Julien Haye

Why Risk Management Must Evolve Beyond Resilience

Modern organisations face volatility that rarely pauses. Economic shifts, rapid technology change, and global interdependence expose systems to constant pressure. Traditional risk frameworks protect stability but seldom help organisations grow through disruption.

Resilience helps organisations recover after a shock. Anti-fragility enables them to improve because of it. The difference defines how effectively leadership teams convert disruption into insight and foresight.

What Anti-Fragility Means in Practice

The idea originates from Nassim Taleb’s Antifragile: Things That Gain from Disorder, which expands on concepts from The Black Swan and Fooled by Randomness. Taleb described systems that thrive on stress and evolve through exposure to uncertainty.

Applied to risk management, anti-fragility links structure, behaviour, and data into one learning system. Instead of measuring success by stability, it measures progress by how quickly organisations adapt, apply lessons, and refine governance.

An anti-fragile organisation identifies patterns in volatility, not just incidents. Each event becomes information that improves appetite calibration, control design, and leadership awareness. Boards and Chief Risk Officers (CROs) use this feedback to make faster, evidence-based adjustments.

From Stability to Learning

Resilience and robustness help systems resist shocks and stay the same. Anti-fragility adds a higher purpose: learning. The most mature organisations integrate learning directly into their oversight cycles.

Poll data from Aevitium’s recent surveys show why this shift matters. Seventy-one percent of professionals said cultural resistance most limits adaptability under pressure. Twenty-two percent cited rigid controls. The insight is clear: most frameworks fail not because of design but because of how they are used.

Anti-fragile risk management focuses on culture as much as control. Transparency, curiosity, and accountability ensure that information travels quickly and decisions follow evidence, not hierarchy. When people feel safe to escalate early, governance becomes anticipatory rather than reactive.

How Technology Enables Foresight

Technology accelerates this evolution. Predictive analytics, scenario modelling, and continuous monitoring give leaders earlier visibility of emerging risks. Automation frees time for interpretation and judgement. Artificial intelligence detects weak signals that manual reviews miss.

Data becomes strategic when combined with behaviour. A fintech organisation that integrates escalation data with incident trends can identify where culture supports early warning and where delays persist. These insights strengthen both operational and cultural resilience.

Three Priorities to Build Anti-Fragile Systems

Boards and executives can begin embedding anti-fragility through three practical priorities:

1. Integrate Learning into Governance
Add structured learning reviews to board and executive cycles. Discuss not only what happened but how quickly lessons were identified and applied. Make adaptation a performance measure.

2. Link Appetite and Culture
Refresh risk appetite statements to reflect adaptability, not only tolerance. Encourage open discussion of uncertainty and curiosity about weak signals. Recognise early escalation as a strength.

3. Measure Improvement from Stress
Track metrics that show growth through volatility: adaptation velocity, lesson conversion rate, and escalation timeliness. Use these indicators to assess governance maturity.

The Role of Boards and CROs

Boards define the conditions for learning. Their oversight should connect strategic intent, risk appetite, and cultural visibility. CROs translate these principles into daily practice, integrating behavioural insight with operational data.

Effective anti-fragile governance focuses on speed of learning, not only on residual risk. Each disruption becomes a feedback cycle that strengthens both foresight and execution. The outcome is a governance model that develops clarity through challenge.

A Forward-Looking Discipline

Anti-fragile risk management reframes volatility as a teacher. It builds organisations that adapt faster, govern smarter, and learn continuously. When culture, technology, and governance align, risk management evolves from protection to progress.

Organisations that master this discipline turn uncertainty into strategic advantage. They create a leadership culture that gains from disorder, linking performance, trust, and resilience in one continuous learning system.

Read full article here: https://www.aevitium.com/post/anti-fragile-risk-management

Operational risk is one of the most significant exposures boards and executives face. It can halt service delivery, erode trust, and trigger regulatory attention. Yet it also provides one of the strongest opportunities to strengthen governance and build resilience.

The Operational Risk Management Framework: Identify, Mitigate & Monitor article shows how leading organisations turn operational risk into foresight. It highlights the importance of ownership, culture, and capacity as the foundations of a mature operational risk environment. When these elements are aligned, risk management becomes a source of confidence and strategic advantage.

Embedding Operational Risk into Leadership Practice

Operational risk management works best when it is integrated into daily decision-making. High-performing organisations align governance, culture, and capacity to ensure that ownership is visible and escalation is timely.

This approach transforms operational risk into a leadership discipline that supports execution and strengthens organisational trust. Clarity of accountability, simplicity of control, and open dialogue create the conditions for foresight and adaptability.

What the Data Shows

Industry data continues to show why this shift matters.

• 49% of professionals identify unclear first-line ownership as the biggest operational risk management challenge.
• 29% report that their RCSAs do not influence decision-making.
• Only 6% of risk managers have first-line functions formally in scope.

