Our Blog

The Blindspot Brief

Welcome to The Blindspot, our monthly blog series where we provide clear, honest thinking on risk management, governance, and how to build organizations that are genuinely resilient.

Risk Appetite Statement
May 2026

Why Your Risk Appetite Statement Isn't Working — And How to Fix It

Most organizations have a risk appetite statement. Far fewer have one that actually changes how decisions get made. Here is what separates the two.

Board Risk Report
April 2026

The Five Elements of an Effective Board Risk Report

Board risk reports are often too long, too technical, and too backward-looking. Here are the five things that make risk reporting genuinely useful at the top of the house.

Fractional CRO
March 2026

The Rise of the Fractional CRO: Is It Right for Your Organization?

The fractional executive model has transformed how organizations access senior finance and legal expertise. Risk is now following suit — and for good reason.

Risk Framework
February 2026

Building a Risk Framework That Actually Gets Used

A risk framework that lives in a PDF is not a risk framework. It is a compliance exercise. Here is how to build one that embeds into how people actually work.

ORSA
January 2026

ORSA: Moving Beyond the Compliance Checkbox

For many insurers, the ORSA has become an annual chore rather than a genuine management tool. Here is how to change that.

Risk Appetite Statement

Why Your Risk Appetite Statement Isn't Working — And How to Fix It

Ask any risk manager whether their organization has a risk appetite statement and the answer is almost always yes. Ask whether that statement actually changes how decisions get made day to day, and the room goes quiet.

It is one of the most common gaps in risk management. Organizations invest time in drafting a carefully worded document, get it signed off by the board, file it in the risk framework — and then carry on exactly as before. The statement exists, but it does not live.

Why most risk appetite statements fail

The problem usually starts with how they are written. Most statements are drafted at such a high level of abstraction that they are impossible to apply to a real decision. Phrases like "we have a moderate appetite for operational risk" sound reasonable but offer no practical guidance when someone needs to decide whether to proceed with a new product launch or enter a new market.

The second problem is ownership. Risk appetite is often seen as a risk function deliverable rather than a business decision. When the risk team writes the statement in isolation, the business has no real stake in it. Third — and most common — there is no link between the appetite statement and actual decisions. Committees make calls, management takes on new initiatives, and the risk appetite statement is never consulted.

What good looks like

Effective risk appetite is not a single document. It is a set of clear, practical boundaries that people can actually use.

  • Quantified thresholds where possible. "We will not pursue any single counterparty exposure exceeding 10% of net assets" is useful. "We have a low appetite for credit risk" is not.
  • Articulated in the language of the business. Risk appetite for an underwriting team should be expressed in underwriting terms. Generic risk language does not translate well across functions.
  • Owned by management, not the risk function. The risk team's job is to facilitate the conversation and provide the framework — not to write the appetite on management's behalf.
  • Connected to decision-making processes. Risk appetite only works if it appears on proposal templates, comes up in committees, and gets referenced when new initiatives are evaluated.
  • Reviewed regularly. Appetite is not static. An annual review is a minimum; quarterly is better for fast-moving organizations.

A practical starting point

If your organization's risk appetite statement is gathering dust, the first step is not to rewrite it. It is to have an honest conversation with senior management about whether it is actually being used and, if not, why not. Risk appetite, done well, is one of the most powerful tools a leadership team has. The goal is to make it real — not just correct, but genuinely used.

Board Risk Report

The Five Elements of an Effective Board Risk Report

Board risk reporting is one of those things that everyone agrees is important and almost no one is completely satisfied with. The problem is rarely a lack of information — it is usually too much of the wrong kind, presented in a way that does not help the board do its job.

1. A clear view of the top risks

The board needs to know what the organization's most significant risks are and whether the picture has changed. A short, well-prioritised list — ideally no more than ten — with a clear direction of travel (improving, stable, deteriorating) does more useful work than a comprehensive risk register with 200 entries.

2. Connection to strategy and objectives

Risk does not exist in isolation. The board wants to understand how the current risk profile connects to what the organization is trying to achieve. Are there risks that could derail the strategy? Framing risks in terms of strategic objectives makes them immediately more relevant.

3. Forward-looking content

Most board risk reports are dominated by what has already happened. That is necessary, but it should not dominate. Boards care more about what is coming — what risks are on the horizon, what scenarios to think about, how the external environment is shifting.

4. Clear appetite adherence

The board report needs to make clear where the organization is operating within appetite and, critically, where it is not. Appetite breaches and near-misses deserve specific attention. This is one of the primary ways the board holds management accountable.

5. A small number of clear asks

Every board risk report should end with a short list of items requiring board attention or decision — not just "for information" but specific questions, decisions, or challenges. This transforms a report from a status update into a genuine governance tool.

Good board risk reporting takes discipline. It requires risk teams to be ruthless about what goes in and what gets left out, and to always ask: does this help the board do its job?

