Transform · Perform · Sustain

Where structure meets consequence.

Trellis Consulting provides rigorous, cross-disciplinary advisory to organisations navigating risk, regulatory complexity, and the pressures of a fast-changing operating environment. Built on expertise. Focused on outcomes.

End-to-end.
Strategy to deployment. One advisory relationship.
7+
Service Disciplines
Current Focus Areas
Crisis Response ESG Strategy Operational Resilience Design Audit Readiness Process Automation
Scroll
Crisis & Incident Management
Risk Management
Business Continuity & Resilience
Training & Capacity Building
ESG & Sustainability
Auditing Services
Business Process Optimisation
Strategic Partnerships & Transaction Advisory
Our Purpose

Organisations that endure are built, not assumed.

Trellis Consulting exists to close the gap between governance frameworks and operational reality. We build the structures that hold when pressure arrives.

About Trellis

Advisory built on depth. Delivered with precision.

Trellis Consulting is a specialist advisory firm. Our work spans the full resilience lifecycle: from risk identification and strategic framework design, through governance structuring, regulatory compliance, and crisis preparedness, to post-event recovery and sustainability integration.

We work with cross-sector corporates that demand more than templated solutions. Our engagements are substantive, context-specific, and built to last.

What We Do

Eight disciplines. One coherent practice.

High demand in SA & SADC

Crisis & Incident Management

Framework design, playbook development, and live simulation. Built for the moment when everything depends on structure.

Explore

ESG & Sustainability

Sustainability strategy development and deployment, ESG framework integration, and independent sustainability auditing.

Explore

Risk Management

Enterprise risk frameworks, risk appetite design, and integrated risk reporting across complex, multi-entity operating environments.

Explore

Business Process Optimisation

Identify, map, and prioritise processes for agentic automation. The starting point for organisations serious about operational transformation.

Explore
Further capabilities

Business Continuity & Resilience

BIA, BCP design, MTPD analysis, and recovery strategy. Continuity that functions under real-world conditions.

Explore

Training & Capacity Building

Executive-level simulations, operational workshops, and sustained capability programmes. Knowledge that transfers.

Explore

Auditing Services

Independent framework audits, compliance gap analysis, and governance assurance. An honest view, not a comfortable one.

Explore

Strategic Partnerships & Transaction Advisory

Identifying and connecting the right capital partners, development funders, and dependable suppliers to unlock projects and commercial opportunities.

Explore
How We Work

Advisory is a practice, not a product.

01

Diagnose

We begin with a thorough understanding of your operating context, risk exposure, and existing capability. No assumptions. No templates.

02

Design

We develop frameworks, playbooks, and strategies that are specific to your organisation. Fit for purpose means fit for your purpose.

03

Deploy & Sustain

We embed capability, not dependency. Our engagements close with your team confident, tested, and independently capable.

Geographic Footprint

Operating across Southern Africa and the broader region.

South Africa Zambia Zimbabwe Botswana Namibia Mozambique Tanzania Malawi

The work starts with a conversation.

Tell us about your organisation's current pressures. We will tell you whether we are the right fit.

Who We Are

Grounded in practice.
Uncompromising in standards.

Trellis Consulting was built on the belief that good advisory changes how organisations behave, not just how they document. We work at the intersection of strategy, governance, and operational reality.

The Firm

Built for complexity. Focused on outcomes.

Trellis Consulting (Pty) Ltd is a multi-disciplinary advisory firm specialising in organisational resilience, risk, governance, sustainability, business process optimisation, and capability development. We work with corporate clients who require rigorous, context-specific advisory rather than packaged compliance products.

Our name reflects our philosophy. A trellis provides structure that enables growth. It does not grow for you. It creates the conditions for growth to happen. That is what we do.

Our Values

The principles that govern our work.

01

Intellectual Rigour

Every recommendation we make is earned. We do not speculate. We do not extrapolate carelessly. We work until the answer is defensible.

02

Context Over Convention

Southern African operating environments require Southern African solutions. International frameworks are reference points, not blueprints.

03

Candour

We tell clients what they need to hear. Our value lies in honest assessment, not comfortable agreement.

04

Transfer, Not Dependency

Every engagement ends with our clients more capable than when we arrived. Building internal capability is a deliverable, not an afterthought.

05

Regional Depth

Southern Africa is our home market. We understand its regulatory nuance, its political economy, and its institutional character.

Our Track Record

Results speak plainly.

16+
Years of Regional Expertise
9
Service Disciplines
100%
Context-Specific Engagements
Zero
Off-the-Shelf Solutions

The right advisory relationship changes everything.

If your organisation is navigating genuine complexity, we should talk.

What We Offer

Nine disciplines. One integrated practice.

Each service line is substantive in its own right. Together, they form a coherent advisory relationship capable of addressing your organisation's full resilience and governance agenda.

01
01

Crisis & Incident Management

When a crisis breaks, structure is the only thing that protects you.

Most organisations discover their crisis management gaps during an actual crisis. Trellis works before the event. We design Crisis Management Frameworks (CMF) grounded in your organisational structure, stakeholder complexity, and regulatory environment. We build playbooks for specific threat scenarios. We run simulations that expose capability gaps before they become consequential.

Our frameworks are operational, not ceremonial. They are written to be used under pressure, by real people, in real time.

Crisis Management Framework (CMF) design and documentation
Scenario-specific incident response playbooks
Crisis Management Team (CMT) and CSIRT structure design
Executive and operational tabletop simulations
Post-incident review and framework recalibration
Regulatory notification protocols (POPIA, FSCA, PA/SARB)
02
02

Risk Management

You cannot manage what you have not honestly identified.

Trellis designs enterprise risk frameworks that reflect the actual risk landscape of your organisation, not a theoretical one. We work with boards, executive committees, and risk functions to develop risk appetite statements, risk registers, and integrated reporting structures that enable genuine decision-making.

Risk management in Southern Africa requires regulatory literacy, sector knowledge, and the ability to translate complex exposure into boardroom language. We bring all three.

Enterprise Risk Management (ERM) framework design
Risk appetite and tolerance statement development
Risk register design and facilitation
Board and ExCo risk reporting frameworks
Third-party and supply chain risk assessments
Regulatory risk mapping (FSCA, PA/SARB, POPIA, NCA)
03
03

Business Continuity & Resilience

Continuity is not a document. It is a capability.

We design Business Continuity Plans (BCP) and programmes that function under real disruption conditions. Our process is anchored in Business Impact Analysis (BIA) methodology: we identify critical processes, establish Maximum Tolerable Periods of Disruption (MTPD), define Recovery Time Objectives (RTO), and build recovery strategies accordingly.

The result is a continuity capability that has been tested, not just documented.

Business Impact Analysis (BIA) design and facilitation
Business Continuity Plan (BCP) development
MTPD and RTO analysis per critical process
IT Disaster Recovery (DR) strategy advisory
BCP testing, exercising, and maintenance programmes
ISO 22301 alignment and gap assessment
04
04

Training & Capacity Building

Capability is the only resilience that compounds.

Trellis designs and delivers training programmes that build genuine capability across executive, management, and operational levels. We move beyond awareness sessions. Our programmes are immersive, scenario-based, and calibrated to the specific responsibilities of each audience.

We also develop internal training materials and facilitation guides that allow your organisation to sustain capability development independently after our engagement closes.

Executive crisis leadership workshops and simulations
Operational team incident response training
Risk management capacity programmes for non-risk functions
BCP and continuity awareness training
ESG and sustainability literacy programmes
Custom facilitation guides and internal training materials
05
05

ESG & Sustainability

Sustainability strategy without implementation architecture is aspiration, not work.

Trellis provides ESG and sustainability advisory that spans strategy, implementation, and assurance. We help organisations move from ESG intent to ESG architecture. That means building sustainability strategies with clear objectives, measurable targets, and credible deployment roadmaps.

We also conduct independent sustainability strategy audits, providing boards and stakeholders with an honest assessment of ESG performance, disclosure quality, and strategic coherence.

Sustainability strategy development and deployment roadmaps
ESG framework integration (GRI, TCFD, ISSB/IFRS S1 & S2)
Materiality assessment facilitation
ESG target-setting and performance measurement design
Independent sustainability strategy auditing
Sustainability disclosure review and gap analysis
06
06

Auditing Services

Independent review is only valuable when it is genuinely independent.

Trellis conducts independent framework audits across all of our service disciplines. We assess the design adequacy, operational effectiveness, and regulatory alignment of existing frameworks. Our audit reports are structured, evidence-based, and actionable.

We do not audit our own work. Where we have designed a framework, we refer independent audit to a trusted third party. This is a non-negotiable commitment to objectivity.

Crisis and incident management framework audits
BCP and business continuity programme audits
Risk management framework effectiveness assessments
Sustainability strategy and ESG disclosure audits
Governance and policy framework gap analysis
Regulatory compliance posture assessments
07
07

Business Process Optimisation

Automation without prioritisation is acceleration in the wrong direction.

The emergence of agentic AI creates a genuine inflection point for operational efficiency. But the organisations that benefit most are not those that automate fastest. They are those that automate the right things first. Trellis helps organisations identify, map, and rigorously prioritise business processes for agentic automation.

Our methodology distinguishes between processes that are suitable for automation, those that require redesign before they can be automated, and those where human judgement remains irreplaceable. The output is a prioritised automation roadmap grounded in operational reality, not vendor enthusiasm.

End-to-end business process discovery and mapping
Automation readiness assessment per process
Prioritisation framework design (impact, complexity, risk)
Agentic automation opportunity identification and scoping
Process redesign recommendations pre-automation
Automation governance and oversight framework design
Change management and workforce transition advisory
08
08

Strategic Partnerships & Transaction Advisory

The right connection, made at the right time, changes the trajectory of a project.

Many high-potential projects and commercial opportunities stall not because of poor execution or weak fundamentals, but because the right partners, funders, or suppliers are not in the room. Trellis bridges that gap. We leverage an established network across development finance, renewable energy, commodities, and mining sectors to identify and introduce the right counterparties for your specific opportunity.

Our work in this space is relationship-led and highly selective. We have facilitated the identification of funding and development partners for renewable energy projects across the region, and connected buyers and project developers with dependable, vetted suppliers of commodities and mining consumables. We do not act as brokers. We act as trusted advisors who know which doors to open and how to open them.

Funding and development partner identification for capital projects
Renewable energy and green infrastructure partnership facilitation
Commodity and mining consumables supplier sourcing and vetting
Investment readiness advisory for project developers
Counterparty due diligence support
Strategic introduction and relationship facilitation
Off-take agreement and supply contract structuring advisory

Tell us where the pressure is.

We will design an engagement that addresses it directly.

Insights & Articles

Thinking from the field.

Perspectives on resilience, risk, governance, and sustainability across Southern Africa. Grounded in practice. Written plainly.

The Fastest Car Knows When to Brake: What Lewis Hamilton’s Barcelona Win Teaches Us About Risk

Hamilton won the 2026 Spanish Grand Prix. The story is not about speed. It is about confidence, calibration, and the gap between having a capable framework and having one that your team actually trusts.

Fuel, Fertiliser, El Niño: The Three-Wave Food Security Risk Facing South Africa

A strong harvest has bought South Africa time. It has not removed the risk. Three shocks are converging on the food basket, and most people are only seeing the first one.

60 Hours Underground: What Newmont's Red Chris Rescue Teaches Every Industry About Crisis Preparedness

In July 2025, three miners spent 60 hours trapped under a rockfall in remote British Columbia. Every worker came home. The way Newmont managed the crisis is a masterclass worth studying.

When the Lights Go Out: How Prepared Is Your Organisation for a Crisis?

On 19 July 2024, a single software update paralysed 8.5 million systems worldwide. What followed was a masterclass in what crisis preparedness looks like, and what it does not.

