residual exposure?

The strongest submissions now include risk maps, operational diagrams, sample contracts, and internal policies. Not because insurers demand them, but because they help bridge the gap between exposure and understanding. The clearer you are about your risk, the more flexibility you tend to unlock in your cover.

What Smart Buyers Are Doing Differently

Buyers who treat insurance as a transactional afterthought often find themselves with coverage that doesn’t reflect reality. The smarter approach is upstream: bring your broker in early, design your program around how your business actually works, and treat insurance as one tool in your wider risk strategy.

That doesn’t just mean more comprehensive policies, it often means better structured ones:

• Excesses that match your real risk appetite.

• Sub-limits that reflect your biggest exposures.

• Extensions that align with your actual contracts, not boilerplate assumptions.

It also means breaking silos internally. Risk isn’t just the CFO’s problem. Operational leaders, legal teams, procurement and IT all hold pieces of the puzzle. The buyers getting better results are the ones who treat insurance as a shared responsibility, not a single-owner product.

Hypothetical example: A fintech company operating across Australia and Singapore worked with its broker to map out critical third-party dependencies in its payments stack. That visibility allowed the broker to negotiate bespoke non-damage business interruption cover for service outages—something that wouldn’t have been possible off the shelf.

Final Thought

In an environment where risk is increasingly fluid, generic cover is increasingly fragile. The question isn’t whether you’re insured—it’s whether your insurance actually matches the way your business runs.

Standard policies still have their place. But when your operations don’t fit the mould, your cover shouldn’t either. The organisations getting the most value from insurance in 2025 aren’t the ones buying the most. They’re the ones designing smarter, asking better questions, and building protection that reflects the real shape of their risk.

• Supply chains are vulnerable to trade shifts, climate events, regulatory pressure, and geopolitical shocks.

• Most insurance programmes have gaps, especially around unnamed suppliers and non-physical disruptions.

• Review your contingent BI, trade credit, and political risk covers to make sure they match your real exposure.

• Map your supply chain risk. Don’t just list suppliers, understand where bottlenecks and overlaps exist.

• Balance resilience with cost-efficiency by diversifying critical inputs, stress-testing suppliers, and building optionality into sourcing.

The new age of fragmentation

For the last two decades, global trade ran on muscle memory. Offshore production. Just-in-time delivery. Scale efficiencies. That certainty is gone.

What replaced it is a harder, more political world. Trade flows are splintering along new lines. Security trumps efficiency. Carbon costs are being priced in. Governments are intervening more—through tariffs, bans, and subsidies—and supply chains are caught in the middle.

We’ve seen this play out across multiple fronts:

• In early 2024, the US expanded its restrictions on AI chip exports to China and flagged potential sanctions on related tooling.

• Australia’s biosecurity stance led to delays and temporary bans on imports from countries with different animal welfare standards.

• The EU began phasing in its Carbon Border Adjustment Mechanism (CBAM), imposing compliance burdens on companies exporting into Europe from carbon-intensive jurisdictions.

• Attacks on commercial vessels in the Red Sea forced carriers like Maersk to reroute around the Cape of Good Hope, driving up shipping times and costs for Asia–Europe trade.

These aren’t isolated events. They reflect a structural shift. The old assumption—that goods can be made cheaply in one place and reliably shipped anywhere—no longer holds.

Why supply chain risk looks different now

Not all disruption comes from blocked ports or missing parts. Today’s supply chain risk is layered, complex, and increasingly invisible until it hits.

Here’s what’s driving the shift:

Tariff and trade risk

Political decisions are reshaping the economics of trade. New tariffs or export bans can be imposed with little warning, disrupting established flows and making pricing volatile.

Geopolitical risk

Supply chains touch multiple jurisdictions. That means exposure to sanctions, investment restrictions, regulatory divergence, and in some cases, regime risk. For industries reliant on specific countries (e.g. rare earths, semiconductors, agribusiness), the risk isn’t theoretical.

Environmental risk

Drought, floods, and heatwaves are now common causes of delay. Extreme weather and regional climate instability are now common causes of delay, affecting both logistics routes and production hubs across the globe.

Regulatory risk

Governments are increasing transparency demands. Australia’s modern slavery laws, the EU’s Corporate Sustainability Due Diligence Directive, and ESG reporting regimes all push responsibility down the chain. Firms must now demonstrate not just that goods arrived but that they were ethically and legally sourced.

Reputation risk

Brand damage can occur even when the misconduct happens deeper in the supply chain. Allegations of forced labour, environmental harm, or unethical sourcing may originate with a supplier, but the reputational fallout often lands on the end brand.

📌 In 2024, several global brands faced shareholder pressure over sourcing links to Xinjiang and other high-risk regions. Insurers are now scrutinising these links more closely, with some professional indemnity and D&O policies excluding ESG-related exposures where proper diligence hasn’t been demonstrated.

How insurance responds (and where the gaps are)

Insurance can help, but only if the policies are built for the real shape of risk.

Contingent Business Interruption (CBI)

CBI cover can respond when a named supplier suffers a disruption. But it’s often limited to direct (Tier 1) suppliers, leaving a gap if the issue sits further upstream. Many policies also require physical damage as the trigger, ruling out disruptions caused by sanctions, climate, or regulation.

Trade Credit and Political Risk Insurance

These are increasingly being used to hedge against counterparty default and government interference. Political risk insurance, in particular, has seen a resurgence in sectors where expropriation, currency controls, or embargoes are on the rise.

📌 After Russia’s invasion of Ukraine, firms with manufacturing operations or receivables in Eastern Europe scrambled to review their political risk cover. Many found their limits outdated or triggers too narrow to respond to the evolving situation.

Marine and Cargo Insurance

Marine insurers quickly raised war premiums and rerouted underwriting priorities in response to conflict zones and shipping delays. But again, these covers tend to focus on physical loss—less so on delay, regulatory detention, or secondary impacts.

Cyber Supply Chain Risk

Less visible, but no less important. A ransomware hit to a critical supplier can paralyse downstream operations. Some cyber policies provide contingent coverage, but policy wording varies widely—and the insured must often prove a direct link.

🔍 Underwriting Scrutiny is Rising
Insurers now want detailed answers—where your critical suppliers are based, how you manage vendor risk, and whether you’ve mapped second-tier dependencies. Generic answers won’t cut it. If you can’t map your supply chain, you may not be able to insure it.

