True, Fair... and Future-Proof: Risk Accounting for a New Era

There’s a quiet reckoning happening in accounting. For generations, the profession has stood by the notion that our reports must present a “true and fair view” of an entity’s financial position. But as we confront climate risk, systemic fragility, and operational volatility, one wonders — is “true and fair” still enough? Or should we be aspiring to something more: a “true, fair and sustainable” view?

This isn’t simply an ethical debate. It’s a technical one too. Sustainability implies the ability to survive — and thrive — over time. And that requires us to engage with risks that haven’t yet struck but loom in plain sight. If a firm is sitting on a mountain of residual non-financial risk — cyber vulnerabilities, conduct exposure, climate liabilities — should its pristine balance sheet lull us into complacency?

Let’s reflect on Silicon Valley Bank. At year-end 2022, its audited financials showed pre-tax profits exceeding $2 billion. Then, within months, it collapsed in spectacular fashion. The failure wasn’t due to some unknown black swan. The bank had concentrated risk, an unbalanced funding profile, and poor hedging — all observable. But not, apparently, ‘accountable’.

And that’s where we hit a deeper problem. Accounting today is based on information provided to the auditor — not all information available. Auditors are not expected to scan the horizon; their duty is narrowly scoped to verifying what’s been placed in front of them. But in the age of real-time data, digital signals, and risk modeling, should that still be the case?

Imagine if auditors had a mandate like Know-Your-Customer in banking — an obligation not to remain willfully blind. When non-financial risk accumulates, and external data shows rising exposure, shouldn’t that prompt scrutiny? After all, we know from Basel’s BCBS 239 principles that aggregating risk data is a supervisory expectation. Shouldn’t it be a professional one too?

This brings us to a concept that might reshape our financial lens: Risk Accounting. At its core is the Risk Unit (RU) — a standardized metric quantifying residual non-financial risk. Think of it as a unit of post-control exposure. By capturing risks such as cyber threats, compliance gaps, or climate vulnerabilities in a quantifiable form, RUs let us translate the abstract into the actionable.

So how does this play out in double-entry terms? Let’s say a firm calculates its residual exposure to conduct risk at £5 million, using a defensible methodology. That amount — an expected future loss — is posted as a provision in the P&L.

Dr Risk Expense
Cr Risk Accrual (Balance Sheet)

Straightforward so far. But here’s where it gets innovative.

That risk accrual can now be tokenized. Tokenization refers to the process of converting a quantified risk exposure into a tradable digital asset — a Tokenized Risk Unit (TRU) — which can then be issued and sold on a regulated exchange. TRUs allow firms to transfer the financial burden of future risks to market participants willing to underwrite them. [More on this can be found in the RASB whitepaper.]

Now observe the double-entry:

Dr Cash
Cr Risk Accrual (Derecognition)

The balance sheet improves, not by hiding the risk, but by externalizing and funding it transparently. This isn’t securitization of fantasy assets; it’s risk transfer rooted in disclosure, standardization, and marketplace pricing. And because TRUs are based on quantified RUs, the pricing reflects actual risk levels — auditable, comparable, and reportable.

Far from conflicting with IFRS, this model enhances its logic:

  • IFRS 8 encourages segment-level risk disclosures. RUs make that real, aligning residual risk to each operating unit.

  • IFRS 9 is built on expected credit losses. RUs apply that forward-looking principle to non-financial domains.

  • IAS 37 allows provisions where loss is probable and measurable. With RUs, both conditions are met.

This isn’t futuristic theory. The Risk Accounting Standards Board (RASB) has published frameworks showing exactly how these accounting treatments can align with international standards. Disclosures include staging models, assumptions, and sensitivity analysis — just as we do for credit loss provisions today.

What’s more, these practices speak to broader changes in regulation. As ESG mandates tighten — through mechanisms like CSRD in Europe — firms will be held accountable not just for emissions, but for risk readiness. That includes recognizing the cost of failing to address foreseeable risks. If your data privacy practices expose you to a probable fine, or your supply chain is geopolitically fragile, the market deserves to know. Risk Accounting gives you the language — and ledger — to say it.

So what does it mean for ethics? Quite a lot. Ethics in accounting has long centered on independence and integrity — values that remain non-negotiable. But today, ethical reporting also means refusing to ignore what is knowable. A sustainable accounting framework would not only record past performance but also signal looming threats. It would push boards to act before risks crystallize — and empower markets to price those risks intelligently.