ESG Is Not the Problem. The Gap Between Strategy and Deployment Is.

The backlash against ESG is real. Some of it is deserved. But the organisations compounding on sustainability built it into their operating architecture, not their annual report. The problem is not ESG. It is the gap between strategy and deployment.

Risk Appetite vs. Risk Tolerance: A Distinction That Matters

Boards that conflate risk appetite and risk tolerance make systematically different decisions from those that distinguish them. Boeing’s 737 MAX shows what happens when operational tolerances drift silently away from stated appetite. And why risk-governance theatre is not the same as risk governance.

Outsourced, Not Offloaded. Why Compliance Checks Cannot Protect You From Third-Party Risk.

Marks & Spencer had a vendor management programme. It had compliance checks. A helpdesk agent reset a password for the wrong person. What followed cost £300 million. Outsourcing transfers the function. It does not transfer the risk.

Get In Touch

Let us understand your challenge.

Every engagement begins with a direct conversation. No intake forms. No automated pipelines. A straightforward discussion about where you are and whether Trellis is the right fit.

Geographic Focus

Southern Africa and the broader region.

Response Commitment

All enquiries receive a substantive response within one business day.

Engagements

We accept a limited number of engagements per year. This is deliberate. It ensures quality.

Service Lines
Crisis Management Risk BCP Training ESG Auditing
Enquiry Form

Tell us about your organisation.

Your information is treated with strict confidentiality. Trellis does not share enquiry details with third parties.

Crisis Management April 2026 12 min read

When the Lights Go Out: How Prepared Is Your Organisation for a Crisis?

A single software update paralysed 8.5 million systems in July 2024. What followed was a masterclass in what crisis preparedness looks like. And what it does not.

At 04:09 UTC on 19 July 2024, CrowdStrike pushed a routine content update to its Falcon security platform. Within minutes, blue screens of death began appearing on Windows machines across six continents. By the time most executives arrived at their desks that morning, the crisis was already global.

The numbers that followed were staggering. 8.5 million Microsoft Windows systems crashed, less than one percent of all Windows machines globally, but concentrated almost entirely in enterprises running critical infrastructure. Airlines grounded flights. Hospitals reverted to paper records. Banks froze transactions. Emergency services lost communications. Delta Air Lines alone cancelled over 7,000 flights and estimated losses of approximately $500 million. Insurers projected total losses to US Fortune 500 companies at $5.4 billion.

CrowdStrike responded quickly. CEO George Kurtz issued a public statement within hours. A preliminary Post-Incident Review was published within five days. A technical fix was distributed. But the damage, financial, reputational, and operational, was already done. Delta filed a lawsuit. Regulators opened inquiries. A class action followed.

The CrowdStrike incident was not a cyberattack. It was a software update. And yet it triggered one of the most consequential operational crises in corporate history. The lesson is not that CrowdStrike was negligent. The lesson is that no organisation, regardless of size, sophistication, or sector, is immune to a crisis arriving without warning.

"By failing to prepare, you are preparing to fail."

Benjamin Franklin

The Seven Crises That Threaten Every Organisation

PwC's Global Crisis Survey, conducted across 2,084 senior executives in 43 countries, identified seven broad categories of corporate crisis. These are not theoretical constructs. They are the documented experience of organisations that have lived through them. Nearly all business leaders, 95%, expect to face a crisis. 69% already have, within the last five years alone.

The seven types are:

1. Operational Crisis

The most frequently experienced category. Includes supply chain failure, competitive disruption, process breakdowns, and business continuity failures. Experienced by over half of all surveyed organisations. The CrowdStrike incident falls here.

2. Technology & Cyber Crisis

System failures, data breaches, ransomware, and cyberattacks. Cited by one third of surveyed organisations. Larger organisations with more than 5,000 employees face cybercrime-specific crises at a rate of 26%, making it their single most common crisis type.

3. Financial & Liquidity Crisis

Cash flow collapse, credit events, market shocks, and insolvency risk. Financial and technology crises are statistically tied as the most common crisis triggers at 23% each. In African markets specifically, financial liquidity crises account for 12% of the most disruptive events experienced.

4. Humanitarian Crisis

Natural disasters, public health emergencies, workplace safety incidents, and climate-induced disruptions. Cited by 29% of organisations. Between 2022 and 2024, an average of 350 significant natural disasters occurred annually worldwide, with economic damages exceeding $300 billion per year.

5. Legal & Regulatory Crisis

Regulatory investigations, litigation, compliance failures, and enforcement actions. Cited by 28% of organisations. In established markets, legal and regulatory crises are among the top concerns for boards and audit committees.

6. Human Capital Crisis

Leadership failures, talent loss, ethical misconduct, and workforce disruption. PwC's 2023 survey identified employee retention and recruitment as the second most disruptive event type experienced by organisations globally, behind only the COVID-19 pandemic.

7. Reputational Crisis

Brand damage, social media escalation, ethical exposure, and stakeholder trust collapse. Reputation is estimated to account for as much as 28% of the total market capitalisation of S&P 500 companies. A single viral event can dominate headlines within hours. Research suggests 28% of corporate crises now spread to international media within 60 minutes of their start.

Crisis Frequency: Large vs. Medium Organisations

Based on PwC Global Crisis Survey data (2019, 2023) across 2,084+ senior executives in 43 countries. Large organisations: 5,000+ employees. Medium organisations: 500–4,999 employees.

Sources: PwC Global Crisis Survey 2019; PwC Global Crisis and Resilience Survey 2023; World Economic Forum. Figures represent percentage of organisations in each category that have experienced each crisis type.

"In crisis management, be quick with the facts, slow with the blame."

Leonard Saffir, Crisis Communications Strategist

Five Ways to Prepare Before the Crisis Arrives

PwC's research is direct on one point: organisations that prepare for crises systematically outperform those that improvise. They recover faster. They lose less. They retain stakeholder trust at higher rates. And yet 29% of companies have no staff dedicated to crisis preparedness or response whatsoever.

Preparation is not a luxury. It is a competitive and governance imperative. Here are five areas where the work must happen before the crisis, not during it.

01

Build a Crisis Management Framework. Before you need it.

A Crisis Management Framework (CMF) is not a document. It is a decision architecture. It defines who leads, who communicates, who decides, and under what authority. It maps escalation paths, assigns roles to specific individuals, and establishes the conditions under which each level of response is triggered.

The CrowdStrike incident exposed a painful truth about many organisations: their crisis plans existed on paper but had never been operationalised. Systems recovery took days or weeks for companies that should have been back online in hours. The difference, in almost every case, was whether they had a tested, role-specific response plan or merely a generic one.

Your CMF must be specific to your organisation. It must assign real names, not job titles. It must define your Critical Incident Levels. And it must be reviewed at least annually.

02

Develop Scenario-Specific Playbooks.

Generic crisis plans fail under pressure because they were never designed for the specific scenario unfolding. A ransomware playbook and a product recall playbook are entirely different documents. Each must include a defined first-hour response checklist, stakeholder notification sequences, regulatory notification obligations, and media communication protocols.

For organisations operating in South Africa and the broader region, playbooks must account for specific regulatory obligations. Under POPIA and the Joint Standard 2 of 2024, there are defined notification timelines for data breaches. The FSCA and Prudential Authority have their own incident reporting requirements. These are not optional. And they are time-bound. Discovering your notification obligations mid-crisis, rather than having them embedded in a playbook, is an avoidable and expensive mistake.

03

Run Simulations. Not just tabletops. Real simulations.

A tabletop exercise is valuable. But it is not sufficient. Real crisis capability is built through pressure-tested simulations that force decision-makers to operate under time constraints, incomplete information, and escalating complexity. The goal is not to produce a good performance in a controlled setting. The goal is to expose the gaps before a live event does.

PwC's research found that organisations which had conducted regular crisis simulations recovered from crises significantly faster and with lower financial and reputational damage than those that had not. Nearly three-quarters of organisations that experienced a serious crisis sought external help during or after it. The organisations that had simulated were better equipped to use that help productively.

Simulations should span all levels: board and ExCo for strategic decision-making, Crisis Management Teams for operational coordination, and frontline teams for incident response execution.

04

Establish Your Communication Architecture in Advance.

In a crisis, communication delays cost you control of the narrative. Research from Dataminr suggests that 28% of corporate crises now spread to international media within 60 minutes of their start. If your communication architecture, who says what, to whom, through which channels, and in what sequence, is not established before the event, you will be improvising in the most unforgiving environment possible.

Your communication architecture must include pre-approved holding statements for the most likely scenarios, defined spokespersons with media training, a stakeholder notification hierarchy, and social media monitoring protocols. Silence is never neutral. As one crisis communications expert noted: a lack of response provides an opportunity for the public to fill in the blanks, and what they fill in is rarely favourable.

05

Integrate Crisis Preparedness with Business Continuity.

Crisis management and business continuity are distinct disciplines. But they must be integrated. A crisis without a business continuity plan is an event from which you may not recover operationally. A business continuity plan without crisis management governance is a technical document with no command authority behind it.

The organisations that recovered from the CrowdStrike outage most quickly were those that had tested disaster recovery plans, defined Maximum Tolerable Periods of Disruption for their critical processes, and pre-established alternative operational procedures. PwC's 2023 data shows supply chain disruptions have doubled since 2019, making operational resilience, the integration of crisis management, BCP, and recovery planning, a board-level strategic priority rather than an IT department concern.

"The secret of crisis management is not good vs. bad. It is preventing the bad from getting worse."

Andy Gilman, President & CEO, Comm Core Consulting Group

The Question Is Not If. It Is When.

The CrowdStrike incident was not exceptional. It was representative. It demonstrated that crises do not announce themselves, do not respect sector boundaries, and do not give unprepared organisations the benefit of additional time. What distinguished the organisations that recovered in hours from those that took days was not luck. It was preparation.

PwC's research is unambiguous: companies with active crisis preparedness programmes suffer less financial damage, recover faster, and emerge from crises with their stakeholder relationships more intact than those that do not. The investment in preparation is not a cost. It is a form of capital preservation.

Stephen Covey framed it plainly: "If you don't choose to do it in leadership time up front, you do it in crisis management time down the road." The cost of the latter is always higher.

Trellis Consulting

Is your organisation prepared?

Trellis Consulting designs Crisis Management Frameworks, incident response playbooks, and crisis simulations for organisations that take preparedness seriously. If you want an honest assessment of where your organisation stands, reach out.

info@trellisconsulting.co.za
Sources
  • PwC Global Crisis Survey 2019. Crisis preparedness as the next competitive advantage. PwC Global. pwc.com
  • PwC Global Crisis and Resilience Survey 2023. The Resilience Revolution. PwC Global. pwc.com
  • World Economic Forum (2019). Almost all businesses expect to face a crisis. weforum.org
  • Gartner (2024). What You Need to Know About the CrowdStrike Outage. gartner.com
  • TechTarget (2024). CrowdStrike outage explained: What caused it and what's next. techtarget.com
  • Microsoft Official Blog (2024). Helping our customers through the CrowdStrike outage. blogs.microsoft.com
  • Cloud Security Alliance (2025). What We Can Learn from the 2024 CrowdStrike Outage. cloudsecurityalliance.org
  • Dataminr (2024). The Value of Time in Corporate Crisis Response. dataminr.com
  • Ken Research (2026). Global Crisis Management Market, Demand Analysis and Trends to 2030. kenresearch.com
  • Group Caliber (2026). Kisscams and Culture Wars: Crisis Management in 2025. groupcaliber.com
Key Statistics
95%
of business leaders expect to face a crisis
69%
have experienced at least one crisis in the last 5 years
29%
of companies have no staff dedicated to crisis preparedness
$5.4bn
estimated losses to US Fortune 500 from CrowdStrike outage alone
Related Services
Crisis Management May 2026 10 min read

60 Hours Underground: The Real Lesson About Crisis Preparedness

In July 2025, three mine workers spent more than 60 hours trapped underground after a rockfall in remote British Columbia. Every worker came home. What made the difference was not improvisation. It was preparation.