The next stage of maturity will depend on how effectively organisations translate these insights into real-time monitoring, decision support, and accountability loops.

Three Priorities to Strengthen Operational Resilience

Executives can embed operational risk as a strategic discipline by focusing on three priorities.

1. Clarify Ownership and Accountability: Assign ownership at the right level and define clear escalation pathways. Accountability must be visible and reinforced through leadership behaviour.

2. Simplify Controls and Processes: Streamline control frameworks and remove duplication. A focused control environment directs assurance where it adds the most value and improves engagement across teams.

3. Strengthen Culture and Behaviour: Operational resilience depends on how people act. Leadership tone, trust, and psychological safety ensure that weak signals are raised early and decisions reflect reality.

The Board’s Role

Boards are increasingly expected to demonstrate that operational risk frameworks work in practice. Effective oversight means understanding how ownership, culture, and capacity interact.

Boards that link operational risk to risk appetite, tolerance, and capacity create alignment between ambition and resilience. They gain visibility on how the organisation performs under stress and can act before limits are tested.

A Data-Enabled Future

Technology and data now shape how operational risk is managed. Integrated dashboards, AI-assisted monitoring, and automated control testing give leaders a real-time view of resilience and capacity. These tools turn operational data into insight and foresight.

When technology supports ownership and behaviour, it enhances the quality of decisions and reinforces governance credibility.

Final Reflection

Operational risk management is a continuous discipline that reflects how organisations lead and learn. Its strength lies in clear ownership, consistent behaviour, and data that supports timely decisions.

When boards and executives integrate strategy, governance, and culture, operational risk becomes more than a safeguard. It becomes a capability that protects value, strengthens resilience, and builds lasting trust.

Risk strategies often fail because cultures are fragile. Too often, silence delays escalation, hesitation hides signals, and decisions are made on incomplete information.

In my work with boards, executives, and risk leaders, I see the same pattern: organisations build detailed frameworks but neglect the foundation that makes them work — trust. Without psychological safety, those frameworks remain theoretical.

High-performing organisations treat trust as a strategic capability. It becomes the invisible infrastructure that ensures risks are surfaced, escalated, and acted upon when it matters most.

This article is based on insights from my recent webinar, “Why Your Risk Strategy Starts with Trust”, where over 100 professionals explored the link between psychological safety and risk visibility. You can watch the full recording here - The Risk Within Ask the Author Q&A.

Psychological Safety as a Strategic Capability

Psychological safety is often misunderstood as “being nice” or avoiding conflict. In reality, it is about creating the conditions where people feel safe to challenge assumptions, raise concerns, and share weak signals without fear of repercussion.

In The Risk Within, I define psychological safety as a shared belief that it is safe to speak up, ask for help, or admit mistakes. This belief shapes what people say under pressure and how quickly issues come to light.

When psychological safety is strong:

• Risks are escalated earlier.

• Decisions reflect reality, not silence.

• Leadership alignment strengthens governance outcomes.

When it is absent, risks are buried, signals are ignored, and frameworks fail to deliver.

What the Data Shows

In recent polls with risk professionals, several themes emerged:

• 45% of middle managers said lack of leadership backing prevents escalation.

• 57% identified resistance to change as the biggest cultural barrier.

• 66% pointed to silence and conformity as the most dangerous cultural signals of risk blindness.

These figures highlight a core truth: culture, not process, defines whether risk frameworks succeed.

Three Shifts Leaders Can Make

Leaders can strengthen trust and risk visibility by making three practical shifts:

1. Make leadership support observable
   People watch what leaders do more than what they say. Model inquiry, thank candour, and close the loop when issues are raised.

2. Remove ambiguity from escalation
   Clarity matters. Define thresholds, channels, and expectations so people know what good escalation looks like.

3. Treat silence as data
   Periods of “no escalation” in dynamic environments are not reassuring. They are a signal to ask: What are we not hearing, and why?

What This Means for Risk Leaders

For risk functions, this is not about becoming softer. It is about becoming more strategic. Functions framed only as compliance cost centres will always be first in line when budgets are cut. Functions positioned as enablers of trust and decision-making resilience are seen as essential to growth and stability.

This requires a shift in mindset: from enforcing policy to enabling transparency, challenge, and foresight.

Final Reflection

Risk strategy starts with trust because trust determines whether frameworks are lived or ignored. The most resilient organisations do not just build processes. They build cultures where candour is rewarded, escalation is safe, and silence is treated as a risk signal.

Every organisation faces an inevitable question: how would we close responsibly if required?

Business failures are rarely sudden. They are preceded by capital erosion, regulatory strain, or a gradual loss of strategic momentum. Yet too many boards only consider closure at the point of crisis, rather than treating it as part of the governance cycle. The reality is stark: in the UK nearly 12% of businesses closed in 2022, and across the EU fewer than half of new enterprises survive five years. In the US, around one in twelve firms closes annually.

