A Defining Voice in Risk: Penny Cagan


Penny Cagan turns complexity into clarity by elevating communication as the discipline that drives operational risk understanding, influence, and action.

In today’s complex organizations, risk is embedded in decisions, operations, technology, and strategy. Yet even with advanced analytics and well-defined frameworks, critical risks still can go unrecognized or unaddressed.

The challenge is rarely a lack of insight—it is whether that insight is understood well enough to inform decisions. Risk only creates impact when it is clearly communicated, trusted by stakeholders, and applied at the right moment.

Across senior leadership roles at UBS, MUFG, JPMorgan Chase, Citigroup, EY, and Fitch Ratings, and through her work as a senior advisor, educator, and founder of AIxRisk, Penny Cagan helps to ensure that risk is not only identified—but understood, contextualized, and used to guide action.

Her thinking continues to shape the field. In her recent capstone article in Intelligent Risk, the journal of The Professional Risk Managers’ International Association (PRMIA), and in her upcoming book, “Managing Operational Risk in a Changing World,” Penny underscores a critical insight: as risk becomes more complex, the ability to communicate it clearly becomes even more essential.

This feature explores how Penny’s approach is reshaping operational risk leadership – from frameworks and reporting to AI-driven environments – and how she is preparing the next generation to lead with confidence in rapidly evolving conditions.


When Risk Fails, Communication Fails

Even the most sophisticated analytics can fail if leaders don’t understand them. Signals may exist, but they don’t translate into action. Reports are produced, yet they are not always used. In these moments, the breakdown is rarely analytical—it is communicative.

Starry Blue Brilliance: In your experience, what are the biggest challenges risk functions face in making risk information clear, actionable, and trusted?
Penny Cagan:
Risk communications, including senior management, board, and regulatory reporting, are among the most important activities a risk manager can undertake. They are how a risk function communicates with these critical constituents.

One of the biggest challenges is that risk functions can sometimes overcomplicate the message, and as an aggregator of operational risk reporting in my past life, I have often found myself rewriting the messaging that the operational risk functions have submitted. This is especially a challenge when it comes to communicating technology, cyber, and quantitative risk information, as these functions have a tendency to speak their own language.

It is important to communicate in language lay people can understand and to be clear what the message is and why it is being communicated. It needs to pass the old “so what” test. In addition, board reporting needs to pass the action test – what is wanted from the board and why is this information being included in their report? Again, what is the “so what.” And in today’s environment, with more data, more speed, and more interconnected risk, the job is not just to report risk, but to translate it into something people can actually understand and act on.

“It needs to pass the old ‘so what’ test.”

Penny Cagan

Making Frameworks Meaningful

Frameworks like Risk and Control Self-Assessments (RCSA) are foundational in operational risk management, but they often become exercises in documentation rather than tools that guide decisions.

Penny has led the design, implementation, and transformation of these frameworks across global institutions, focusing both on structure and practical application. Her approach helps to ensure that outputs are interpretable, relevant, and directly connected to business decisions.

SBB: How do you help to ensure that risk frameworks are both robust and genuinely actionable?
PC:
I confess that I am a bit of a framework geek as I believe they provide an organization with structure and guardrails in the management of risk. However, my motto has always been that a framework is only as effective as its ability to be implemented. Frameworks need to be bespoke for each institution and consider its size and complexity. One of the greatest challenges in risk management is understanding that basic principle and not jamming a framework down the throat of an organization.

There have been efforts in large institutions to simplify frameworks that might have grown to the point that they are difficult for the business to implement. I support this work. The challenge resides in developing a framework that can be seamlessly integrated into an organization’s processes and controls, and there are a lot of opportunities today with new technologies to do so.

Finally, a framework, and the team that has created and implemented it, has failed if it’s a documentation exercise and the front-line business views it as necessary paperwork that they need to complete to get on with their real business purpose. This is not just a failure of framework design, but a failure of communication and credibility of the risk organization.

“My motto has always been that a framework is only as effective as its ability to be implemented.”

Penny Cagan

Communicating Risk in an AI-Driven World

As risk becomes more complex, the challenge of communication only intensifies.

As artificial intelligence and advanced analytics accelerate the pace of decision-making, they also increase the volume and complexity of information organizations must process. More data and more signals do not automatically translate into greater understanding.