In July 2025, three mine workers spent more than 60 hours trapped underground after a rockfall at Newmont’s Red Chris mine in remote British Columbia, Canada.

Every worker came home.

That is the fact that matters most.

The incident happened on the morning of 22 July 2025, when a rockfall blocked access to an underground work area. Three drilling contractors working for Hy-Tech Drilling were beyond the affected area when it occurred. They moved to a refuge chamber before a second fall of rock cut off the access route completely.

Communications were lost. The route back was blocked by a large mass of fallen rock. The mine was remote. The physical conditions were dangerous.

For more than 60 hours, the three workers waited underground while rescue teams worked to reach them.

By the evening of 24 July 2025, all three had been safely brought to surface. Their employer described the moment as “euphoric.” British Columbia Premier David Eby praised “the heroic work of the rescue team.” Newmont CEO Tom Palmer said the lessons would be shared across the broader mining industry.

The rescue was not successful because the company improvised well under pressure.

It was successful because key decisions had already been made before the crisis began.

“If you don’t choose to do it in leadership time up front, you do it in crisis management time down the road.”

Stephen Covey, The 7 Habits of Highly Effective Families

What Newmont Got Right

The Red Chris rescue is worth studying because it shows what crisis preparedness looks like when the pressure is real.

The three workers had access to a refuge chamber. For non-miners, think of this as a hardened emergency shelter underground. It provides breathable air, water, food and protection when the normal way out is blocked.

That refuge chamber bought time.

Time is one of the most valuable assets in any crisis. Without it, leaders panic, teams rush and mistakes multiply. With it, the response can be methodical.

Newmont also activated its emergency protocols immediately. Operations were suspended. Specialist rescue teams were mobilised. Technology was used where human entry was too dangerous, including drones and remote-controlled equipment to assess conditions and clear rock safely.

This was not technology for technology’s sake. It was capability matched to a specific rescue problem.

The company also communicated publicly before the rescue had been completed. Newmont confirmed the incident, explained the rescue approach and committed to updates. Government, rescue teams, the company and the Tahltan Nation were visibly coordinated.

That matters.

In a crisis, silence creates space for speculation. Clear communication does not remove uncertainty, but it does reduce confusion.

“In crisis management, be quick with the facts, slow with the blame.”

Leonard Saffir, Power Public Relations (1993)

Finally, Newmont committed to learning from the incident and sharing lessons across the industry. That is the difference between treating a crisis as an event and treating it as a source of institutional learning.

The question for organisations is not whether they operate mines exactly like Red Chris. Most do not. The question is whether they have answered the same crisis questions in advance.

  • Who leads?
  • Who communicates?
  • Who notifies families, regulators and communities?
  • What equipment is already available?
  • What decisions are automatic?
  • What must never be left to improvisation?

Why This Matters

Mining remains a high-consequence environment. Even with significant improvements in safety performance, risks such as rockfalls, seismic events, shaft incidents and infrastructure failures cannot be eliminated entirely.

Recent incidents have shown how quickly operational disruptions can become crisis management challenges. Whether workers are trapped underground, critical infrastructure fails or rescue operations become prolonged, preparedness, communication and coordination determine how effectively organisations respond.

And the lesson extends beyond mining.

Banks, insurers, manufacturers, logistics companies, hospitals, municipalities, energy providers, ports and data centres all have their own version of the underground refuge chamber. It may be a backup power system, a cyber incident playbook, an emergency supplier arrangement or a tested evacuation plan.

The principle is simple: the thing that saves you in a crisis must exist before the crisis.

“Effective crisis management is 90% preparation and 10% execution.”

Michael Sengstack, Crisis Management Practitioner

Four Lessons for Every Organisation

01
Build the safety net before you need it.

Newmont’s refuge chamber was not created after the rockfall. It was already there. Every organisation should ask: what is our refuge chamber? Preparedness is not a document. It is capability.

02
Remove hesitation from the first response.

In a crisis, hesitation is expensive. Newmont did not wait for the situation to become publicly visible before acting. Emergency protocols were activated and specialist support mobilised. A good crisis framework removes uncertainty when time matters most.

03
Communicate before speculation takes control.

Newmont communicated while the rescue was still underway. Stakeholders do not need perfection. They need honesty, discipline and useful facts: what happened, who is affected, what is being done, who is leading, and when the next update will come. Silence is rarely neutral. It is often interpreted as avoidance.

04
Treat the review as part of the response.

The work does not end when people are rescued or operations resume. The post-incident review is where an organisation converts pain into capability. What failed? What worked? What assumptions were wrong? A crisis that teaches only one team has not taught enough.

“There is no worse mistake in public leadership than to hold out false hope soon to be swept away.”

Winston Churchill

The Question Leaders Should Ask Now

The Red Chris rescue is not really a story about Canada. It is a story about the difference between preparedness and hope.

Hope saysthe incident will not happen.

Preparedness saysit might, and we must be ready.

Hope assumespeople will know what to do.

Preparedness testswhether they actually can.

Hope waitsfor the crisis.

Preparedness buildsthe response before anyone needs it.

The workers came home because the organisation had prepared for the possibility that something could go wrong underground.

The refuge chamber was there.

The protocols were activated.

The rescue capability was mobilised.

The communication was coordinated.

The learning was treated as part of the response.

That is the standard every high-consequence organisation should be testing itself against.

Not when the crisis arrives.

Now.

Trellis Consulting

Is your crisis framework built for your operating reality?

Trellis Consulting designs Crisis Management Frameworks, scenario-specific playbooks, and crisis simulations for organisations in complex, high-consequence operating environments. We work across sectors, and we understand the regulatory context that shapes how a crisis must be managed. If you want to know whether your organisation is prepared, the place to start is a direct conversation.

info@trellisconsulting.co.za
Sources
  • Newmont Corporation (2025). Media Statement: Fall of Ground Incident at Red Chris Mine, 23 July 2025. newmont.com
  • CBC News (2025). Rescued workers being reunited with families after 60 hours trapped in B.C. mine. 25 July 2025. cbc.ca
  • Canadian Mining Journal (2025). Miners freed: 60-hour ordeal ends at Red Chris Mine. 25 July 2025. canadianminingjournal.com
  • International Mining (2025). Newmont Red Chris workers brought to surface in meticulously executed rescue plan. 28 July 2025. im-mining.com
  • Government of British Columbia (2025). Minister’s statement on the rescue of three workers at Red Chris mine. news.gov.bc.ca
  • Global News / Canadian Press (2025). Goosebumps and euphoria after workers trapped in B.C. mine were freed. 26 July 2025. globalnews.ca
  • Covey, S.R. (2014). The 7 Habits of Highly Effective Families. St. Martin’s Press. [Source of Covey quote]
  • Saffir, L. & Tarrant, J. (1993). Power Public Relations: How to Get PR to Work for You. NTC Business Books. [Source of Saffir quote]
Key Facts
60+
Hours three Newmont contractors spent underground at Red Chris
Zero
Fatalities. All three workers recovered safely.
72h
Minimum refuge chamber capacity. Pre-positioned before the incident.
90%
Of effective crisis management is preparation. Only 10% is execution.
Related Services
Risk Management February 2026 14 min read

Risk Appetite vs. Risk Tolerance: A Distinction That Matters

Boards that conflate these two concepts make systematically different decisions from those that distinguish them. The Boeing 737 MAX shows what happens when operational tolerances drift silently away from the appetite the organisation stated at the top.

Boards that conflate risk appetite and risk tolerance make systematically different decisions from those that distinguish them.

The Boeing 737 MAX shows why the distinction matters. It was not simply a story about technical failure. It was a story about the gap between what an organisation said it stood for and what it was prepared to accept at programme level.

In 2011, Boeing faced a strategic problem. Airbus had launched the A320neo, a more fuel-efficient upgrade of its bestselling aircraft, and airlines were buying it. Boeing had two broad choices: develop a clean-sheet aircraft, or upgrade the existing 737. A new aircraft would take significantly longer and cost far more. An upgrade could be delivered faster, at lower cost, and sold to airlines as requiring minimal additional pilot training.

Boeing chose the upgrade. It would become the 737 MAX.

By the time the MAX entered service in 2017, Boeing had internal evidence that failure scenarios involving the Maneuvering Characteristics Augmentation System, known as MCAS, could be more severe than the assumptions embedded in its safety analysis and training approach. Internal simulator testing had shown that delayed pilot response to uncommanded MCAS activation could be catastrophic. Yet Boeing continued to assume that pilots would recognise and respond quickly, and it did not require pilots to be specifically trained on MCAS failure scenarios.

Lion Air Flight 610 crashed on 29 October 2018, killing 189 people. Ethiopian Airlines Flight 302 crashed on 10 March 2019, killing 157 more. The global 737 MAX fleet was grounded for 20 months. Boeing ultimately agreed to pay more than $2.5 billion in penalties, compensation and related payments. Its CEO resigned. The United States Department of Justice opened a criminal investigation.

The point is not that Boeing formally labelled the MCAS decisions as “risk appetite” and “risk tolerance” decisions. The point is that, in risk-governance terms, that is exactly what they became.

Boeing’s public identity and operating ethos rested on engineering excellence and safety. In risk-appetite terms, that implied an extremely low tolerance for catastrophic safety failure. But at programme level, specific assumptions were accepted about aircraft behaviour, pilot response, training requirements and certification. Those assumptions represented operational tolerances. They defined what the organisation was prepared to live with in practice.

That is where the gap opened.

Available investigation and litigation records indicate that critical MCAS safety information did not reach the board in a way that enabled effective challenge before the first crash. The board existed. Committees existed. Risk processes existed. But the information that mattered most did not travel with sufficient clarity from the technical level to the governance level.

That is the distinction this article is about.

Risk appetite is what the organisation says it is willing to pursue.
Risk tolerance is what the organisation is prepared to accept in practice.
When the two drift apart, risk becomes invisible until it becomes irreversible.

Risk Appetite: The Strategic Position

Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its objectives. It is usually set at board level and expressed in strategic terms.

It answers questions such as: are we willing to accept earnings volatility in pursuit of growth? Are we prepared to enter markets with higher regulatory uncertainty? How much operational disruption are we willing to absorb? Which risks are we prepared to take, and which are unacceptable regardless of reward?

Risk appetite is not merely a number. At its best, it is a strategic position expressed through both qualitative statements and quantitative boundaries. It tells management where the organisation is willing to play, how aggressively it is willing to pursue opportunity, and where it will not compromise.

A bank may have appetite for credit risk, but very limited appetite for liquidity risk. An insurer may have appetite for underwriting volatility, but no appetite for conduct failures. A mining company may have appetite for commodity-cycle exposure, but no appetite for preventable fatalities.

That is the function of appetite. It sets the philosophy of risk-taking.

But appetite does not govern behaviour automatically. It must be translated. That is where tolerance matters.

Risk Tolerance: The Operational Boundary

Risk tolerance is the acceptable level of variation from a specific objective, risk or control requirement. It is more granular than appetite. It is where the board’s philosophy becomes an operational boundary.

Tolerance may be expressed as a number, threshold, trigger, limit, control requirement, escalation point or prohibited condition.

A hospital system may have a risk appetite statement that says it will not accept risks that compromise patient safety. Its tolerance for a specific procedure might include infection-rate thresholds, minimum staffing levels, escalation requirements and conditions under which surgery must not proceed. A bank may state low appetite for regulatory breaches. Its tolerance position may define reporting deadlines, breach escalation thresholds, remediation timelines and unacceptable repeat findings. A logistics company may prioritise driver safety. Its tolerance framework should define maximum driving hours, vehicle-maintenance limits, fatigue triggers and non-negotiable stop-work conditions.

