Episode 322: Getting enterprise risk management right with Simon Grima
In this episode, we host Professor Simon Grima to explore why risk management is too often treated as paperwork and how it can become a genuine strategic superpower when anchored to clear objectives and stakeholder needs. We unpack what “good” risk management looks like in practice: defining risk appetite, separating risk from uncertainty, avoiding box-ticking frameworks, and building indicators and registers that stay alive as the world changes.
From challenging the “three lines of defence” to making space for observation, communication, and adaptable KPIs, this conversation offers practical insight into why organisations still get the basics wrong and how they can start doing risk management in a way that actually supports better decisions, resilience, and opportunity.
Professor Simon Grima is the Dean of the Faculty of Economics, Management and Accountancy, a professor, and Head of the Department of Insurance and Risk Management at the University of Malta. He is also a professor in the University of Latvia’s Faculty of Economics and Social Sciences, and a visiting professor at UNICATT Milan and Haxhi Zeka University in Kosovo.
Simon has served as President of the Malta Association of Risk Management (MARM) since 2023, and as President of the Malta Association of Compliance Officers (MACO) from 2013 to 2015 and from 2016 to 2018. He is also Co-Chair of the Scientific Education Committee of the Federation of European Risk Managers (FERMA) and a member of the Strategic Risk Leaders Association (SRLA).
Simon’s research focuses on governance, regulation and internal controls, and he has over 30 years of experience in financial services, academia and public entities. He serves as an editor and reviewer for multiple publications and journals, and has been awarded Outstanding Reviewer for the Journal of Financial Regulation and Compliance in 2017 and 2022, and the Outstanding Author Contribution award for the book series Contemporary Studies in Economic and Financial Analysis (Emerald Literati Awards) in 2024. Simon acts as an independent director for financial services firms, sits on risk, compliance, procurement, investment and audit committees, and carries out duties as a compliance officer, internal auditor and risk manager.
The International Risk Podcast brings you conversations with global experts, frontline practitioners, and senior decision-makers who are shaping how we understand and respond to international risk. From geopolitical volatility and organised crime to cybersecurity threats and hybrid warfare, each episode explores the forces transforming our world and what smart leaders must do to navigate them. Whether you’re a board member, policymaker, or risk professional, The International Risk Podcast delivers actionable insights, sharp analysis, and real-world stories that matter.
The International Risk Podcast is sponsored by Conducttr, a realistic crisis exercise platform. Conducttr offers crisis exercising software for corporates, consultants, humanitarian, and defence & security clients. Visit Conducttr to learn more.
Dominic Bowen is the host of The International Risk Podcast and Europe’s leading expert on international risk and crisis management. As Head of Strategic Advisory and Partner at one of Europe’s leading risk management consulting firms, Dominic advises CEOs, boards, and senior executives across the continent on how to prepare for uncertainty and act with intent. He has spent decades working in war zones, advising multinational companies, and supporting Europe’s business leaders. Dominic is the go-to business advisor for leaders navigating risk, crisis, and strategy; trusted for his clarity, calmness under pressure, and ability to turn volatility into competitive advantage. Dominic equips today’s business leaders with the insight and confidence to lead through disruption and deliver sustained strategic advantage.
The International Risk Podcast – Reducing risk by increasing knowledge.
Transcript
[00:00:00] Elisa Garbil: Welcome back to The International Risk Podcast, where we discuss the latest world news and significant events that impact businesses and organisations worldwide.
[00:00:10] Dominic Bowen: This episode is brought to you by Conducttr. Conducttr software helps you design and deliver crisis exercises without needing a big team or weeks of preparation. You can create a central exercise library with Conducttr Worlds, and you can generate reports that support your governance and compliance requirements. So, if you want flexible, realistic crisis exercises that are easy to adopt, then Conducttr is worth a look.
[00:00:34] Dominic Bowen: And I have a quick favour to ask before we start today. If you’re a regular listener, please subscribe and follow The International Risk Podcast. It’s the simplest way to support the show, and it helps us reach more listeners who need this content. My commitment to you is that we’ll keep improving every part of the experience – from our guests to the quality of the research, and the practical insights we provide. And if there’s a guest you think we should bring on the podcast, or a risk that you want unpacked, send it through to us – and I promise we read all your comments.
