Face the Risk Blog

Lessons from St Andrews: The Blind Spot in Risk Management

Written by FaceTheRisk | Jul 16, 2026 11:28:49 AM

St Andrews is a treasured location that teaches many lessons about golf and life. On our recent visit to St Andrews we were duly impressed by its majesty, and the tireless efforts to protect St Andrews for the future. What would happen if we used Face the Risk to help ensure that efforts to protect St Andrews not only "tracked risk", but helped to measure  and prioritise risks properly--which means contributing to its objectives.

For board members and senior risk leaders, the challenge has never been awareness of risk. It's been confidence in the numbers. Most risk registers tell you what could go wrong. Very few tell you how much risk you have, how much it will cost to reduce risk, which controls are worth funding, and how your decisions change when strategic priorities shift.

That gap — between tracking risk and actually reducing it — is where boards are most exposed. And it's exactly the blind spot that Face the Risk was built to close.

To demonstrate what closing that gap looks like in practice, and to show that you can get started right away, we used our AI tool build a pilot risk model for one of the most recognisable organisations in the world of sport and tourism: the St Andrews Links Trust. Don't worry, the model also allows for collaborative reviews of the data by subject matter experts and prioritisations of impacts to objectives from senior leadership. AI is only a tool used to help build the structure, and guide decision makers to vet the model. Human judgment remains paramount.

About the Organisation

The St Andrews Links Trust manages seven public golf courses, including the Old Course — Europe's largest public golf complex. It is a significant economic institution as much as a sporting one.

Key figures drawn from publicly available records:

  • Workforce: Approximately 250 permanent employees, rising to 400 at peak season
  • Annual economic contribution: £370 million to the local economy
  • Estimated enterprise value: Using a standard tourism and leisure asset valuation multiple of 10–20x annual earnings, enterprise value ranges from £3.7 billion to £7.4 billion. For this pilot model, we set the working figure at £4.2 billion.

At that scale, the cost of unmanaged risk is not abstract. It demands the same rigour applied to any major capital decision.

Building the Pilot Model

Using the Face the Risk AI platform, we constructed a risk model spanning three categories: strategic risk, cyber risk, and operational risk.

To keep the pilot focused, we directed the AI to identify the top nine risks per category27 events in total. From those events, the platform identified 524 associated controls, documented all sources, and preserved the full interrelationships between events, objectives, and treatments.

That last point matters more than it might seem. Traditional GRC tools treat risks in silos. Face the Risk captures how risks connect — so when you fund a control, you understand exactly which events it addresses and how it moves the needle on your objectives.

The completed model was exported directly into Expert Choice Riskion with full parameter documentation — a process that would ordinarily take weeks, compressed into a fraction of the time.

What the Model Revealed

Total Unmanaged Risk Exposure: £2.1 Billion

With no treatments applied, the model estimated total risk exposure at £2.1 billion. For a board, that number reframes the conversation around risk investment entirely.

Sorting the 27 events by category produced an immediate and board-relevant insight: operational and strategic risk were roughly equal in magnitude, with cyber risk comparatively lower. This cross-silo view — rarely available from standard GRC reporting — is precisely what leadership needs to make informed resource allocation decisions.

After controls were applied at a budget of £28 million, projected remaining risk dropped to £189 million. At a budget of £56 million, projected remaining risk fell further to £131 million — a return of 35 to 1.

The largest remaining risks centred on climate-related threats — drought, extreme rainfall, and sea level rise — alongside operational infrastructure risks also driven by sea level rise. Cyber risk, while lower in overall magnitude, was led by the potential exploitation of web applications and websites.

These findings illustrate a critical point: a well-constructed model surfaces the risks that matter most — not just the ones most commonly tracked.

The Efficient Frontier: A Better Language for Budget Decisions

One of the most powerful outputs for senior leadership is the Efficient Frontier — a visualisation of optimised risk reduction at different budget levels.

Budget Projected Remaining Risk
£0 £2.1 billion
£28 million £189 million
£56 million £131 million

Each point on the frontier represents an optimal set of treatments, selected through simulation to maximise risk reduction per pound spent. Because the model captures how each control contributes across multiple events, it eliminates the double-counting and risk overestimation endemic to conventional GRC tools.

Boards can also compare the efficient frontier against custom scenarios — representing current programmes, alternative control sets, or specific regulatory constraints. This turns budget discussions from opinion-based to evidence-based.

Three Analytical Layers Boards Rarely See

1. Risk Maps That Reflect Reality

Most organisations are familiar with the 6x6 or 9x9 risk matrix — events labelled high, medium, or low based on scoring methods that are, at best, inconsistent. Face the Risk takes a fundamentally different approach.

Rather than relying on arbitrary scoring, the risk map plots events against each other according to their actual likelihood and impact measures. You can still categorise risks as high, medium, or low — but now those categories are grounded in relative comparison, not subjective judgment.

Critically, the map shows the same events before and after treatment simultaneously, making the value of funded controls immediately visible to any board member. Thresholds are fully customisable. A common benchmark: anything below 0.5% of enterprise value is acceptable; anything above 1.5% warrants immediate board attention.

2. Bowtie Analysis for Meaningful Governance Conversations

Every one of the 27 events has a dedicated bowtie — a structured view of causes, impacts on organisational objectives, and funded versus unfunded treatments. This creates a governance forum grounded in evidence. Teams can challenge whether likelihood or impact has been rated accurately, propose alternative controls, and identify whitespace controls — gaps in the current risk programme that may need to be addressed. Boards stop debating opinions and start debating evidence.

3. Objective Weighting That Reflects Strategic Priorities

Standard GRC frameworks treat all organisational objectives as equal. They are not. Face the Risk allows senior leadership to adjust the relative importance of each objective, reflecting actual strategic priorities. The model then recalculates risk reduction scenarios in real time. Using ratio-scale survey methods, this also enables sensitivity analysis — showing boards how risk decisions would shift as priorities evolve. Senior leadership can compare various risk reduction scenarios and see in real time how their decisions might change with shifting objectives.

The Lesson for Your Organisation

St Andrews is a high-profile example, but the blind spot it reveals is universal.

Organisations of every size and sector are making risk investment decisions based on incomplete models — registers that track events without capturing interrelationships, controls that are funded based on intuition rather than optimisation, and board reports that reflect compliance obligations rather than genuine strategic exposure.

The lesson from St Andrews is straightforward: when you model risk properly, the numbers change. The priorities change. The budget conversations change. And the board's ability to govern risk — rather than simply report on it — changes fundamentally.

Face the Risk was built to make that shift possible. Not in months, but in days.

Ready to Build Your Pilot?

The St Andrews model was built entirely from publicly available data. The full capability of the platform emerges when organisations bring their own datasets, internal documentation, and specific guidance on sources and constraints.

The platform supports:

  • Custom datasets and proprietary source materials
  • Project risk alongside operational, strategic, and cyber risk
  • Regulatory "must" constraints integrated into control portfolios
  • Multiple budget scenario comparisons against optimised frontiers
  • AI-accelerated model building that compresses weeks of analysis into hours

If you're ready to move beyond tracking risk and start reducing it, we'd like to help you build your own pilot model.

Visit www.facetherisk.com or contact us at info@facetherisk.com to request access and get started.