Yes, there are complexities. Risk accruals must eventually crystallize or reverse. Tokenization demands governance, liquidity, and investor protections. But the broader arc is clear: when we quantify risk, we can manage it. When we manage it, we can report it. And when we report it, we invite solutions — whether internal mitigation or external transfer.

That is what a “true, fair and sustainable” view could look like.

Not just a snapshot of what was, but a dashboard for what lies ahead. Not just compliance, but foresight. Not just statements, but stewardship.

Maybe it’s time we let the ledger speak not only to profit and loss, but to possibility and preparedness.

Because the future won’t wait until year-end to reveal its risks — and neither should we.

“A sustainable financial view doesn’t distort reality — it reflects it.”

Steve Bailey FCCA, Chairman, Risk Accounting Standards Board

Risk Matters Blog – The Anatomy of a Ransomware Attack

Risk Coalition Virtual Roundtable – 12 September 2025

Authors: Chris Burt (Halex Consulting/Risk Coalition); Vish Nayi (CyberQ Group); Carrie Stephenson (Brave LLP)

Ransomware has become one of the most pressing threats to organisational resilience, disrupting critical services, damaging reputations, and testing board decision-making under pressure. At our September Risk Matters roundtable, the Risk Coalition convened non-executive directors, audit and risk committee members, and governance professionals to explore the “anatomy” of a ransomware attack: what happens before, during, and after, and how boards can prepare to respond.

The discussion was led by two subject-matter experts: Vish Nayi, Chief Solutions Architect at CyberQ Group, who brings extensive incident response experience, and Carrie Stephenson, co-founder of Brave LLP, who contributed perspectives on legal, compliance, and governance.

The Current Threat Landscape

Participants were reminded that ransomware is no longer a fringe issue. UK businesses face a cyberattack on average every 44 seconds, with ransomware affecting an estimated 19,000 businesses annually – roughly 52 each day. Phishing remains the dominant entry point, often serving as the precursor to more serious ransomware incidents.

As Vish noted, ransomware groups operate like multinational enterprises. They employ developers, negotiators, and managers; they track performance against KPIs; and they even offer “ransomware-as-a-service” to affiliates. In parallel, geopolitical factors – including state-sponsored activity – continue to fuel the scale and sophistication of attacks.

AI technology is creating new challenges. As Carrie explained, "Criminals are using AI to craft more convincing phishing and automate vulnerability scanning, while businesses rely on it for threat detection – creating a double-edged sword."

The financial impact is stark: the UK economy loses an estimated £27 billion annually to cybercrime. Yet for criminals, ransomware is a multi-billion-pound industry.

Before the Attack: Building Preparedness

The first theme of discussion was preparedness. Boards were urged to ask themselves whether they have:

  • A clear understanding of their organisation’s “crown jewels” – the data and systems critical to survival.

  • A defined risk appetite for cyber threats, recognising that “zero risk” is not realistic.

  • An incident response plan that is not only written but rehearsed. Too often, boards sign off policies they have never read or tested.

Vish highlighted common pitfalls: response plans locked in digital systems that become encrypted during an attack; key roles assigned to a single individual who may be unavailable; and reliance on cyber insurance that may not pay out if the organisation has not maintained promised controls.

Carrie emphasised the governance dimension: “Boards must address cyber resilience before a crisis strikes. Debating whether to pay a ransom should not take place for the first time in the middle of an attack. Businesses must adopt a proportionate and proactive approach to cyber security and assess the risk as part of a larger risk management framework.” Establishing principles in advance – including the legal, regulatory, and ethical implications of ransom payments – enables calmer decision-making under stress.

She stressed the personal stakes for directors: "If you're a NED, you hold fiduciary duties as a director – this encompasses good cyber security risk management. You have personal liability – do not assume your D&O covers you. It might cover decisions and actions but not wider costs."

Carrie challenged boards to examine their current approach: "Are you following a proven framework like Cyber Essentials? Are you building in cyber resilience and business continuity planning? Is it on the agenda? If not, it should be. Who is the designated lead? If no-one, assign one."

During the Attack: Decisions Under Pressure

When ransomware strikes, pressure mounts rapidly. Data is encrypted, operations stall, and a ransom demand arrives – typically in cryptocurrency.

