Article | WTW Research Network Newsletter

How your definition of risk influences decision making – and what to do about it

By Lucy Stanbrough and Fiona Ribbons | March 13, 2025

Risk definitions can affect more than just the layout of a risk register. We explore why revisiting yours should be a key action in 2025.

The concept of risk and risk assessments has a long history, and risk continues to be of cultural significance in contemporary society in nearly all aspects of life. Should I cross the road or wait? Are our assets going to experience flooding this year? Will economic uncertainty continue, or do I need to plan for trade sanctions? While it is unlikely that anyone would dispute the importance of actively managing risks, more focus needs to be put on risk definitions.

The choice of definitions can affect more than just the layout of a risk register. It can change the outcome of policy debates, budget and resource allocation, safety strategies, and political leadership within companies and societies. Each aspect focuses on different concerns and priorities, exposing just how fragmented and diverse our understanding of risk is.

With regulators starting to ask organizations to go beyond providing a list of key risks and explain how they reached those conclusions, being ready to answer those questions is essential. That starts with revisiting your understanding and risk definitions to understand why these risks matter – or challenge if they really do.

To help you better understand and identify risk, we explore:

Why risk definitions matter

When talking about risk, does everyone share the same understanding? This can be a hidden question, or it can drive organizations to document everything. Driven by the need to ensure shared understanding, the Department for Homeland Security (DHS) created a risk definition Lexicon that sets out 746 pages of a unified controlled vocabulary and framework guidance to use when communicating and sharing data between teams. [1] While this brings total clarity, keeping up to date with it would be a full-time job.

Definitions should drive value and support organizational frameworks. In our Emerging and Interconnected Risks Survey we provided the International Risk Governance Council definition of emerging risks, “a risk that is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging)”, alongside definitions for the 48 survey risks that fit on two pages to provide shared understanding.

Survey risk taxonomy

  • Risks and opportunities arising from changes in the global financial environment, including: insurability, economic outlook, volatility, sanctions, financial shocks and business finances
  • Risks and opportunities arising from geopolitics, institutions, societal cohesion, government policy, civil wars and terrorism
  • Risks and opportunities arising from critical infrastructure, artificial technology, biological risks, cyber, disruptive technology and dependencies
  • Risks and opportunities arising from changes to climate risks, natural catastrophes, epidemics and pandemics, environmental degradation and failure
  • Risks and opportunities arising from public health, changing societal dynamics, wellbeing, health, migration
  • Risks and opportunities arising from organizational strategy, governance, leadership, risk management, regulatory compliance and marketplace dynamics
  • Risks and opportunities arising from supply chain, workforce planning and effectiveness, business model, brand perception and reputation, product defects or failures
  • Risks and opportunities arising from transformation, capital enablement, culture, talent strategy mix, pay competitiveness and alignment, benefit cost trends

Table 1 provides a view of the six financial risks and a full view of the taxonomy risks can be found in the appendix of the report. By considering the full taxonomy you can challenge your own view of risk, especially as these risks rarely operate in isolation. Human capital risks are a good example of this, as they can fit in talent and performance, governance, business and operational, and societal.

Table 1: Financial risk source taxonomy

| Category | Risk | Description |
|---|---|---|
| Financial | Insurance gaps | Uninsurable risks or underinsurance leaving some markets, regions or socio-economic groups vulnerable. |
| Financial | Economic outlook | The uncertainty or potential challenges associated with the future trajectory of the economy. Including: inflation, recession, market crash. |
| Financial | Trade sanctions | Restriction of trade activities with certain foreign targets, including: trade embargoes, tariffs, protectionism. |
| Financial | Financial shock | Unexpected disturbance which originates from the financial sector and has a significant effect on an economy. Including: market crash, sovereign default, asset bubble. |
| Financial | Business financial risk | Inability to finance operations due to loss of market share, M&A, costs, intangible assets. |
| Financial | Volatility | Rapidly changing financial dynamics, including price of raw materials and inputs, access to and cost of capital, commodities, credit risk. |

How your organization's risk register can provide key insight into the inner workings of your organization and risk culture

The discussion of risk definitions for organizations often manifests itself in the risk register. This important piece of documentation has a critical role in ensuring the risk strategies and culture of the company are aligned. One aspect it seems all risk strategies can agree on is that, when it comes to the identification of risks, it is essential for organizations to determine which risks will have the most impact on their long-term strategy and overall purpose so they can prioritize accordingly when it comes time for treatment strategies.