What risk management needs to look like now

For risk teams and boards, the conversation is shifting. It’s no longer just about cost and efficiency. It’s about resilience and optionality—especially when the next disruption might come from a warzone, a courtroom, or a weather map.

Here’s where the focus is going:

Find your single points of failure

Many businesses still can’t name their Tier 2 or Tier 3 suppliers. That’s a problem. You might have a backup for your Tier 1 manufacturer in Malaysia, but if both rely on the same pigment factory in Gujarat, you’ve got a bottleneck.

Some firms are now investing in supply chain mapping software and scenario-based stress testing. Not just where delays might happen—but how they’ll affect inventory, revenue, and customer experience if they do.

Rethink sourcing geography

It’s tempting to look at cost alone. But in practice, a slightly more expensive supplier in a low-risk jurisdiction may be better than the cheapest option in a volatile one.

The most resilient firms are building regional redundancy—sourcing the same critical input from two or more suppliers in different jurisdictions, ideally with different climate and political profiles.

Review your triggers and exclusions

Many contingent BI policies only respond to physical damage at a named supplier’s site. That excludes sanctions, ESG compliance issues, cyberattacks, and regulatory shut-downs.

If those risks matter to your business, your insurance programme should reflect it. That might mean:

• Expanding your definition of an “insured event”

• Seeking non-damage BI or cyber supply chain extensions

• Reviewing political risk and trade credit limits annually, not just at renewal

📌 Some clients are now using parametric covers to protect against shipment delays or climate disruptions. These pay out based on measurable events (e.g. port closure, rainfall index) rather than traditional loss adjustment processes.

Tighten vendor diligence

Risk and procurement teams must work together more closely, especially when onboarding new vendors or stress-testing existing ones. It’s not enough for a vendor to be technically capable—they also need to pass ESG checks, prove business continuity capability, and show insurance of their own.

Risk questions worth asking:

• Do our key suppliers have cyber insurance and an incident response plan?

• Are they located in areas with rising climate or conflict exposure?

• Are we named as an interested party on their business interruption or liability cover?

What to watch next

Supply chain risk isn’t going away. If anything, it’s becoming more fluid and harder to contain. But there are also promising shifts happening in how businesses and insurers are responding.

Here are three areas worth watching:

1. More flexible CBI cover

Traditional CBI policies often fall short—especially when disruption comes from an unnamed or second-tier supplier.

To address this, some carriers are now offering more dynamic options, including:

• Coverage for unnamed suppliers (with pre-agreed disclosure thresholds)

• Triggers based on cyber events, regulatory shutdowns, or even ESG violations

• Sector-specific programmes that reflect the unique exposures in industries like tech, pharma, and food

These changes reflect mounting pressure from clients and brokers who need cover that matches the way supply chains actually operate.

2. Embedded supply chain intelligence

Firms are beginning to pair real-time shipment data, satellite monitoring, and AI-powered ESG screening with their insurance and risk management tools.

This unlocks faster claims, better underwriting, and stronger internal reporting. It also gives risk teams leverage in supplier negotiations and board-level decision-making.

3. The rise of captives and structured solutions

Where the commercial market won’t go, captives and structured solutions increasingly will. We’re seeing this particularly with:

• Regional climate risk (e.g. drought hitting suppliers in Latin America)

• Concentrated manufacturing exposures in high-risk countries

• Large firms trying to control pricing volatility in transport or input costs

If traditional insurance stops short, finance and risk teams are collaborating on bespoke protection strategies that blend captives, parametrics, and credit-based solutions.

Final thought

Most businesses didn’t build their supply chains with geopolitics or climate volatility in mind. But that’s the world we’re in.

You don’t need to abandon efficiency but you do need to design for resilience. That means knowing where your risks are concentrated, having the tools to measure them, and the coverage to respond if things go sideways.

Because global supply chains don’t break cleanly—they ripple. The smarter firms are already adjusting.

• Australia’s new ransomware rules mean certain organisations must report incidents within 72 hours, even if no ransom is paid.

• Disclosure is now mandatory for critical infrastructure sectors and likely to expand beyond them.

• Silence is no longer a strategy. The way you respond carries legal, reputational and insurance consequences.

• Materiality is subjective. Companies need to predefine what counts as a reportable impact before a crisis hits.

• Boards can’t sit back. Cyber is now a governance issue, not just a technical one. Response plans must involve legal, comms, and executive leadership.

The Rules Have Changed

In Australia, you no longer need to pay a ransom to land in regulatory trouble. Just being hit is enough.

Under amendments to the Security of Critical Infrastructure Act 2018 (SOCI) that came into effect on 17th April, certain organisations now have a legal obligation to report ransomware attacks. Even if no money changes hands. Even if you manage to contain the damage.

If you’re in one of the 11 sectors classed as “critical infrastructure” — including energy, healthcare, transport, and financial services — and your systems are locked, your data is stolen, or your operations are disrupted, you may need to notify the Cyber and Infrastructure Security Centre (CISC) within 72 hours. You’ll also be required to keep records of the incident and your response for a full year.

This is a significant shift. Until now, ransomware attacks often played out behind closed doors. Regulators and the public only found out when services stopped or data was dumped online. These new rules close that gap.

Why This Matters, and What It Signals

These changes aren’t just about tightening compliance. They reflect a broader shift in how governments — and society — are starting to think about cyber risk.

Around the world, we’re seeing regulators move away from “please report if you can” to “you must report or face consequences.” The US is introducing mandatory disclosure laws under CIRCIA. The EU is doing the same under NIS2. Australia is now following suit — starting with critical infrastructure, but unlikely to stop there.

At a policy level, the message is clear: cyber attacks aren't just a private business problem. When essential services are hit, the impact is public. The government wants visibility early, not after the fact.

From a business perspective, this tells us something else. Ransomware is no longer just a technical issue or an operational headache. It’s a national security concern. That’s why it’s now subject to the same kind of rules we see in financial reporting or environmental risk. You don’t get to keep it quiet just because it’s uncomfortable.

The End of Private Cyber Crises

There was a time when ransomware attacks could be handled quietly. Pay the ransom. Don’t pay the ransom. Restore from backups. Put out a vague statement (or none at all). The goal was to move on as quickly and discreetly as possible.

That’s no longer a safe option.

These new rules change the default setting from discretion to disclosure. If your systems are locked up or your data is compromised, someone outside your business may now have to be told, whether you like it or not.

