Risk-!n Zurich Day Two Explored the Future of Decision-Making Under Uncertainty

Key Takeaways
  • Risk Management Creates Value When It Changes Decisions: Across sessions on ERM, crisis management, cyber resilience, insurance and governance, speakers repeatedly emphasized that the ultimate purpose of risk management is not reporting or compliance, but improving the quality and speed of organizational decision-making.
  • The Profession Is Moving Beyond Risk Identification Toward Strategic Influence: Presentations challenged risk professionals to move beyond documenting uncertainty and become more active participants in shaping strategy, challenging assumptions and helping leadership navigate complex trade-offs.
  • Resilience Depends on Integration, Not Silos: Discussions on crisis management, business continuity, quantitative ERM and DORA highlighted the importance of connecting risk, resilience, controls, cybersecurity and governance functions into a coherent decision-support capability.
  • Cybersecurity Has Become a Leadership and Resilience Challenge: Speakers stressed that cybersecurity can no longer be treated as a technical discipline alone. Effective cyber resilience requires board accountability, threat-led testing, strategic planning and continuous adaptation to evolving threats.
  • Human Judgment Remains the Profession's Competitive Advantage: As AI increasingly automates monitoring, analysis and reporting, the uniquely human contribution of risk professionals is shifting toward judgment, context, ethical reasoning, constructive challenge and the ability to frame the questions that matter most.
Deep Dive

The second day of Risk-!n Zurich had a different character from the first. Day one was largely about visibility and how organizations can see risk clearly enough in environments shaped by artificial intelligence, cyber acceleration, operational complexity, climate exposure and emerging technologies. Day two moved the discussion one step further. If organizations can see more, faster and with greater precision, what exactly are they supposed to do with that visibility?

That question ran through the day's presentations with unusual force. The speakers approached it from sharply different angles. It was an eclectic program, yet it became a sustained argument about decision quality.

Risk management is often described as a discipline of identification, assessment, mitigation and reporting. Those words are familiar because they appear in policies, frameworks, standards and committee materials across the world. Yet they do not capture the full burden now being placed on the profession. Risk teams are increasingly expected not merely to describe uncertainty, but to help organizations make better choices under pressure, before the facts are complete and while the consequences are still unfolding. That is a harder job than maintaining a register. It is also a more valuable one.

Insurance as a Strategic Design Question

Karin Rechsteiner's presentation on directors and officers insurance began with a deceptively simple question: what were you doing on Sunday, January 28, 2024? The date mattered because it anchored the discussion in Project Jupiter, Holcim's separation of its North American business, later known as Amrize. The transaction forced a practical question: where should listing-related liabilities sit, and how should insurance coverage be structured when a company moves into a different liability environment?

The scale of the North American exposure made the issue anything but theoretical. North America, excluding Mexico, represented only two of Holcim's 45 countries, but it accounted for a significant portion of the group's overall risk exposure. In 2024, the United States and Canada represented 38.4% of annual net sales, approximately 1,100 operational sites, 16,000 full-time employees, a broader product line and B2B distribution structure, and a major share of annual captive premium.

The listing environment added another layer. Moving into a New York Stock Exchange context meant increased regulatory scrutiny, particularly from U.S. authorities, as well as heightened litigation risk, social inflation, shareholder activism and securities claims exposure. The presentation made clear that the issue was not simply whether insurance existed, but whether the structure of the transaction and the structure of coverage were aligned.

That distinction is central to mature risk management. A less sophisticated view of insurance treats coverage as something purchased after strategic decisions have already been made. Rechsteiner's presentation showed the opposite. Insurance structure, legal exposure, deal design and board accountability had to be considered together. The lesson was that risk management must influence transaction structure, not simply respond to it.

The eventual proposal separated the exposures into different homes. Holcim's existing D&O policy would address wrongful acts committed before the transaction date. Post-spin coverage would include annually renewed D&O coverage for Holcim, a run-off arrangement for North American entities and an operational D&O policy for Amrize. A separate public offering of securities insurance policy would ringfence securities claims arising from the listing for up to 10 years.