Appetite tells the organisation what it stands for. Tolerance tells people what to do when trade-offs appear.

The danger is that organisations often state appetite at the top, but set tolerances far below the boardroom. Product teams, engineers, underwriters, traders, claims teams, procurement teams and project managers all make tolerance decisions. Some are formal. Many are informal. Some are documented. Many are embedded in operating practice.

Over time, those decisions can drift away from the appetite statement without anyone making a single dramatic decision to allow it. That is where risk accumulates.

A Simple Analogy

Think about driving.

Your appetite for road risk might be: I drive safely and do not take unnecessary risks. That is your philosophy. Your tolerance is how fast you actually drive on a specific road in specific conditions. If the speed limit is 120km/h and you drive at 130km/h on a clear day, you have made a tolerance decision that deviates from your appetite statement. If you drive at 150km/h in rain with worn tyres, the deviation has become dangerous.

Your appetite statement has not changed. Your actual tolerance has.

The gap between the two is where risk lives.

Organisations do this constantly. They state their appetite in governance documents, board packs and strategy presentations. Their actual tolerances are set through pricing decisions, project deadlines, control exceptions, resourcing constraints, policy waivers, technology workarounds and escalation failures.

The organisation may still say the right thing. The question is whether it is accepting something different.

Why Traditional Risk Reporting Often Misses the Gap

The Boeing case raises a second question. If the board existed, committees met, risk processes operated and reports were produced, why did the board not have the information it needed?

Part of the answer lies in how risk is reported. Traditional board risk reporting often relies on quarterly heat maps, top-ten risk lists and traffic-light dashboards. These tools are not useless. They provide structure. They create a common language. They help boards orient themselves.

But they are insufficient when used as the primary instrument of risk intelligence.

Limitation 1: Static by design

A heat map captures risk exposure at a point in time, often prepared weeks before the board meeting. By the time the board sees it, the risk may have moved. A heat map can tell the board a risk is rated ‘medium.’ It does not tell the board whether the organisation is operating within appetite, approaching the edge of tolerance, or already accepting exposure that contradicts its stated position.

Limitation 2: Appetite and tolerance are conflated

Traditional reports show risk ratings, but not the relationship between the organisation’s stated appetite and the actual tolerances being accepted in the business. A top-ten risk list shows what management considers material. It does not show whether tolerances are drifting at business-unit, product, programme or control level.

Limitation 3: Nuance is lost in translation

The practitioner’s assessment may contain assumptions, qualifications, control weaknesses, data limitations and scenario concerns. By the time it reaches the board, these may have been compressed into a colour, score or short paragraph. A traffic-light dashboard can simplify complexity. It can also hide it.

Limitation 4: Risk is disconnected from strategy

A board does not govern a risk register. It governs the organisation’s strategic direction. Risk reporting that shows risks in isolation from the strategic objectives they threaten is reporting to the wrong audience.

The issue is not whether heat maps should disappear. The issue is whether they are being asked to do more than they can do.

What Better Board Risk Reporting Looks Like

Effective board risk reporting should do five things.

01
Separate the appetite declaration from the tolerance position.

The board should see the stated appetite for each material risk area and the current tolerance position being accepted in practice. Where actual tolerance is approaching, stretching or breaching appetite, this should be explicit. It should not be buried inside a colour rating.

02
Connect risk to strategy.

Boards do not need abstract risk labels. They need to know which strategic objectives are threatened. Not ‘supply chain risk, rated amber,’ but ‘supplier concentration threatens our ability to meet the Q3 production commitment, which underpins our revenue guidance.’

03
Use the heat map as a navigation tool, not the destination.

The heat map should help the board decide where to look. It should not be treated as the answer. The real discussion should focus on movement, tolerance, control effectiveness, decision points and strategic consequence.

04
Preserve the practitioner’s rigour.

The board pack must be concise, but the underlying analysis should not disappear. Data sources, assumptions, control assessments, tolerance thresholds and scenario analysis should be available in a structured annex. Board members should not be forced to choose between a dense spreadsheet and a one-page dashboard that hides the important work.

05
Be dynamic and forward-looking.

A stable ‘medium’ risk may be less important than a ‘low’ risk moving rapidly toward a tolerance breach. Good reporting shows direction of travel. It includes early-warning indicators, emerging risk signals, stress scenarios and explicit triggers for escalation. The strongest risk reports do not merely describe the current position. They tell the board where the organisation is heading.

The Practitioner’s Responsibility

There is a version of this debate that places the burden entirely on the board. Boards should ask better questions. They should demand more transparency. They should challenge management harder.

That is true, but incomplete.

Risk practitioners carry an equal responsibility. Their job is not only to assess risk. It is to convert technical risk work into decision-useful intelligence.

A technically excellent risk register that lands in the boardroom as a dense spreadsheet has not completed the job. A simplified dashboard that removes the tolerance analysis has also not completed the job.

The task is to do both: preserve rigour and create clarity. That requires the practitioner to think like a strategist, communicate like an executive, and still work with the discipline of a technical specialist.

The Practitioner’s Five Statements
This is the appetite.
This is the tolerance being applied.
This is where the two are aligned.
This is where they are drifting.
This is the decision now required.

Without that translation, risk management becomes administrative rather than strategic.

The Standard Worth Holding

Risk appetite and risk tolerance are not administrative constructs. They are the operating system of sound risk governance.

When they are clearly defined, properly distinguished and honestly reported, boards can make better decisions. Organisations can take risk deliberately rather than accidentally. The gap between what an organisation says it stands for and what it actually accepts can be narrowed.

Boeing’s failure was not that it lacked engineers, committees, reports or processes. It was that critical safety information did not reach the governance level with the clarity required for effective challenge. The organisation’s public commitment to safety and the operational tolerances accepted within the MAX programme moved too far apart.

That is the lesson.

The question for every board and every risk practitioner is not whether the organisation has a risk framework. Most organisations do.

The question is whether the framework is doing what it is supposed to do.

Does it show the board where appetite and tolerance are aligned?
Does it reveal where tolerances are drifting?
Does it connect technical risk to strategic consequence?
Does it preserve enough nuance for challenge?
Does it help decision-makers act before a breach becomes a crisis?

If not, the organisation may not have a risk-governance framework.

It may only have risk-governance theatre.

Trellis Consulting

Does your board have the risk intelligence it needs to govern?

Trellis Consulting designs enterprise risk frameworks, risk appetite and tolerance structures, and board-level risk reporting architectures for organisations that take governance seriously. If the gap between your risk assessment work and your board reporting is wider than it should be, that is the right place to start a conversation.

info@trellisconsulting.co.za
Sources
  • Harvard Law School Forum on Corporate Governance (2024). Boeing 737 MAX: Board Governance Failures. Tayan, B. & Larcker, D. corpgov.law.harvard.edu
  • Defense Acquisition University (2023). Examining Risk Management Failures: The Case of the Boeing 737 MAX Program. dau.edu
  • Global Risk Management Institute (2025). The Boeing 737 MAX: A Case Study. grm.institute
  • ISACA (2022). Risk Appetite vs Risk Tolerance: What is the Difference? isaca.org
  • TechTarget / Informa (2024). Risk appetite vs. risk tolerance: How are they different? techtarget.com
  • Optro.ai (2025). Risk appetite vs. risk tolerance: definitions, examples, and governance shifts. optro.ai
Key Definitions
Risk Appetite
The amount and type of risk an organisation is willing to accept in pursuit of its objectives. Strategic. Set at board level. The philosophy of risk-taking.
Risk Tolerance
The acceptable level of variation from a specific objective, risk or control requirement. Operational. Expressed as a threshold, limit, trigger or prohibited condition.
The Gap
When tolerances drift away from appetite without explicit decision, risk accumulates invisibly. That is the governance failure this article is about.
Boeing 737 MAX
346
Lives lost across two crashes, 2018–2019
20 months
Global fleet grounding
$2.5bn+
Penalties, compensation and related payments
Related Services
ESG & Sustainability March 2026 13 min read

ESG Is Not the Problem. The Gap Between Strategy and Deployment Is.

The backlash against ESG is real. Some of it is deserved. But it is not a backlash against sustainability itself. It is a backlash against the version that produces glossy reports, vague targets, weak ownership, and very little operational change.

The backlash against ESG is real. Some of it is deserved.

But it is not really a backlash against sustainability, responsible governance, climate risk management, supply-chain resilience, fair labour practices, or ethical conduct. It is a backlash against performative ESG: the version that produces glossy reports, vague targets, weak ownership, and very little operational change.

That distinction matters.

Because the organisations that built sustainability into their operating architecture are not retreating. They are compounding.

In 2011, Patagonia placed a full-page advertisement in The New York Times on Black Friday. It showed one of its most popular fleece jackets. The headline read: “Don’t Buy This Jacket.”

The copy explained the environmental cost of producing the garment: 135 litres of water, 20 pounds of carbon dioxide, and waste equivalent to two-thirds of the jacket’s weight. It asked customers to think before buying, repair before replacing, and reconsider before consuming.

Most companies would have considered that commercially suicidal.

Patagonia ran it anyway.

The campaign did not destroy the business. Patagonia’s sales grew in the period that followed. In 2022, founder Yvon Chouinard transferred ownership of the company, valued at approximately $3 billion, to the Patagonia Purpose Trust and the Holdfast Collective, with the declaration: “Earth is now our only shareholder.” Patagonia remains a private company, but it is widely regarded as a billion-dollar business whose reputation is inseparable from the credibility of its environmental commitments.

Patagonia did not succeed because it published a sustainability report. It succeeded because sustainability was not a layer added to the business. It was part of the architecture of the business.

That is the point many organisations miss.

ESG fails when it is treated as a communications exercise. It becomes credible only when it changes how the organisation allocates capital, manages risk, buys from suppliers, designs products, measures performance, rewards executives, and governs itself.

The problem is not ESG. The problem is the gap between strategy and deployment.

“ESG is not about philanthropy. It is about risk management.”

Mark Carney, Former Governor, Bank of England and Bank of Canada

Let’s Address the Scepticism Directly

There is a version of ESG that deserves scepticism.

It is the version that announces net-zero commitments without a credible transition plan. The version that produces sustainability reports filled with aspiration but no deployment roadmap. The version that appoints a sustainability officer, gives them no budget, no authority, no board access, and then measures success by the thickness of the annual report.

When this is dishonest, we call it greenwashing. When organisations become nervous about scrutiny and stop communicating their sustainability work altogether, we call it greenhushing.

The examples are not theoretical. Deutsche Bank’s asset management arm, DWS, was fined €25 million by German prosecutors in April 2025 after an investigation into misleading statements about its ESG credentials. HSBC exited the Net-Zero Banking Alliance in 2025. Global sustainable funds recorded outflows of more than $8 billion in the first quarter of 2025, with US investors accounting for most of the withdrawals.

So yes, the backlash is real.

But the backlash against performative ESG is not an argument against substantive ESG. It is an argument for the difference between the two.

The organisations retreating are often retreating from the label, the marketing, or the commitments they never had the operating model to deliver. The organisations that embedded sustainability into governance, risk management, procurement, capital allocation and performance management are not asking whether ESG is fashionable. They are asking whether the business is resilient.

“When sustainability is viewed as being a matter of survival for your business, you can create massive change.”

Cameron Sinclair, Architect and CEO, Worldchanging Institute

The Implementation Gap Is the Real Problem

The strongest evidence against performative ESG is not ideological. It is operational.

A 2025 article in Frontiers in Sustainability, citing an early assessment of 312 EU companies across 18 sectors, reported that only 37% had fully established double materiality assessment processes by Q4 2024. A further 54% were only partially prepared.