This isn’t just a compliance shift. It’s a cultural one. Silence and spin are no longer viable crisis strategies. The act of being hit, regardless of how well you recover, now carries legal and reputational weight.

It also raises a harder question: how will companies decide whether an incident is reportable? The new rules refer to “material impact,” but that’s not always easy to define, especially in the middle of a crisis. Was an hour of downtime critical? Did a suspicious data transfer count as exfiltration? These grey areas leave room for interpretation, and with it, risk. That’s why materiality thresholds — whether based on regulatory exposure, customer disruption, or financial impact — need to be agreed ahead of time, not debated under pressure.

And regulators aren’t likely to be generous if they think a company has chosen to under-report, delay, or downplay an incident. If anything, the window for plausible deniability is getting smaller.

What This Means for Boards and Business Leaders

This isn’t just a technical update buried in compliance documents. It reshapes how organisations need to think about ransomware — and who’s responsible when it hits.

1. Response is reputation

Once an incident crosses the threshold for mandatory reporting, the way you respond becomes part of the public record. The speed, clarity, and coordination of that response matter as much as the underlying fix. If regulators or the media find out before your own stakeholders do, you've lost control of the story.

Even well-contained breaches can cause damage if the response is slow, confused or secretive.

2. Insurance doesn't cover avoidance

Cyber policies often include conditions around timely notification. In some cases, failure to report an incident to authorities can void coverage entirely. It also raises flags at renewal time. Underwriters are increasingly factoring in governance behaviours when pricing risk. That includes how openly you deal with incidents.

If you're managing cyber exposure behind closed doors, you're likely also limiting the support available when it matters most.

3. Materiality is a judgement call

The rules refer to “material impact” without offering much precision. That leaves it to internal teams to assess whether a disruption qualifies. For time-poor executives in the middle of a crisis, that’s a risk in itself.

Misjudge it and you may be in breach. Over-report and you may invite scrutiny that wasn’t required. The process needs to be discussed well before anything goes wrong.

4. The right people need to be in the room

Cyber incidents aren’t just technical failures. They can trigger legal obligations, stakeholder panic, and brand damage. That means legal, comms, risk and operational leadership need to be aligned — ahead of time. If your incident response playbook still routes everything through the IT team, it’s outdated.

Board directors should know what the response plan looks like and how fast key decisions can be made when the pressure is on.

This Is Just the Beginning

For now, the rules apply to critical infrastructure sectors. But the direction is clear. Governments want earlier visibility into attacks, especially those with national or economic impact.

Australia’s 2023 Cyber Security Strategy made this shift explicit. The aim is to move from reactive enforcement to active coordination. That starts with critical sectors, but many expect mandatory reporting requirements to extend into other parts of the economy.

The safest assumption is that ransomware incidents will soon carry formal reporting obligations for a wider set of organisations. Waiting for regulation to apply to you directly is a risky strategy.

Case in Point: DP World Australia, November 2023

When DP World Australia was hit by a ransomware attack in November 2023, it caused major disruption to container terminals across the country. Port operations were suspended for several days. Freight was delayed. Supply chains were strained.

At the time, the nature of the attack wasn’t confirmed publicly. It wasn’t until March 2024 — during a Senate inquiry — that the company acknowledged ransomware was involved.

If the new rules had been in place, the breach would likely have triggered mandatory reporting to the CISC within 72 hours. The level of operational disruption, and the national significance of DP World’s role in the logistics network, would meet the threshold.

This example shows how disclosure timelines are changing. It also reinforces the message that regulators expect organisations to be proactive, not defensive.

Final Take: Disclosure Is the New Risk Surface

Every organisation focuses on preventing attacks. Fewer are prepared for what comes next. The decisions made in the hours and days after a breach are fast becoming just as important as the breach itself.

Mandatory reporting isn’t just a compliance challenge. It forces leadership teams to make faster, higher-stakes calls under pressure. Who gets informed? What do you say? How do you avoid compounding the damage?

This rule change is a signal. Cyber security isn’t just about defence. It’s about accountability. And increasingly, that accountability sits in the open.

We’ve all read the post-incident reports that end with the same tidy phrase: “due to human error.” It’s become corporate shorthand for “somebody made a mistake, and that’s all you need to know.”

But in high-stakes environments—whether that’s data security, healthcare or mining operations—stopping the investigation at human error is like blaming gravity for a fall. It’s technically true. But it tells you nothing useful about prevention, and even less about resilience.

Too often, the phrase becomes a full stop instead of a starting point. The real question isn’t who made the mistake, it’s why the system allowed that mistake to matter.

Was the task ambiguous? Was the environment high-pressure? Was the process confusing, outdated, or impossible to follow as written?

Most failures don’t start with a bad decision. They start with a process that was designed in isolation from how work actually happens.

That’s not human error. That’s a systems failure in disguise.

The Trouble With Human Error

Human error isn’t a cause. It’s an effect. A downstream symptom of deeper design flaws, broken workflows, and cultural blind spots.

Safety science figured this out decades ago. James Reason’s “Swiss Cheese Model” reframed accidents as the alignment of latent system failures—holes in the layers of defence that normally keep people safe. The person at the sharp end of the error isn’t the cause. They’re the last line of defence.

More recently, cognitive systems engineering and human factors research have expanded that lens. Professor Sidney Dekker’s work on the “New View” of human error emphasises the context in which decisions are made. Mistakes are not random—they’re shaped by the information, pressures, and constraints people face in real time.

That means if someone clicked the wrong button, skipped a step, or ignored a protocol, the right question isn’t “why didn’t they follow the rule?”. It’s “why did breaking the rule make sense to them at the time?”

This isn’t just theory. It plays out in boardrooms and courtrooms.

When things go wrong, procedural non-compliance is often the headline finding. But beneath that headline, you’ll usually find a tangle of small, systemic contributors: unclear documentation, overstretched teams, outdated control frameworks, and incentives that reward speed over care.

These aren’t outliers, and they show up in ways that are easy to overlook:

• Confusing interfaces

• Poorly written procedures

• Inconsistent training

• Conflicting KPIs

• Tools that don’t match the task

• And rules that are impossible to follow in practice

In the end, it’s often the system that allows the error to happen. It leaves the door open and relies on people not walking through it. But that’s not resilience—that’s luck. Because any system that depends on perfect human performance isn’t built to adapt. It’s built to break.

