
The Riskuniversum™

Updated: May 9

Why most Risk Universes are missing half the screws


If you’ve ever opened an IKEA flat-pack box, you’ll know there’s a particular moment of quiet faith required. You tip the contents onto the floor, count the screws, locate the Allen key, and trust that the diagrams in front of you will, in time, produce a wardrobe.




What makes those instructions work isn’t elegance. It’s clarity.


Every component is named. Every step is sequenced. Every screw has a purpose.


By the time you’re finished, you haven’t just built a piece of furniture — you’ve followed a shared logic that someone, somewhere, designed with care.


Now apply that same test to your Risk Universe.


Does it have a clear parts list? Are the components named with enough specificity to be useful? Is there a sequence that connects strategy, risk, controls, assurance and decision-making? Or does it simply gesture at the shape of the thing — and hope that everyone fills in the gaps the same way?


In my experience, far too many Risk Universes fall into the second camp.


The problem with generic categories

Walk into most housing associations and you’ll find a Risk Register built around a familiar set of categories. Finance. Health & Safety. Asset Management. IT. People. Tidy. Familiar. Reassuring.


There’s nothing technically wrong with any of those labels. But there’s nothing technically useful about them either. They are containers without context. Buckets without depth.


The Board is asked to set risk appetite against “Finance” — but does that mean treasury exposure, covenant headroom, welfare reform impact on rental income, pension deficit volatility, fraud and financial crime, or all of the above? Each of those needs a different conversation, different controls, different assurance. Lumping them under one label doesn’t simplify the discussion. It hides it.


This is what I mean when I say a Risk Universe should be more than a list of labels. At its best, it is the common language an organisation uses to understand itself — the shared vocabulary that lets the Board, the Executive and the frontline all build the same picture of what’s going on.


The Goldilocks Principle: finding the right level of detail

The instinct, having recognised the problem, is often to overcorrect. If generic categories are too thin, surely the answer is more detail? More risks? More granularity?


Not quite. There’s a sweet spot, and missing it in either direction creates its own problems.


Too generic. One-word categories. Big buckets, little meaning. The Board nods along but no real conversation is possible because there’s no shared understanding of what sits inside each label. Risk appetite ends up vague. Assurance ends up fragmented. The same issues circle the table at every meeting.


Too granular. A 200-line risk register dressed up as a Risk Universe. Every conceivable scenario logged in eye-watering detail. The Board can’t see the wood for the trees, the Executive loses focus, and the framework collapses under its own weight. Nobody can make a decision because nobody can find the signal in the noise.


Just right. Categories that have depth and structure, populated with named risk areas that are specific enough to mean something but framed with enough abstraction to support strategic thinking. Financial Resilience rather than Finance. Customer & Communities rather than Customers. Inside each category, named risks: treasury and liquidity exposure, loan covenant headroom, welfare reform impact on rental income. Now the Board can have a meaningful conversation. Now risk appetite has somewhere to land. Now assurance has a structure to map onto.


That’s the level of detail that makes a Risk Universe genuinely useful — and it’s the level that almost no template will give you, because the right calibration depends on your organisation’s strategy, scale, operating environment and risk profile.


What “just right” looks like in practice

Sticking with our Goldilocks Principle, a well-built Risk Universe does several things at once.


It connects strategy to operations, so that the risks named are the ones that genuinely matter to where the organisation is going. It supports a meaningful risk appetite framework, because you can only express appetite usefully when the underlying risks are named with enough precision. It gives the Board clear line of sight, so that scrutiny is targeted rather than diffuse. And it creates the foundation for an assurance map that actually maps onto something — rather than a Three Lines of Defence diagram floating in space.


Most importantly, it gives the whole organisation a shared language. When the Head of Operations, the Director of Finance and the Chair of the Audit and Assurance Committee all talk about Asset and Building Safety, they should be talking about the same thing. That alignment is not a nice-to-have. It is the difference between a governance framework that works and one that wobbles.


A wobble check for your Risk Universe

If you’d like to test whether your current framework is fit for purpose, here are the questions I find most revealing:


  1. Are the categories meaningful to your strategy and operating environment, or are they generic headings borrowed from elsewhere?

  2. Do they reflect your real exposure — your tenant base, your stock profile, your regulatory context, your funding model?

  3. Are the risks within each category named and connected, or do they sit in isolated silos?

  4. Is ownership clear from the Board through to the frontline, with no orphaned risks and no duplicated accountabilities?

  5. Does the framework support real decisions — risk appetite, investment choices, strategic trade-offs — or is it a document that lives on a shared drive?

  6. Does it help your Board ask better questions, or does it leave them asking the same ones every quarter?

 

If you find yourself hesitating on more than one or two of those, you might have a few screws missing in the kit.


A final thought

 

A Risk Universe is not a category list. It is the assembly instructions for how an organisation understands itself.

 

Built well, it gives the Board confidence, the Executive clarity, and the wider team a shared map of the terrain.


Built poorly, or lifted wholesale from someone else’s template, it becomes the governance equivalent of a wonky BILLY bookcase. Three pieces left over. Doors that don’t quite close. And a quiet hope that nobody leans on it too hard.


At House of Risk, we work hard to avoid the cookie-cutter approach. Different organisations have different operating environments, different pressures, different cultures and different exposures. A good Risk Universe should reflect your world, not somebody else’s.


If yours feels like it’s missing the instructions, the Allen key, and a few of the screws — you know where to find me.

 

Becky Tucker is the Founder and Director of House of Risk Ltd, a specialist risk, resilience and assurance consultancy supporting boards and leadership teams across the UK social housing sector.


 
 
 
