When does risk intelligence become just a buzz phrase... and what to do about it

C-suites and non-executive boards are navigating a rare overlap of deep, structural shifts. Dramatic changes in US governance, with global political and economic impact. Technology transformation, including breath taking advances in AI. Mounting pressure on the post-WWII rules-based order, marking generational shifts in geopolitical alliances.

In this climate, language of ‘risk intelligence’ is cropping up everywhere – in strategy decks, vendor pitches, and boardroom conversations. It’s the phrase we might reach for when we want to sound informed, proactive, and prepared. But what does it actually mean? And are organisations genuinely building, maintaining, and using it effectively – or just borrowing the language?

Risk intelligence – a working definition

We define risk intelligence as: ‘A flow of verified, curated, relevant information which supports timely decisions and targeted actions owned at the right level, enabling safe and effective delivery of business strategy and objectives.’

Accurate, timely and targeted risk intelligence is a critical prerequisite for effective enterprise risk management in the context of an organisation’s overall business strategy and objectives. Good risk management, led from the top, is simply good management.

The reality gap – what the data shows

This year’s Risk Radar survey reveals a vertical gap between aspiration and reality. While many organisations talk about risk intelligence, fewer have the comprehensive structure, ownership or integration to make it meaningful.

Over two-thirds of respondents say their organisations have established, systematic approaches to producing risk intelligence – but only 61% rate their intelligence reliability as “very good”, and just 49% say the same for its timeliness. Neither score is particularly reassuring for C-suites or audit/risk committees.

Reliable but slow intelligence isn’t decision-ready. If it doesn’t reach the right people fast enough, it’s not helping them act. That’s a sign it’s serving reporting needs more than strategic ones.

The picture gets starker when you look at accessibility and use. A third of respondents say their intelligence is only partially accessible across the business, and equally report partial utilisation. If intelligence isn’t reaching the right people or being used across the business, it’s not embedded. It will probably lead to poorly informed risk management, sub-optimal performance and missed opportunities.

These gaps don’t prove that risk intelligence is being used as a buzz phrase. But they do show that in many organisations, it’s not yet delivering on its promise. When a concept is widely referenced but inconsistently applied, it risks becoming more language than action.

Why risk intelligence often falls short – and what’s changing

The greatest challenge facing businesses today isn’t a lack of intelligence, but the inability to harness, trust and apply it.

The tsunami of multi-sourced data and information available demands time and resource to collect, verify, filter, curate and disseminate. Information fatigue can rapidly overwhelm recipients of intelligence, leading to significant trends and developments (downside risks and upside opportunities) being missed, resulting in damaging business decisions. Advances in information technology – in particular, generative and agentic AI – bring new challenges but also opportunities.

AI is now central to the creation and spread of increasingly sophisticated mis- and disinformation. This is fast becoming a mature industry, actively developed and exploited by malicious actors – from state-sponsored groups and organised criminal networks, to a growing number of ruthless commercial competitors.

In 2021, PwC reported that commercial Disinformation-as-a-Service (DaaS) vendors were emerging in many countries, offering deniable and damaging services to private sector clients – including news articles for as little as $15. [1]

PwC went on to summarise several cases of commercial disinformation – without naming the victims. A US semiconductor firm saw a planned acquisition collapse after a forged Department of Defense document raised false national security concerns. A bottled water brand faced consumer panic and reputational damage when fake contamination claims spread online, feeding into a broader trend of health-related disinformation targeting consumer brands. A foreign state media outlet falsely linked 5G mobile technology to health risks, eroding public trust in US providers while boosting its own 5G rollout.

As a state-sponsored example, several Western intelligence agencies and media outlets [2] [3] reported that Russian state-linked actors ran disinformation campaigns aimed at undermining trust in Pfizer and Moderna vaccines. These efforts often promoted Sputnik V as a safer or more effective alternative.

On the other hand, AI that’s trained, guardrailed, and guided by human analysts can help automate and connect the steps involved in the collection, verification, and dissemination process. It’s especially strong at handling large volumes of data quickly, identifying trends and changes, and pushing intelligence to the people who need to see it.

There are further challenges ahead. For the implementation of AI, role-related workforce training will need investment. Increasingly well-defined data legislation and regulation will demand rigorous corporate compliance with auditable policies, processes and procedures. The World Economic Forum’s ‘Global Risks Report 2025’ [4] lists State-based armed conflict, extreme weather events, geoeconomic confrontation and mis- / disinformation as the top four risks identified by respondents. Cyber threats are proliferating and becoming increasingly damaging. In July the UK Government published its first ‘Chronic Risks Analysis’ [5] for UK businesses and policy leaders, identifying systemic risks across security, technology and geopolitics. With this publication, a G7 economy has broken new ground in telling its business and policy community that international instability contains geopolitical risks that all companies need actively to anticipate and manage.

How is risk intelligence managed successfully?

Risk intelligence only adds value when it matches its definition. It needs to be owned, accurate, and tied directly to business priorities – so that it drives timely, confident decisions rather than fill reports.

Best practice includes:

• Clear ownership and governance: Risk intelligence sits firmly within the overall risk framework, with defined accountability for delivery.
• Right information, right resource: Reporting needs are clearly identified, and the right people and tools are in place to meet them.
• Decision-ready intelligence: Data is verified, filtered, and shaped into insights leaders can trust and act upon – meeting the definition of timely, targeted action.
• Action-focused triggers: Clear points are defined for when intelligence should drive business decisions – answering the ‘So What, Now What?’ questions.
• Executive sponsorship: Visible C-suite support ensures risk intelligence is integrated into strategy and operations.
• Cross-functional alignment: Many firms now use a Risk Intelligence Steering Group (often chaired by the CRO or another senior executive) to define and prioritise intelligence needs, oversee escalation procedures, and regularly review outputs for timeliness and impact.

Application – putting it into practice

These principles are easy to list, but take effort and commitment to implement. Building the capability to manage risk intelligence well demands time, structure and deliberate investment. There’s no shortcut.

Chief Risk Officers, once focused on operational and financial issues, are increasingly called on to manage and report on a much broader palette including government regulatory divergence and cybersecurity. That’s why risk ownership and integration matter more than ever.

With geopolitical risk topping risk registers, a number of commentators [6] have suggested that companies might consider the creation of a Chief Geopolitical Officer role, integrating strategic geopolitical intelligence directly into core business decisions protecting people, operations, product, supply chain and market access. The incumbent would have responsibility for the full life cycle of risk intelligence (including requirements definition) and horizon-scanning. They would make a critical contribution to key stakeholder management (internal and external to the company) and crisis response. They would be an integral member of the Risk Intelligence Steering Group.

So, is risk intelligence just a buzz phrase?

Risk intelligence becomes a buzz phrase when it’s used to signal readiness, but isn’t backed by ownership or integration. In other words, when it’s talked about more than it’s acted on.

But it doesn’t have to be.

Intelligence is a discipline. And like any discipline, it needs investment, structure and time to grow. In a world where uncertainty is the norm, organisations that treat risk intelligence as a strategic capability will be better placed to protect value, seize opportunity, and outperform their peers.