[00:01:03] Dominic Bowen: Please hit the subscribe or follow button now, and let’s jump into today’s episode.
[00:01:08] Simon Grima: A good risk manager is capable of communicating to the board, to employees, and to stakeholders what they want. Sometimes it’s the stakeholders who don’t know how to communicate exactly what they want, and they expect you to come up with parameters and tell them, “Look, your objective should be this.”
[00:01:24] Dominic Bowen: Most people say they manage risk. But in practice, risk management is still treated like paperwork for many organisations, instead of the superpower that it really is. I’m Dominic Bowen, host of The International Risk Podcast, where we discuss the topics that really matter. And today, we’re joined by Professor Simon Grima. He’s one of the editors of Essentials, an assessment of risk management, and we’re going to talk about what good risk management actually looks like; how it links to strategy; how you assess risk and uncertainty without fooling yourself; and why most organisations are still getting the basics of risk management wrong. Professor Simon Grima is the Dean of Economics, Management and Accountancy, and the Head of Department for Insurance and Risk Management at the University of Malta.
[00:02:08] Dominic Bowen: His previous experience includes non-executive director roles with financial and IT firms in the commercial sector, and I think we’re going to have a great conversation with Professor Grima today. Professor Simon Grima, welcome to the International Risk Podcast.
[00:02:21] Simon Grima: Thank you for the invite, Dominic.
[00:02:23] Dominic Bowen: And whereabouts in the world are you today?
[00:02:25] Simon Grima: In Malta.
[00:02:26] Dominic Bowen: In Malta. Beautiful part of the world.
[00:02:28] Simon Grima: Small island.
[00:02:30] Dominic Bowen: Small island. Not a bad place to be – not a bad place at all. Well, Simon, let’s jump straight in. I know you sit on a lot of advisory committees, and you see a lot through your work in academia, but also in the commercial sector.
[00:02:44] Dominic Bowen: What is it that organisations are consistently getting wrong when it comes to risk management?
[00:02:50] Simon Grima: Actually, I don’t really think it’s that they’re getting it wrong. It’s the fact that most of us think about risk management as a framework, but it’s also the skills that the risk manager has. The risk manager is not just there to follow frameworks, follow controls, or follow rules, but is there to understand and facilitate between stakeholders – you know, those taking the risk – and the company they’re working in. So, it’s not about your risk, or the regulator’s risks; it’s about the objectives.
[00:03:20] Dominic Bowen: I think that’s a really good point. Someone recently asked me what it is I actually do, and I answered by saying that the first thing I always want to understand is: what is my client actually trying to achieve? The second thing I’ll look at is: what are all the threats and risks to them? But the first one is: I really need to understand what they’re trying to achieve.
[00:03:36] Dominic Bowen: But, Simon, when someone asks you, “What is good risk management?” – in one or two sentences – what is good risk management?
[00:03:42] Simon Grima: For me, good risk management is about looking at the objectives and seeing how we can arrive at them with the fewest hiccups. That means knowing what the rules are, what the mandatory things are that are required, and what voluntary things the stakeholders want.
[00:03:59] Dominic Bowen: And I think everyone agrees that we live in an environment that’s just so volatile. There’s a lot of uncertainty, complexity, and ambiguity. And you emphasise a lot the two elements – risk and uncertainty. Can you talk about the distinction?
[00:04:14] Dominic Bowen: And what is it that leaders and business leaders often misunderstand when considering uncertainty and risk?
[00:04:20] Simon Grima: Now, when they’re talking about risk, many people think that risk is just negative. Being Maltese – and some words come from Phoenician times, when the Phoenicians used to travel around the Mediterranean – they used an Arabic word which is called rizq. So that’s where it comes from. When we say rizq in Maltese – and even in Arabic – it means “good luck”, “go with God”, “prosper”. So, it’s about prosperity; it’s not looking at risk as negative.