Preparedness is not only about continuity, but also about closure. Supervisors in the UK, EU, and US expect firms to maintain credible wind-down plans that are both funded and feasible. Organisations that treat wind-down as a strategic discipline signal maturity to regulators, clients, and investors. In our experience, it also sharpens leadership discipline in running the business as a going concern.

What Makes Wind-Down Orderly?

An orderly wind-down means closing a business in a solvent, controlled, and transparent manner. It requires protecting clients and creditors, safeguarding employees, and ensuring obligations are fulfilled without market disruption.

The Prudential Regulation Authority defines orderly wind-down as “the capability to execute a full or partial wind down of trading activities in an orderly fashion… minimising the adverse effect firm failure could have on financial stability.” The emphasis is on feasibility, funding, and systemic safety.

From Theory to Practice: The Lifecycle

Credible wind-down readiness is built in three phases:

1. Preparedness (Business-as-Usual):Monitor triggers linked to appetite, tolerance, and capacity. Embed wind-down into governance and reporting.
2. Planning (The Playbook):Model costs and reserves, map critical services, assign roles, and define communication strategies.
3. Execution (Delivering with Control):Activate at agreed triggers, secure liquidity, repay obligations, and communicate transparently with stakeholders.

This lifecycle mirrors operational resilience. Resilience ensures continuity under disruption; wind-down ensures responsible closure when continuity is no longer viable.

Sector-Specific Pressures

• FinTechs and EMIs:Safeguarding client funds and maintaining investor confidence.
• Asset Managers:Ensuring orderly fund closures and fair investor redemptions.
• Banks:Integrating wind-down with recovery and resolution planning.
• SMEs/MMEs:Building proportionate plans to manage leases, creditors, and staff.
• Non-Profits/Charities:Protecting beneficiaries and donor trust in closure.
• Cross-Border Firms:Navigating multiple regulatory regimes and insolvency laws.

What High-Performing Organisations Do Differently

• Link wind-down triggers to risk appetite, tolerance, and capacity.
• Fund reserves and model balance sheet run-off.
• Map services and dependencies end-to-end.
• Assign clear governance roles and escalation pathways.
• Test assumptions through stress and reverse stress testing.
• Communicate transparently with regulators, clients, employees, and creditors.

From Obligation to Strategic Discipline

Wind-down planning is not a mark of failure. It is the ultimate test of governance maturity. Boards and founders that approach closure as a strategic discipline protect clients, preserve trust, and demonstrate foresight.

By embedding wind-down planning into risk and governance frameworks, organisations strengthen resilience in business-as-usual and prove that even at the point of exit, leadership remains accountable.

For more information, you can find a detailed article here - https://www.aevitium.com/post/orderly-wind-down

Operational resilience has become one of the most pressing priorities for boards and executives. Disruptions are no longer rare events. They are constant features of today’s operating environment. The test of leadership is not whether a policy exists, but whether critical services can continue when systems fail, resources are stretched, and multiple problems demand attention at once.

In my work with boards and CROs, I find the same pattern: most organisations have resilience frameworks, but they are often treated as compliance exercises. High-performing organisations take a different approach. They treat resilience as a strategic capability that safeguards clients, strengthens confidence, and turns disruption into advantage.

So, what does this look like in practice? A clear, structured roadmap helps leaders focus on what matters most.

The Five Steps

1. Identify What Matters Most
Map critical services end to end, define intolerable harms to clients and markets, and assign ownership to accountable leaders.

2. Define and Test Tolerances
Set measurable thresholds for disruption and run severe but plausible scenarios across people, technology, and third parties.

3. Strengthen Core Capabilities
Build incident response and crisis playbooks, integrate oversight of change, cyber, and supply chain risk, and align resilience with culture and leadership accountability.

4. Embed Into Governance
Ensure resilience features in board reporting, link escalation thresholds to executive decision triggers, and enable oversight functions to provide assurance.

5. Monitor and Evolve Continuously
Use dashboards and key indicators to track resilience, apply test–learn–adapt cycles after each disruption, and benchmark maturity against global standards.

Signs Resilience Is Embedded

Resilient organisations show consistent signs: recovery times improve with reduced client impact, escalation occurs early with clear triggers, scenario testing drives board-level action, and supply chain risks are actively managed. Most importantly, cross-functional reviews become more candid and solution-focused.

From Compliance to Competitive Edge

Operational resilience is not just about regulatory expectations. It is about protecting what matters most and enabling organisations to deliver under pressure. The sooner resilience becomes embedded in governance and strategy, the sooner it becomes a competitive edge.

If you are interested in benchmarking your own organisation’s readiness, I have created a short Operational Resilience Assessment to help boards and executives identify strengths, gaps, and next steps.

Location: Virtual or In-Person    Fees: Available on-demand

Service Type: Service Offered

Location: Virtual or in-person    Fees: Available on-demand

Service Type: Service Offered