The language of the session was insurance. The underlying subject was decision architecture.

A spin-off is not only a financial event. It is a redistribution of accountability. Liabilities move, or fail to move. Boards inherit exposures, or leave them behind. Coverage gaps appear at the moment of separation if the structure has not been thought through carefully enough. Rechsteiner's lessons learned captured the larger point: structure dictates liability, ringfencing matters, underwriter trust is essential and continuity of coverage is one of the most important risks in a separation.

That was an unusually concrete way to begin a day that would keep returning to the same idea. Risk management creates value when it shapes decisions before they harden.

From Risk Reporting to Decision Advantage

Michael Rasmussen and Stefan Gershater took that argument from the transaction level to the enterprise level. Their session on value-based risk management challenged one of the profession's most persistent habits—confusing risk activity with decision impact. Risk teams can produce frameworks, policies, reports, committees and discussions. They can refine taxonomies, improve scoring models and circulate more polished dashboards. None of that necessarily matters if decisions remain unchanged.

The point was not that risk management infrastructure is useless. It was that infrastructure is only valuable to the extent that it improves choices. The presentation contrasted the rearview-mirror problem with a more decision-oriented view of risk. Organizations often spend enormous energy describing what has already happened or formalizing risks that have already become visible. The more useful role is to help the business make good decisions faster, with foresight, agility, cooperation, efficiency and simplicity.

Gershater's use of John Boyd's OODA loop was apt. Observe, orient, decide and act is not a compliance cycle. It is a decision cycle. It asks whether information is being collected from the right sources, filtered in ways that improve understanding, converted into actionable insight and tested through execution.

That framing matters because time changes the nature of risk control. A strategic risk playing out over several years requires a different decision process from an in-year performance issue, a transformation risk, a process failure or an incident. Risk management that treats all uncertainty as if it belongs in the same report inevitably becomes less useful to the business.

The session's most pointed line was that risk management should not be the handbrake. It should be the navigation system. The metaphor has force because it rejects the familiar caricature of risk as the department that slows the business down. Good risk management does not exist to prevent movement. It exists to help the organization move with a better understanding of the road ahead.

That idea carried into the discussion led by Hermann Suter and Stefan Hunziker on the golden rules of enterprise risk management. Their provocation was direct: decisions should determine risk management methods, not the other way around. The machinery of risk management can grow while its decision impact shrinks. More frameworks, more policies, more committees and more reports do not necessarily produce better outcomes. If no decision changes, there is no value.

They also pressed on the role of the chief risk officer. A CRO absent from strategy is absent from the risks most likely to matter. The presentation cited a familiar imbalance: risk management often focuses heavily on financial risks because they are measurable, even though strategic and operational risks are often far more consequential to corporate failure. The profession manages what is measurable, not always what is dangerous.

That observation echoed across the broader day. The goal of enterprise risk management is not to make the risk function more visible for its own sake. It is to make better decisions feel natural inside the business. The end state is not a larger risk bureaucracy. It is risk thinking embedded so deeply into management that it becomes second nature.

The uncomfortable question asked during the session captured the issue neatly: if enterprise risk management disappeared tomorrow, would anyone notice? For many organizations, that question should sting.

Quantifying Risk Without Losing the Business

Markus Buchner's presentation on quantitative enterprise risk management at Siemens Energy gave the discussion a practical operating model. Siemens Energy is a global energy technology company present in more than 90 countries, with approximately 103,000 employees and €39.1 billion in fiscal year 2025 revenue. Its technology is connected to roughly one-sixth of global electricity generation. In that context, enterprise risk management cannot remain a slow reporting exercise or a disconnected set of specialist activities.

Buchner described the evolution of Siemens Energy's risk management from subjective scoring, lengthy manual reporting and fragmented risk functions toward a more integrated assurance framework. The company's model brings together enterprise risk management, internal audit, internal control, cyber security, environmental health and safety, integrated risk reporting and other risk functions into a more connected structure.

The direction of travel was familiar from the rest of the conference: away from static reporting and toward data-driven decision support.

