Risk & Resilience Operations.
Enterprise risk, operational resilience, and business continuity. Operationalized as a portfolio input, not compliance overhead.
Some organizations have outgrown a compliance-led approach to risk. They need to operationalize it — to turn risk into a portfolio input that informs capital allocation, program prioritization, and board-level decisions in real time. We build the operating model that lets enterprise risk management actually run, rather than producing a document that sits on a shelf.
This practice covers the full enterprise risk surface: traditional ERM design and operationalization, operational resilience under regulatory pressure, business continuity and disaster recovery, and third-party and concentration risk. We monitor and advise on the disclosure regimes that have moved risk from a back-office concern to a board-level one (CSRD, ISSB IFRS S2, the SEC climate rule, California SB 253 and SB 261), and where clients require it, we provide informed counsel on operationalizing them. Climate is not a practice we lead with. Risk operations is.
This practice draws on deep credentials across insurance and risk, cyber and information security, and program execution. Every practitioner holds the relevant professional certifications in their domain. It also draws on something less common in this category: senior practitioners with direct experience designing and operating risk functions inside live, high-stakes environments. That perspective informs how we design programs that have to perform when tested, not just programs that look defensible on paper.
The full enterprise risk surface, operationalized — each domain mapped to what it covers, the regulatory pressure driving it, and the role we play.
| Domain | What it covers | Regulatory drivers | Our role |
|---|---|---|---|
| Enterprise risk management | Risk identification, appetite, prioritization, and the governance that feeds the board. | Board governance expectations; rating-agency and lender scrutiny. | Design and operationalize the function; produce decision-grade inputs. |
| Operational resilience | Impact tolerances, severe-but-plausible scenario testing, recovery posture. | Sector regulators; operational-resilience regimes. | Design, test, and operationalize the program against current expectations. |
| Business continuity & DR | Continuity planning and disaster recovery aligned to the real technology estate. | ISO 22301; audit and customer assurance requirements. | Modernize programs that have drifted out of sync with operations. |
| Third-party & concentration | Vendor concentration, critical-supplier exposure, outsourced-enterprise resilience. | Third-party risk regulation; contractual assurance. | Assess and operationalize the controls that contain it. |
| Climate disclosure | Disclosure readiness and the operating model to sustain it. | CSRD, ISSB IFRS S2, SEC climate rule, California SB 253 / SB 261. | Monitor the regimes; advise on operationalization where required. |

Resilience investment tends to get approved when a risk feels urgent and cut when budgets tighten, because the number underneath it is seldom made explicit. What a day of downtime actually costs, how much exposure belongs on the balance sheet versus with an insurer, and what a regulator or an acquirer will expect to see — these are answerable questions, and answering them changes how the board funds resilience. We put defensible figures against them, drawing on people who have worked both the finance and the insurance side of the decision rather than only one.
- Cost-of-risk quantification. Express operational and continuity exposures in financial terms — expected loss, tail scenarios, and the capital implications — so the board can weigh a given risk against what it would cost to mitigate it.
- Disruption scenario modeling. Work through the financial impact of the scenarios that matter — an outage, a supply shock, a key-system failure — in terms of cost over time, where it lands in the P&L, and how quickly recovery investment earns its keep.
- Risk financing & transfer analysis. The economics of retaining risk versus transferring it: program structure, retention and limit calibration, and the genuine trade-off between carrying exposure on the balance sheet and paying to move it off, assessed by people who have sat on both sides of that table.
- Contingency & reserve planning. Size the reserve and contingency the plan actually requires and build the assumptions into the program, so funding is matched to the exposure it is meant to cover.
- ERM design & operationalization. Build or rebuild the enterprise risk management function so it produces decision-grade inputs to leadership and the board, not after-the-fact reporting.
- Operational resilience. Design, test, and operationalize resilience programs against current regulatory expectations, including impact tolerance setting and severe-but-plausible scenario testing.
- Business continuity & DR. Modernize BCM and DR programs that have drifted out of sync with the actual technology and operating estate they're meant to protect.
- Third-party & concentration risk. Assess and operationalize controls around vendor concentration, critical-supplier exposure, and the resilience implications of an increasingly outsourced enterprise.
- Crisis governance & tabletop exercises. Stand up or stress-test the executive and board-level decision-making structures that have to operate under crisis conditions. Designed to produce decisions, not status updates.
- Climate disclosure advisory. Informed advisory on CSRD, ISSB IFRS S2, the SEC climate rule, and California SB 253/SB 261 frameworks. We monitor the regulatory environment and advise on operationalization where clients require it.

Standing Enterprise Risk Advisor.
Not a one-time assessment. An embedded enterprise risk function that operates alongside your leadership team, quarter after quarter.
Most risk consulting ends with a report. The differentiated work begins where that report would stop — operating as the ongoing enterprise risk function for organizations that need the capability but aren't ready to build it in-house. Our practitioners have served as the primary enterprise risk advisor to PE firms managing 30+ portfolio companies, running multi-line risk programs across the portfolio through hard-market conditions, adverse claims activity, and active M&A including carve-outs, divestitures, and bolt-on acquisitions.
For a PE-backed or publicly traded organization, that means quarterly governance reporting the board can act on, carrier and broker relationship management, emerging-risk monitoring, and the board-level risk communication that keeps risk a live input to capital and operating decisions — not an annual compliance exercise. Where we earn it, the work develops into a firm-level mandate: standing engagement across every portfolio company under a sponsor, reflecting multi-year credibility with senior finance and operating leadership.
| Cadence | What we run |
|---|---|
| Quarterly | Governance reporting, risk register review, and board-level risk communication. |
| Ongoing | Carrier and broker relationship management; emerging-risk monitoring across the portfolio. |
| Event-driven | Risk integration for active M&A — carve-outs, divestitures, and bolt-on acquisitions. |