Through her work with AIxRisk, Penny is exploring how emerging technologies are reshaping both risk itself and the expectations placed on those who communicate it. In faster-moving environments, the cost of misunderstanding increases—making clarity, translation, and context more critical than ever.

SBB: How is AI changing not just the nature of risk, but the way it must be communicated?
PC:
I consider AI from two perspectives – I call it Side A and Side B (if you remember old 45 records where there was the hit song on one side and the potentially more interesting song on the other).

Side A is AI risk – that is, the risk of deploying AI to manage processes and activities. It requires strong AI governance to manage this risk. AI risk resides both internally, with how it is used to create models and, increasingly, agents to conduct risk and control activities without human intervention. It also exists externally, with deep fakes that can impersonate clients and be used for nefarious purposes. Deep fakes are creating an existential identity crisis because it is becoming harder to prove that we are who we are when our voice and physical presence can be impersonated.

Both internal and external AI risk can be managed mostly through our current risk frameworks – including governance, risk assessment, risk appetite, scenario analysis, metrics, monitoring, and training. But they require new thinking in the development of effective controls. Agentic AI especially requires different monitoring techniques than are being used to manage static risks, and there is a lot of interesting work going on in the behavioral analytics space to monitor the behavior of agents in much the same way employee behavior is monitored.

Side B of the equation, using AI to manage risk, is very promising. I have spent too many years of my life manually aggregating data and reading through hundreds of RCSA results to glean insights and trends. AI can be a powerful tool and, as I write this, I hope there is no one staying up late tonight aggregating issue management and loss data to determine an RCSA rating. It provides a good head start and creates multiple levels of efficiency in the effort to determine risk levels and control effectiveness, including control testing, and in identifying risk themes and trends. There is no reason that a risk department should be bogged down with the manual mechanics of identifying and assessing risk today. That feels monumental to me.

“Deep fakes are creating an existential identity crisis because it is becoming harder to prove that we are who we are when our voice and physical presence can be impersonated.”

Penny Cagan

A Critical Inflection Point for Risk Leadership

In her recent capstone article for Intelligent Risk, Penny describes the current moment as a turning point. While regulatory pressure in some areas may be easing, the underlying risk environment is becoming more interconnected and consequential.

This shift challenges a common assumption—that less regulation means less risk. Instead, operational risk is intensifying, driven by AI, geopolitical instability, cyber threats, and systemic dependencies.

In this environment, organizations must move beyond documenting risk to demonstrating resilience – communicating not just what risks exist, but how they would respond under stress and uncertainty.

SBB: In your Intelligent Risk article, you describe this moment as a critical inflection point. How should organizations rethink the way they communicate operational risk as regulatory expectations evolve but underlying risks intensify?
PC:
One of the points I make in the article I recently published in Intelligent Risk is that organizations should be very careful not to confuse a lighter regulatory environment with a lighter risk environment. The underlying risks are not diminishing. In many cases, they are intensifying—driven by technology, cyber threats, geopolitical volatility, third-party dependencies, and the increasing interconnectedness of business models.

That means the way we communicate risk also must evolve. It is no longer enough to rely on static reporting or backward-looking summaries that check a governance box. Risk communication must become more dynamic, more connected to decision-making, and more honest about where the real vulnerabilities are. As discussed above, we now have the tools to expedite moving from backward-looking risk assessments to dynamic views of risk exposures.

I think organizations need to move from simply documenting risk to showing how they will respond under stress, which puts resilience and outcome-based risk management at the top of the risk agenda. It is about being able to demonstrate that boards and senior management need more than a list of top risks. They need to understand how those risks could materialize, where the organization is most exposed, how resilient key processes really are, and what management is doing about it. In that sense, communication becomes part of resilience itself. It is how leadership understands not just what could go wrong, but how prepared the organization is to respond.

“Organizations should be very careful not to confuse a lighter regulatory environment with a lighter risk environment.”

Penny Cagan

Teaching the Next Generation

As an adjunct lecturer at Columbia University and New York University (NYU), Penny is shaping how future risk leaders think about their role. Her teaching reflects a core belief: technical expertise alone is not enough—leaders must also be able to communicate complexity with clarity and purpose.