[00:04:43] Simon Grima: Even if you take it from Chinese words, it means danger and opportunity. I like to see it as an opportunity to innovate – an opportunity to reach objectives with the least problems. When we consider risks, we can consider them under three headings. Unknown risks – because we know they will happen sometimes.
[00:05:03] Simon Grima: Then there are known risks. We know that if we’re on a construction site, we need to have helmets, we need to have safety boots, because we know there are risks there. Then there’s the unknowable – an alien attack. Do we need to look at it? We can simulate it, but it’s unlikely that it will happen.
[00:05:17] Simon Grima: So, if you know something can happen, you can take precautions. If you can take precautions, is that a risk?
[00:05:22] Dominic Bowen: You talked about how likely it is to happen, and I think that’s something that’s really important when I work with our analysts – but also when I’m working with clients, and we’re looking at the different threat vectors and trying to understand: what is the likelihood of this risk actually being realised? I speak a lot to clients and to analysts about cognitive bias and availability heuristics. What are the top three biases that you come across that distort risk assessments, especially when we’re trying to get people to understand likelihood? What are the biases that concern you the most?
[00:05:54] Simon Grima: The biases – actually, again – it depends on the character. If you are pessimistic about things, you can take a certain bias, and if you have experienced certain things, you might take a certain side. However, the first thing you learn is to look at facts and not to have biases. So, you look at the facts coming from stakeholders. It’s the stakeholders who are the ones taking the risks.
[00:06:15] Simon Grima: They are paying your bills; they are taking the risks of that company. So, you’re looking at their biases, their requirements, and also their risk appetite. It’s not your risk appetite – it’s their risk appetite. If they want to take that risk, you advise them on what can happen and what the variations are from the norm, from what they’re expecting. It is up to them, then, to see how much risk they can take.
[00:06:39] Dominic Bowen: It’s really interesting. Something that continually surprises me, when working with really large and really effective companies – companies that impress me a lot – is that when I come in to help them strengthen their risk management so they can actually implement their strategies and pursue more opportunities with confidence, it surprises me how often companies don’t have clear risk appetite statements. They haven’t defined what their risk tolerances are, and I find that quite surprising. Can you talk us through what a good – a real – risk appetite statement looks like to you?
[00:07:11] Simon Grima: To have a good risk appetite statement, you need to know your stakeholders, and you need to know what they want. If you don’t know the objective, how can you get there? So, a good risk manager is capable of communicating what the stakeholders want to the board and to the employees.
[00:07:28] Simon Grima: Sometimes it’s the stakeholders who don’t know how to communicate exactly what they want, and they expect you to come up with parameters and tell them, “Look, your objective should be this.” On the other hand, if you are in an alternative investment fund where you are setting the policy, the investors – who are the stakeholders – are investing according to the policy. So, the offering memorandum is your bible; it’s your objective. That makes it easier.
[00:07:50] Simon Grima: Certain companies have the same thing: they put out the policies, and then they get the investors. Or you put out a bond with the criteria in it, so you have the limits already set. We are setting the criteria as risk managers because we believe that, with that, the investments can be made and can gain value.
[00:08:06] Dominic Bowen: Now, I understand insurance and investment companies are very clear – they’ve got their risk tolerances, they’ve got their key risk indicators, they’re very numbers and data-driven. But what about other companies – industrial companies, manufacturing companies, retail companies? How do they properly define what risk appetite statements they should have, and what they should actually be saying in these statements?
[00:08:24] Simon Grima: It depends, again, on the objective. You’ve still got the memorandum and articles, but then obviously you have to go down to the granular details. Now, to get to the granular details – in my experience, having worked with financial firms – you can then deliver the same things to non-financial firms, and maybe they can get regulated. Now the criteria are set with ESG criteria. If consumers are conscious about being more green, or following the SDGs, or being more transparent, they will request it from the companies.
[00:08:53] Simon Grima: The companies might be listed, so even there, you’ve got investors who will invest in a company because they are more green. However, there are family companies, and then you have to see what the family’s objectives are. But if you’re selling, then the consumer will be directing the risk management criteria. So, in cases where you’ve got regulated or listed companies, you’ve got the investors plus the customers. In other areas which don’t have regulation – they might be family-run, they might be small businesses – it would be the family themselves.