The Real Risk Surface

In risk management, the disconnect between work as imagined and work as done is a recurring theme. The manual says one thing. The real world demands another. The gap between the two? That’s where risk lives.

People fill the gap every day—navigating ambiguity, resolving conflicts, smoothing over clunky systems. Until one day, something goes wrong. And the gap gets renamed “non-compliance.”

This is your human risk surface: Where people, processes, and platforms collide under pressure, with imperfect information, and limited time.

Most organisations don’t map that surface. They map policies. They audit procedures. But they rarely ask how people actually get things done. Or what friction forces them into unsafe or insecure behaviours in the first place.

This is where smart leaders focus. Not on the error itself, but on the conditions that made it inevitable.

What to Do Instead: From Blame to Learning

So how do you shift from punishment to prevention? You start treating mistakes as data, not dead ends.

Here’s what that looks like in practice:

🔍 Investigate context, not just compliance

Don’t stop at “who made the mistake?” Ask “what were they dealing with?” Was the person under time pressure? Were they using outdated tools? Did they have the information they needed? When someone bypasses a protocol, it’s usually not out of carelessness—it’s because the process didn’t match the task. If your investigation doesn’t surface that friction, it’s incomplete.

🛠 Redesign for the way work really happens

Most policies are written from the boardroom. But most risk shows up on the frontline. Shadow the people doing the work. See what gets skipped, patched, worked around. Map out the critical moments where human judgment meets unclear systems—and fix the mismatch. Risk isn’t reduced by tightening control. It’s reduced by making the right action easier than the wrong one.

🗣 Remove the fear of reporting

If people only speak up after something goes wrong, you’ve already lost the lead time. The organisations that learn fastest are the ones where people can raise their hand before there’s a breach, a spill, or a system failure—without fear of blame. This isn’t just culture. It’s architecture. Design reporting systems that reward transparency, not perfection.

📈 Track near misses and weak signals

Near misses are the clearest warnings you’ll get. They expose system vulnerabilities in plain sight, even if nothing went wrong this time. Sometimes it’s luck. Sometimes it’s a last-minute catch. Either way, they offer a crucial opportunity to analyse the conditions that could lead to something more serious.

But don’t overlook the quieter signals: repeated workarounds, high helpdesk volumes, backlogged maintenance, inconsistent form completions. These patterns often surface long before a headline incident does.

⚖ Rethink accountability

True accountability isn’t about naming the person. It’s about understanding the system. Yes, people make decisions. But those decisions are shaped (and at times cornered) by the environment around them. Real leadership owns the conditions, not just the consequences.

And if you're still thinking, “but they should’ve known better”—ask yourself this:
Did the system make doing the right thing obvious, easy, and supported? If not, you’re not managing risk. You’re just managing optics.

When Systems Learn, People Don’t Have to Pay the Price

You don’t fix a plane by firing the pilot. You fix the checklist. The handover. The cockpit alert. The assumptions about what someone will do when the engine fails.

Organisations should be no different.

Want fewer errors? Build better systems. Want real resilience? Don’t ask who failed; ask what made failure inevitable.

Disclaimer: This post isn’t legal or financial advice—just ideas to think with. For decisions that affect your business, speak to someone who knows your context.

Most companies will spend more time debating tone in a press release than preparing for the first 60 seconds of a reputational flash fire. They think in press cycles. But reputation now lives in meme cycles. And no, your five-page PDF response plan won't save you.

The New Rules of Reputational Risk

• Speed: Outrage travels faster than your approval chain.

• Channels: X (Twitter), TikTok, Reddit—none of them respect a comms blackout.

• Actors: It's not just journalists or customers anymore. It's employees, trolls, bots, whistleblowers, and your own staff.

• Persistence: The internet doesn’t forget (and neither does Google).

• Exposure: Risk isn’t just external—it’s embedded in your own culture, tech stack, and leadership choices.

Traditional crisis plans are:

• Too slow.

• Too hierarchical.

• Too focused on message control.

• Built for broadcast media, not participatory backlash.

You won’t always control the story. But you can avoid adding fuel to it.

Case Studies in Losing Control

Even well-resourced organisations with legal teams, PR agencies, and insurance in place can lose control of the narrative in hours—sometimes minutes. These examples aren’t just media missteps. They’re systemic failures that played out in public.

• United Airlines (2017)
  When a video surfaced of a passenger being forcibly removed from an overbooked flight, United’s initial response was procedural and defensive. The backlash was immediate. Within 48 hours, the airline’s market value had dropped by $1.4 billion. The damage wasn’t caused by the incident alone—but by the tone-deaf handling of it.

• PwC Australia (2023)
  The firm faced a national scandal when it emerged that partners had misused confidential government tax policy information for commercial gain. But what escalated the crisis was the internal Slack messages leaked afterward—revealing not just misconduct, but a dismissive internal culture. Reputational damage came not just from the breach, but from how it was internally tolerated.

• Optus (2025)
  In early 2025, Optus suffered a second major network outage—barely 15 months after a high-profile data breach. While the technical failure was serious, it was the public and political response to the company’s lack of communication that caused the most damage. Confused messaging, delayed updates, and absence from key media moments led to renewed questions about the company’s leadership and crisis management capability. The brand was hit harder by perception than by the outage itself.

Reputation as a Transferable Risk (But with Limits)

Reputation is one of the few business risks that’s both insurable and intensely human. That creates tension. On paper, a policy might respond. In practice, the fallout often runs deeper than any coverage can reach.

Some insurance products can help cover the immediate costs of managing a reputational crisis—typically things like external PR support, media consultants, and digital monitoring. But they don’t rebuild trust. They don’t stop key staff from leaving or customers from walking away. And they certainly don’t undo a leadership failure or cultural misstep.

Here’s what the coverage usually looks like:

• What’s commonly included: Crisis consultancy, communications support, media strategy advice (usually through a pre-approved vendor panel).

• What’s not included: Loss of future revenue, brand equity erosion, staff morale, or broader reputational damage outside the scope of a defined incident.

There are some useful policy triggers to be aware of:

• Crisis Management extensions: Often embedded in Management Liability or Cyber policies with set sublimits and predefined response services.

• D&O cover: Relevant when reputational fallout leads to regulatory scrutiny, shareholder action, or allegations of governance failure.

• Reputational Harm clauses: Occasionally available in bespoke placements, but highly variable in scope and activation thresholds.

