Lessons from ESRM UK 2025: Why Risk is About Outcomes, Not Obstacles


By Lucy Montague
Tags: ESRM, CoreStream GRC

Enterprise Security Risk Management UK Event

Risk and Compliance leaders from across the UK gathered in London for ESRM UK 2025, a flagship event exploring the evolving world of Enterprise Security Risk Management. Hosted on March 5th, the conference brought together experts from major organizations including Co-op, Jaguar Land Rover, and General Bank of Canada, to tackle the biggest challenges facing risk, compliance, and security teams today.

From the ever-expanding regulatory landscape to the power of risk storytelling, one theme stood out across every session: outcomes matter more than ever. Risk professionals aren’t there just to tick compliance boxes; they’re there to drive strategy, build business confidence, and secure long-term success. Here’s what we learned.

Risk is about outcomes – not just avoiding threats

The ESRM UK London event reinforced a crucial truth: risk management isn’t about stopping bad things from happening—it’s about creating confidence in the outcomes a business wants to achieve.

Stefan Gershater (Co-op) put it bluntly: “There’s no such thing as a risk appetite; what you have an appetite for is an outcome.”

This idea should be at the core of how risk professionals operate. If we want buy-in, investment, and influence, we must connect risk to real business goals such as growth, efficiency, and resilience, not just to compliance.

This isn’t just our takeaway from the ESRM event. Michael Rasmussen (GRC 20/20) explored the same theme in his latest blog, which we featured as CoreStream GRC’s weekly recommended read. Risk teams that position themselves as enablers of strategy, not blockers, are the ones that thrive.

Ditch the spreadsheets, drive the strategy: ERM in 2025

One of the biggest takeaways from ESRM UK 2025 was that mid-sized organizations are under intense pressure to modernize their risk management approach, and spreadsheets simply aren’t cutting it anymore. They may have been the go-to tool for risk tracking in the past, but organizations at the 10,000-employee scale are realizing that outdated, manual processes create more problems than they solve.

Many organizations still rely on spreadsheets for risk management, but this approach comes with serious limitations:

  • Siloed data – Risk information is often scattered across multiple departments, leading to inconsistent reporting and a lack of visibility at the executive level.
  • Manual, time-consuming processes – Collecting, updating, and verifying risk data takes weeks or even months, making it impossible to provide real-time insights.
  • Human error – With multiple versions floating around, mistakes creep in, increasing the risk of inaccurate reporting, which, in turn, can lead to compliance failures.
  • Limited scalability – As organizations grow, their risk management needs become more complex. Spreadsheets struggle to support cross-regional teams, multi-lingual compliance needs, and M&A integrations.
  • Regulatory pressure – With regulations like DORA and NIS2 tightening compliance expectations, businesses need a robust, automated system to track and report risk effectively.

How an Enterprise Risk Management software solution solves these challenges

To stay ahead of regulatory demands and improve efficiency, organizations are moving away from spreadsheets and adopting ERM platforms that provide:

  • A trusted single source of truth – a centralized risk platform eliminates data silos, providing a clear, real-time view of risks across all business units.
  • Automated workflows – no more manual data collection: automated risk assessments, approval processes, and reporting reduce the administrative burden and free teams to focus on high-value risk analysis.
  • Better collaboration – a unified GRC platform allows risk, audit, and compliance teams to work together seamlessly, breaking down silos and ensuring alignment.
  • Stronger compliance & reporting – with built-in frameworks aligned to ISO 27001, NIST, DORA, and NIS2, organizations can generate audit-ready reports at the click of a button.
  • Scalability & flexibility – whether managing risk across multiple geographies, industries, or business units, an ERM tool supports customization and growth.
  • Executive-friendly insights – with dynamic dashboards and board-level reporting, risk professionals can speak the language of leadership, making it easier to secure buy-in and investment.