[00:09:21] Dominic Bowen: And you talked about a variety of different stakeholders – from family offices to regulators and shareholders. There are other stakeholders involved, too. If we look across different levels, you often talk about the difference between strategic and operational planning. Why does this matter? And why do we need to be classifying risks across those different levels? What’s the importance of that?
[00:09:44] Simon Grima: You classify them so that you understand them better. We now have audiences from Asia, from Africa, from all parts of Europe, and the US. So, I’m getting different characters, different ways of thinking, different religions. Some people like to put things in frameworks. Some people like to listen to somebody talk. On the other hand, some people are logical – they want to see everything in a sequence. The students are my customers, so I need to understand and see what triggers them to listen.
[00:10:10] Dominic Bowen: I think the Three Lines of Defence is a useful framework when it comes to risk management. But can you make that interesting for us – help us understand where the Three Lines of Defence model actually adds value, as opposed to just becoming bureaucracy? Where should we be getting excited when it comes to this model? What do we need to know about it?
[00:10:28] Simon Grima: I am not excited at all by the lines of defence, and I can tell you why. In regulations, for example, the internal auditor should be independent from the risk manager and compliance – but the communication should be there, because we’re talking about ensuring value: value not in terms of money, but in terms of reaching objectives without hiccups. So, we’re working together. There’s business continuity – everybody helps each other. I need to know if something is missed by the front line so I can help from the back line.
[00:10:53] Simon Grima: If I see something that is legal, I read it, I understand it, and then I pass it on. But if you’re blocking, you’re losing transparent communication; you’re losing a lot of things, in my opinion. So, I don’t believe that framework is understood correctly. Sometimes it’s understood as a way to avoid carrying out your duties, or to blame.
[00:11:10] Simon Grima: There are others who say, “We believe in four lines of defence – five lines of defence.” That is a criterion that comes out of COSO, so it comes out of enterprise risk management, which I am totally against. Then there is the Open Compliance & Ethics Group – they emphasise integration of the systems and integrated risk management.
[00:11:27] Dominic Bowen: Thanks for explaining that, Simon. I also mentioned to our listeners that if you prefer to watch your podcasts, you can find The International Risk Podcast on YouTube. So please go to YouTube and search for The International Risk Podcast – and please remember to subscribe and like our content. That’s really critical for our success.
[00:11:44] Dominic Bowen: And we know, Simon, that risk should inform strategy – and the best strategies are informed by all the potential opportunities, both the good ones and the ones that could have a negative impact on the company. We know that successful and effective risk management is such a critical part of executing strategy in accordance with the plan. I wonder if you can talk us through – if you’ve got a case study or a recent example – where you’ve seen a company successfully use their risk awareness and risk management programme to inform their strategy and achieve success.
[00:12:20] Simon Grima: When I go to a new company, the first thing I do is sit down in the canteen and listen to people – listening to what they do, when they do it – observing. Apart from getting to know the company, I do my research on who the stakeholders are and where they sell their product. If they’re selling a product, who are the customers? So, you’re sitting down, listening, and you see if the objective, the aim, the values of the company are really transmitted equally among everybody. The strategy is always based on what the objectives are, what the mandatory requirements – regulations – and what the voluntary requirements are to get to that objective.
[00:12:55] Simon Grima: You might be part of a stock exchange, so you need the rules of the stock exchange. You might be listed – for example. In banks, at one point, customers required that we wear a tie, we wear a suit, and we make sure we don’t have tattoos, and we don’t have earrings. Today, that’s changed. I find it strange, because I’ve been in financial firms for a number of years where you had to keep your decorum, you had to be smart, especially if you’re facing the client, but even in back offices. I have nothing against tattoos and earrings in a bank. For me, it looks strange, but it is a changing culture which we have to adapt to.
[00:13:27] Dominic Bowen: Culture is critically important. I don’t think I’ve done any big reviews with companies across Europe in the last few years where culture hasn’t been one of the recommendations I’ve made. And I think risk-aware culture is something we often understand, and it’s occasionally talked about, but it’s rarely something that organisations deliberately try to build, to actually foster a risk-aware culture. I don’t mean being afraid of risk. I mean being confident to identify risk, to effectively measure the likelihood and impact of that risk, and then to navigate into it in pursuit of opportunities. But when you’re working with companies, Simon, what are the visible behaviours that you see or hear that tell you a company really is genuinely risk-aware?
