Risk means different things to Different People. That’s the whole problem.

I spent a chunk of last weekend scrolling through risk management job vacancies, out of nothing more than professional nosiness (and a need to avoid 24/7 football). It’s not as if the confusion over what “risk” actually means was news to me — I’ve spent the best part of two decades watching it play out in meeting rooms and tender documents. But twenty minutes of job ads did something my usual grumbling about it never quite managed: it made the whole thing embarrassingly stark.

One ad wanted a “Risk Manager” for a large infrastructure programme — read the spec and it was pure project risk: schedule slippage, cost overrun, contractor performance. Another wanted a “Head of Risk” and turned out to be finance risk through and through — credit exposure, treasury, regulatory capital. A third wanted someone to “own operational and business continuity risk” and asked, as an essential requirement, for ACA or ACCA qualification.

How finance ended up owning the word

That last one is the one that stopped me scrolling. Why would you need to be a chartered accountant to audit a business continuity plan? I have genuinely never worked out the answer, beyond the fact that in most large organisations, risk became institutionalised through finance. Enterprise risk frameworks, risk committees, internal audit — all built on the back of financial control and reporting, all staffed and led by people whose training is in numbers, ledgers, and regulatory capital. So when “risk” needs a home in an org chart, it defaults to Finance, and Finance defaults to hiring people who look like Finance.

That’s fine when the risk in question actually is financial. It’s a serious problem when it isn’t. Business continuity, crisis management, operational resilience — these are disciplines with their own body of knowledge, their own standards (ISO 22301 didn’t write itself), their own failure modes, and honestly very little overlap with financial audit beyond the word “risk” appearing in both job titles. A brilliant ACCA-qualified accountant can tell you a huge amount about going-concern risk and won’t necessarily have the faintest idea whether your incident response plan would survive contact with a real incident, because nobody ever trained them to know.

The Big 4 Reflex

Then there’s the Big 4 default, which is really the institutional version of the same mistake. Ask most boards who they’d bring in to review resilience or continuity arrangements and the instinctive answer is one of the large accountancy-led consultancies, because that’s a recognisable, board-reassuring name, and because those firms’ risk practices are — again — built out of the audit function. It’s not that they’re incapable; some do this work well. It’s that the credential a board recognises (chartered accountant, Big 4 badge) and the credential that’s actually relevant (BC and crisis management specific training, ISO lead auditor status, hands-on incident experience) are two completely different things, and almost nobody outside the profession knows to ask for the second one.

None of this is really anyone’s fault. It’s what happens when one word — risk — has to do service for half a dozen genuinely separate professions: financial risk, project risk, operational and enterprise risk, information security risk, health and safety risk, and business continuity and crisis risk. Ask a project manager, an internal auditor, a CISO and a crisis manager to each define “risk” and you’ll get four coherent, defensible, almost non-overlapping answers.

Start with the bad day, not the job title

So if you’re the person actually trying to buy this kind of support — not write a thought piece about it, actually procure it — the question worth asking before you write the job spec or the tender document isn’t “do we need risk expertise.” It’s “what are we actually afraid will happen.” If the honest answer is “we’ll lose money on a project,” you want project risk expertise, and PMI or APM-trained people are your market. If it’s “we’ll fail a regulatory or credit test,” you want financial risk. If it’s “something will happen that stops us operating, and we won’t cope,” you want business continuity and crisis management specialists — and the qualification to look for is against ISO 22301, not ACA or ACCA. Different fear, different discipline, different letters after the name.

It sounds obvious written down. It clearly isn’t, or half the risk job market wouldn’t be advertising for the wrong thing. But it’s a useful test to run before any procurement decision: describe the actual bad day you’re trying to prevent, in plain English, before you decide who’s qualified to prevent it. The credential should follow the fear, not the org chart.

Share the Post:
what about alt text for the picture?13:22Claude responded: Helen Molyneux, founder of Cambridge Risk Solutions, ISO 22301 and ISO 27001 Lead AuditorHelen Molyneux, founder of Cambridge Risk Solutions, ISO 22301 and ISO 27001 Lead Auditor

Helen Molyneux is the founder and director of Cambridge Risk Solutions. A certified Lead Auditor for ISO 22301 and ISO 27001, she has spent nearly two decades helping organisations across the public and private sectors build genuine resilience — not just documented compliance. She writes from practice, not theory.

Work with us →