EY’s 2025 Global Climate Action Barometer found that 92% of companies analysed assess the qualitative or quantitative impact of physical climate risks. But only 44% reported having adaptation measures in place.

Read those numbers again.

Almost everyone is assessing the risk. Fewer than half are adapting to it.

That is not a knowledge problem. It is a deployment problem.

This is where the board-to-operations breakdown lives. At board level, commitments are made in strategic language: reduce Scope 1 and 2 emissions, improve gender representation, strengthen supplier standards, manage climate risk, improve disclosure quality. These commitments land in the annual report and investor presentation.

But at operational level, the procurement team is still measured primarily on cost. Finance is still allocating capital without a sustainability lens. HR is still managing incentives around traditional performance metrics. Risk teams are identifying ESG exposures, but line management is not always required to own the mitigation.

The ESG strategy and the operating model run on parallel tracks. They speak to each other in reporting season, but not in the daily machinery of the business.

That is not a failure of intent. It is a failure of architecture.

“Ambition, authenticity and alignment. Ambitiousness in ESG strategy unlocks value and innovation. Authenticity means putting it at the core of the business rather than treating it as a peripheral issue. Alignment means connecting the overall strategy to everything: hiring, remuneration, procurement.”

Michele Lemmens, Head of Business Sustainability, Tata Consultancy Services

What Practical ESG Actually Looks Like

Practical ESG is not a framework document. It is not an ISSB disclosure, a GRI index, or a polished sustainability report. Those are outputs. Practical ESG is the operating discipline that produces outputs worth disclosing.

It has five characteristics.

01
It starts with honest materiality.

A proper materiality assessment identifies the ESG issues most likely to affect the organisation’s performance, stakeholders, licence to operate and long-term resilience. Done properly, it is uncomfortable. It surfaces issues the organisation may prefer not to prioritise. A materiality assessment that only identifies areas where the company is already performing well has not been done properly. It has been curated. The point is not to look good. The point is to know what matters.

02
It produces a deployment roadmap.

A sustainability strategy that says “we are committed to reducing our environmental footprint” is not a strategy. It is a declaration. A strategy says: by this date, we will complete our emissions baseline; by this date, we will set measurable targets; by this date, we will integrate ESG criteria into procurement; by this date, we will link executive scorecards to agreed sustainability outcomes. The roadmap defines ownership, funding, milestones, dependencies and consequences. Without those, the strategy is aspiration.

03
It integrates into business processes.

ESG fails when it sits beside the business. It succeeds when it is embedded into the processes through which the business already makes decisions: capital allocation, procurement, product design, underwriting, remuneration, risk management, compliance, supplier onboarding, performance reviews and internal assurance. Microsoft has linked elements of executive compensation to sustainability-related objectives. The principle is simple: what gets governed gets managed. What gets measured gets discussed. What affects remuneration gets taken seriously.

04
It uses honest management metrics.

An ESG strategy must define its measures before results are known, not after. Energy consumption. Scope 1 and 2 emissions. Supplier assessment coverage. Gender representation by management level. Lost-time injury rates. Ethics breaches. Regulatory incidents. These are not just disclosure metrics. They are management metrics. The board should review them alongside financial and risk performance. Regressions should be acknowledged. Targets should be adjusted only with transparent rationale, not quietly abandoned when they become inconvenient.

05
It is assurance-ready.

The most credible ESG programmes can withstand independent scrutiny. As ISSB-aligned reporting, CSRD, ESRS and other sustainability disclosure regimes mature, assurance expectations will increase. Investors, regulators, auditors and boards will all ask the same question: can we trust the data? Organisations that build assurance-ready systems now, with proper data governance, ownership, evidence trails and review mechanisms, will be better positioned than those that treat ESG data as a communications input rather than a governance asset.

“Many business leaders are seeing the relationship between long-term success and sustainability, and that is very heartening.”

Jacqueline Novogratz, Founder and CEO, Acumen

The Board’s Role: Strategy, Not Ceremony

The board’s role is not to applaud the sustainability report once a year. It is to govern the architecture.

That means the board should approve the sustainability strategy and deployment roadmap, not just the disclosure. It should review material sustainability risks in the same governance cycle as financial, operational and strategic risks. It should challenge management on greenwashing risk, data quality, capital allocation and execution.

It should also ensure that sustainability has the resources required to move from ambition to implementation.

A sustainability strategy without budget is a wish list.

A sustainability officer without authority is a press release.

A board agenda item without operational consequence is ceremony.

The serious board question is not: “Do we have an ESG report?”

It is: “Have we embedded the material ESG issues into how this organisation is governed, managed and measured?”

What the Sceptics Get Right

The ESG sceptics are not wrong about everything.

They are right that some ESG activity has been ideological, performative and disconnected from financial reality. They are right that ESG reporting has become complex. The proliferation of GRI, ISSB, TCFD, CSRD, ESRS, SFDR and other frameworks has created a real compliance burden. The EU’s 2025 Omnibus simplification package acknowledged this by proposing changes to sustainability reporting and due-diligence rules, targeting a 25% reduction in administrative burdens for companies and 35% for SMEs.

They are also right that ESG cannot be copied and pasted from large corporates into small and medium enterprises. A 200-person company does not need the same architecture as a multinational bank or mining house.

But the sceptics are wrong when they conclude that ESG itself is the problem.

The physical risks of climate change are already affecting insurance markets, infrastructure planning, agriculture and supply chains. Poor labour practices can become disruption, litigation, reputational damage and regulatory enforcement. Weak governance can become fraud, misconduct, capital destruction and loss of trust. Supplier failures can become operational failures.

These are not abstract moral concerns. They are business risks.

The answer to weak ESG is not to abandon ESG. It is to make it practical, material, governed and operational.

The Practical Test

Any organisation reviewing its ESG posture should ask four questions.

Can we name our three most material ESG risks, the specific ones most likely to affect our business performance, resilience or stakeholder trust?
Do we have measurable targets for each, with a named owner, defined budget and clear timeline?
Are those targets reviewed by the board in the same cycle as financial and risk performance?
Would an independent reviewer find our sustainability data accurate, defensible and supported by evidence?

If the answer to all four is yes, the ESG programme is becoming operational. If the answer to any of them is no, the gap between ESG commitment and ESG architecture is where the risk lives.

Patagonia did not answer these questions perfectly on day one. It built credibility over years of operational decisions. The “Don’t Buy This Jacket” advertisement was not the strategy. It was a signal that the strategy was real.

The question is not whether organisations should have a sustainability strategy. The market, the regulatory environment and the operating context have already answered that.

The real question is whether the strategy is architecture or aspiration.

One of those protects the organisation. The other only protects the narrative.

Trellis Consulting

Is your ESG strategy architecture or aspiration?

Trellis Consulting designs sustainability strategies with deployment roadmaps, materiality assessments, and ESG framework integration for organisations that want their commitments to hold under scrutiny. We also conduct independent sustainability strategy audits for boards that want an honest view of where they actually stand. If either is relevant to your organisation, the place to start is a direct conversation.

info@trellisconsulting.co.za
Sources
  • Frontiers in Sustainability (2025). ESG performance in the regulatory transformation era: a systematic thematic review (2020–2024). Leal Filho et al. frontiersin.org
  • EY (2025). Global Climate Action Barometer 2025. ey.com
  • Watson Farley & Williams (2025). The rise of greenwashing amid growing ESG pressures. wfw.com
  • Corporate Compliance Insights (2025). Fractured & Fraught: The State of ESG in 2025. corporatecomplianceinsights.com
  • European Commission (2025). Omnibus I simplification package: proposed changes to CSRD and CSDDD. ec.europa.eu
  • Causeartist (2025). Business Case Study: Patagonia. causeartist.com
  • Strategic Leaders (2024). How Patagonia Aligns Strategy Execution with Environmental and Social Responsibility. strategicleaders.com
  • IMD Business School (2026). 8 Best Practices in ESG Reporting for a Sustainable Strategy. imd.org
The Implementation Gap
92%
of companies assess physical climate risk
44%
have actually implemented adaptation measures
37%
of 312 EU companies had fully established double materiality processes by Q4 2024
€25m
Fine paid by DWS (Deutsche Bank) for misleading ESG credentials, April 2025
The Practical Test
Can you name your three most material ESG risks?
Do you have measurable targets with named owners?
Does the board review them alongside financial results?
Would your sustainability data survive independent scrutiny?
Related Services
Risk · ESG · Resilience June 2026 14 min read

Fuel, Fertiliser, El Niño: The Three-Wave Food Security Risk Facing South Africa

A strong harvest has bought the country time. It has not removed the risk. Three shocks are converging on the South African food basket, and most people are only seeing the first one.

Three shocks are converging on the South African food basket.

Most people are seeing only the first one. They think this is about fuel prices. More specifically, they think it is about what motorists pay at the pump.

But for food security, the more important number is diesel.

In April 2026, South Africa’s household food basket rose by 2.3% in a single month. That was R123.56 more in one month. Painful. Visible. Real.

But it may also be the least important signal.

Behind that number sits a convergence of three supply-side shocks: fuel and logistics, fertiliser, and weather. Each is material on its own. Together, they create a more dangerous 2027 risk environment.

South Africa has one important advantage right now: the Crop Estimates Committee’s April 2026 production forecast points to a strong 2025/26 summer grain and oilseed harvest. The stores are not empty. That matters.

But abundance should not be mistaken for safety.

A full silo is not a strategy. It is a window.

“Risk comes from not knowing what you’re doing.”

Warren Buffett, Chairman and CEO, Berkshire Hathaway

The Risk Is Convergence, Not Inflation

The better framing is not inflation. It is convergence.

The three shocks are not arriving at exactly the same time. They are arriving close enough that the buffer between them is thin.

Fuel affects the cost of producing, moving and preserving food now. Fertiliser affects the cost and viability of planting later in 2026. Weather affects the yield of what is harvested in 2027.

That is the structure of the risk.

Wave One: Fuel and Logistics

Official fuel-price adjustments show that South Africa experienced a historic fuel-price shock across April and May 2026. Inland petrol 93 moved from about R20.19 per litre in March to R23.25 in April and R26.52 in May. But for food security, diesel matters more. Wholesale diesel moved even more sharply, rising from around R18.60 in March to above R26 in April and above R32 in May. Government’s temporary fuel levy relief softened the blow, but it did not remove it. Diesel powers the tractors that prepare fields and harvest crops. It powers the trucks that move grain, livestock, fresh produce, processed food, fertiliser and packaging. It sits inside cold chains, distribution centres, generators, irrigation systems, and last-mile delivery routes. When diesel rises sharply, food inflation does not need to begin with scarcity. It can begin with movement. Every kilometre becomes more expensive. Every refrigerated load costs more to preserve. Every rural delivery route becomes harder to absorb. June brought partial relief for diesel, but the May spike had already reset cost assumptions across the food chain. Supply chains do not reprice as neatly as fuel stations do. Disruptions in Middle East trade routes have added further uncertainty to global logistics. Rerouting around the Cape of Good Hope can extend transit times materially. For imported food, fertiliser, agrochemicals and packaging inputs, time is cost.

Wave Two: Fertiliser

The second wave is less visible, but it may matter more. The World Bank’s April 2026 Commodity Markets Outlook projected a 60% annual increase in urea prices in 2026. Fertiliser affordability is now at its weakest level since the post-Ukraine shock of 2022. South Africa is import-exposed. Fertiliser is globally traded, dollar-priced, and geopolitically sensitive. The Strait of Hormuz is a significant corridor for global fertiliser-related trade. Disruption risk there does not stay there. It travels through invoices, planting decisions and farm margins. South African summer grain farmers begin planting later in 2026. They are pricing inputs now. A farmer facing record-high input costs does not simply absorb the cost. They plant less, delay decisions, reduce fertiliser application, or take on more financial risk. The impact is not immediate. It appears months later, in area planted, yield potential and final harvest volumes. That is why fertiliser is a delayed food-security shock. The crop affected by these input decisions will be harvested in 2027.