None of these are silver bullets. They’re useful tools, but they only work well when backed by genuine preparation and internal alignment.

What Modern Risk Leaders Do Differently

When reputation is on the line, the worst response is indecision. Modern risk leaders understand that trust is lost in seconds and rebuilt in months—if at all. So they prepare not just to respond, but to respond well.

Here’s what that looks like in practice:

• Designate pre-approved crisis teams with delegated authority
  Don’t rely on comms, legal, and execs to align in the moment. Assign a cross-functional team, give them parameters, and empower them to act without waiting for consensus. Decision latency is often more damaging than the incident itself.

• Run scenario simulations—not just tabletop exercises
  Most organisations do one symbolic crisis drill a year. Modern teams run realistic simulations that include messy variables: misinformation, employee leaks, conflicting messages, and social backlash. The goal here is to build muscle memory.

• Build rapid-response templates focused on tone, not just facts
  You don’t need a perfect statement. You need a fast, human one. Create draftable frameworks that allow your team to acknowledge the issue, show empathy, and communicate early—even before all the details are known.

• Treat employees like stakeholders, not liabilities
  Employees are often the first to speak, post, or leak. If they trust the organisation, they become your advocates. If they don’t, they become your critics. Internal comms isn’t a soft skill—it’s a frontline risk control.

• Align insurance with operational readiness
  Insurance should be part of the plan, not a side conversation. That means understanding who can trigger cover, how quickly support can be deployed, and which vendors are pre-approved. Risk transfer is only useful if it activates in time to matter.

The 3 Pillars of Modern Crisis Response

1. Signal
   Spot it early. Use social listening tools, employee feedback loops, and internal escalation channels. Don’t rely on gut instinct or media alerts.

2. Speed
   Empower response teams to act without unnecessary sign-offs. Reputational damage compounds with delay.

3. Sincerity
   Speak like a human. Avoid legalese and corporate platitudes. In a trust crisis, tone is the message.

Reputation Is a Systems Issue

Reputation isn’t just shaped by what you say when things go wrong. It’s shaped by how you operate when things are going right.

A strong comms team can’t paper over a weak culture. Slick messaging can’t substitute for sound ethics. And no amount of reputation management will fix leadership that’s out of step with employees, customers, or the community.

That’s why reputational risk is best understood as a systems issue, not a communications issue. It’s the result of how your organisation makes decisions, lives its values, and responds under pressure. If there’s a gap between what you say and what you do, that gap becomes the story.

Leaders who ignore that reality often find themselves managing consequences, not risks.

So, What’s the Risk Transfer Strategy?

Insurance can be a powerful part of your reputation strategy—but only if it’s integrated thoughtfully into your broader response plan.

Think of it less as a shield and more as scaffolding. It won’t stop the blow, but it can help you stabilise and respond faster.

• Don’t just buy cover—understand how it activates.
  Who can trigger it? What vendors are pre-approved? What qualifies as a “crisis”? These details matter when minutes count.

• Know your first call.
  Have your crisis advisors locked in and briefed. Know who you’re leaning on—PR, legal, insurers—before the headlines hit.

• Go beyond the policy schedule.
  Insist on insurers who understand your real risk exposures—not just your industry label or headcount. The quality of advice and alignment can make the difference between a useful response and a generic one.

Used well, insurance is a tactical enabler. It gives your team space to focus on what matters most: restoring trust, staying visible, and leading through the storm.

Conclusion

Reputation isn’t something you control. It’s something you earn—and hold onto by being consistent when things go wrong.

In a crisis, people don’t look for polish. They look for clarity. They want to know who’s in charge, whether the response is real, and if the organisation actually stands behind what it says.

That kind of response doesn’t come from a playbook. It comes from preparation. From a leadership team that trusts each other. From systems that support quick decisions. From a culture where people raise their hand when something feels off.

Insurance can help. But it works best when it’s part of the plan, not the fallback. The real work starts well before the headlines.

The teams that do this well aren’t trying to control the narrative. They’re focused on showing up early, acting with integrity, and making decisions they can stand by—online and off.

Disclaimer: This post is for general informational purposes only. It does not constitute legal or financial advice. Always consult qualified professionals for guidance tailored to your specific situation.

In an era where late payments are commonplace and insolvencies are rising, extending credit isn't merely a commercial decision; it's a strategic risk management choice. This is where Trade Credit Insurance (TCI) becomes indispensable and increasingly, expected.

🚩 What Is Trade Credit Risk?

Trade credit is one of the most common, and least understood, forms of financing in global business. When you deliver goods or services before receiving payment, you're not just making a sale. You're extending credit. And like any form of credit, it comes with risk.

Trade credit risk is the risk that your customer won’t pay their invoice on time (or at all). That might happen because:

• They become insolvent (e.g. enter administration, liquidation, or bankruptcy)

• They default or delay payment for extended periods (protracted default)

• They’re affected by external shocks such as political upheaval, currency controls, or sanctions

• Or, increasingly, they restructure their supply chain or capital stack, pushing unsecured creditors to the back of the queue

This isn't just an issue for exporters or those operating in frontier markets.

In 2025, global business insolvencies are expected to rise by another 6%, on top of a 10% jump in 2024. This marks the fourth straight year of increases, driven by delayed interest rate cuts and lingering economic uncertainty. And it’s not just small businesses feeling the pressure. Large, publicly listed companies like Wilko in the UK and ProBuild in Australia have gone under in recent years, leaving tens of millions in unpaid receivables behind them.

The impact of non-payment doesn’t end with the balance sheet. It can:

• Disrupt payroll, inventory, or capex planning

• Strain supplier relationships when upstream payments are delayed

• Trigger breaches of debt covenants or working capital ratios

• Damage reputation if you're seen chasing struggling customers or writing off large debts.

And it’s not just about large exposures. According to Atradius, the average DSO (days sales outstanding) globally hit 59 days in 2024 and nearly 45% of businesses reported late payments as a regular challenge.

While many finance teams are laser-focused on customer acquisition costs, revenue growth, and net margins, the risk of not getting paid often gets overlooked until it's too late.

This is why trade credit risk sits at the intersection of finance, strategy, and governance. It’s not just who your customers are — it’s about how concentrated your exposure is, how well you monitor their creditworthiness, and what risk transfer tools you have in place when things go wrong.