Key dilemmas for boards include:

  1. Ransom payments – who has authority to decide, and on what basis? While some organisations pragmatically negotiate, government proposals now point towards tighter restrictions and mandatory reporting.

  2. Communications – how to handle regulators, insurers, employees, customers, and the media in the crucial first 24 hours. Misinformation or premature statements can magnify reputational damage.

  3. Law enforcement engagement – while support and guidance are improving, technical interventions are often limited once encryption has occurred.

The discussion also reflected on real-world examples, from large retailers forced to disclose outages, to smaller firms negotiating instalment payments on the dark web. These illustrate both the diversity of responses and the intense moral, legal, and financial pressures boards may face.

After the Attack: Recovery and Learning

Even if a ransom is paid, restoration is uncertain. Criminals may not provide decryption keys, or they may strike again. True resilience lies in restoring systems independently and learning from the incident.

Boards should ensure:

  • Backups are offline, secure, and regularly tested.

  • Legal obligations – including mandatory reporting under emerging regulation – are understood and actionable.

  • Lessons learned feed into strategy, culture, and governance.

Carrie noted that new legislation, including the forthcoming Cyber Security and Resilience Bill (CSRB), will require boards to demonstrate more proactive oversight. The Bill is expected to expand regulatory scope into the value chain, impose stricter incident reporting (within 72 hours), and give regulators sharper enforcement powers.

Carrie highlighted the significance of these changes: "We're seeing a step-change in UK cyber regulation with the CSRB. This moves away from voluntary frameworks to encourage a culture of accountability, with compliance obligations that could result in significant penalties."

Policy and Legal Context

The roundtable considered the UK Government’s July 2025 consultation response on ransomware. Key proposals include:

  • A targeted ban on ransom payments for public bodies and critical national infrastructure (supported by 72% of respondents).

  • Exploration of an economy-wide prevention regime, though views were mixed.

  • Introduction of a mandatory reporting regime, strongly backed by respondents, to improve government visibility of ransomware threats.

The reality of ransom restrictions is becoming clearer. As Carrie warned, "Ransom payments may be a thing of the past for CNI providers and public sector organisations. The question becomes: how do you recover in the absence of being able to pay a ransom? We await answers from the government on what happens when there are no technical restoration options."

For boards, the implication is clear: decisions about ransom payments and incident handling are moving from discretion to regulation.

Key Takeaways for Audit and Risk Committees

Several practical actions emerged from the session:

  1. Preparedness and validation – Incident response and continuity plans must be read, rehearsed, and printed. Boards should regularly test them through realistic simulations.

  2. Decision-making clarity – Authority for ransom payments (if legally permitted) should be pre-defined.

  3. Insurance scrutiny – Verify what is actually covered and under what conditions. Cyber insurance transforms operational risk to credit risk, rather than eliminating it.

  4. Supply chain resilience – Critical suppliers, including managed service providers, must be part of the resilience equation.

  5. Legal foresight – Understand the implications of AML, data protection, and emerging cyber legislation before an attack occurs.

  6. Culture of learning – Every incident must inform future governance and risk oversight.

Carrie emphasised the expanded regulatory focus on supply chains: "The CSRB extends due diligence requirements. Businesses that rely on external IT or security providers will be required to conduct due diligence, which means you need to be checking contractual agreements reflect security expectations."

Conclusion

Ransomware is not an IT issue alone – it is a strategic business risk. Boards cannot outsource responsibility; they must understand the threat, set clear principles, and test their organisation’s resilience.

The Risk Matters roundtable underscored that the anatomy of a ransomware attack involves more than encryption and extortion. It is about governance, legal, compliance, financial resilience, and the ability of directors to lead under pressure.

As new legislation reshapes the regulatory landscape, the imperative for boards is clear: move beyond compliance and embed cyber resilience at the heart of risk oversight.

Useful links:

National Cyber Security Centre – a great source of advice and guidance: National Cyber Security Centre - NCSC.GOV.UK

NCSC Cyber Governance for Boards – board-focused cyber resources: Cyber Governance for Boards - NCSC.GOV.UK

NHS Cyber Security Guide for NEDs: Cyber security guide for non-executive directors - NHS England Digital

UK Government Cyber Governance Code of Practice: Cyber Governance Code of Practice - GOV.UK

📅 The next Risk Matters roundtable will be held at 9am (UK) on Friday 12 December 2025. We encourage audit and risk committee members to join the discussion.