Wave Three: El Niño

The United States National Oceanic and Atmospheric Administration’s Climate Prediction Center placed the probability of El Niño at 82% for May to July 2026, rising to 96% for December 2026 to February 2027. The South African Weather Service has also indicated a likely transition toward El Niño conditions, while cautioning that seasonal forecasts still carry uncertainty. That caveat matters. El Niño does not guarantee drought everywhere in southern Africa. It does not guarantee a failed crop. But it raises the probability of hotter and drier conditions during the summer grain season. South Africa has lived this risk before. During the severe 2015/16 drought linked to a strong El Niño, maize production fell below domestic consumption requirements and the country had to import maize. The double bind is direct: high input costs can reduce the area planted or the intensity of fertiliser use; El Niño can reduce yields on what is planted. These forces do not average out. They compound.

“We do not rise to the level of our expectations. We fall to the level of our preparation.”

Archilochus, Greek Poet, 7th century BC

The Household Baseline Is Already Fragile

This is not only a 2027 problem. The household baseline is already under pressure.

The Pietermaritzburg Economic Justice and Dignity Group’s Household Affordability Index is not official inflation data. It is a widely cited civil-society affordability measure focused on the lived cost of a basic basket for low-income households. Read alongside Stats SA’s CPI data and agricultural-market analysis, it gives a sharper view of household stress than headline inflation alone.

The May 2026 Household Affordability Index recorded the household food basket at R5,479.26. The National Minimum Wage for a 20-working-day month yields R4,836.80.

That is already a R642.46 shortfall before rent, transport, electricity, school costs or debt service.

After PMBEJD’s estimated transport and electricity costs of R2,781.85 are deducted, a minimum-wage worker has R2,054.95 left. The basic nutritional food basket for a family of four costs R3,795.23. That leaves a shortfall of R1,740.28, or 45.9%.

This is the baseline against which the next shocks arrive.

It is possible to have record harvests in the national system and record hunger in households. That is the uncomfortable truth of food security. Availability is not the same as affordability.

The 2.9% food and non-alcoholic beverages inflation headline risks understating the lived reality. Meat inflation was still 9.4% year-on-year in April 2026. Electricity and transport are already crowding out food spending for low-income households.

The country is not entering the 2027 risk window from a position of household strength.

“Unprecedented events occur regularly. Be prepared.”

Seth Klarman, Founder and CEO, Baupost Group

The Monetary Shock Has Now Joined the Picture

South Africa entered 2026 with headline inflation at 3%, a 21-year low, and the SARB on an easing cycle. That easing cycle is now under pressure.

At its May 2026 meeting, the SARB raised the repo rate by 25 basis points to 7.00%, effective 29 May 2026, with the prime lending rate moving to 10.50%. The Bank raised its 2026 inflation forecast to 4.4% and modelled risk scenarios involving a prolonged Middle East crisis, higher oil and food prices, a weaker rand, an El Niño event, and non-linear inflation effects.

This matters because food insecurity is not only a food-price problem. It is a household cash-flow problem.

For low-income households, higher rates do not arrive only through bond repayments. They arrive through the cost of credit used to survive lean months, transport finance, informal lending, store accounts, and debt servicing.

The deficit already exists. Higher rates harden it.

What the State Should Do While the Shield Holds

South Africa’s strong 2025/26 summer grain and oilseed harvest is keeping physical scarcity at bay. That is precisely why the next few months matter.

1. Build strategic food buffers

South Africa should reassess whether a portion of the current harvest should be used to strengthen national or targeted grain reserves. Exporting into favourable conditions may make commercial sense. But when global supply risk is elevated, domestic buffer stocks become a resilience instrument. Abundance is a policy opportunity. It is not a reason to stand down.

2. Mitigate fertiliser cost risk

The fertiliser-to-harvest lag is unforgiving. Decisions made in 2026 will show up in 2027. Government should urgently explore targeted support for vulnerable producers, import coordination, concessional finance for input purchases, and domestic supply prioritisation where feasible. This does not require blanket subsidies. It requires targeted protection of planting capacity. The window closes when planting begins.

3. Revisit VAT relief on basic nutrition

The zero-rated basket has not kept pace with the lived diet of food-insecure households. Chicken is the primary protein source for many low-income South Africans, yet it is not zero-rated. Before the next wave lifts the floor price of the basket, VAT relief on essential protein should be reconsidered as a direct affordability intervention.

“The time to repair the roof is when the sun is shining.”

John F. Kennedy, Address to a Joint Session of Congress, 1962

What Organisations Should Do

This is not only a government issue. The same convergence shaping food security is also shaping the operating environment for South African organisations.

01
Map diesel and logistics exposure.

Any organisation with distribution, fleet, cold chain, warehousing, field operations or supplier logistics should model its diesel sensitivity now. The question is not whether fuel affects the business. It is where diesel sits in the cost structure, by how much, through which suppliers, and under which contracts. Food producers, retailers, logistics operators, insurers, lenders and employers with distributed operations should understand their exposure to fuel-adjustment clauses, delivery surcharges, generator dependency, refrigerated transport, and rural supply routes. A petrol shock is visible to consumers. A diesel shock is embedded in the price of almost everything consumers eventually buy.

02
Build Wave Two into procurement assumptions.

If your cost base touches grain, animal feed, food manufacturing, packaging, agriculture, retail or catering, fertiliser is already part of your 2027 cost environment. It is not a future risk. It is a 2026 procurement decision arriving as a 2027 price event.

03
Stress-test business continuity plans.

Business continuity plans should be tested against a convergent food-system shock: elevated input costs, logistics disruption, reduced harvest volumes, supplier distress, and a workforce already under household financial pressure. This is especially important for FMCG manufacturers, food retailers, logistics operators, agricultural suppliers, insurers, lenders, and employers of large lower-income workforces.

04
Treat household stress as workforce risk.

The R642.46 gap between the May household food basket and a minimum-wage month is not an abstract poverty statistic. It is a workforce resilience indicator. Financially stressed workers face higher absenteeism risk, lower engagement, greater debt vulnerability, and higher susceptibility to industrial action. Organisations that treat this as a social issue only are missing the operational risk.

05
Update ESG materiality.

Any 2026 ESG materiality assessment that excludes food security, climate-driven agricultural disruption, geopolitical commodity exposure, and supply chain affordability is incomplete. This is not philanthropy. It is operating-context intelligence. Boards should be asking whether their risk, sustainability and resilience frameworks reflect the 2026 to 2027 environment.

The Timeless Lesson

The data points will move. Fuel prices will change. Fertiliser prices will adjust. El Niño forecasts will be updated. The El Niño may be milder or more severe than current probabilities suggest.

But the structure of the risk will remain.

Compound shocks are harder to manage than single shocks because they arrive with different leads and lags. They interact in non-linear ways. They consume the response capacity that would otherwise be available for each event in isolation.

The 2015/16 drought did not arrive with the same combination of global fertiliser stress, elevated fuel volatility, household fragility, and monetary tightening. The buffer was thicker then.

In 2026, the buffer is thinner.

The minimum-wage household is already in deficit. The supply chain has already absorbed a fuel shock. The fertiliser window is narrowing. The probability of El Niño has risen. And the next harvest depends on decisions being made now.

South Africa has a strong harvest.

That is not the end of the story.

It is the opportunity in the story.

A shield is most useful before the next blow lands.

The question is whether we use it.

Trellis Consulting

Has your organisation stress-tested its risk framework against the 2026–2027 convergence window?

Trellis Consulting works across risk management, business continuity, and ESG to help organisations understand compound exposures, stress-test their frameworks against emerging scenarios, and build the governance structures to act ahead of a crisis rather than inside one. If the convergence window described in this article is relevant to your operating environment, we should talk.

info@trellisconsulting.co.za
Sources
  • Pietermaritzburg Economic Justice and Dignity Group (2026). May 2026 Household Affordability Index. 27 May 2026. pmbejd.org.za
  • World Bank (2026). Commodity Markets Outlook, April 2026. worldbank.org
  • NOAA Climate Prediction Center (2026). ENSO: Recent Evolution, Current Status and Predictions. Updated 14 May 2026. cpc.ncep.noaa.gov
  • South African Weather Service (2026). Seasonal Climate Watch, May 2026. weathersa.co.za
  • Sihlobo, W. / Agbiz (2026). A possible El Niño in the 2026-27 season presents risks for South Africa’s agriculture. 13 April 2026. wandile.substack.com / agbiz.co.za
  • Agbiz (2026). SA Agricultural Market Viewpoint. 18 May 2026. agbiz.co.za
  • Statistics South Africa (2026). Consumer Price Index, April 2026. statssa.gov.za
  • Crop Estimates Committee / DALRRD (2026). Area Planted Estimate and Fourth Production Forecast for Summer Crops. 23 April 2026. dalrrd.gov.za
  • South African Reserve Bank (2026). Statement of the Monetary Policy Committee, May 2026. Effective 29 May 2026. resbank.co.za
  • Department of Mineral and Petroleum Resources / Central Energy Fund (2026). Fuel Price Schedules and Media Statements, April–June 2026. dmpr.gov.za / cefgroup.co.za
  • National Treasury (2026). Extension of short-term relief measures to address fuel price increases. 28 April 2026. treasury.gov.za / gov.za
The Timeline
Now – July 2026
Fuel shock compounds. SARB hiked 25bps effective 29 May. Prime rate 10.50%. Harvest buffer holds. Household deficit already R642.
Sept – Dec 2026
Fertiliser input costs bite. SAFEX prices begin pricing El Niño and fertiliser premium. Planting decisions under pressure.
Q1 – Q2 2027
Convergence point. Low potential yields meeting high input cost floor, elevated financing costs, structurally weak rand.
Key Data Points
R642
Monthly shortfall: min wage vs food basket, May 2026
45.9%
Nutritional food basket shortfall for min-wage family of four after transport and electricity
60%
Projected urea price increase for full year 2026 (World Bank)
96%
NOAA probability of El Niño, Dec 2026–Feb 2027
Related Services
Auditing January 2026 15 min read

Outsourced, Not Offloaded. Why Compliance Checks Cannot Protect You From Third-Party Risk.

Marks & Spencer had a vendor management programme. It had compliance checks. A helpdesk agent reset a password for the wrong person. What followed cost £300 million and 46 days of suspended operations. Outsourcing transfers the function. It does not transfer the risk.

On 17 April 2025, attackers posing as a Marks & Spencer employee contacted a third-party IT helpdesk. They had done their preparation. They knew enough about the organisation, the people, and the processes to be convincing. The helpdesk agent, operating to a scripted process, reset an account password. The attacker now had a foothold inside M&S’s systems.

M&S detected the intrusion two days later. By then, the damage was already seeded.

The attackers, later identified as the Scattered Spider collective deploying DragonForce ransomware, had stolen the Windows domain’s NTDS.dit file as early as February 2025, cracking password hashes for all domain users and patiently building access over weeks. In April they struck. Virtual machines were encrypted. Stock ordering and fulfilment systems went down. Online clothing orders were suspended for 46 days. Food stores ran short of fresh products. Customers could not use gift cards. M&S’s chairman Archie Norman testified before the UK Parliament’s Business and Trade Committee in July: the entry was a ‘sophisticated impersonation’ and ‘part of the point of entry also involved a third party.’

The financial impact: £300 million in lost operating profit. The reputational impact, the humiliation of a 141-year-old retail institution reverting to pen-and-paper stock management, cannot be offset by insurance.

