Managing Risk Like Sourdough: Alive, Adaptive, Resilient

30 June 2025

My first crack at baking sourdough a decade ago was a disaster – it was dense and gummy with a poor crumb structure. It took a while to realise that success wasn’t about blindly following a recipe. It was about watching, feeling, adjusting. Be patient with your starter – feed it regularly and maintain it well until it develops the necessary strength. Mix and hydrate the dough slowly to help it absorb the water. Bulk ferment with periodic folding to build strength, then shape, proof, and bake at the right temperature. It’s a natural product without additives or stabilisers, so it won’t behave the same every time. That’s why the artisan skill of understanding your dough and responding to the conditions matters more than just following a set recipe.

Risk Management is no different. In a world shaped by AI, cyber risks and complex third-party ecosystems, following the same old script isn’t going to cut it. You need structure, yes – but also flexibility, awareness, and the ability to adapt in real-time.

Why the Three Lines of Defence Still Matter – But Need Evolving

The Three Lines of Defence (3LOD) model has been the standard for years:

  • First line: The business owns the risk.
  • Second line: Risk and compliance provide oversight.
  • Third line: Audit delivers independent assurance.

It’s like a solid sourdough recipe – it gives you the basics. But on its own, it’s not enough. In today’s environment, risk needs to be treated less like an obligation and more like a living system.

1. Knead Risk into Daily Operations

A good sourdough begins with a strong starter. You can’t just throw the ingredients together and expect great bread – each element needs to be gradually brought together, worked with, and understood. The same goes for Risk Management – it has to be developed and integrated, shaped over time, and adjusted as conditions change.

When risk is integrated from the ground up, it’s not a blocker – it becomes a strategic enabler. It improves decisions, builds confidence, and supports sustainable growth. Embedding risk early helps organisations stay ahead of potential issues instead of cleaning up after them.

Risk needs to be owned by the business, not handed off to a function. When it’s embedded, it supports innovation, builds trust, and improves execution.

  • Create a culture where teams are empowered and expected to raise risks early – not wait for sign-off or escalation.
  • Provide data-enabled tools that help teams detect and manage risks in real-time. Dashboards should surface key indicators – not bury them.
  • Build cross-functional teams that bring together Customer, Product, Tech, Risk, and Operations to manage risk across the value chain.
  • Define risk ownership clearly within delivery teams – not just second-line functions.
  • Translate enterprise risk themes into practical, operational language so teams can relate to and act on them.

2. Monitor Risk Like You Monitor Fermentation

You don’t leave dough and hope for the best. You monitor what’s going on. Stretch, fold, and adjust the bulk fermentation time as you see how the dough responds. That’s how you build strength.

In today’s world, risks emerge and evolve in real-time – especially with generative and agentic AI, which introduce new types of risk: model drift, hallucinations, lack of explainability.

But AI can also be used to strengthen risk practices – spot previously undetected anomalies, simulate future scenarios, identify control breakdowns.

  • Invest in continuous risk monitoring and exception detection. For example, apply machine learning to surface unusual transaction patterns, control failures, or operational disruptions as they happen.
  • Use AI to generate draft control responses based on live data. This could include tailoring controls in response to shifting threats or new obligations – moving beyond templates to contextual responses.
  • Replace static risk registers with live dashboards or heatmaps. These should auto-update and visualise risk movement, making risks visible across teams, not buried in spreadsheets.
  • Run scenario-based simulations to stress-test controls against potential shocks – cyber events, geopolitical risks, compliance changes, or supplier failures.
  • Use natural language processing (NLP) to monitor regulatory updates and highlight required changes to controls, policies, or business processes.

3. Culture Is Your Starter – Feed It or Lose It

A good sourdough starter is alive. So is your culture. You can have the best tools, but if your culture is stale or fearful, risk will go underground.

High-performing teams escalate emerging issues without being told – because they are trusted, trained, and supported.

Culture isn’t soft – it’s operational resilience.

  • Build a culture of psychological safety around raising risks. Make it safe and expected for teams to speak up when they see something concerning – without fear of rocking the boat or bureaucracy.
  • Train every level of the organisation – from front-line staff to senior leadership – to identify ethical dilemmas, reputational red flags, and tech-related risks like data misuse or AI bias. Use case studies, simulations, and real incidents to make it stick.
  • Reward early intervention, not just outcomes. Celebrate those who raise issues before they become problems, and recognise teams that prioritise doing the right thing over short-term gains.
  • Bake risk conversations into regular team rituals – town halls, retrospectives, or planning sessions – so they become part of the everyday rhythm.
  • Support leaders in role-modelling curiosity, humility, and accountability when risk issues are raised. Culture is caught, not taught.

A Living Recipe for Resilience

The Three Lines of Defence still provides a useful foundation. But real risk resilience comes from embedding it into how we build, monitor, and adapt – like a great sourdough.

Ask yourself:

  • Are we ticking boxes – or paying attention to what’s actually happening?
  • Is risk something people fear – or something that helps us move faster with confidence?

We’d love to hear how you’re evolving risk in your organisation. Let’s compare notes – and share your starters’ names.

#3LOD #RiskManagement #GRC #Governance #Compliance #RiskCulture #Timunar

By Thomas Sonderegger

Managing Director