[00:14:13] Simon Grima: Let me phrase it the other way: what are the things that I see that they’re doing wrong? For example, what they do is pick the categories that the regulator might have told them. So, you have to look at settlement risk, market risk, credit risk, and reputational risk, and you have to give the criteria according to category, which you mentioned before. When you categorise, you need to say, “No, that risk doesn’t apply to us.” Why should I look at credit risk if my company doesn’t have any credit?
[00:14:39] Simon Grima: The problem is: we identify risks that are not risks to us because most companies are just ticking the box; the real risks they face are not always identified. If you know it’s going to rain, it’s not a risk – because you can do something about it. The risks they don’t understand or cannot take because they don’t have enough capital aside, which is a passport to taking risks, they transfer away. How? By reinsurance, securitising, or derivatives. In fact, although they say, “we take risks”, they are not really taking risks. They are taking a premium for the things that they understand. So, if you understand it, it’s not a risk because you can take action to cover it.
[00:15:15] Dominic Bowen: And we’re working in an environment that is just so unpredictable right now – this permanently volatile environment. And at the same time, we’re telling organisations that they need strong risk identification and robust risk classification systems in place. And at the same time, we’re also saying – as risk professionals, advisers, as people working with executive teams and boards – that forecasting the future isn’t really possible anymore. All you can do is have a reasonable set of scenarios that you’ve compared your business model and decisions against.
[00:15:48] Dominic Bowen: So, what do you find are the most reliable methods – the most reliable techniques – to find the unknown knowns and the second-order effects of what’s happening in the environment? Do you have methodologies or processes that you recommend to organisations – and maybe even your students – to follow?
[00:16:04] Simon Grima: I mean, it’s observation. No company is the same. There are models – and what happens when models start working? Our brains stop working.
[00:16:12] Simon Grima: You wear a seatbelt because they tell you to wear a seatbelt in a car, because you’ll be safe. You learn how to drive. So, then you think, “I know how to drive, I’m wearing a seatbelt – I’m safe forever.” However, we’re assuming a lot. Models assume a lot.
[00:16:23] Simon Grima: We’re assuming that other people know how to drive, the roads are fantastic, there’s no ice on the streets. So, models have certain variables in the model itself, but they assume other variables are constant. You need the models. It’s like using a broken speedometer: you need something to indicate where you stand, but it doesn’t assume that we know the assumptions behind the model.
[00:16:44] Simon Grima: So, what I suggest is: when you’re thinking about risks, you need to know the models and frameworks, but you also need to know the assumptions those frameworks have, and then choose them within the environment you’re in. You need to know the environment, plus the models – and then you need to be able to think.
[00:17:00] Dominic Bowen: One thing that I actually nerd out on – that I really enjoy, Simon – is building really effective key risk indicators. They’re the things that allow me to rest at night – to be able to sleep – to trust teams and the projects that I’ve got running, knowing the risks are being monitored and we get early indications. But one thing I see when auditing governance systems and frameworks that clients are using is that many key risk indicators – or KRIs – are either backwards-looking or simply too late to be informative and useful to manage. So, I wonder: what do you see as useful key risk indicators, and how do you make sure these are feeding into mechanisms that enable good behaviour and good decisions?
[00:17:44] Simon Grima: First of all, you need to observe, and you need to know the objectives, so that you can set these KPIs. If you set the KPI wrongly, you have the risk of losing opportunities and also creating more risk, because you’re losing value. However, KPIs are important because you need to have an indicator. You need to ensure that the people who are working while you are asleep are working within the brackets that you understand – that all the stakeholders understand – but they need to allow some flexibility later on, so that when there are innovations, we can change them – and quickly – because the world is moving fast. Regulations and policies are very slow to change because people don’t like changing.
[00:18:24] Simon Grima: So, we need criteria for how we change them and who changes them. Sometimes, KPIs are set in stone, and they are never changed. That leads to a lack of innovation, and you will lose value.