M&S had a vendor management programme. It had a decade-long outsourcing relationship with Tata Consultancy Services, renewed in 2023 for approximately $1 billion. The helpdesk function had been operating for years without incident. By every standard compliance measure, the relationship was managed.

The question the M&S incident forces is not whether the vendor was audited. It is whether the governance framework governing that outsourced helpdesk function was designed to prevent exactly this. Whether the social engineering risk through a third-party access point was identified, rated, and controlled to a specific tolerance. Whether the helpdesk agents handling M&S credentials were trained to a standard that M&S had defined and verified. Whether the right to set and audit those standards was written into the contract.

That is not a compliance question. That is a framework question.

“It’s fair to say that everybody at M&S experienced it. We’re still in rebuild mode and will be for some time to come.”

Archie Norman, Chairman, Marks & Spencer, testimony to UK Parliament, July 2025

The Distinction That Changes Everything

When most organisations talk about managing third-party risk, they mean compliance management. Annual questionnaires. Certification checks. Contractual review. These are compliance checks. They tell you what the vendor says about itself at a point in time.

A compliance audit asks: is this vendor doing what it said it would do? Necessary. Not sufficient.

A framework audit asks: is the governance architecture we have built around this outsourced relationship adequate for the exposure it creates? Are our risk appetite and tolerance statements specific enough to be enforced? Are the controls proportionate to the criticality of what we have outsourced? Have we tested what happens if this vendor fails?

M&S had passed compliance checks. The framework governing the specific risk of social engineering through a third-party helpdesk was not designed to stop what happened. The attackers did not defeat the technology. They defeated the process. And that process, including what standard the helpdesk operated to, what authentication was required before a password reset, sat inside the third party’s operation, outside M&S’s direct control.

That is the governance gap this article is about.

“Your vendors’ problems become your problems, often with financial consequences that show up directly on the balance sheet.”

Safe Security, 2026 Guide to Third-Party Risk Management

JLR: The Same Model. A Larger Number.

Five months after M&S, in late August 2025, Jaguar Land Rover experienced a cyberattack that shut down production at factories across the UK. By 1 September, all production had paused. The pause extended to 1 October. The Cyber Monitoring Centre estimated total economic damage at £1.9 billion, making it the most expensive security breach in British history.

The attack vector bore striking similarity to M&S: social engineering, credential abuse, a third-party access point. The same hacking collective, Scattered Spider, claimed responsibility. And JLR had a significant technology outsourcing relationship with TCS, expanded in late 2023 in a deal worth more than £800 million.

TCS manages IT for more than 200 UK-based companies. M&S, JLR, and Co-op, also attacked in the same wave, were all clients. Three organisations. Same outsourcing model. Same period. Same threat actor. The concentration risk of a single IT outsourcing provider managing access infrastructure for hundreds of enterprises is a systemic governance vulnerability. No individual compliance check on any one of those organisations would have surfaced it.

Two incidents. £2.2 billion in estimated combined economic damage. One shared structural lesson: when you outsource access to your systems, you must govern that access with the same rigour you apply to your own employees.

“Outsourcing critical IT systems without robust oversight introduces major breach risk, especially during periods of low vigilance.”

Strobes Security, Top Data Breaches of May 2025

The Six Risk Categories That Demand Explicit Governance

Third-party outsourcing creates risk across six distinct categories. Each requires an explicit appetite statement and measurable tolerance thresholds.

01
Cybersecurity and Data Risk

When you outsource a function, you extend your data perimeter to the third party’s environment. M&S’s credentials sat inside TCS’s helpdesk environment. The standard to which TCS agents handled password resets was not M&S’s standard. It was TCS’s standard. The gap between those two things was the attack surface.

02
Operational and Concentration Risk

Concentration risk arises when a single third party is the sole or dominant provider of a critical function. TCS managed IT functions for M&S, JLR, Co-op, and more than 200 other UK companies. When the same attack methodology was applied across that client base in the same period, the systemic concentration became visible. The question is not only: how good is this vendor? It is: what happens to us if this vendor becomes the attack surface?

03
Regulatory and Compliance Risk

Outsourcing a function does not outsource the regulatory obligation. Under GDPR and POPIA, the data controller remains legally liable for breaches at data processors. Under financial services regulations, regulated entities must manage third-party relationships with the same rigour as internal operations. When M&S’s customer data was exposed through the helpdesk breach, the regulatory exposure sat with M&S, not with TCS.

04
Financial and Viability Risk

Vendor financial distress or insolvency creates forced emergency transitions that are among the most operationally disruptive events an organisation can face. A vendor that holds critical access, proprietary processes, or embedded system credentials cannot be replaced in 30 days. Financial viability assessment is not a one-time due diligence step. It is an ongoing monitoring obligation for every Tier 1 vendor.

05
Strategic and Reputational Risk

M&S’s 141-year retail brand took a reputational hit that no amount of insurance proceeds will fully recover. Empty shelves, suspended online orders, and 46 days of service disruption were visible to every customer, investor, and competitor. The reputational consequence of a third-party failure is borne by the organisation whose name is on the storefront, not the vendor whose credentials were compromised.

06
Sub-contractor and Fourth-Party Risk

Your third party has their own third parties. When you outsource to a vendor, you inherit their vendor relationships as a layer of exposure you cannot directly see. The Polyfill.io supply chain compromise in 2025 demonstrated how fourth and fifth-party exposure can cascade far beyond the original contracting relationship. Sound framework governance requires at minimum a documented understanding of critical sub-contractors and a contractual right to receive assurance on their controls.

Defining Appetite and Tolerance for Outsourced Services

Most organisations have a risk appetite statement that says something like: we do not accept risks that compromise the confidentiality or availability of critical systems. That is philosophy. It is not governance.

Governance requires that philosophy to be translated into three operational layers.

Service criticality tiering. Assign every vendor to Tier 1 (critical), Tier 2 (significant), or Tier 3 (standard) based on their access to sensitive data, their role in critical processes, and the operational consequence of their failure. A helpdesk provider with the ability to reset credentials for all domain users is a Tier 1 vendor. M&S’s helpdesk was a Tier 1 function. Whether it was governed as one is the question the incident raises.

Risk category tolerance thresholds. For each of the six categories above, define a specific measurable threshold. For cybersecurity risk at a Tier 1 vendor: all agents handling credential resets must operate under a defined verification protocol reviewed and approved by the client organisation, not the vendor. For concentration risk: no single vendor may be the sole provider of a credential-management function without a documented and tested fallback process.

Contractual translation. Tolerance thresholds that exist only in governance documents are not enforceable. They must be written into contracts: right-to-audit clauses, incident notification timelines, minimum training standards for agents handling client-critical functions, sub-contractor disclosure obligations, and defined exit provisions. A vendor that will not accept your tolerance conditions as contractual terms is a vendor whose risk profile exceeds your appetite.

“Third-party risk is not a procurement problem or a compliance problem. It is a governance problem. And governance problems have governance solutions.”

Diligent, Third-Party Risk Management Guide, 2025

How to Audit Third Parties: Framework First, Compliance Second

01
Audit your own framework before you audit the vendor.

The M&S incident was not caused by a failure to audit TCS. It was caused by a framework that did not adequately define, contractualise, or monitor the security standard applying to credential management through a third-party helpdesk. Before conducting a vendor audit, ask whether your framework is calibrated to the risk. Audit your framework annually and after any significant incident at a peer organisation.

02
Apply tiered due diligence proportionate to criticality.

Tier 1 vendors warrant full due diligence: review of specific controls governing their handling of your data and access rights, financial stability assessment, sub-contractor mapping, incident response capability review, and independent verification of relevant certifications. A helpdesk provider with credential reset capability is Tier 1. Applying the same questionnaire to a catering vendor and a credential management vendor is not proportionate governance. It is compliance theatre.

03
Distinguish point-in-time assessment from continuous monitoring.

An annual vendor questionnaire tells you the vendor’s posture on the day it was completed. It would not have detected the compromised TCS credentials used to access M&S’s systems in February 2025, two months before the attack activated. Continuous monitoring, tracking security ratings, disclosed incidents, and threat intelligence on an ongoing basis, is the framework audit layer.

04
Exercise your right-to-audit clauses on a defined schedule.

A right-to-audit clause that is never exercised is contractual decoration. For Tier 1 vendors, the right to audit should be exercised on a scheduled basis, not only triggered by incidents. The specific audit should examine the controls governing the vendor’s handling of your most sensitive access rights.

05
Test the exit plan before you need it.

Every Tier 1 vendor relationship requires a documented and periodically tested exit plan. What would you do if this vendor failed or was compromised tomorrow? What access would need to be revoked immediately? How long would it take to transition to an alternate provider? The inability to answer these questions is itself a material governance finding.

“Review third-party management frameworks regularly and after significant events or incidents, in order to improve the effectiveness of third-party risk controls.”

FCA, Observations and lessons learnt from the July 2024 global IT incident

Outsourced. Not Offloaded.

M&S had a vendor management programme. It had compliance checks. The attackers did not find a technical vulnerability in a poorly maintained system. They found a process gap in a helpdesk operating to its own standards rather than to standards defined, contractualised, and audited by its client.

JLR had outsourced IT management to the same provider. Co-op had done the same. Three attacks in the same wave. The same threat actor. The same social engineering methodology. The case for systemic governance review has never been more urgent or more clearly illustrated.

Outsourcing transfers the function. It does not transfer the risk. That risk stays with the organisation whose name is on the building, whose customers are affected, whose chairman sits before parliamentary committees explaining what happened.

Compliance checks confirm the vendor is doing what it said it would do.

Framework audits confirm that what the vendor said it would do is actually sufficient.

M&S had the former. The incident revealed it did not have enough of the latter.

Trellis Consulting

Is your third-party governance framework adequate for the risk your vendors create?

Trellis Consulting conducts independent framework audits of third-party risk governance programmes, designs TPRM frameworks and risk appetite structures, and develops vendor audit programmes for organisations that take outsourcing risk seriously. If the gap described in this article is present in your organisation, we should talk.

info@trellisconsulting.co.za
Sources
  • Bloomberg / Insurance Journal (2025). M&S Says April Cyberattack Caused by Third-Party Impersonation. July 2025. insurancejournal.com
  • Cybersecurity Dive (2025). M&S chairman calls for mandatory disclosure of material cyberattacks. July 2025. cybersecuritydive.com
  • CM-Alliance (2025). The Marks and Spencer Cyber Attack: Everything You Need to Know. cm-alliance.com
  • IBTimes UK (2025). Marks & Spencer Cuts Ties With Tata Consultancy Services Amid £300m Cyber Attack Fallout. October 2025. ibtimes.co.uk
  • CNBC (2025). Jaguar Land Rover’s cyberattack holds an ominous lesson for British businesses. October 2025. cnbc.com
  • Cyber Monitoring Centre (2025). Jaguar Land Rover cyberattack: £1.9 billion estimated economic damage.
  • FCA (2024). Observations and lessons learnt from the July 2024 global IT incident. Via Hogan Lovells. hoganlovells.com
  • Diligent (2025). Third-party risk management: How to build a scalable program. diligent.com
  • Safe Security (2026). 2026 Guide to Third-Party Risk Management. safe.security
M&S: The Numbers
£300m
Lost operating profit from a breach that entered through a third-party helpdesk.
46 days
Online clothing orders suspended.
£1.9bn
Estimated economic damage from the JLR attack. Same model. Same threat actor.
200+
UK companies with IT outsourced to the same provider.
The Core Distinction
Compliance Audit
Is the vendor doing what it said it would do?
Framework Audit
Is what the vendor said it would do actually sufficient for the risk we are carrying?
Related Services
Risk Management June 2026 12 min read

The Fastest Car Knows When to Brake: What Lewis Hamilton’s Barcelona Win Teaches Us About Risk

Hamilton won the 2026 Spanish Grand Prix at 41. His first Ferrari win. The story is not about speed. It is about knowing exactly when to brake, how late to leave it, and how much the system will give back.

