
It's all about managing risk

5 August 2025

Fort's Head of Risk & Compliance, Simon Luxon, discusses managing risk and why it is vitally important that a business understands the risks it faces in order to achieve its strategic objectives.

The famous American investor Warren Buffett once said, “risk comes from not knowing what you’re doing”, so in today’s dynamic business environment it is vitally important that a business understands the risks it faces in order to achieve its strategic objectives.


In reality, a business that takes no risks at all is unlikely to achieve its objectives. A business must therefore understand the potential risks it faces and manage those risks accordingly. Failure to manage risk can be costly: in 2024 Citigroup was fined US$136m by U.S. regulators for deficiencies in risk management and data governance.


What Does Good Risk Management Look Like?


  • Proportionate – you want to spend more time on your big risks with major consequences and not over-focus on what matters less.

  • Consistent – a business’s approach to risk management must remain coherent across all levels and functions.

  • Iterative – recognise that risk management is a dynamic process which must evolve and stay relevant, in order to help a business succeed in achieving its objectives.


Building an effective risk management framework is essential for businesses to identify, assess, and mitigate potential threats. A well-structured framework will enhance management information and decision-making, foster resilience, and support long-term success.


What are the Core Components of an Effective Framework?


  1. Risk Identification
    The first step involves systematically identifying internal and external risks across all areas of the business. Typically, this would involve the use of a risk taxonomy – a structured framework for classifying different types of risks within a business. These may include financial, operational, technology, strategic, compliance, or people risks.

  2. Risk Assessment and Analysis
    Once identified, risks are assessed to understand their likelihood and potential impact. Tools like risk matrices, heat maps, and scenario analysis help prioritise risks and allocate resources effectively.

  3. Risk Control and Mitigation
    This step involves developing strategies to manage or reduce risks. These can range from risk avoidance and reduction to risk transfer (e.g. insurance) or acceptance. Controls and policies are implemented to ensure risks are addressed appropriately.

  4. Monitoring and Review
    Risk management is an ongoing process. Regular monitoring ensures that the risk environment is continually assessed, and controls remain effective. Key risk indicators (KRIs) and audits are valuable tools for this stage.

  5. Communication and Reporting
    Transparent reporting and open communication channels ensure that all stakeholders—from the board to frontline employees—are aware of key risks and mitigation efforts. This fosters a risk-aware culture throughout the business.


Risk management is not a one-time project, but a continuous process embedded in a business’s operations and culture. By proactively managing risks, businesses can safeguard their interests, comply with regulations, and seize new opportunities with greater confidence.

In the financial services industry, an effective risk management framework has evolved far beyond mere compliance checklists. Regulators themselves use a risk-based approach to supervision and will expect financial services businesses to do the same, especially in the area of combatting financial crime.


Licensed by the Guernsey Financial Services Commission (GFSC ref 3078)