Tomorrow’s risk professionals will operate in environments that are more dynamic, data-rich, and interconnected. Their effectiveness will depend not only on what they know, but on how well they can make others understand it.

SBB: What differentiates emerging risk leaders who are able to communicate complexity effectively?
PC:
The ones who stand out are not always the ones with the most technical knowledge. They are the ones who can take complexity and make it understandable to a non-technical audience. It comes down to strong and deep communication and interpersonal skills. Communication is a very important skill in risk management because if people do not understand the risk, they are far less likely to act on it appropriately.

The strongest emerging leaders know how to translate complex risk methodologies and themes to senior management and the board. They can move from technical detail to business relevance. They can explain not just what the issue is, but why it matters, what the implications are, and what decision needs to be made. They also understand their audience. Communicating with a business line leader is different from communicating with a board, and strong leaders know how to adjust without losing substance.

I also find that the best emerging leaders are what I like to call “connective thinkers.” They see how risks interact across functions, technologies, and external dependencies, and they help others see those connections as well. I really stress in the classroom the interconnectedness among risk types, and the importance of looking across them to understand how they drive and enhance each other.

For instance, I have always argued that operational risk is a driver of most other risks, because if you get the operational processes wrong, you have the knock-on effect of having compliance, credit, market, or liquidity issues. When I teach ERM in the classroom, I stress the importance of thinking how one risk type can impact another. This is increasingly important because risks today rarely sit neatly in one category.


Authoring the Practitioner’s Playbook

Penny’s upcoming book, “Managing Operational Risk in a Changing World,” brings together decades of frontline experience with today’s most pressing challenges, including AI, cyber threats, climate risk, ESG, DE&I, and pandemics.

Designed for both practitioners and students, the book translates complex frameworks and methodologies into practical application. It reflects her signature approach: making risk concepts usable, relevant, and aligned with real-world decision-making.

SBB: What inspired you to write “Managing Operational Risk in a Changing World,” and how does it reflect your approach to communication in risk leadership?
PC:
I was first inspired to write the book by a conversation with Philippa Girling who wrote the seminal Operational Risk textbook that I use in my Operational Risk classes. When I inquired if she was going to update the textbook, she indicated that she had moved on to other (really cool) things in her life. She suggested that I “take up the mantle.”

When I thought about the book I wanted to write, I felt that it was important to tell my story of working as both a peddler of an operational risk solution (the FIRST Operational Risk database that I developed and brought to market) and a risk practitioner. I wanted to share my perspective from decades of risk management experience with my students and the risk community. I also wanted to create a book that would be useful. For instance, for each chapter on operational risk types, such as fraud, third party, cyber, AI, data, transaction processing, and resilience, I provide sample scenarios and metrics that can be lifted and customized by risk professionals.

I also wanted to provide practical applications in the framework chapters, such as the ones on RCSA, Scenario Analysis, Governance, and Loss Data, for organizations that are setting up new programs or maturing the ones they have. Ultimately, I wanted the text to be useful for a large variety of readers.

I also provided chapters that I have not seen in other books in this genre on managing regulatory relationships (what I call the 4th Line), and establishing operational risk functions across the three lines of defense. I wanted to make sure that the people element in managing risk was not overlooked.

I interviewed nine risk professionals on various topics, because I did not want the voice to be only my own. They provide perspectives from their long careers on risk, compliance, and regulatory management, AI and data risk management, third party risk management, RCSA, Scenario Analysis, and cyber. Ultimately, it was important to create a text that bridges the gap between framework and practice. This brings me back to my response to the first question in this interview: a framework is only as useful as its ability to be implemented. It is my hope that this book helps with the practical implementation of operational risk management.


Organizations continue to invest heavily in tools, frameworks, and analytics. But these systems only create value when the insights they produce are clearly understood and used.

Penny Cagan’s career demonstrates that risk leadership is not defined by the volume of information produced, but by how effectively it informs decisions. A defining voice in risk helps to ensure that complexity does not obscure what matters—it illuminates it.

As risk environments evolve and decision cycles accelerate, communication becomes more than a support function. It becomes part of how organizations build resilience and make decisions under uncertainty. In that sense, clarity is not an enhancement to risk leadership – it is what enables it.