Lewis Hamilton’s first win for Ferrari was not only a story about speed. It was a story about confidence, calibration, and the narrow gap between capability and performance.

On 14 June 2026, after 66 laps at the Circuit de Barcelona-Catalunya, Hamilton crossed the line first. His first Grand Prix victory in nearly two years. Ferrari’s first win of the 2026 season. The first all-British Formula 1 podium since 1968, with George Russell second and Lando Norris third.

The obvious story was the comeback: a 41-year-old seven-time world champion, in a new team, in a new car, in a new regulatory era, winning again at one of Formula 1’s most demanding circuits.

But the more useful story sits beneath the result.

Hamilton did not win simply because Ferrari had the fastest car. Ferrari’s race strategy mattered. Tyres mattered. The Virtual Safety Car mattered. Mercedes’ tyre degradation mattered. Execution mattered.

But one technical detail gives us the better lesson: Hamilton’s brake-disc switch.

By Barcelona, Hamilton was running a Carbone Industrie brake configuration on his Ferrari, moving away from the Brembo configuration historically associated with Ferrari. It was not a simple case of one supplier being better than another. Both Brembo and Carbone Industrie produce world-class Formula 1 braking technology.

The issue was more subtle. It was about feel.

Hamilton had spent years driving with Carbone Industrie brakes during his Mercedes career. He understood their characteristics. He knew the bite point. He knew how they behaved at the limit. He knew how much confidence they gave him under heavy braking.

That mattered because in Formula 1, confidence is performance.

A driver who trusts the brakes can brake later, carry more speed into the corner, rotate the car with greater precision, and get back on the throttle earlier. A driver who does not trust the brakes leaves a margin. That margin may be invisible from the outside, but it shows up on the stopwatch every lap.

Leclerc’s experience underlined the point. After Monaco, he had described his brake situation as ‘borderline dangerous’, while Brembo pushed back against the conclusion. Ahead of Barcelona, Leclerc tested Hamilton’s Carbone Industrie direction. But his weekend still showed the nuance: changing the component is not the same as immediately unlocking confidence. A new tool without accumulated feel can create its own adjustment risk.

That is why the lesson is not that Carbone Industrie was superior to Brembo.

The lesson is that the fastest driver is often the one who has the framework, temperament, confidence, and skill to slow down at the most critical moment.

The fastest car is not merely the one with the most horsepower. It is the one whose driver can trust it enough to brake late without losing control.

Risk management works the same way.

Barcelona 2026: The Result
P1
Hamilton. First Ferrari win of 2026.
0.064s
Off pole in qualifying. Front row for Ferrari.
1968
Last all-British F1 podium. Hamilton, Russell, Norris.

Speed Is Created in the Braking Zone

This sounds counterintuitive until you think about it carefully.

In Formula 1, speed is not only built on the straights. Every car accelerates. Every car produces downforce. Every car reaches extraordinary speeds. The separation often happens in the braking zones.

That is where the driver decides how late to brake, how much speed to carry, how much grip to trust, and how much risk to take. Brake too early, and time disappears. Brake too late, and control disappears. The art is not avoiding the brake. The art is applying it at precisely the right moment.

High performance is not the absence of restraint. It is the disciplined ability to apply restraint late, precisely, and with confidence.

That is the risk management lesson.

The best organisations are not the ones that move fast because they have weak controls. They are the ones that move fast because their controls are trusted, calibrated, and understood. They do not treat risk management as a handbrake. They treat it as the braking system that allows them to carry speed safely.

A board that trusts its risk intelligence can make sharper decisions. An executive team that understands its risk appetite can commit with more confidence. A business that knows where its control limits sit can move faster than one that is constantly second-guessing itself.

The difference is not bravery. It is calibration.

The Difference Between Having Brakes and Trusting Them

Most organisations have risk frameworks.

They have risk registers. Heat maps. Appetite statements. Tolerance thresholds. Committee packs. Escalation protocols. Control attestations. Assurance plans.

On paper, the car has brakes.

The real question is whether leadership trusts them.

A risk framework that the board does not understand is not a brake. It is a dashboard light. A risk appetite statement that is never used in decision-making is not governance. It is decoration. A risk report that arrives after the decision has already been made is not oversight. It is historical commentary.

The issue is not whether the organisation has a risk management system. Most do. The issue is whether that system is calibrated to the organisation’s actual operating context, decision speed, leadership style, and strategic ambition.

A technically complete framework can still fail if the people using it do not trust the feel of it.

That is the Hamilton point. The brake-disc switch mattered because it gave him confidence at the point of maximum consequence. It allowed him to close the gap between what the car could do and what he was willing to attempt.

In governance, that same gap is everywhere. It is the gap between what the board says its risk appetite is and what management actually does. It is the gap between risk reports and business decisions. It is the gap between control design and control reality. It is the gap between capability and confidence.

And in that gap, risk accumulates.

Decorative Risk Management Brakes Too Early

When leaders do not trust the risk framework, they compensate in one of two ways.

Some become reckless. They ignore the framework entirely and rely on instinct. Others become overly cautious. They brake too early. Both are failures of risk governance.

The reckless organisation treats risk management as bureaucracy. It moves fast until it reaches a corner it cannot take. The overly cautious organisation treats uncertainty as danger. It slows down long before the decision requires it. It survives, but it leaves performance on the table.

Neither outcome reflects mature risk management.

Useful risk management gives leadership the confidence to act. Not blindly. Not slowly. Precisely. It helps decision-makers understand where the edge is. It distinguishes between risks that must be avoided, risks that must be mitigated, risks that must be transferred, and risks that must be taken deliberately because they are inseparable from strategy.

That is what good brakes do. They do not prevent speed. They make speed usable.

The Framework Must Fit the Driver

There is another important lesson in the brake-disc story.

A tool that works for one driver does not automatically work for another. Hamilton’s preference for Carbone Industrie mattered because it aligned with his accumulated experience. He knew how to use that system. He knew how it behaved under pressure. He knew what the feedback meant.

Leclerc testing the same direction did not instantly create the same result. That is not a contradiction. It is the point.

Frameworks do not operate in isolation. They operate through people.

A risk methodology imported from another organisation may be technically sound and still fail. A reporting template used successfully by a peer company may not work in your boardroom. A consultant’s framework may look impressive, but if it does not match your organisation’s language, risk maturity, operating rhythm, and decision culture, it will not create confidence.

It may create compliance. It may not create better decisions.

This is why risk practitioners should be careful with borrowed frameworks. The question is not whether the framework is elegant. The question is whether it helps your leadership team make better decisions under uncertainty. If the answer is not clearly yes, the framework is not yet doing its job.

Five Implications for Risk Practitioners

01
Capability without confidence is not enough.

A risk framework can be technically complete and still be practically weak. If executives do not trust it, understand it, or use it when making decisions, it is not functioning as a management system. It is functioning as a governance artefact. The test is simple: can you point to decisions that were materially improved because the risk framework existed? If not, the framework needs work.

02
The feel of the system matters.

In Formula 1, braking feel matters because drivers operate at the limit. In organisations, the same principle applies to executives making decisions under uncertainty. Risk information must feel usable. It must be timely, relevant, contextual, and expressed in the language of the business. If it feels abstract, generic, or compliance-driven, leaders will not use it when the decision is live.

03
The person closest to the risk often sees the misalignment first.

Hamilton reportedly wanted the brake change before it was fully adopted. In organisations, the people closest to the system often know when a framework is not working before the metrics prove it. Frontline teams know when controls are performative. Risk practitioners know when board reports are not influencing decisions. Business leaders know when appetite statements are too vague to guide trade-offs. Mature governance creates channels for these signals to surface before failure makes them obvious.

04
Changing the tool is not the same as building capability.

Leclerc’s experience is a useful caution. Copying Hamilton’s brake direction did not automatically reproduce Hamilton’s confidence. The same is true in risk management. Introducing a new framework, taxonomy, dashboard, or risk appetite methodology does not create maturity by itself. People must learn how to use it. Committees must learn how to challenge through it. Executives must learn how to make trade-offs with it. Without that capability-building, the organisation has changed the component but not the performance.

05
The goal is not better reporting. The goal is better decisions.

Risk management should not be judged by the size of the risk pack, the elegance of the heat map, or the number of risks captured in the register. It should be judged by whether the organisation makes better decisions with it than it would without it. Does it help leadership move faster where the risk is understood? Does it force restraint where the downside is unacceptable? Does it clarify trade-offs? Does it make accountability sharper? Does it reduce surprise? If not, it is not yet a braking system. It is still a dashboard.

The Standard Worth Pursuing

Lewis Hamilton’s Barcelona win was not a simple brake-disc story. It was the product of driver craft, Ferrari strategy, race timing, tyre execution, and a technical configuration that helped him trust the car where trust matters most.

That is what makes the analogy powerful.

The fastest driver is not the one who refuses to slow down. The fastest driver is the one who knows exactly when to slow down, how late to leave it, and how much control the system will give back.

The same is true for organisations. The best risk frameworks do not slow the business unnecessarily. They give the business the confidence to move at the limit of its capability without tipping into recklessness. They help leaders know when to accelerate, when to hold position, and when to brake.

That is the standard worth pursuing.

Not more risk reports. Not prettier dashboards. Not heavier governance.

A risk system that leaders trust when the corner arrives.

Because in Formula 1, as in business, speed without control is not performance. It is exposure.

And the fastest car on race day is often the one whose driver trusts the brakes.

Trellis Consulting

Does your leadership team trust the risk intelligence it receives?

Trellis Consulting designs risk management frameworks that are calibrated to the specific decision-making context of each organisation. If your risk function is producing reports that do not change decisions, the framework is the issue, not the reporting. That is the right place to start a conversation.

info@trellisconsulting.co.za
Sources
  • Formula 1 Official (2026). Hamilton claims stellar maiden Grand Prix victory for Ferrari in Barcelona. 14 June 2026. formula1.com
  • Reuters (2026). Hamilton takes his first win for Ferrari at 41. 14 June 2026. reuters.com/sports/formula1/hamilton-takes-his-first-win-ferrari-41-2026-06-14/
  • The Guardian (2026). Lewis Hamilton tastes victory at last for Ferrari at F1 Barcelona-Catalunya GP. 14 June 2026. theguardian.com/sport/2026/jun/14/lewis-hamilton-tastes-victory-at-last-for-ferrari-at-f1-barcelona-catalunya-gp
  • The Race (2026). Leclerc to trial dropping Brembo brake discs for Barcelona. June 2026. the-race.com
  • The Race (2026). The early verdict on Leclerc’s Ferrari brake experiment. June 2026. the-race.com
  • Autosport / Motorsport.com (2026). Why Charles Leclerc will match Lewis Hamilton’s braking set-up. June 2026. autosport.com / motorsport.com
  • Sky Sports (2026). Hamilton claims first Grand Prix win for Ferrari as Kimi Antonelli retires late on. 14 June 2026. skysports.com
  • Sports Illustrated / On3 (2026). F1 Qualifying Results and Report for the 2026 Barcelona Grand Prix. June 2026. si.com
The Brake Disc Difference
Brembo (Leclerc)
Progressive and consistent across the full braking phase. Strong across a broader temperature range.
Carbone Industrie (Hamilton)
Very strong initial bite at higher temperatures. Peak grip arrives sharply. Requires accumulated driver knowledge to exploit.
The 2026 Context
New hybrid engines harvest far more electrical energy. Less reliance on traditional braking. Discs can run too cold. Feel becomes everything.
The Governance Parallel
Capability without confidence = braking too early
Framework misalignment = the Leclerc margin
Recklessness = ignoring the brakes entirely
Trust in the system = driving at the limit
Related Services