Risk Is a Leadership Skill, Not a Compliance Function
Reclaiming risk as a strategic capability, not just a defensive mechanism
Key takeaways
Risk fluency is best understood as a leadership behaviour—a way of navigating tension, consequence, and uncertainty—rather than a technical function.
Frameworks and registers can support good decisions, but without active judgment from leaders, they remain structurally sound and strategically irrelevant.
The most damaging risks aren’t always the ones with the highest heatmap score; they’re the ones no one owns.
Boards and executives build real risk capability by moving beyond assurance and actively engaging with trade-offs, consequences, and uncertainty at the point of decision.
Where risk really belongs
Why is it that the word “risk” still makes so many leadership teams glance toward Legal, Compliance, or Audit?
We’ve been trained, both explicitly and implicitly, to associate risk with regulation, red flags, and reporting. But in fast-moving, complex environments, treating risk as a siloed function makes organisations more fragile, not more resilient.
Real risk capability lives in leadership. It shows up in the ability to weigh consequences, make judgment calls, and act when the path ahead is uncertain.
And yet in many companies, the default response is still to “loop in Risk” at the end—a sign-off step rather than a source of insight. That might satisfy formal requirements, but it often leaves leadership under-prepared for fast, messy change.
The legacy model: risk as box-ticking
The modern risk function evolved in regulated sectors like banking, healthcare, and energy—environments where managing risk often meant documenting it. That legacy still shapes how many businesses approach risk today, even in faster-moving, less-regulated contexts.
Registers are maintained, frameworks are adopted, and appetite statements are written, but these tools often sit outside the real flow of business decisions. Frameworks can be useful, especially when they create shared language across complex teams. But in practice, they’re often designed with auditability in mind, not day-to-day usability. Without active engagement from leadership, they tend to operate in parallel to actual decision-making, rather than shaping it.
This disconnect can create a false sense of security. On paper, the organisation looks covered. In practice, risk conversations are delayed, delegated, or avoided. When risk is treated as a specialist domain, people wait for permission instead of exercising leadership.
The Boeing 737 MAX crisis is a clear example. Engineers raised concerns. Processes were followed. Documentation existed. But the broader leadership failed to confront the trade-offs between safety, cost, and time-to-market. The risk was real, visible, and still not acted on.
The issue wasn’t the absence of compliance. It was the absence of executive accountability for how risk shaped core decisions.
What it means to treat risk as a leadership skill
Leaders who take risk seriously don’t rely on frameworks to protect them. They know how to:
Make decisions with incomplete information
Hold opposing priorities in tension
Stand behind the second- and third-order consequences of their choices
Risk capability isn’t abstract. It shows up in practical habits: thinking two or three steps ahead, asking better questions, and resisting the pressure to push decisions downstream.
For founders, it might show up in how product decisions balance momentum with durability. For a COO, it’s in how operational speed is weighed against long-term resilience.
A CEO might ask, “Where are the edges of this move? What happens if it works too well, or not at all? Are we still in control if the environment shifts?”
Airbnb faced these kinds of questions early. As the platform grew, so did the reputational risks—trust, safety, fraud. Rather than wait for regulators to act, Airbnb’s leadership introduced identity verification, community standards, and a host guarantee fund. These were strategic decisions that recognised risk as central to the customer experience and to the business model itself.
That’s the shift. Risk isn’t the cost of doing business. It’s part of how smart leaders make it work.
Risk has always been part of leadership, but the nature of risk is changing. What leaders are facing now doesn’t fit neatly into the old categories of financial, legal, or operational compliance.
Take AI adoption. When Slack quietly updated its privacy policy to allow use of customer data for model training, it triggered a backlash from customers who felt blindsided. The issue wasn’t just legal risk; it was trust, brand equity, and retention. These are leadership concerns, not checklists.
The same pattern shows up across industries:
A marketing team pushes a bold data strategy without looping in privacy or security.
A product team expands into a new market, unaware of local regulatory friction.
A CFO signs off on cyber coverage limits that don’t match their exposure.
These moments reveal something deeper: situations where the risk was visible, but no one held the decision.
Regulators are beginning to notice. Directors are being asked to show more than policy awareness; they’re expected to demonstrate risk literacy, especially in fast-moving areas like ESG, cybersecurity, and digital governance. Insurers, too, are tightening their scrutiny. Boards that can’t explain their exposure in plain language are finding themselves with narrower cover or higher premiums.
If you’re on an executive team, ask whether your reporting lines make space for real risk conversations, not just compliance updates. If you’re a CFO, ask whether capital allocation decisions surface underlying exposure early enough. And if you sit on a board, expect your risk committees to bring judgment, not just assurance.
This isn’t about blame. It’s about capability. The risks that matter now can’t be managed from a framework alone. They require leadership.
Developing risk fluency in leadership teams
If risk is going to live at the top table, leaders need a different kind of support. Not more paperwork: better thinking tools.
Risk fluency is more than just knowing the rules. It’s understanding the consequences of choices and the tensions they carry.
Start with the basics:
Make risk part of the conversation early. Too often, risk is brought in after key decisions are already made.
Ask better questions. “What are we assuming here? What would need to be true for this to work? Who pays if we’re wrong?”
Frame trade-offs clearly. Don’t bury risk in language. Surface it.
Some organisations use pre-mortems to good effect—mapping out what could go wrong before launch. Others run lightweight red-team reviews, where someone plays the role of a sceptic before a big decision is locked in. These are more than compliance exercises. They’re leadership habits.
You don’t need a new risk framework. You need leaders who can hold opposing ideas in tension and move forward with intent.
In a fast-scaling business, that might mean choosing between rapid customer acquisition and long-term infrastructure resilience. For a public company, it could mean weighing short-term investor pressure against slower, strategic shifts. These are risks to hold, not problems to solve, and leaders who know how to hold them are the ones who build trust.
Risk maturity is leadership maturity
Risk capability doesn’t sit in a document. It shows up in how decisions get made—and who owns them when things go sideways.
Compliance will always have a role. But leadership is where risk lives or dies.
Organisations that treat risk as someone else’s job will keep finding gaps. The ones that build risk fluency into how they think, plan, and act will be better placed to respond when the pressure’s on.
That shift isn’t technical. It’s cultural. It starts with leaders asking sharper questions—and being willing to sit with harder answers.