Risk registers are often a collection of risks with varying levels of detail about the causes, the impact of consequences, risk owners, the probability of the event and the likelihood of occurrence. Risk registers can be a response to legally required mandates or risk assessments. They can also be a key piece of a risk manager’s strategy.

There are recommendations for risk register content, such as ISO 31000 and COSO’s guidelines, but experience with companies of all sizes and sectors reveals little in the way of consistency for risk naming within companies, let alone between different companies. In today’s risk environment, while research is scarce, those companies which engage with their risks and embrace strategic risk management are performing ahead of their peers. In a study of Taiwan’s financial industry, enterprise risk management (ERM) adoption was found to significantly help organizations improve revenue (9.22%) and cost efficiencies (16.34%). [2]

Risk identification by itself is not enough to manage risk, but it is the first step in informing the design and management of effective risk control interventions. Thus, companies attempting to mature in their risk strategies move from strategies founded on inexperience or a strategy of avoidance to those which enable them to actively engage with risks – moving towards taking advantage of and finding opportunities from risk rather than being victims of it. For example, empirical evidence shows that U.S. bank holding companies that had active risk management strategies, with balance sheets displaying higher risk taking, were less likely to become insolvent during the 2007-2009 financial crisis. [3]

The importance of applying a risk maturity framework: an insight into risk maturity

Risk registers and risk descriptions can tell you a lot about the risk maturity of an organization. As an organization matures and with the passing of time, risks can and should change as understanding builds on how they may represent risks or opportunities, and awareness increases internally on the impacts across risk and strategy. If this information is not created in a collaborative fashion, this may lead departments to work off different data. Inevitably these disparities can lead to some or all departments having incomplete or inaccurate data, which, according to IBM estimates, costs the US alone $3 trillion per year. [4]

  • A high-level top 10 category register, with little to no detail, or an incredibly long register which adds rather than updates risks, indicates lower levels of maturity. This type of register often reflects a box-ticking approach and little to no active engagement. Varying methodologies can lead to consequences, causes/triggers, specific incidents, or themes to all be included as “risks” within the same register – which makes tracking and comparing across risks difficult.
  • A detailed and well-maintained list with a consistent naming structure reveals a higher level of maturity. This naming structure dictates what constitutes a “risk”. Mature risk registers often include vulnerabilities to the risk, mitigations, and identified risk owners. With these deeper levels of information on risks, risk managers can build effective and efficient strategies for decreasing risk probability and increasing risk resilience, finding common vulnerabilities across risk types that allow for efficient shared mitigation strategies.

Table 2: Emerging risk descriptions, Emerging and Interconnected Risks survey

| | Environmental | Geopolitics | Technology |
|---|---|---|---|
| Low risk maturity | Climate change | Geopolitics | Disruptive technologies |
| High risk maturity | Increased hurricane activity and tornado alley moving east, causing workforce and production disruption | Geopolitical tensions and uncertainty leading to supply-side shocks such as inflation and economic downturn | Adoption of new digital technologies requiring new skills, and the ability to access a labour pool with those skills |

The importance of challenging your definition

The choice of definition can affect more than just the layout of a risk register. It can change the outcome of policy debates, budget and resource allocation, safety strategies, and political leadership within companies and societies. Each aspect focuses on different concerns and priorities, exposing just how fragmented and diverse our understanding of risk is.