[00:18:36] Dominic Bowen: And I think there are other tools as well as key risk indicators. There are risk registers, matrices, risk profiling, and risk mapping. But for anyone listening who doesn’t already have a robust risk management system in place at their company, where should they start today, Simon? What should they be looking at? How do they get the ball rolling to strengthen risk management within their organisation?
[00:18:55] Simon Grima: The risk register is a good thing to take. The good thing about a risk register is that you’re leaving a record – that means good business continuity. If somebody replaces you, they know exactly what happened before and how we were aiming to tackle it. If he or she wants to change things, they’ve got a track record of how to do it. However, KPIs are sometimes backwards-looking, because we tend to extrapolate the past and assume things will be the same in the future.
[00:19:17] Simon Grima: But there are changes all the time. So, it’s an input–output dynamic. It’s not just linear – we are changing all the time; it’s dynamic. Regulations and risk registers need to be alive. Regulations are important, even KPIs, because until we are all angels, we will always have to regulate. So yes, the risk register is good because it reminds you what you are doing and how you are doing it.
[00:19:38] Dominic Bowen: And Simon, one question we ask all guests on The International Risk Podcast is: when you look around the world, out of all the issues that are going on today, what are the international risks that concern you the most?
[00:19:50] Simon Grima: At the moment, it is two things. Firstly, over-regulation in Europe, vis-à-vis other countries. When you are in Europe, you are regulated strongly, but then we purchase things from China and Asia and other countries – countries which might have less strict regulations on certain aspects – the regulations are limiting the functions we need to create value. Sometimes they are too onerous and too late.
[00:20:14] Simon Grima: Secondly, we just don’t know what is happening in politics. Everybody’s coming out with changing tariffs from today to tomorrow. Cryptocurrencies are coming out. Some people like cryptocurrencies; others say, “No, this is the devil’s work.” So geopolitical risk and over-regulation are the biggest issues.
[00:20:32] Dominic Bowen: Of course, yeah – I think they’re very big concerns. I really do love that throwaway line, but I think it has a lot of weight: the US innovates, the European Union legislates and regulates, and China replicates. I think that’s quite apt. But it does represent quite a few of the risks that we have globally.
[00:20:50] Simon Grima: But I don’t really think that China replicates. I think China is innovating. I don’t put everybody on the same lines. You have to be prepared for what can come and try to innovate. And as a risk manager, you try to forecast what can happen.
[00:21:04] Dominic Bowen: Exactly. Thanks for clarifying that, Simon – and thank you very much for coming on The International Risk Podcast today.
[00:21:10] Simon Grima: Thank you. Thank you for the invite.
[00:21:12] Dominic Bowen: Well, that was a great conversation with Professor Simon Grima. He’s the Dean of Economics, Management and Accountancy, and the Head of Department for Insurance and Risk Management at the University of Malta. And we really have to remember that the geopolitical environment is volatile, and organisations that are better prepared are going to be able to handle themselves much better when crises occur. And a shout-out to our sponsor and partner, Conducttr: when you run your own crisis exercises, and when you’ve practised responding quickly – even when geopolitical shocks hit your organisation – you’re going to be able to respond faster. So, do have a look at the Conducttr platform. You can try it for yourself at www.conducttr.com/demos.
[00:21:53] Dominic Bowen: I’m Dominic Bowen, host of The International Risk Podcast. Thanks very much for listening – we’ll speak again in the next couple of days.
[00:21:59] Elisa Garbil: Thank you for listening to this episode of The International Risk Podcast. For more episodes and articles, visit theinternationalriskpodcast.com. Follow us on LinkedIn, Bluesky, and Instagram for the latest updates, and to ask your questions to our host, Dominic Bowen. See you next time.
[00:22:19] Dominic Bowen: This episode was sponsored by Conducttr – the crisis exercise platform that turns crisis plans into lived experiences, with tailored scenarios, decision logs, and realistic social media and news feeds. Conducttr helps organisations learn from their mistakes in a simulation, not during the real crisis. Have a look at the Conducttr website to learn more about their services and products.