Why fluency in risk, not just a strong risk function, is becoming a regulatory and cultural imperative in today’s fast-paced FS world.
Introduction: Why Risk Can’t Sit in a Single Function
For years, firms relied on a strong risk function, staffed and formally structured, to safeguard oversight. But that’s no longer enough.
Regulators, boards, and markets now expect risk to be owned throughout the business, not siloed. Yet when risk becomes “everyone’s responsibility,” too often it becomes no one’s accountability.
The solution lies not in more controls, but in risk fluency: the ability of people across functions to recognise, understand, and act on risk in real time.
Why Now: Regulatory Amplification and Cultural Imperatives
2025 marks a turning point. Several factors amplify the urgency of building fluency now:
- Regulatory expectations: The FCA’s 2024-25 culture and non-financial misconduct findings emphasise that healthy cultures underpin resilience, requiring everyone, not just the second line, to be alert and accountable.
- SMCR focus: The Senior Managers & Certification Regime increasingly links misconduct with regulatory liability for senior leaders. The FCA is extending bullying and harassment rules to over 37,000 firms by 2026, signalling broad cultural scrutiny.
- Compliance complexity: According to PwC’s 2025 Global Compliance Study, 77% of firms report that growing compliance complexity disrupts operations, especially in transformation and technology deployment.
- Operational resilience focus: KPMG’s 2025 benchmarking shows FS firms are increasingly embedding operational and digital resilience in risk functions, yet doing so requires fluency across teams, not just within siloed second-line functions.
In short: Risk fluency is no longer optional; it’s a competitive and regulatory imperative.
The Pain of Missing Fluency
Even the best-defined risk frameworks fall short if fluency is absent:
- Hidden red flags: When front-line staff lack the language to surface issues, controls collapse quietly before the second line notices.
- False security: Robust processes mean little if teams don’t understand why they matter.
- Duplication and delays: Hesitation leads to over-reporting by some and under-reporting by others – neither is constructive.
- Board uncertainty: Boards receive dashboards, but without fluency, they can’t assess whether risks are genuinely owned.
- Risk fatigue: Repeated misalignments erode ownership, leaving staff burnt out and disengaged.
Awareness vs Offloading: Decoupling the Myth
Many firms confuse “embedding risk” with “offloading responsibility”, creating a dangerous illusion of oversight:
- Awareness means employees know risk matters.
- Fluency means they can act with confidence and clarity.
Under SMCR and cultural scrutiny, regulators stress that accountability cannot be delegated simply through documentation.
What Good Looks Like: A Fluency Maturity Snapshot
| Fluency Level | Description |
| --- | --- |
| Level 1: Aware | Staff understand risk frameworks but escalate all decisions to risk teams. |
| Level 2: Informed | Staff identify issue types and consult quickly using checklists. |
| Level 3: Fluent | Staff assess minor risks directly and escalate only material exceptions; cross-functional teams use shared language and KPIs. |
Fluent firms feature:
- Scenario-driven training tailored to functions
- Embedded risk prompts in workflows
- Speak-up-empowered culture
- Board visibility: Regular metrics on fluency, not just incidents
Framework for Building Risk Fluency
Here’s how to convert awareness into fluency:
1. Define fluency tiers across roles: what should decision-makers know and do?
2. Embed inclusion in learning journeys: Risk literacy in induction, training, and ongoing leadership programmes.
3. Run cross-functional simulations: Real-world scenarios that decode trade-offs.
4. Align incentives: Reward risk-informed decision-making alongside results.
5. Measure fluency: Culture surveys, near-miss tracking, and escalation data.
Final Word: Fluency as a Growth Enabler
Board and regulator questions are evolving. No longer: “Do you have a risk team?”
Now it’s:
– How fluent is your front line in recognising and owning risk?
– Are risks surfaced early, or only post-failure?
– Do teams default to escalation or handle relevant decisions autonomously?
The most resilient firms of 2025 and beyond will not just have strong risk functions; they’ll build a business fluent in risk, every day, everywhere.