When challenging your risk definitions, it is essential to seek viewpoints beyond just your own. 40% of the wider employees who responded to our Emerging and Interconnected Risks survey feel they’ve never been consulted on their organization’s emerging risks. Are views from across the business being fed into your organizational view on an ongoing basis? If not, you have an opportunity to decide what to prioritize and build that from the ground up.

By having internal stakeholders throughout the company provide insights and challenges for your risk definitions and registers, you can combat the inaccuracies of data found in siloed companies and equip your company with a wider, more complete view, for a more effectual knowledge base.

Connecting to your employee engagement survey is a way to harness pre-existing resources and diverse perspectives from colleagues at the frontlines of risk. This is particularly the case for large and complex organizations, where this type of analysis can identify interconnected risks that have the potential to impact strategic objectives.

How organizations are setting themselves up for success

Organizations need an approach that supports value, rather than one that just gives stakeholders comfort through annual reporting that they are secure. To effectively manage emerging risks, it is crucial to go beyond merely identifying them and to thoroughly analyze their causes and consequences.

By integrating your risk management strategy with your strategic planning and business goals, you get more than just a safety net—you get a powerful tool for uncovering opportunities in the face of uncertainty. Design a framework with built-in repeatability and continuous review as new risks and interdependencies emerge.

A robust risk framework is the foundation of a company’s approach to identifying, assessing and preparing your priority enterprise risks to align with your strategic objectives and improve long-term profitability. It promotes a systematic, unified approach to risk management, crucial to avoiding fragmented or inconsistent responses to threats. Understanding where your organization is on its maturity journey, and how you benchmark against industry standards and peers, can support decision making across the various elements of an ERM approach:

  • Risk strategy and appetite
  • Risk governance and reporting
  • Risk identification and assessment
  • Risk control and mitigation
  • Risk monitoring and performance

For instance, in risk identification and assessment, an undeveloped framework lacks a formal process, relying on siloed or ad hoc approaches. On the other hand, an embedded framework features a robust, cross-functional risk identification process with scaled prioritization criteria consistently applied at both Group and business unit levels, where significant risks are quantified by frequency and severity.

A strong risk strategy must do more than equip organizations with consistent resiliency to the everyday risks of business operations. The frequency of crises is on the rise, where “black swan” events are increasing with such frequency that there are overlapping shocks. To thrive in this environment, business leaders need to have access to risk assessments to understand what, when and where organizations could be impacted. A cohesive view on which aspects of a risk are of highest importance, i.e. the causes, the event itself or the consequences, will foster more consistent additions to the risk register in terms of risks and causal factors. This, in turn, will lead to a stronger tool for decision making.

Periodically assessing your risk registers for concentrations is a good exercise in determining risks of highest concern. In this exercise, it is important to challenge why risk concentrations occur.

  • Are these risks psychologically of highest concern - with recency or availability biases potentially increasing risk inclusion?
  • Are they risks that are of highest impact?
  • Are potential inconsistencies in naming practices the root cause?
  • Do you have the right tools and methods to define these risks? And do you have the most appropriate action plans to respond?
  • Can you demonstrate to senior leaders, board of directors, investors and shareholders that your risk management approach optimally supports your strategic goals for these risks?

Note that these options are not mutually exclusive. These questions can give insight into whether more controls are needed in these areas. Similarly, assessing your risk registers for gaps allows a risk register to adapt to changing circumstances and identify areas for improvement.

We’ve seen how transparency around the process and the methodology and a common language are essential to ensure your risk management strategy is aligned with your organization's overall objectives.

By looking at your organization’s risks collectively, risk management can break down silos and foster collaboration and, with this, drive a risk management approach that’s aligned with, and crucial to, delivering better financial performance.

References

  1. Department for Homeland Security Lexicon.
  2. The North American Journal of Economics and Finance. The value of implementing enterprise risk management.
  3. European Banking Center discussion paper.
  4. Harvard Business Review. The cost of bad data.

Authors


Emerging Risks Research Lead

Head of Emerging Risks, WTW Research Network, WTW

Associate Director, Enterprise Risk Consulting