Why insurers are losing sleep over risk convergence

Risks from climate volatility, liability pressure and cyber exposure rarely happen in isolation. David Reynolds, head of risk engineering and surveys at RiskSTOP, explains why converging threats are becoming harder to manage.

There’s a particular sound that tells you something’s wrong in a building. Not the obvious crash of a break-in, but the quieter ones. A steady drip where there shouldn’t be one, a fan running harder than usual, a door that no longer shuts cleanly. You can walk past those signals for weeks, until the day they become a flooded plant room, a closed site, or a claim nobody enjoyed handling.

Increasingly, this is how things are shaping up – not one “big bad” risk, but lots of smaller pressures interacting and accelerating one another.

As I see it, the challenge isn’t any single exposure. It’s the way risks now stack up, overlap and compound. It often happens faster than governance, maintenance cycles, or procurement processes were designed to handle.

Climate and property: the baseline has shifted

This is how things are shaping up – not one ‘big bad’ risk, but lots of smaller pressures interacting and accelerating one another.

David Reynolds, RiskSTOP

We’re now operating in an environment where UK weather extremes are increasingly being described as the norm, not the outlier. That matters because property risk decisions, such as drainage capacity, inspection routines, planned maintenance, and resilience investment, have historically been based on “what usually happens”.

For large estates and ageing portfolios, this translates into more scrutiny on flood exposure, structural vulnerability, and the practical question: “How quickly could you reinstate, and at what cost, if the worst happens?”

The National Audit Office has also highlighted how extreme weather and flooding resilience remains a serious national challenge. That really should sharpen minds around business continuity at an organisational level.

Liability: social inflation keeps squeezing decisions

Alongside the physical risks, liability is feeling less forgiving. “Social inflation” is the industry shorthand, but the lived reality is straightforward – rising legal costs, a more litigious environment and higher expectations of duty of care, with decisions judged on the evidence behind them. 

For employers, organisations with heavy footfall and anyone delivering professional advice or services, the message is the same – documented rationale and demonstrable controls matter more than ever. 

Cyber and supply chain: your risk is only as strong as your third party

Most firms have improved their cyber hygiene. The growing weak point is the ecosystem around them – vendors, platforms, outsourced functions and software dependencies.

Recent reporting has pointed to a sharp rise in breaches involving third parties. EU cybersecurity agency ENISA’s 2025 threat landscape also places supply-chain dynamics firmly among the key trends risk leaders need to take seriously.

What does that look like operationally? A supplier goes down and you lose access to a critical system. A trusted partner becomes the entry point. A “small” incident becomes a material interruption because dependency mapping was incomplete.

Business interruption and regulation: friction is becoming a loss driver

Business interruption is still one of the most disruptive outcomes – and not always because a site is physically damaged. Regulatory volume, policy uncertainty and data transparency challenges are now firmly in the mix when organisations think about continuity and resilience.

In practice, that means business interruption conversations increasingly sit across:

•  operational resilience and governance
•  data and reporting readiness
•  environmental and sustainability requirements
•  supplier and process dependencies.

The big picture for risk management

If you’re an insurer, a broker or a risk manager right now, you’re not losing sleep over one thing. You’re losing sleep over convergence – weather volatility meeting ageing assets, liability pressure meeting higher duty-of-care expectations, cyber threats meeting outsourced complexity, and regulation meeting operational reality.

My closing thought is simple – resilience in 2026 is less about having more risk management frameworks. It’s more about having practical controls you can evidence. The sort you can point to in a boardroom, on a site walk, or during a claim review and say: “This is what we did, this is why we did it and this is how we know it worked.”

Sponsored content