🛡️ What Trade Credit Insurance Covers

Trade Credit Insurance (TCI) protects your accounts receivable, typically covering up to 90% of the invoice value when a customer fails to pay due to insolvency or protracted default. That’s often the difference between a short-term cash crunch and a full-blown solvency issue..

Cover usually applies to risks outside your control and unrelated to performance disputes. These include:

• Insolvency: The customer enters liquidation, administration, or bankruptcy.

• Protracted default: The customer doesn’t pay after a defined waiting period, usually between 90 and 180 days, even though the debt isn’t in dispute.

• Political risk (for export sales): Non-payment triggered by war, revolution, expropriation, embargoes, or currency restrictions.

Depending on your insurer, industry, and the jurisdictions involved, coverage can be extended to include:

• Pre-shipment risk: Where production is customised or capital is front-loaded, some policies can cover the period between order confirmation and delivery.

• Contract frustration: If political or regulatory changes prevent the fulfilment of a contract, despite both parties being solvent and willing.

• Public buyer default: Cover for sovereign or state-owned buyers who delay or fail to pay due to bureaucratic or funding constraints.

Many policies also include credit limit approvals, where the insurer assesses and signs off on specific customers up to a certain exposure. This gives you a useful third-party view of a customer’s financial stability.

In some cases, the insurer’s refusal to approve a limit can act as an early warning sign, prompting closer scrutiny before you extend terms.

🔍 What It Doesn’t Cover

TCI doesn’t function as blanket protection and won’t respond to issues stemming from internal breakdowns, known risks, or disputes over performance.

Typical exclusions include:

• Contractual disputes: If the buyer claims goods were delivered late, faulty, or in breach of contract, the insurer will pause any claim until the issue is resolved.

• Administrative issues: Late invoicing, unapproved changes to payment terms, or poor record-keeping can invalidate a claim.

• Pre-existing exposures: Any debt that was already overdue or known to be problematic before the policy started is outside scope.

• Fraud by the insured: If the insured misrepresents facts, fails to declare material changes, or submits fictitious invoices, the policy won’t respond.

• Sanctioned or undeclared risks: Transactions involving sanctioned countries, excluded industries, or buyers without a declared and approved credit limit are not covered.

Importantly, TCI isn’t retrospective. If a customer defaults and only then do you consider insurance, it’s already too late. Coverage must be in place before a problem occurs.

Compliance is also critical. Claims can be denied if you miss a reporting deadline, extend payment terms without approval, or exceed a declared credit limit. Even if the loss is genuine, failing to follow the policy’s conditions can invalidate cover.

📊 A Strategic Tool for Liquidity, Lending, and Deal Confidence

Trade Credit Insurance has evolved beyond its traditional role as a backstop for bad debt. For CFOs and corporate finance teams, it’s now part of a broader capital management strategy—one that influences lending terms, liquidity planning, and even deal valuations.

Several trends are driving this shift:

• Receivables-backed lending: Banks are more likely to offer favourable terms, higher credit limits, or lower interest rates when receivables are insured. From invoice finance to asset-based lending, TCI strengthens the collateral position and gives lenders confidence in repayment.

• Private equity and M&A due diligence: Buyers—particularly in leveraged transactions—scrutinise customer concentration risk and recurring revenue quality. A robust TCI program helps de-risk these exposures and may influence how future earnings are valued or adjusted in deal models.

• Debt covenant compliance: In an environment where cash buffers are shrinking and interest coverage ratios are under pressure, insured receivables offer stability. They can help smooth out volatility in operating cash flow, supporting compliance with EBITDA- or working capital-linked covenants.

• Cross-border growth: For businesses expanding into new geographies, particularly emerging markets, TCI offers more than peace of mind. It acts as a market enabler, giving boards the confidence to enter jurisdictions that might otherwise be ruled out due to payment risk.

In a tightening credit environment, where cost of capital and access to funding are under scrutiny, predictability is currency. And predictability is exactly what TCI delivers—not just to finance teams, but to the lenders, investors, and partners assessing the business from the outside.

🧾 Two Paths, One Lesson: How Credit Insurance Shapes Outcomes

Trade Credit Insurance doesn’t just respond to loss — it changes how the market sees you. Two recent cases, from opposite ends of the risk spectrum, show what’s at stake when credit risk is either ignored or actively managed.

🚨 Tower Trade Finance Ireland: When Assumptions Replace Assurance

In 2023, Tower Trade Finance Ireland (TTFI), a Dublin-based supply chain lender, collapsed owing €14 million. Investors were assured that exposures were diversified and protected by credit insurance. But behind the scenes, one borrower — JACC Sports Distributors — accounted for €9.5 million of the debt and wasn’t insured.

When JACC defaulted, the hole couldn’t be plugged. Up to 85% of investor funds were lost. TTFI’s failure wasn’t just a credit event; it was a governance failure. Credit insurance had been assumed, not verified. Limits weren’t managed, and the true exposure wasn’t communicated.

This wasn’t a rogue client or a black swan event. It was a known risk that was left uncovered — and a reminder that a single uninsured debtor can bring down an entire structure.

✅ Asos: Market Confidence, Rebuilt

By contrast, online retailer Asos faced its own crisis in 2023–24. Soft demand, excess inventory, and declining margins put pressure on its cashflow. Credit insurers pulled cover for its suppliers, spooking the market.

But in early 2025, after a period of strategic restructuring — including better inventory management and cost discipline — Atradius and Coface reinstated their trade credit insurance lines. This wasn’t just an operational win. It was a vote of confidence that gave suppliers reassurance and signalled to investors that Asos had stabilised.

In practical terms, it made it easier for Asos to secure better payment terms from suppliers and access working capital on improved terms. Insurers, in this case, became unwitting narrators of the company’s turnaround.

🧠 So Is It Worth It?

Trade credit insurance isn’t plug-and-play. It adds cost, demands process, and occasionally requires difficult conversations with sales teams or customers. But for businesses with material exposure to customer default risk, it can deliver protection and value far beyond the premium.

To get it right, you’ll need to:

• Establish internal credit controls, including buyer limit approvals, exposure tracking, and overdue reporting

• Align finance and sales teams, so growth doesn't outpace risk oversight

• Monitor policy compliance, especially around payment terms, declarations, and documentation

Done well, a TCI program doesn’t just respond to bad debt. It changes how you manage risk across the revenue cycle. It can:

• De-risk sales growth into new markets or higher-volume customers

• Protect EBITDA during downturns by stabilising cash flow from core accounts

• Unlock finance by making receivables more attractive to banks and investors

• Buy time when things go wrong, giving you room to negotiate, restructure, or recover without triggering broader consequences

It’s not about removing risk. It’s about giving yourself more options when risk materialises.

