Future-proofing your business - A framework for thinking differently about your risks

Introducing our framework for risk, control and assurance

The world of risk is changing. Challenging economic times, volatile world events and fast-changing technology are leaving organisations more vulnerable than ever. It’s much harder to predict where new risks will come from. But, businesses are adapting and so have we, supporting you in future-proofing your business to become risk resilient and risk ready.

Many organisations have elements of governance, risk and compliance (GRC) processes in place to manage risk. But, they are often not as robust as they need to be or they are more focused on yesterday’s risks rather than being forward looking. We’re taking a broader perspective based on the view that boards need to start taking a holistic approach to risk, moving from being reactive and compliance-driven to being proactive, seeing it as a strategic driver of performance.

We have developed a framework to help you explore where risk lies in your business and identify the potential threats and opportunities it holds.

The framework is flexible and dynamic – designed to encourage a broader perspective and future-facing approach to risk and resilience. It is a catalyst to help you think holistically about your key strategic risks and adopt a different mindset that explores the opportunities presented by risk, as much as the threats.

Used effectively, it can help you assess known areas of vulnerability and advantage, as well as uncover risks and opportunities that perhaps you didn’t know existed, enabling you to develop quick, effective and confident responses.

The framework is supported by world-class tools and methodologies that enable us to provide businesses with insightful, robust and leading edge support in all the areas it covers.

Types of risk

This element of the framework can help you to determine where risk is sitting in your organisation and where you are potentially vulnerable. We have identified four types of risk which make up the risk landscape, the population of risks which could affect – positively or negatively – the ability of your organisation to achieve its business strategy and protect or create value. These categories help in the identification of unknown or hard to predict risks.


Businesses need to clearly understand the alignment between what they are trying to achieve through their business strategy and which risks to take, avoid and manage.

This part of the framework captures the elements that should be present in an organisation’s model for managing risk – the risk, control and assurance continuum. It can form the basis of a ‘diagnostic’ evaluation that enables you to identify where you may be stronger or weaker.


The lines of defence are what your business has in place to protect itself. They form a critical part of your organisation’s overall response to risk.

We’ve identified four lines of defence. These are aspects of a business that span:
  • people, systems and controls
  • the board, risk management and compliance functions
  • internal audit
  • external assurance
As you move across the four lines they become increasingly independent of the business. This element of the framework can help you to consider a specific aspect of the business, for example, the effectiveness of your internal audit function, or, it can be used as the basis for a more general exploration of how effective the lines of defence are in protecting your organisation against risk.

Thinking differently to future-proof your business

The real power of the framework lies not in its individual components, but in the combined effect that results from considering types of risk your business might be exposed to, your approach to those risks and how effectively you are able to respond to them.

Using the framework will help you think differently about your risks. Thinking differently means taking a broader, deeper, more rigorous approach, one that will result in greater confidence and agility, both in the way you respond to the threats associated with risk and exploit its opportunities.

This will bring commercial advantage and, with it, the ability to plan ahead with certainty, knowing that you have taken essential steps to future-proof your business.