Embedding risk management is often seen as the holy grail of an effective organisation. Research by ACCA now shows that although organisations have similar risk management objectives, the paths they take to embedding risk management vary. Those paths depend on the external environment in which they operate and a range of internal factors, such as leadership tone and the success or failure of past risk management initiatives.

“Organisational paths varied in the risk management mechanisms used and, in particular, the formality or informality of these mechanisms,” the report Risk and performance: embedding risk management said.


While risk managers are fond of frameworks and tools, effective risk management requires the use of complementary formal and informal mechanisms. Formal mechanisms include risk registers, control assessments, internal audits and risk reports. Informal mechanisms include social networking and sales or influencing techniques. 

For risk managers, the formal mechanisms provide a visible platform on which they can operate throughout the business. But the informal mechanisms are vital for making the formal mechanisms work in real life, the report said.

“Often the design of a formal tool is less important than the informal mechanisms used to support the tool,” it said. “Simple tools, complemented by a broad suite of regular informal mechanisms (one-to-one meetings, etc.) may be more effective than complex tools in embedding risk management.”

The report was based on four in-depth case studies. The authors questioned whether the three lines of defence model of corporate governance — which divides the business into management (first line), compliance, risk and support (second line), and internal audit (third line) — had helped with the specific task of embedding risk management. It suggested that a more integrated model of accountability could be more effective as an alternative means of approaching risk governance.


Risk managers are well aware that clear communication on risk is vital to the success of the function. That includes communication between business units and functions, as well as communication to and from the risk management function and internal audit function. 

The report supported the idea that the risk management function plays a pivotal role in such communications and must build risk management relationships across the organisation. But much of this communication is informal and includes simple behaviours such as picking up the phone, having a chat and dropping someone an email about an issue.

“I think if it was just the formal, it wouldn’t be as embedded in the business,” said one board member in the study. “I think because there is that informal ability to pick up the phone to somebody who might help you chew a problem over, it just works.”

Not surprisingly, a risk management function that cannot build effective relationships across an organisation will not be able to embed effective risk management practices, the report concludes.

The R word

Getting away from technical jargon is important too when dealing with front-line business members. While the formal frameworks and mechanisms existed in the case study organisations, the report said that these tended to work best if they were not specifically badged as risk management tools. Risk managers talked to front-line staff about how to become more efficient, or customer-focused, or simply about behaviours and attitudes instead.

“I rarely use the word ‘risk’… And we just ask the question: tell me what can go wrong? Tell me what has gone wrong and tell me what could go wrong?” one risk manager said. 

Tentative conclusions

  • To be embedded, risk management activities must be forward looking to meet the needs of the organisation and its stakeholders. 
  • Risk management activities must accommodate a diverse range of stakeholder needs, including threat reduction and the exploitation of future business opportunities. 
  • Key business needs include effective communication and strategic/tactical decision making. Risk management activities must support both. 
  • Risk management activities best support communication and decision making when they combine formal and informal mechanisms. From an informal perspective an essential element is “risk talk”.
  • Risk management activities should be supported by a risk management function that designs organisation-appropriate risk identification, assessment, reporting and control tools and helps decision makers to use these tools. The appointment of local risk champions and a CRO will support the work of the risk function. 
  • The effective use of risk management tools is reinforced by complementary governance and performance-management arrangements.