🎯 Final Thought

We insure our laptops. Our trucks. Our warehouse roofs.

But for many businesses, the most exposed asset on the balance sheet — the receivables ledger — sits uninsured.

Not because it’s uninsurable. Just because it’s been overlooked.

So ask yourself:

Trade Credit Insurance won’t prevent that scenario. But it might just buy you enough time to survive it.

And that can make all the difference.

Disclaimer: This post is for general informational purposes only and does not constitute legal or financial advice. The views expressed are my own and do not necessarily reflect those of Adroit Insurance & Risk. Always consult qualified professionals for advice tailored to your specific situation.

Here’s how cross-border exposures actually unfold, how product laws differ around the world, and what to look for in a truly international product liability cover.

🧭 Where Liability Actually Lands

• When your offshore supplier gets sloppy with quality control.
  They cut corners. You don’t find out until someone’s injured—or worse, a regulator finds out first. If you’re the importer or brand owner, liability often stops with you, not them.

• When your packaging doesn’t meet local compliance standards.
  Think missing warning labels, incorrect language, or the wrong certification mark. What passes in Sydney might get flagged—or fined—in Singapore or Frankfurt.

• When a distributor tweaks your instructions and you wear the lawsuit.
  Your safety guidance said one thing. Their translation said another. When the product fails, guess who gets named in the claim?

• When a consumer gets injured in a country you barely operate in.
  You didn’t market there. You didn’t ship there directly. But thanks to grey imports, marketplaces, or cross-border logistics—you’re still on the hook.

📍 And somehow, you’re the one in court.

Welcome to global supply chain liability, where responsibility flows faster than your insurance program can keep up—unless it’s been built for it.

📚 Product Laws Around the World (Yes, They’re Different)

🦘 Australia:

Under the Australian Consumer Law (ACL), manufacturers, importers, and even suppliers can be strictly liable for products that cause injury, death, or financial loss—even if they weren’t at fault. That includes local businesses who supply goods when the manufacturer can’t be identified or isn’t based in Australia (s138).
There’s also the overlay of mandatory consumer guarantees. Bottom line? If you’re importing it, distributing it, or branding it—you’re probably backing it.

🇪🇺 European Union:

The Product Liability Directive imposes strict liability across all EU member states. In 2023, the General Product Safety Regulation (GPSR) kicked in to modernise those protections—especially around connected, smart, and AI-enabled products. If you're selling IoT devices, wearables, or anything that runs code, you're now facing cyber-physical liability—where bugs, not bolts, cause harm.

🇺🇸 United States:

Welcome to the litigation capital of the world. Product liability can arise from strict liability, negligence, or breach of warranty. Claims often balloon into class actions. And if the jury thinks you cut corners? Punitive damages can wipe out even a well-capitalised company.

🌍 Rule of thumb:

You're not judged by the rules in your home country. You’re judged by the rules where the harm occurs. If you're not aware of local liability regimes, you're not just exposed—you're flying blind.

🛡 Structuring Product Liability Cover for a Global Market

✅ Use a global master policy with local fronting to align compliance and claims handling.

One central policy sets the tone, while locally admitted policies in key regions keep regulators happy and claims manageable. It’s the best of both worlds—uniform cover, local credibility, and fewer nasty surprises when something goes wrong in-market.

📍 Get clear on territorial scope (where damage happens) and jurisdiction (where you can be sued).

These two aren’t the same. A product might injure someone in Canada (territory), but the lawsuit might be filed in California (jurisdiction). If your policy doesn’t explicitly cover both, you might be holding the bag.

🧾 Claims-made vs. occurrence-based: know the difference—especially for long-tail risks.

With claims-made cover, if the claim’s filed after your policy lapses, you're out of luck. Occurrence-based? You're covered as long as the incident happened while the policy was active—even if the claim rolls in years later. Critical if you're in sectors with delayed-onset issues (like medtech or construction).

🔍 Review your policies regularly—your risk profile changes as fast as your suppliers do.

New suppliers, new markets, new materials = new exposures. A product tweak or new distribution channel could quietly create a coverage gap you won’t discover until a claim lands.

🔧 Managing Offshore Production (Without Losing Sleep)

🧠 Due diligence: Vet your suppliers like they’re part of your team.

Don’t just look at price and turnaround time. Investigate their manufacturing controls, incident history, certifications, and yes—their insurance. If they go quiet when you ask, that’s your first red flag.

📜 Contracts: Spell out who owns what risk—and confirm they’re insured.

“Standard” terms won’t cut it in cross-border production. Make sure your contracts cover indemnities, governing law, dispute resolution, and minimum insurance limits. And follow up on those COIs—yearly, not just at onboarding.

🔎 Quality control: Inspect what you expect (yes, even remotely).

Whether it’s hiring local QC auditors, using third-party inspection firms, or leveraging video-based verification, having oversight—however lightweight—can prevent major reputational damage and claims down the line.

🎯 If your brand’s on it, the liability probably is too.

In the eyes of the law (and the customer), the brand is the manufacturer. You might think you're just the middleman, but if you’re the face of the product, you’re probably the fallback when things go wrong.

💼 Best Practices for Risk Transfer

📝 Embed insurance clauses in every supplier agreement.

Don’t just ask if they’re insured—contract it. Make your supplier name you as an additional insured. Specify minimum coverage levels. Outline what types of insurance they must carry (e.g. public & product liability, recall, errors & omissions). And make proof of insurance a deliverable, not a handshake.

📦 Use batch coding and recall plans to limit exposure.

If you can’t trace defective stock by lot number, you’re recalling everything. That’s slow, expensive, and reputationally damaging. Most product liability policies include a recall extension—but the sublimit is often a fraction of what a real recall costs. Build your systems and workflows to contain a problem before it spreads—and double-check whether your cover is anywhere near enough.

🤝 Work with brokers who get global placements and regulatory quirks.

A good broker won’t just give you a product—they’ll map your whole risk footprint. They’ll tell you where local fronting is required, where export exclusions might sneak in, and how to structure your cover so you’re not double-paying (or missing something entirely). If you’re expanding into new jurisdictions, bring them in early—not after the deal is done.