The Siemens Energy approach uses risk scoring models built around risk themes, risk factors, risk contributors and performance corridors. The objective is to create consistency and comparability across risks and over time while aligning risk assessment more closely with strategic business objectives. Themes such as cybersecurity, manufacturing capacity, market and price development, supply chain disruption, political instability, project execution, quality issues, adverse financial developments and EHS adverse events are evaluated through a more structured and forward-looking process.

The presentation did not pretend this is easy. Buchner highlighted familiar obstacles: fragmented risk functions, resistance to change, limited external benchmarks, data collection challenges, technology limitations, dynamic internal and external environments and capacity constraints.

Those challenges are important because they prevent quantitative risk management from becoming a slogan. The value of quantification lies not in mathematical elegance but in whether it helps decision-makers compare exposures, understand thresholds and act when performance moves outside acceptable corridors.

That theme connected directly to the broader Day 2 discussion. Quantification matters when it improves decisions. It fails when it becomes another technical ritual detached from management action.

When Risk Becomes Crisis

The session from Bruno Parnet of Audemars Piguet and Marybelle Barras of Barras Advisory explored another point at which risk management must prove its value: the moment uncertainty becomes disruption, and disruption becomes crisis. The presentation mapped the relationship between risk management, business continuity management and crisis management through ISO 31000, ISO 22301 and ISO 22361. Each discipline has a distinct role. Risk management anticipates and prioritizes uncertainty. Business continuity management sustains and recovers critical activities. Crisis management governs exceptional response when events threaten the organization and require strategic, adaptive and timely decisions.

That matters because organizations often blur these disciplines into a single plan. A local IT outage restored within 30 minutes is not the same thing as a fire at a major production site with operations stopped, media calling and top management mobilized. A supplier delay with alternative capacity already available is not the same thing as a cyberattack spreading through the organization with possible customer data compromise and regulatory notification obligations.

The value of the session lay in showing how these categories should connect without collapsing into one another. Risk appetite and impact thresholds define when ordinary incident management is sufficient, when business continuity plans should be activated and when crisis escalation is mandatory. Crisis management is not simply a more dramatic version of incident response. It is a governance mechanism for situations requiring executive decision-making under uncertainty, often with reputational, regulatory or strategic consequences.

The lifecycle view was particularly useful. Post-crisis reviews reveal weak assumptions and inadequate continuity measures. Business continuity tests expose unrealistic recovery times and missing dependencies. Risk reassessments incorporate lessons learned and actual disruption data. In a mature organization, the disciplines reinforce one another. That is another version of the Day 2 thesis. Risk management is valuable when it improves the quality and speed of decisions, especially when the organization is under stress.

Cybersecurity as a Business Strategy

The cybersecurity presentations developed the same argument from a different direction. Christophe Pelfresne of Banque de France focused on DORA and threat-led penetration testing. DORA has applied directly since January 17, 2025, establishing a unified digital operational resilience framework for financial entities across the European Union. The regulation brings together IT risk management, incident reporting, resilience testing and third-party risk management, with the governing body accountable for approving and validating measures taken under the regulation.

The discussion of threat-led penetration testing and TIBER-EU reinforced the importance of realistic, intelligence-driven testing. Traditional penetration tests remain useful for identifying technical and configuration vulnerabilities, but DORA TLPT and TIBER-style testing go further by using threat intelligence and the tactics, techniques and procedures of real malicious actors to test critical functions in production environments.

A conventional test may tell an organization whether a particular system has a vulnerability. A threat-led test asks whether a realistic attacker can compromise functions that matter to the stability of the organization and, in the financial sector, potentially to the system as a whole.

The presentation also grounded the discussion in operational reality. Common findings from TIBER tests include improper access rights on file-sharing platforms, weak password practices, patching gaps in third-party software with administrator rights, less protected development environments, inadequate rights management, weak initial password policies, and configuration weaknesses in Microsoft 365 integration or ADFS environments.

The point was not that organizations lack cyber activity. It was that cyber resilience requires testing that reflects the way attackers actually behave. Doron Tenne's cybersecurity strategy presentation made the complementary leadership argument. Cybersecurity cannot be treated as a narrow IT problem. It is a business strategy issue, tied to survival, continuity, trust, resilience and the organization's ability to operate.