Risk teams often struggle to get the resources they need because they’re seen as cost centers rather than business drivers. But the right Enterprise Risk Management (ERM) approach can change that perception.

Securing the supply chain: a business imperative

The discussion on supply chain risk made one thing clear: a weak link in your supplier network can bring down your entire operation.

Anthony Attwood (Jaguar Land Rover) stressed that the key to effective supplier security isn’t ticking compliance boxes; it’s actively engaging suppliers to understand their risks, strengthen their security posture, and build long-term resilience.

“You can’t secure a supply chain by throwing policies at it; you need real relationships. That means working collaboratively with suppliers, understanding their challenges, and helping them improve their security posture. The stronger the partnership, the lower the risk for everyone.”

But the challenge isn’t only external: many organizations struggle with internal silos that make supply chain risk management fragmented and inefficient. A unified risk approach, supported by automation and real-time insights, helps organizations shift from firefighting to foresight.

Staying ahead of the regulatory curve: why DORA & NIS2 matter

With DORA and NIS2 now in effect, regulatory expectations around cyber resilience, incident response, and third-party risk management have never been higher. DORA applies to EU financial entities (and, through them, to the ICT third-party providers that serve them), while NIS2 covers essential and important entities in sectors such as energy, transport, health, and digital infrastructure across the EU; even so, their influence is already being felt beyond their immediate scope. Many organizations, even those not yet directly in scope, are proactively strengthening their risk and compliance frameworks in anticipation of future regulatory expansion.

Why? Because regulatory trends rarely stay contained. Similar obligations are already spreading into healthcare, manufacturing, and other high-risk industries (NIS2 itself lists the health sector and several manufacturing sub-sectors among its covered entities). If your business operates across multiple jurisdictions or works with companies subject to these rules, you may be indirectly affected sooner than you think, for example through contractual flow-down of your customers’ third-party risk requirements.

The smartest organizations aren’t waiting. They are future-proofing their risk strategies now by aligning with best practices from DORA, NIS2, and established standards such as ISO 27001 and NIST. The more you embed resilience, automation, and clear risk insights today, the easier it will be to adapt to new compliance demands tomorrow. “Audit once, comply many” is the name of the game: map each control to every framework that requires it, so that one piece of evidence satisfies several regimes.

Storytelling: the secret weapon for a strong GRC culture

Risk professionals often struggle to embed a risk-aware culture because they rely too much on data and compliance checklists instead of compelling narratives.

  • Frame risk in terms of real-world impact. Instead of talking about controls and frameworks, tell stories about actual security incidents and their consequences, particularly ones that have previously happened in your own business or industry.
  • Find common ground. Lorraine Pintér (DPO) emphasized that security, privacy, and risk teams often share the same challenges—winning over stakeholders, embedding best practices, and improving resilience. Instead of working in silos, they should align efforts and tell a unified story.
  • Make it personal. Risk isn’t just about preventing disasters—it’s about ensuring people can do their jobs effectively and safely. Employees won’t engage unless they see how risk affects them directly.

Ultimately, a true GRC culture isn’t built on policies—it’s built on stories that make risk real, relatable, and urgent.

“If we want real change, we need to tell better stories—ones that make risk feel real, relevant, and impossible to ignore.” – Cal Brown, Lead Security Storyteller, BT

Conclusion: making risk a business advantage

The message from ESRM UK London was clear: business outcomes are everything.

Risk teams that position themselves as strategic enablers, rather than compliance enforcers, will have greater influence, bigger budgets, and stronger buy-in from leadership.

At CoreStream GRC, we believe that risk shouldn’t be a barrier to growth; it should be a catalyst for it. By digitizing ERM, securing supply chains, simplifying compliance, and embedding risk storytelling into company culture, businesses can turn risk management into a competitive advantage.

Does your organization think about risk in terms of outcomes, or is it still stuck in compliance mode? If you need help transitioning to an outcome-focused GRC program, book a workshop session with our experts today.
