The Real Risk of Risk Suppliers

Do your suppliers actually understand risk?

Many suppliers claim to manage risk. In practice, they operate static templates with no defined methodology, no coherent governance model, and no understanding of how risks interact across disciplines. The output may appear structured, but it is superficial compliance rather than genuine risk management. This creates false assurance at the board level, removes traceability between risks and controls, and produces results that cannot withstand regulatory or audit scrutiny.

Templates are documentation tools. They are not risk engines.

When a Spreadsheet Is the Product

The problem deepens when a platform can effectively be replaced by a spreadsheet. If a solution simply aggregates responses, it is not delivering risk intelligence — it is creating manual aggregation risk, calculation inconsistency, and fragmented outputs that fail to model interdependencies between cyber, physical, privacy, resilience, AI, and technology domains. Boards cannot govern from static documents. Executives cannot make sound investment decisions from manually compiled risk registers that lack dynamic recalculation, cross-discipline weighting, and control effectiveness analysis.

Polished dashboards do not solve this structural weakness. Heat maps, traffic lights, and executive summaries may look sophisticated, but without defined scoring logic, transparent calculation methodology, and evidence-based control assessment, visualisation becomes decoration layered over unmanaged exposure. The more refined the graphics, the easier it becomes to mistake presentation for substance.

Governance Theatre

The result is governance theatre — frameworks that create the illusion of structure while masking real exposure beneath the surface. The warning signs are consistent: undefined taxonomies, inconsistent scoring, no residual risk validation, no maturity progression model, no integration across functional domains. These weaknesses distort investment decisions, misprioritise remediation, and generate executive overconfidence in fragile control environments.

The ISO 27001:2022 Problem

Claims of guaranteed alignment to ISO 27001:2022 expose this immaturity most clearly. Alignment cannot be universally guaranteed because implementation outcomes vary significantly across organisations — particularly in physical security and technology architecture. Physical environments differ in building design, shared occupancy, surveillance capability, environmental controls, and regional threat exposure. Technology environments differ in cloud adoption, legacy constraints, identity architecture, network segmentation maturity, logging depth, and third-party dependency models. Two organisations may implement the same control objective and achieve materially different levels of effectiveness.

ISO 27001:2022 requires contextual, risk-based implementation that demonstrates suitability, adequacy, and effectiveness. It does not endorse templated declarations of conformity. Alignment must be evidenced through implementation reality — not asserted through documentation.

This distinction matters in practice. A camera installed in a poorly monitored environment does not create meaningful physical assurance. A security tool deployed without integration, configuration discipline, or monitoring capability does not materially reduce cyber exposure. Control presence is not control effectiveness. Mature risk management recognises this variability and measures it, rather than assuming equivalence based on template responses.

Control presence is not control effectiveness.

A Different Approach

C2C built its Myra platform around this principle. Myra’s risk engines are underpinned by structured threat libraries that span each integrated risk discipline — physical security, cyber, privacy, AI, supplier risk, and operational resilience — curated, categorised, and mapped to defined taxonomies. This enables consistent risk identification, cross-discipline correlation, and structured assessment within a coherent architecture rather than a collection of isolated modules.

Because the threat libraries are integrated, risks are not treated in isolation. A technology vulnerability can be correlated to operational disruption, regulatory exposure, and privacy impact. A physical security weakness can be mapped to business continuity implications and information security controls. This prevents fragmentation and enables a realistic view of aggregated exposure — with control mappings and residual risk positions derived systematically, not manually assembled.

The Cost of Getting It Wrong

The commercial consequence of engaging suppliers who do not understand risk is predictable and expensive. Rework arrives quickly. Re-implementation costs follow. Audit challenge and regulatory friction compound the damage. Most costly of all, executive confidence erodes when outputs fail to stand up to scrutiny — and the board that believed it understood its risk position discovers it was looking at a filing system with graphics.

The Demand for Model-Driven Risk

Increasingly, clients are requesting API access to C2C’s methodology — not for additional reporting features, but for structured access to a fully operational risk engine built on defined threat libraries, integrated modelling, and transparent scoring logic. They want to embed the underlying logic into their governance ecosystems and operational workflows because it is consistent, defensible, and machine-consumable.

That demand is instructive. It confirms that the value lies not in the interface but in the model beneath it. Structured threat libraries, transparent scoring, cross-discipline integration, and measurable control effectiveness can be consumed programmatically — supporting automation, aggregation across business units, supplier risk integration, and executive reporting without manual manipulation.

What a Viable Risk Solution Requires

A viable risk solution must model risk rather than merely record it. It must be built on structured threat libraries, define transparent scoring logic, integrate multiple disciplines, measure control effectiveness, and generate board-defensible outputs that reflect the contextual reality of each organisation’s implementation.

The most expensive risk solution is always the one that has to be replaced — usually after an incident makes the gap visible.