Tenne emphasized that compliance with standards is not enough to ensure tailored protection. Organizations must understand their threat models, identify critical business data, map access rights, orchestrate security practices across the business and develop 24/7 monitoring, detection and response capabilities. Cybersecurity strategy should be led as an organizational strategy, not delegated reflexively to the CISO as a technical matter.

His discussion of red team exercises echoed the DORA and TIBER themes. Red teaming is not simply another form of penetration testing. Properly designed, it simulates real-life, real-time hostile scenarios across the whole organization, based on threat intelligence and aligned to business priorities. It tests not only technology but response, communication, management, third parties and operational resilience.

The cyber sessions reinforced a central Day 2 lesson. Exercises, audits and tests only create value when they are connected to strategy and decision-making. Otherwise, they risk becoming evidence of activity rather than proof of preparedness.

The Human Edge in the Future of Risk

The presentation from Adrian Clements and Sebastian Crosina, BeyondRM, added a broader professional reflection to the day. Its premise was that traditional risk management and governance are not evolving fast enough for a rapidly changing world, while the profession remains too often attached to rigid legacy tools and narrow definitions of its own role.

The discussion positioned risk management as a profession caught between compliance habits and strategic possibility. The presenters argued that risk managers must move beyond narrow role definitions and create more open, challenging and decision-focused conversations. The issue is not only methodology. It is identity.

Several findings from the BeyondRM survey were especially relevant to the wider conference discussion. Respondents largely viewed risk's role as framing issues while leadership makes decisions. They identified framing the right questions, ethical judgment, courage to challenge, timing and proportionality as distinctly human contributions in an AI-augmented function. Yet the survey also suggested that escalation often depends on political readiness rather than formal triggers, and that psychological safety frequently rests on personal credibility rather than institutional design.

Those findings land heavily because they expose a contradiction within the profession. Risk professionals increasingly claim a role in strategic decision-making, but many still lack the authority, protection or cultural permission to challenge leadership early enough for it to matter. The gap between what risk managers know and what they say may be one of the most consequential issues in the field.

That point brought the Day 2 conversation back to the human role. Artificial intelligence may take over more monitoring, analysis, scoring and reporting. Quantitative models may improve comparability. Cyber exercises may become more realistic. Crisis frameworks may become more structured. Insurance programs may become more carefully designed.

But none of these developments removes the need for human courage. Risk management still depends on someone asking whether the strategy itself contains dangerous assumptions. It depends on someone challenging a decision before momentum makes it irreversible. It depends on someone distinguishing constructive challenge from negativity. It depends on leaders who are willing to hear uncomfortable truths before events make them obvious. That is not a tooling problem. It is a governance problem.

A More Demanding Profession

By the end of the second day, Risk-!n Zurich had moved from visibility to judgment. The first day asked how organizations can see risk more clearly in a faster and more complex world. The second day asked whether they are prepared to make better decisions with what they see.

That question cut across every major session. D&O insurance in a corporate spin-off became a lesson in designing accountability before liabilities crystallize. Value-based risk management challenged the profession to prove its contribution through decision impact rather than activity. Siemens Energy demonstrated how quantitative ERM can support a more integrated and forward-looking view of exposure. The crisis management session showed that escalation must be structured before events become existential. DORA, TIBER and cybersecurity strategy sessions emphasized testing and resilience as board-level business issues. BeyondRM forced the profession to confront its own readiness for a more strategic, AI-augmented future.

The common thread was not technology; it was responsibility. Risk management is being asked to move closer to the decisions that determine whether organizations merely withstand uncertainty or use it intelligently. That requires better data, but it also requires better judgment. It requires models, but also courage. It requires structure, but also adaptability. It requires professional independence, but not professional isolation.

The strongest message from Day 2 was that risk management creates value only when it changes what the organization does. The measure is not the report it writes, the committee it convenes or the framework it maintains, but the decision it improves. That is a higher standard for the profession. It is also a better one.
