“We know risk is an issue for us,” a client said not long ago. “We just don’t know where to begin putting it back together.”
It’s something more Boards and executives hear — and feel — than they’d readily admit.
Sometimes the problem is fragmentation — risk processes exist but feel siloed and disconnected. Sometimes it’s over-engineering — documentation is thorough, but genuine confidence is lacking. Sometimes it’s cultural — problems surface too late, or no one is quite sure who owns them. And sometimes the unease is harder to name. Something feels unstable — but nobody can quite explain why. In every case, the real question isn’t whether risk management exists. It’s whether it’s robust enough to be genuinely relied upon.
When confidence runs ahead of clarity
For organisations that already sense something is off, the challenge isn’t awareness — it’s understanding exactly what’s wrong. Where do the weaknesses actually lie? Are they structural, behavioural, cultural — or just uneven across the business? Is the issue appetite, ownership, reporting, assurance — or some combination of all of them?
Without a clear diagnostic lens, improvement efforts tend to become reactive. Policies get rewritten. Registers are reformatted. Reporting expands. Controls multiply. Activity increases — but confidence doesn’t necessarily follow. What’s missing isn’t effort. It’s evidence about how sound the foundations genuinely are.
From unease to understanding
A recurring challenge is that different parts of an organisation experience risk very differently. Boards may believe governance structures are solid. Executives may sense fragility in day-to-day operations. Managers may find risk processes more burdensome than useful. Each perspective is legitimate — but none is complete on its own.
Before any rebuilding can begin, organisations need a shared, disciplined way to diagnose what’s actually going on.
That diagnosis should address a handful of fundamental questions:
- Is leadership communicating a clear and consistent tone?
- Is risk appetite actively shaping decisions — or simply documented and forgotten?
- Are controls understood and genuinely relied upon?
- Does reporting generate insight — or just volume?
- What evidence actually underpins Board-level confidence?
These are governance questions — not operational ones. And they sit at the heart of how risk is overseen at the top of any organisation.
A more rigorous approach to understanding risk governance
When organisations start questioning their risk oversight, it’s rarely because everything has fallen apart. More commonly, governance simply hasn’t kept pace with change. Strategy shifts. Complexity grows. Expectations rise. But governance structures, reporting, and decision frameworks don’t always evolve at the same rate.
The result is a subtle but significant gap: oversight exists — but confidence in that oversight quietly erodes. Closing that gap takes more than incremental adjustments. It requires a structured way to understand how risk is actually being governed in practice.
Introducing THRIVE: a disciplined framework
The THRIVE Risk Governance Maturity Assessment offers a structured, evidence-based approach to evaluating how effectively risk is governed at the top of an organisation. It doesn’t assume governance is broken. Nor does it assume it’s working well. Instead, it asks a more productive question: How mature — and how dependable — are our risk governance foundations?
The framework examines six interconnected dimensions:
- Tone from the Top — Clear leadership expectations shaping disciplined risk behaviour and accountability
- Holistic Risk View — Integrated, enterprise-wide view across strategic, operational and emerging risks
- Risk Appetite Clarity — Clearly defined appetite actively guiding decisions, trade-offs and prioritisation
- Insightful Reporting — Forward-looking reporting providing clear insight, trends and escalation signals
- Value Protection & Creation — Protects value while enabling opportunity and risk-adjusted performance outcomes
- Embedded Accountability — Clear ownership, roles and responsibilities consistently applied across governance layers
Together, these dimensions move the conversation from intuition to informed insight: Where are we strong? Where are we exposed? And what should we focus on first?
Rebuilding with intention, not reaction
One of the most practical benefits of a structured assessment is prioritisation. Where maturity is uneven, not everything needs to be addressed simultaneously. Instead, organisations can focus on the handful of areas most likely to improve confidence and strengthen decision-making.
That might mean clarifying ownership and escalation pathways. Making risk appetite practical and usable in day-to-day decisions. Strengthening the credibility of reporting and assurance. Or simplifying controls so they’re genuinely workable rather than just technically present. The shift is subtle but significant: from activity to impact, and from reaction to intent.
From evidence to genuine confidence
At its core, risk governance maturity is about moving from assumption to evidence. When organisations say “we know risk is a problem,” what they’re often really describing is a loss of confidence — not a lack of activity. Something feels misaligned. Over-engineered. Or quietly fragile. A structured assessment brings that into focus.
It offers a disciplined way to surface gaps, align perspectives, and strengthen how risk is governed — at the level where it matters most. Because risk governance isn’t about eliminating uncertainty. It’s about ensuring that Boards and executives can make sound decisions with clarity, alignment and confidence — even when uncertainty remains.
A straightforward question to begin
For organisations ready to move from concern to clarity, the starting point is a simple one:
Do we truly understand how mature our risk governance is — and what evidence supports that view?
