Risk Management in Australia
Table of Contents
- 01 Introduction
- 02 Enterprise Risk Management Framework
- 03 Financial Risk
- 04 Operational Risk
- 05 Compliance Risk
- 06 Climate and ESG Risk
- 07 Controls Testing
- 08 Risk Appetite Statement
- 09 Incident Escalation — Five Key Steps
- 10 Risk Identification and Assessment
- 11 Challenges and Lessons Learned
- 12 Conclusion and Actionable Insights
01 Introduction
Risk Management as a Strategic Discipline
Every organisation, regardless of size, industry or strategic goals, operates in a state of perpetual uncertainty. How well an organisation understands, manages and articulates that uncertainty is one of the most reliable indicators of its future stability.
- Risk management is the discipline that fills the gap between what organisations intend to do and what the world presents.
- Done well, it does not paralyse organisations with caution; it frees them to pursue opportunity with a clear understanding of where acceptable loss ends.
- Done poorly, organisations are taken by surprise by events that careful analysis could have anticipated and avoided.
The Evolution of Enterprise Risk Management
Risk management has changed dramatically in the past 20 years, driven by a series of high-profile corporate failures, regulatory measures, and the recognition that reactive, siloed risk management is not suited to the complexity of the current operating environment.
- The enterprise risk management framework has emerged as the structural response to this complexity: a coherent, integrated framework that connects risk identification and assessment with strategy, operations, governance and reporting.
- At its best, an enterprise risk management framework is not a compliance instrument but a strategic one: a system through which boards and management can see the entire spectrum of risks the organisation is exposed to.
- It allows conscious, informed decisions about how much risk to take in pursuit of strategic objectives.
Who This Guide Is For
This guide is for junior and mid-level practitioners building experience in risk management, whether from a financial, operations, audit, legal or specialist background such as compliance risk or climate and ESG risk.
- It spans the whole field, beginning with the enterprise risk management framework and the key risk categories: financial risk, operational risk, compliance risk, and climate and ESG risk.
- It covers the disciplines of controls testing, risk appetite statement development, board reporting and incident escalation.
- It gives the analytical basis of risk identification and assessment.
- By the time you finish, you will have a workable framework to contribute to risk management programs of real sophistication.
Risk management is not the act of eliminating uncertainty; it is the act of being clear about uncertainty in order to make better decisions. Its aim is not a risk-free organisation but a risk-conscious one.
02 Enterprise Risk Management Framework
What the ERM Framework Is
An enterprise risk management framework is the structure within which an organisation identifies, analyses, manages, oversees and reports on all the risks it faces. Unlike siloed risk management models, where financial risk sits with treasury, operational risk with operations and compliance risk with legal, an enterprise risk management model brings these components together into a cohesive whole.
- This integration gives the board and senior management a view of the organisation's overall risk profile.
- It also exposes the interrelationships between risk types that can compound individual exposures into systemic risk.
- The enterprise risk management framework is the connective tissue that turns individual risk functions into an organisational capability.
The COSO and ISO 31000 Reference Frameworks
The COSO ERM framework, most recently updated in 2017, is the most widely used conceptual framework for designing enterprise risk management structures, alongside the internationally recognised ISO 31000 standard (current edition 2018).
- COSO ERM defines enterprise risk management as a set of principles organised around five interrelated components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting.
- ISO 31000 provides principles and guidelines, rather than a certifiable standard, that organisations adapt to their own situation and industry.
- Familiarity with both frameworks, and the ability to explain their similarities and differences, is a baseline professional competency for any risk management practitioner.
Tailoring the Framework to the Organisation
The enterprise risk management framework should be designed to suit the specific characteristics of the individual organisation: its size, complexity, regulatory environment and strategic objectives.
- An international financial institution will have a more formalised ERM system, with dedicated risk management functions, sophisticated risk modelling capabilities and extensive regulatory reporting requirements.
- A mid-sized professional services firm will operate under a simpler structure, but still needs the core items: a documented risk register, a defined risk appetite statement, clear accountability for risk ownership, regular risk identification and assessment, and a board reporting cycle.
- Large and small organisations differ in the scale and complexity of their implementation, not in the principles. The principles are universal.
03 Financial Risk
What Financial Risk Encompasses
Financial risk covers threats to an organisation's financial position arising from fluctuations in market variables, deterioration in credit quality, liquidity mismatches and weaknesses in financial reporting.
- For financial services organisations, financial risk is the centre of the risk management agenda: it is the core business risk, managed through elaborate frameworks of market risk management, credit underwriting and liquidity stress testing.
- For non-financial organisations, financial risk is also important, but it manifests differently: commodity price risk, foreign currency risk on international revenues, counterparty credit risk in supply chain relationships, and financial misstatement risk from ineffective internal controls.
The Three Primary Sub-Categories
Market risk, credit risk and liquidity risk are the three primary sub-categories of financial risk that practitioners are most likely to face; each is distinct yet closely linked.
- Market risk: sensitivity to loss from adverse movements in financial market variables such as interest rates, exchange rates, commodity prices and equity prices.
- Credit risk: exposure to loss if a counterparty defaults on its financial commitments: a customer defaulting on a loan, a supplier defaulting on a prepaid contract, or a derivative counterparty defaulting before settlement.
- Liquidity risk: the risk that the organisation cannot meet its financial obligations when they fall due, either because it cannot convert assets into cash in time or because it loses access to funding.
- These three are connected: deteriorating credit quality can trigger a liquidity event, which may in turn force the sale of assets at depressed market prices.
Real-World Example: Financial Risk Management in Practice
An instructive case of financial risk policy and practice going awry, with tangible results, comes from a European manufacturing conglomerate.
- The group had large USD revenues and a predominantly euro-denominated cost base, which created substantial foreign exchange transaction exposure.
- Its treasury policy allowed it to hedge up to 80 per cent of projected USD revenues 12 months ahead using forward contracts and options.
- When the USD fell sharply against the euro over 18 months, the hedged position cushioned a large part of the group's income, while the unhedged portion remained fully exposed.
- Post-event analysis showed that the policy had been properly designed but execution had lacked discipline: the actual hedge ratio had consistently sat below the policy minimum because of uncertainty about revenue forecasts.
- Lesson: a financial risk policy without consistent execution is not risk management; it is risk documentation.
04 Operational Risk
Definition and Scope of Operational Risk
The Basel Committee on Banking Supervision, the most authoritative standard-setter in this area, defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The Basel definition includes legal risk but excludes strategic and reputational risk.
- The range of scenarios this definition covers is very broad: failures in financial reporting processes, technology failures that prevent service delivery, employee or third-party fraud, data management failures that lead to regulatory breaches, and external events such as cyberattacks, natural disasters or pandemics.
- Operational risk is the most pervasive risk in the enterprise risk management model; it is present in every function and every process of the organisation.
Preventive and Detective Controls
Operational risk management relies on a combination of preventive controls (which reduce the likelihood of a risk event) and detective controls (which detect a risk event when it occurs, so that its impact can be limited and its cause addressed).
- Whether either type of control actually works is established mainly through controls testing, explained in a later section.
- Operational risk cannot be eliminated, but it can be kept within the limits set by the organisation's risk appetite statement.
- Some degree of operational failure is inherent in any complex organisation. Operational risk management is not about zero incidents, but about prompt identification, effective containment and the systematic elimination of root causes.
Technology and Cyber Risk — The Dominant Sub-Category
In the past 10 years, technology and cyber risk have become the largest sub-category of operational risk for most organisations, driven by growing digital dependence and increasingly capable external threat actors.
- Example: in 2022, a ransomware attack on a large logistics company paralysed port operations across multiple continents for several days, resulting in losses of more than USD 400 million.
- The post-incident analysis found that the attack vector was a third-party software supplier whose security fell well short of what the logistics company's own information security policy required. Contractual security requirements on suppliers are only as good as the evidence, gathered through supplier assurance and controls testing, that they are actually met.
- Lesson for the risk practitioner: the risk boundary extends beyond the organisation's walls to its whole supply chain and technology ecosystem.
05 Compliance Risk
What Compliance Risk Is
Compliance risk is the risk of legal or regulatory sanctions, financial penalties or reputational damage resulting from non-compliance with the laws, regulations, rules, standards and codes of conduct that apply to the organisation's operations.
- It sits at the intersection of legal and operational risk: operational because it arises in day-to-day activities, and legal because its consequences are set by external regulatory and judicial authorities.
- In highly regulated sectors such as financial services, healthcare, energy and professional services, compliance risk is one of the most significant risks in the enterprise risk management framework.
- Mismanaged, it can put the organisation's licence to operate at risk.
Three Fundamental Capabilities for Managing Compliance Risk
Compliance risk management requires three core capabilities, which together constitute a complete compliance function.
- Regulatory horizon scanning: the ability to detect and track regulatory changes before they take effect, so that the organisation can build compliance capacity ahead of deadlines rather than scrambling to comply.
- Compliance program design: developing the policies, procedures, training and monitoring frameworks that convert regulatory demands into operational behaviour.
- Controls testing and monitoring: ongoing checks that the compliance program is operating as planned, that policies are being followed, that the right personnel are receiving training, and that monitoring systems detect non-compliant behaviour before it becomes regulatory exposure.
- Incident escalation pathways that route potential compliance breaches to the appropriate internal and external authorities in a timely fashion are an essential part of this third capability.
Compliance Culture — Who Owns the Risk
One of the most useful lessons in compliance risk management is that compliance risk is not owned by the compliance function but managed by the business. The compliance function provides oversight, guidance and challenge.
- Business units that outsource compliance to a central team and treat it as someone else's problem tend to experience the largest compliance failures.
- The organisations with the most effective compliance cultures are those in which line managers know their compliance obligations as well as they know their business goals.
- In such organisations, compliance performance is reported alongside financial performance, and the compliance function can raise matters at board level without being filtered by the commercial side.
- Such a culture is not built quickly. It needs long-term commitment from leadership, and that commitment has to start at board level.
06 Climate and ESG Risk
From the Periphery to the Centre of the Risk Framework
Climate and ESG risks have moved from the periphery of the enterprise risk management framework to its centre in a remarkably short time. Boards and management teams across all industries are now expected to demonstrate that they have identified, evaluated and are actively managing their exposure to climate and broader ESG-related risks.
- This expectation is driven by regulatory demands, such as Australia's mandatory climate disclosure requirements under AASB S2, heightened investor expectations, and the growing body of evidence on the physical and economic effects of climate change.
- For most organisations this is a major expansion of the risk universe: new analytical capabilities, new data sources, new governance structures.
Physical and Transition Risks
Climate and ESG risks can be split into two main categories that require distinct analytical methods and management actions.
- Physical risks are the direct financial impacts of climate change: destruction of assets from severe weather, supply chain disruption from water shortages or extreme temperatures, agricultural losses, and property repricing in coastal and flood-prone areas.
- Transition risks are the financial effects of the move to a lower-carbon economy: stranded asset risk arising from a carbon price or regulatory shift, technology dislocation from the electrification of transport and industry, and market changes as customers and investors respond to climate concerns.
- Climate and ESG risk identification and assessment should be carried out through scenario analysis, i.e. modelling how the organisation's finances would be affected under different climate pathways. Scenario analysis is a mandatory component of AASB S2 disclosure for in-scope organisations.
Broader ESG Risks and Integration into the ERM Framework
Beyond climate, the broader ESG risk category includes social and governance risks, which need to be incorporated into the enterprise risk management framework alongside traditional financial and operational risks.
- Social risks include supply chain labour standards, exposure to modern slavery, workforce diversity and inclusion, and community relationships.
- Governance risks include board independence, executive remuneration structure, tax transparency and anti-corruption compliance.
- Integrating climate and ESG risk into the enterprise risk management framework is not merely additive: it requires a genuine reconceptualisation of risk that links environmental and social factors to financial value drivers in a rigorous, evidence-based way.
07 Controls Testing
What Controls Testing Is and Why It Matters
Controls testing is the verification activity through which an organisation confirms that the controls it has designed to address identified risks are actually operating effectively. It sits between risk assessment and risk assurance.
- Without controls testing, the enterprise risk management framework rests on assumptions rather than evidence: that controls are implemented as the policy manuals declare, that technology controls work as intended, and that human controls are not being overridden under commercial pressure.
- These assumptions are often wrong. Controls testing surfaces that reality before it turns into a risk event.
Three Types of Controls Testing Activity
There are three types of controls testing activity, each with a different verification purpose.
- Design effectiveness testing: tests whether a control, as designed, is capable of addressing the risk it is intended to address; that is, whether the control's logic is sound.
- Operating effectiveness testing: tests whether the control is performed as designed and is operating properly in the actual operating environment, typically by examining evidence for a sample of instances over a period.
- Continuous monitoring: checks the operation of controls on a real-time or near-real-time basis using technology, rather than periodic sampling. In organisations with mature enterprise risk management systems, continuous monitoring is increasingly used to supplement or replace periodic testing of high-frequency, high-volume controls.
Feeding Results Back into the ERM Framework
The results of controls testing should be fed systematically back into the enterprise risk management framework. This is one of the most crucial yet least developed areas of ERM.
- Control deficiencies found in testing should be assessed for their effect on risk: does the deficiency leave a gap that requires the associated risk to be re-rated? Is it a systemic flaw that needs redesign? Or is it an isolated failure that has already been corrected?
- Material control deficiencies should be communicated through the incident escalation and board reporting mechanisms, not swept under the carpet at the working level and kept off the board's radar.
- The links between controls testing findings and the risk register, the risk appetite compliance assessment and the board reporting cycle are among the most urgent, but least developed, parts of ERM operation.
08 Risk Appetite Statement
What the Risk Appetite Statement Is
The risk appetite statement is the formal statement of the amount and type of risk an organisation is willing to accept in pursuit of its strategic objectives. It is one of the most important governance documents in the enterprise risk management structure.
- Its value lies not in the document itself but in the strategic conversation it provokes and the behavioural boundaries it sets.
- A good risk appetite statement translates top-level strategic intent into operational risk limits: how much financial risk the business units may take on to achieve growth objectives, what operational risk is tolerable when delivering new technology capabilities, and where the organisation stands on compliance risk and climate and ESG risk.
Qualitative and Quantitative Elements
A good risk appetite statement combines qualitative and quantitative components into a complete statement.
- Qualitative statements express the general risk philosophy: zero tolerance for breaches of legal and regulatory requirements, low tolerance for reputational risk, and moderate tolerance for strategic and commercial risk where returns are proportionate to exposure.
- Quantitative measures convert these qualitative positions into measurable limits: maximum acceptable loss from a single operational risk event, minimum liquidity coverage ratio, maximum acceptable regulatory capital consumption, and limits for each material financial risk category.
- These quantitative thresholds are the yardstick against which the organisation's actual risk profile is measured. They are reported directly through the board reporting cycle and let directors readily determine whether the organisation is operating within its approved risk profile.
The Most Common Failure Mode
The most common failure in risk appetite statement design is a board-approved document that has no effect on operational behaviour.
- A risk appetite statement that is not translated into business unit risk limits, is not referred to in investment and operational decisions, and is not reported against in management information is not a risk governance tool; it is a compliance artefact.
- Organisations that achieve the true value of their risk appetite statement are those that make it part of annual strategic planning and budgeting, roll it down to business-unit risk tolerance levels, and use board reporting dashboards to show whether actual performance and risk exposure are within the board-approved limits.
09 Incident Escalation — Five Key Steps
What Incident Escalation Is
Incident escalation is the process of identifying, classifying and reporting risk events to the appropriate levels of the organisation, then investigating, correcting and learning from them. Risk events may be operational failures, compliance breaches, financial losses or near-misses.
- It is one of the most operationally vital components of the enterprise risk management framework.
- The difference between a manageable operational issue and a reputational crisis, regulatory intervention or system failure lies in the speed and quality of the response to a risk event.
- The five steps below give the process a structure that produces the most effective organisational response.
Step 1 — Detect and Classify the Incident
Timely detection is the first step in successful incident escalation. It requires that all levels of the organisation understand what constitutes a reportable incident and can report it without fear of blame.
- Every employee should know what a reportable incident is, and there should be an open and accessible reporting channel.
- Initial notification should include an incident classification: severity, risk type (financial, operational, compliance, or climate and ESG) and possible regulatory notification implications.
- Classification should use a standardised taxonomy that is consistent across the organisation and aligned with the risk register categories of the enterprise risk management framework.
Step 2 — Contain and Stabilise
Once an incident is detected and classified, the next step is containment, to prevent further impact.
- Examples include isolating a compromised system from the network to stop a cyberattack spreading (rather than powering it off, which destroys volatile evidence), halting a transaction process that is generating incorrect outputs, pausing a business process that is creating regulatory risk, or engaging outside experts when the incident is too large to manage internally.
- Containment decisions must be made swiftly and documented in a way that ensures the appropriate authorities are informed in time and that supports the subsequent root cause investigation.
- Containment actions must not destroy or overwrite evidence that the investigation will need.
Step 3 — Notify and Escalate
The organisation's enterprise risk management procedures should pre-define the incident escalation pathway, so that the right people are informed immediately and reliably without ad hoc decisions about who should be told.
- Material incidents must be reported to the Chief Risk Officer, the business unit head and the General Counsel within hours of detection.
- Regulatory notification requirements, which apply to a wide range of events (data breaches, breaches of financial services licence conditions, environmental incidents), should be identified and met within the required timeframes. In Australia, for example, the Notifiable Data Breaches scheme and APRA's CPS 234 (which requires notification of information security incidents within 72 hours) each set their own clock.
- Late or inadequate regulatory notification is a compliance breach in its own right and compounds the original incident.
Step 4 — Investigate and Document
A thorough root cause investigation, asking not only what happened but why, is the analytical heart of the incident escalation process.
- The investigation identifies the control failures, process weaknesses or behavioural factors that allowed the incident to occur.
- The output should be recorded in enough detail to support board reporting on the incident, any regulatory reporting required, and the design of remediation measures to prevent recurrence.
- Where the incident may involve misconduct by individuals, legal privilege considerations and the necessary HR involvement should be handled carefully from the outset.
Step 5 — Remediate and Review
Remediation closes the gap between the incident and the improvement of the enterprise risk management framework. It should address underlying causes rather than symptoms.
- Remedies may include redesigning a control that failed, retraining employees who misunderstood their duties, re-engineering the technology that caused the error, or amending the risk appetite statement to reflect a risk that had been underestimated.
- Completion of remediation actions should be tracked through the board reporting cycle, not assumed, and the effectiveness of remediation should be verified through subsequent controls testing.
- An incident escalation process that produces excellent documentation but leaves no lasting change in operations is not risk management; it is record keeping.
10 Risk Identification and Assessment
The Analytical Engine of the ERM Framework
Risk identification and assessment is the analytical engine of the enterprise risk management model: the ongoing process through which the organisation identifies, assesses and prioritises the threats it faces. It is not an exercise performed once a year and filed away until the next annual cycle.
- It is a continuous practice that draws on management experience and judgement, operational data, external intelligence, regulatory guidance, and the results of controls testing and incident escalation reviews.
- Together, these sources keep the organisation's risk picture current and accurate.
Risk Identification and Risk Assessment — Two Distinct Phases
The risk identification and assessment process usually follows two distinct stages with different analytical purposes.
- Risk identification, the discovery stage: identifying all risks that could affect the achievement of organisational objectives. This draws on formal practices such as risk workshops with business unit executives, external horizon scanning, operational data and incident history, industry loss data, and input from specialist risk functions: treasury on financial risk, technology on cyber and operational risk, compliance on compliance risk, and sustainability on climate and ESG risk.
- Risk assessment, the evaluation stage: determining the likelihood and potential severity of each identified risk, and combining the two into a risk rating that can be used to prioritise resources and inform management decisions.
The Risk Register as a Living Document
The output of the risk identification and assessment process is the risk register: the consolidated list of the risks the organisation has identified and prioritised, their owners, and the controls in place to address them.
- A quality risk register is a living document, updated continuously as new risks are identified, existing risks reassessed, and the effectiveness of controls verified through controls testing.
- It is the primary input to board reporting on risk, and the accuracy and completeness of its content are direct measures of the quality of board oversight.
- Risk registers that are reviewed once a year, with generic risk descriptions unrelated to the organisation's specific context, give false assurance, not risk assurance.
Table 1: Risk Assessment Matrix — Rating Framework
| Likelihood / Impact | Low Impact | Medium Impact | High Impact | Critical Impact |
|---|---|---|---|---|
| Almost Certain | Medium | High | Critical | Critical |
| Likely | Medium | High | High | Critical |
| Possible | Low | Medium | High | High |
| Unlikely | Low | Low | Medium | High |
| Rare | Low | Low | Low | Medium |
Each of the four rating bands carries different governance and management implications.
- Low: accepted and handled by routine operational management.
- Medium: requires a documented mitigation plan and periodic review.
- High: requires proactive management, a formal risk treatment plan and regular reporting to the executive risk committee.
- Critical: requires board escalation, priority allocation of mitigation resources and, in some cases, a fundamental reconsideration of the strategy or business activity creating the exposure.
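The following Python risk register is an added illustration, not code from the original page. It encodes Table 1 and the escalation bands above, but adds the point made in the controls testing section: a risk is only rated down from its inherent level for controls whose latest test result is "effective", so deficient or untested controls earn no credit. The risks, owners, controls and test results in the sample register are constructed for the example.

```python
"""Risk register that rates on evidence: inherent rating from Table 1,
residual rating credits only controls that have tested effective."""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Table 1: row = likelihood, column = impact (Low, Medium, High, Critical).
MATRIX = {
    Likelihood.ALMOST_CERTAIN: ("Medium", "High", "Critical", "Critical"),
    Likelihood.LIKELY:         ("Medium", "High", "High", "Critical"),
    Likelihood.POSSIBLE:       ("Low", "Medium", "High", "High"),
    Likelihood.UNLIKELY:       ("Low", "Low", "Medium", "High"),
    Likelihood.RARE:           ("Low", "Low", "Low", "Medium"),
}
SEVERITY = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Governance implication of each band, from the list above the table.
ESCALATION = {
    "Low": "operational management",
    "Medium": "documented mitigation plan, periodic review",
    "High": "formal treatment plan, executive risk committee reporting",
    "Critical": "board escalation",
}


def rate(likelihood: Likelihood, impact: Impact) -> str:
    """Look up the Table 1 rating band for a likelihood/impact pair."""
    return MATRIX[likelihood][impact - 1]


@dataclass
class Control:
    name: str
    reduces: str                   # "likelihood" or "impact"
    test_result: str = "untested"  # "effective", "deficient" or "untested"


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    owner: str
    likelihood: Likelihood         # inherent, i.e. before controls
    impact: Impact
    controls: list = field(default_factory=list)

    def residual(self) -> tuple:
        """Each control with an 'effective' test result steps likelihood or
        impact down one notch. Deficient and untested controls earn no credit:
        the register rates on evidence, not on what the policy manual says."""
        lik, imp = int(self.likelihood), int(self.impact)
        for c in self.controls:
            if c.test_result != "effective":
                continue
            if c.reduces == "likelihood":
                lik = max(lik - 1, int(Likelihood.RARE))
            elif c.reduces == "impact":
                imp = max(imp - 1, int(Impact.LOW))
        return Likelihood(lik), Impact(imp)

    def residual_rating(self) -> str:
        return rate(*self.residual())


def register_report(risks: list) -> list:
    """Report rows sorted worst-first, with the escalation path each
    residual rating implies and the controls that still lack evidence."""
    rows = []
    for r in risks:
        residual = r.residual_rating()
        rows.append({
            "id": r.risk_id, "owner": r.owner, "category": r.category,
            "inherent": rate(r.likelihood, r.impact), "residual": residual,
            "escalate_to": ESCALATION[residual],
            "controls_without_evidence": [c.name for c in r.controls
                                          if c.test_result != "effective"],
        })
    rows.sort(key=lambda row: -SEVERITY[row["residual"]])  # stable sort
    return rows


# Constructed sample register (hypothetical risks, owners, controls and results).
SAMPLE_RISKS = [
    Risk("OR-07", "Ransomware via third-party software supplier", "operational",
         "CIO", Likelihood.LIKELY, Impact.CRITICAL,
         [Control("Supplier security assurance", "likelihood", "deficient"),
          Control("Offline, restore-tested backups", "impact", "effective")]),
    Risk("CR-03", "Late regulatory breach notification", "compliance",
         "General Counsel", Likelihood.POSSIBLE, Impact.HIGH,
         [Control("Pre-defined escalation pathway", "likelihood", "effective")]),
    Risk("FR-02", "Unhedged USD revenue exposure", "financial",
         "Treasurer", Likelihood.POSSIBLE, Impact.MEDIUM,
         [Control("Monthly hedge-ratio check against policy", "likelihood")]),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print(row)
```

In the sample, the ransomware risk stays at High rather than dropping further because the supplier assurance control tested deficient, and the hedge-ratio check earns no credit until it has actually been tested; both appear in the report as controls without evidence, which is exactly the information the board reporting cycle should receive.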
Table 2: Enterprise Risk Management Framework — Implementation Process Flow
| Phase | Key Activities | Responsible Party | Output |
|---|---|---|---|
| 1. Framework Design | Establish ERM policy, risk taxonomy, risk governance structure and risk appetite dimensions; obtain board approval. | CRO + Board + Legal | ERM framework and risk appetite statement approved by the Board. |
| 2. Risk Identification | Run risk workshops; review operational data and incident history; horizon-scan the external environment. | Risk Function + Business Units | Risk register listing all identified risks by category. |
| 3. Risk Assessment | Rate each identified risk for likelihood and impact; assign a risk owner; map to existing controls. | Risk Function + Risk Owners | Rated risk register with control mapping. |
| 4. Controls Design and Testing | Evaluate the adequacy of existing controls; design new controls where gaps exist; perform initial controls testing. | Risk Function + Internal Audit + Operations | Controls register; initial controls testing results. |
| 5. Risk Appetite Calibration | Define quantitative risk appetite measures; cascade them to business unit risk tolerances; link to financial planning. | CFO + CRO + Board | Quantitative risk appetite measures; business unit limits. |
| 6. Monitoring and Reporting | Introduce continuous monitoring; establish incident escalation routes; build board and management reporting. | Risk Function + Compliance + IT | Live risk monitoring; board risk report template. |
| 7. Annual Review | Review and update the risk register; re-evaluate risk ratings; re-evaluate the risk appetite statement; update the controls program. | Board Risk Committee + CRO | Revised ERM framework; updated risk register. |
| 8. Continuous Improvement | Incorporate lessons from incidents; repeat the controls testing cycle; refine risk models with new data. | Internal Audit + Risk Function | Enhanced controls, refined risk models and strengthened risk culture. |
11 Challenges and Lessons Learned
Challenge 1 — The Culture-Framework Gap
The gap between a well-designed enterprise risk management framework and the culture in which it operates is the most persistent failure mode in risk management practice.
- Organisations can spend heavily on framework design (documentation, governance structures, technology, reporting) and still fall into disaster when the culture does not genuinely accept risk management.
- When commercial pressure systematically overrides risk assessment, when the Chief Risk Officer is not truly independent of the business, when incident escalation is discouraged, and when board reporting presents an optimistic picture rather than an accurate one, no structural design can compensate.
- Culture is the most valuable risk management investment an organisation can make, and it is shaped by the behaviour of leaders, day in, day out, in every decision.
Challenge 2 — Emerging Risk Blindspots
By definition, any enterprise risk management framework is built on identified risks. The most dramatic failures are likely to be found in the risks that are still unknown, the unknown unknowns.
- The global pandemic, the growth of state-sponsored cyber threats, and the rapid adoption of large language model AI could not be accommodated in existing risk frameworks until they had already become real and expensive.
- Lesson: the process of risk identification and risk assessment must be proactive, seeking to identify risks that are not known to the organisation, not just systematically recording the ones it already knows about.
- The most effective risk manager is not necessarily the most efficient at known risks, but the one who discovers unknown risks before they become crises.
Challenge 3 — The Integration Gap
Financial risk, operational risk, compliance risk, and climate and ESG risk tend to be managed by different functions, using different methodologies, reporting on different cycles and speaking different professional languages. The result is silos, and the failure of the so-called enterprise risk integration.
- A compliance violation could result in a financial risk due to a regulatory penalty; an operational risk event could result in a compliance risk due to a notification failure; a climate and ESG risk could result in a financial risk due to asset stranding or a compliance risk due to disclosure failure.
- The ability to identify and control such interactions is among the most sophisticated capabilities in the field - and it is the capability that most clearly distinguishes a mature enterprise risk management system from a collection of well-managed risk silos.
12 Conclusion and Actionable Insights
What Risk Management Ultimately Delivers
Risk management done well helps organisations pursue their ambitions with a clear understanding of how much risk they are willing to take, and with mechanisms in place to detect warning signs when they are about to exceed acceptable limits.
- The structural manifestation of that discipline is the enterprise risk management framework, linking risk identification and assessment to governance, reporting, and operational decision-making.
- Financial risk, operational risk, compliance risk, and climate and ESG risk all require specialist knowledge, and professionals who build true depth in one of these areas will be in high demand across virtually all sectors.
Five Actionable Steps for Practitioners
The five steps below provide a systematic career progression for junior to mid-level professionals in the field of risk management.
- Step 1 - Develop a solid working knowledge of the conceptual basis of enterprise risk management frameworks: COSO ERM and ISO 31000 are the main reference standards, and understanding their principles is the foundation for developing more specific risk knowledge.
- Step 2 - Become genuinely competent in risk identification and assessment methodology: understand the techniques of risk identification in all four main categories, become skilled in the assessment of likelihood and impact, and learn how to build and maintain a risk register that is actually useful rather than merely compliant.
- Step 3 - Learn controls testing in-house: understand the difference between design testing and operating effectiveness testing, how to design a testing program commensurate with risk ratings, and how to interpret testing results to inform risk management actions.
- Step 4 - Learn about risk appetite statement design and governance: understand what a risk appetite statement actually does, and how it can be genuinely useful to the board and management rather than a governance artefact that meets regulatory requirements without affecting decisions.
- Step 5 - Pay attention to board reporting and incident escalation practices in the organisations you work with or observe: the quality of these two processes is the best external indicator of the health of the overall enterprise risk management framework. Practitioners who can design and improve both will always have a seat at the top tables of the organisations they serve.
Risk managers are not the ones who make organisations avoid risks; they ensure that when risks are taken, they are known, quantified, and kept within the limits the board has set with clear intent. At its most fundamental level, risk management is about building organisations that learn from successes, from failures and from the surrounding environment, and apply that learning to become more resilient, more informed, and more purposeful in the pursuit of firm value.
That is the discipline.