🚧 Don’t just transfer risk—design it out.

Risk transfer is your last line of defence. Your first? Smart product design, localised labelling, controlled supplier changes, and robust QA. Insurance should catch what slips through—not carry what could’ve been prevented.

📉The Exactech Lesson: What Product Recalls Really Cost

In early 2023, Australian patients began receiving letters they didn’t expect: they had been implanted with defective medical devices that could degrade prematurely inside their bodies.

The culprit? U.S. medtech company Exactech, whose knee, hip, and shoulder implants had been improperly packaged—some for years. The issue? A missing layer of protective oxygen barrier film that allowed components to oxidise during storage, making them more likely to fail once implanted.

More than 4,500 Australian patients were affected. Globally? Tens of thousands.
Class actions followed in multiple countries. In Australia, claimants are seeking damages not just from Exactech, but also from local importers and distributors who facilitated the supply. That’s because under the ACL, local entities can be held liable—even if they didn’t manufacture the product.

💥 Key lessons?

• Your name doesn’t have to be on the product to be on the lawsuit.

• Packaging errors can trigger global recalls—and massive legal fallout.

• If you import, distribute, or even brand a product, you need to know how it's made, packed, and stored—and who’s insuring what.

It’s a textbook example of what happens when product liability, cross-border manufacturing, and patchy insurance collide.

🚨 Global Products Need Global Cover

If you're making, moving, or selling products across borders, you’re not just running a business—you’re managing a web of legal obligations, supplier decisions, and unknowns that stretch across time zones and regulatory systems.

And when something goes wrong, the fallout doesn’t stay local.

A packaging fault in the U.S.
A labelling error in France.
A bad batch out of Vietnam.
All of them can end up on your desk—complete with media scrutiny, legal letters, and sleepless nights.

That’s why global product liability cover isn’t just about ticking the “insurance” box. It’s about:

• Designing cover that mirrors your real-world operations

• Closing the gaps between contracts, compliance, and coverage

• Being able to act fast, defend early, and recover financially—anywhere the fallout lands

❌ Don’t assume:

🧠 your policy covers every jurisdiction, product tweak, or distribution channel.
📄 your documentation will hold up under legal pressure in a foreign court.
🤝 your suppliers will have your back when something goes wrong.

Assumptions are the enemy of resilience.

The best product risk strategies don’t just manage what happens after something breaks.

They’re built to recognise where things are most likely to break—and who pays when they do.

Disclaimer: This post is for general informational purposes only. It does not constitute legal or financial advice. Always consult qualified professionals for guidance tailored to your specific situation.

It’s a brilliant reminder that the best ideas in business often don’t make sense — at least not rationally. They work because they tap into how people feel about value, trust, danger, and loss.

It got me thinking:

🧠 Why Logic Can Be a Trap

We love risk registers, frameworks, and actuarial models.
But they’re often built on a hidden assumption:

👉 That people behave rationally.

(Spoiler: they don’t.)

When it comes to risk, emotion often beats calculation. Not because people are stupid — but because in uncertain, complex environments, feelings are faster, stickier, and (sometimes) more protective than spreadsheets.

Here’s how that shows up in practice:

🔸 People don’t fear the most statistically likely outcome — they fear what feels uncertain.
🔸 A risk that looks managed is often more reassuring than one that is managed.
🔸 Most risk communication fails because it explains when it should empathise.
🔸 Stakeholders want confidence, not caveats.

🛠 Practical Shifts to Build a Smarter Risk Culture

If you want risk management to actually work in the real world, you need people to internalise it instinctively — not just comply with it mechanically.

Here are four shifts that stand out:

✅ Frame Risk in Human Terms, Not Technical Ones

• Risk isn’t just about probabilities and severities — it’s about how people feel about danger, loss, and uncertainty.

• If you want teams to spot and respond to risks early, you have to talk about it in language they live every day.

• Example: Instead of “third-party vendor failure risk,” say, “What happens if our partners let us down when we need them most?”

✅ Use Storytelling and Symbolism, Not Just Spreadsheets

• Data doesn’t move people. Stories do.

• Strong risk cultures are built on shared narratives: cautionary tales, close calls, "we almost lost it" moments.

• Symbolism matters too — small rituals, visible reminders, and common language that keep risk felt and seen, not buried inside a monthly report.

✅ Design for Confidence, Not Compliance

• Compliance is a box-ticking exercise. Confidence is a felt sense: “We know how to act when things go wrong.”

• Good risk management empowers people to make smart decisions under uncertainty — not just follow procedures.

✅ Build Trust, Not Just Processes

• Good risk culture isn’t about having the thickest handbook or the longest compliance checklist. It’s about creating an environment where people trust that raising a risk, challenging assumptions, or flagging uncertainty will be valued, not punished.

• If your people don’t trust the system (or worse, don't trust each other) no amount of documentation will save you.

• Trust turns risk management from a box-ticking exercise into a living, breathing part of how decisions get made. It turns technical protection into a bigger emotional contract: "We’re ready. We’ve thought about this. We’ve got each other’s backs."

🧠 The Real Lesson

Don’t just quantify risk.
Psychologise it.

If your risk strategy only makes sense to a spreadsheet, it won’t survive first contact with real people.

Logic might explain risk, but it doesn’t move people to act on it — or to trust your judgment when it matters.

If you want your risk strategy to hold up under real pressure, you have to design for something messier: belief, instinct, confidence.

Risk culture isn’t a technical problem. It’s a human one.

Disclaimer: This post is for general informational purposes only. It does not constitute legal or financial advice. Always consult qualified professionals for guidance tailored to your specific situation.

Because the biggest risks often don’t come from outside threats. They come from inside—through habits, silos, and a culture that shrugs off responsibility.

This short eBook is about fixing that.

It’s a practical guide to building a security-first culture where people—not just policies—are your strongest line of defence. Inside, you’ll find ideas for:

• Engaging leadership and frontline staff alike

• Turning mistakes into learning moments

• Breaking down silos and building trust

• Responding (and recovering) when things go wrong

• Embedding security into the everyday

No jargon. No fear-mongering. Just clear, actionable advice.

🔐 Download it free—whether you’re a security leader, people leader, or just someone trying to build a safer, stronger organisation from the inside out.

Building A Cybersecurity First Culture

880KB ∙ PDF file

Download

Download