Fractional CRO

The Rise of the Fractional CRO: Is It Right for Your Organization?

The fractional executive model is not new. Businesses have been accessing part-time CFOs, CMOs, and legal counsel for years. But it has taken longer to arrive in the risk function — and now that it is here, it is solving a problem that many organizations did not have a good answer to.

The problem is this: senior risk leadership is expensive, and the need for it is not always constant. A growing insurer may genuinely need CRO-level thinking on a governance build or a regulatory submission — but may not need or be able to justify a full-time executive to provide it.

What a fractional CRO actually does

The role varies depending on where the organization is and what it needs. In some cases it is about building — creating a risk framework from the ground up. In others, it is about covering — stepping in during a leadership transition. And in others still, it is about deepening — augmenting an existing risk team with senior-level thinking. In all cases, the fractional CRO is genuinely embedded, not an external adviser operating at arm's length.

Who it works well for

  • Organizations growing into regulated environments. When a business needs the risk infrastructure that regulators expect, a fractional CRO can build it without the cost of a permanent hire.
  • Insurers needing specialist capability intermittently. Solvency assessments, ORSA production, and regulatory engagements peak at specific times and a fractional arrangement can scale accordingly.
  • Businesses in transition. A merger, strategic pivot, or leadership change often creates a temporary but acute need for senior risk guidance.
  • Organizations that want independence. An internal risk function can be subject to cultural pressures. A fractional CRO, with no career stake in the organization, can be more direct.

What to watch out for

The model does not work well if the organization needs daily, hands-on management of a large risk team. It also requires the business to be clear about what it needs — a vague mandate produces limited value. The best engagements are those where the organization has thought carefully about its actual risk challenges and what good would look like.

Risk Framework

Building a Risk Framework That Actually Gets Used

There is a particular kind of organizational pain that comes from having a risk framework that nobody uses. The documents are there. The policies are signed off. The risk register is updated twice a year. But risk management is not really happening — it is being performed.

Start with the real risks, not the structure

A lot of risk frameworks are built top-down. Someone decides on a taxonomy, creates categories, builds a template, and then asks the business to populate it. This starts with structure and looks for risks to fit into it. It should be the other way around — begin by understanding what the organization is trying to do and what could go wrong along the way.

Make it simple enough to use without training

If someone needs to read a manual to understand how to use your risk framework, it is too complicated. The best frameworks are intuitive. The risk assessment methodology should be something a business unit manager can apply without specialist knowledge. Complexity is often a sign that the framework was designed to satisfy a regulator rather than to help the business manage risk.

Embed it in processes that already exist

One of the most effective things you can do is attach risk thinking to decisions that are already being made — new product approvals, investment decisions, significant operational changes. When risk assessment becomes a step in the new product approval process, it gets done because the process requires it. Embedding beats reminding, every time.

Build in accountability

A risk framework without clear ownership is a framework in name only. Every significant risk needs a named owner in the business — not in the risk function — who is accountable for managing it. The risk function provides structure, tools, and challenge. The business owns the risks.

Review it like it matters

A risk framework reviewed only annually is already out of date. Build regular review touchpoints into the calendar — at least quarterly for top risks — and make sure they are substantive conversations, not box-ticking exercises. A risk framework that gets used is not a richer document. It is a more connected one.

ORSA

ORSA: Moving Beyond the Compliance Checkbox

The Own Risk and Solvency Assessment is one of the most important risk management tools available to an insurer. It is also, in many organizations, one of the least useful things produced all year — not because the concept is flawed, but because somewhere between the regulatory requirement and the actual document, it becomes a compliance exercise rather than a genuine management tool.

Treat the process as more important than the document

The ORSA is often thought of as a report. It should be thought of as a process. The real value is not in the document that gets submitted — it is in the conversations and analysis that happen along the way. Is senior management genuinely engaging with the organization's risk profile? Is the board stress testing its assumptions about capital adequacy?

Make the stress tests genuinely stressful

One of the most common weaknesses in ORSA production is scenario testing that is not actually challenging. Organizations naturally gravitate towards scenarios that look credible but do not raise uncomfortable questions. Good scenario design starts from a different place: ask what would genuinely threaten this business, then build those scenarios in, even if they are uncomfortable.

Connect it to real capital and strategic decisions

The ORSA's most important function is to support decision-making about capital adequacy and strategic direction. It should be answering questions like: do we have enough capital to pursue our growth strategy under adverse scenarios? When the ORSA is genuinely connected to these questions, it becomes something the CFO and CEO want to engage with, not just sign off on.

Engage the board properly

The ORSA should not arrive on the board's desk as a finished document for sign-off. Ideally, the board is engaged throughout the process — reviewing scenarios, challenging assumptions, providing direction on risk appetite boundaries. When the board is involved in the process, the final document reflects genuine governance rather than a reporting formality.

A good ORSA, produced through a genuinely rigorous process, is one of the most valuable things an insurer can invest time in. The compliance submission is just the by-product.