Evolving enterprise risk management in the mining sector

Discover how UK mining companies enhance risk management with effective ERM, governance, and ESG integration to build resilience and drive success.

Introduction

Global mining companies are operating in an increasingly complex environment. Volatile commodity markets, geopolitical instability, community expectations, and stricter regulations have made enterprise risk management (ERM) not just a compliance function, but a catalyst for strategic resilience.

Across the mining industry, ERM teams are being asked to interpret uncertainty at a faster rate and in greater depth than ever before. Given this, colleagues from Marsh’s Risk Consulting Practice sat with risk leaders across a diverse range of international mining organisations to gain an understanding of current approaches, future priorities, and the challenges they face in enhancing maturity. It became clear through these interviews that ERM is evolving and gaining a higher profile across the industry, supported by formal frameworks and strong executive sponsorship. However, capability gaps remain in areas such as culture, data integration, and aligning sustainability and enterprise risk objectives.

1. Strategy and governance

The governance of risk within mining organisations has matured significantly over the past decade. Leadership commitment is now more visible, and board-level ERM, risk, and audit committees are well-established. In many firms, senior executives — particularly those with operational or financial backgrounds — have become vocal sponsors of risk management, recognising its link to business resilience and investor confidence.

In many jurisdictions, corporate governance is strengthening, putting greater emphasis on internal controls and stress testing. This is partly driven by corporate failures in various sectors and the need for increased ESG assurance and reporting on critical social risks, which are common in some areas of the mining sector.

Common strengths

Across the participating mining companies, risk governance structures were generally clear and well-documented. Several have adopted ISO 31000 or COSO ERM frameworks as their backbone, giving a consistent language and process for risk identification, ownership, and review. Appetite statements have been formalised in most organisations, with thresholds defined across financial, operational, and reputational dimensions. More mature organisations tend to use key risk indicators (KRIs) to track alignment with these appetites and establish predefined remediation plans when thresholds are breached. In some cases, risk committees are finding the use of appetite dashboards and KPIs more instructive than traditional risk registers. In more mature mining businesses, leading and lagging indicators are used effectively and can be accessed in real-time by executives.

Some miners have also integrated ERM more directly into their strategic planning cycles. Leadership teams review top-tier risks alongside business plans, ensuring risk and strategy are treated as complementary disciplines. This has been particularly effective when organisations are pursuing diversification or acquisitive growth strategies, enabling risk appetite to act as a practical guardrail for investment decisions. However, the level of incorporation of risk or scenario planning into the business planning process varies, and in many cases, it is performed at the discretion of the CFO and CEO, often without risks being fully quantified.

Observed differences and maturity gaps

While governance structures were in place, the level of engagement from senior leadership varied. In some organisations, the CEO or CFO personally sponsors ERM initiatives, while in others, engagement is concentrated among a few operational leaders. The interpretation of “risk appetite” can also differ across business units; what constitutes “tolerable exposure” for exploration or drilling is not always consistent with procurement or logistics.

Cultural factors remain a constraint. Several ERM leads noted that risk owners are not always comfortable highlighting vulnerabilities in their areas. Optimism bias and a desire to “own” performance rather than uncertainty can result in underreporting of significant exposures. This is particularly evident in smaller or more centralised companies, where peer challenge and independent validation are less formalised.

In some organisations, there was a perception that risk management is there to “point fingers”. This was coupled with a lack of a “just culture” and recent incidents still in the memory of staff, which discourages open discussion about risks and control deficiencies.

Many organisations commented that there was a potential risk culture misalignment between the head office, staff at operational sites, and contractors or third parties operating onsite. Many organisations are aware of this issue, but few have resolved it. In Marsh’s experience, top-down, department-wide, and bottom-up participation in core risk management processes are key contributions to a mature ERM approach.

Enhancements and future focus

To maintain momentum, many miners are focusing on deepening the integration between ERM and executive decision-making. Clearer escalation processes are being defined for appetite breaches, so that accountability for action is explicit rather than assumed.

Risk culture is another major focus area. Organisations are moving towards more systematic measurement of culture through maturity assessments, focus groups, and employee perception surveys. Leadership calibration sessions, where executives collectively review and test their shared understanding of risk appetite, emerged as good practice. It should be noted that trust in staff, as indicated by online surveys, is often not high due to the inability to investigate and receive meaningful feedback. Running confidential focus groups with staff groups of the same seniority to benchmark just culture and inform cultural transformation strategies is seen as the way forward by many.

The future of governance in mining ERM will likely depend less on structural reforms and more on behavioural consistency, where risks are discussed openly, interpreted uniformly, and acted upon promptly.


2. Core risk management processes

Mining companies have long been accustomed to complex risk landscapes. From geotechnical hazards and energy security to regulatory change and market volatility, the range of exposures is broad and interconnected. All the organisations engaged had structured, repeatable risk processes, but the level of sophistication in assessment and reporting varied.

Common strengths

ERM frameworks across the sample are typically underpinned by formal risk registers, committee reviews, and clear ownership models. Risk workshops are held at the business unit level, cascading upwards to the group, and top-tier risks are reviewed by executive or board committees at least quarterly.

Several organisations have built productive links between ERM and business continuity or crisis management teams, ensuring that acute and chronic risks are considered together. A few companies also integrate risk discussions into financial planning, testing the resilience of forecasts to commodity price shocks, supply disruptions, or political developments. Where quantitative analysis is applied, it is most often seen in contexts related to catastrophic loss or trading risk, sometimes in partnership with finance or insurance teams.

Marsh sees an increasing need for a quantitative risk scenario approach that integrates expertise and data from strategy, finance, risk, and operational departments. Figure 1 illustrates an example of stress testing and resilience of forecasts conducted by a more mature mining organisation.

Figure 1. Illustrative results from stress testing (combined effect of market price, damage to mine, and loss of excess)

Storyline: Shortly after a natural catastrophe, commodity prices fall, and key production inputs are reduced due to supply chain issues.

Observed gaps and challenges

Despite structured frameworks, maturity in quantification remains mixed. Only a minority of organisations employ quantitative or scenario modelling as a regular part of their risk assessments. For most, scoring is semi-quantitative and heavily reliant on the judgment of risk owners. This introduces inconsistency: two risk owners may assign different scores to similar events, and disagreements can emerge during committee reviews.

An issue for mining and other heavy engineering businesses is making ERM relatable to operational staff. Many struggle to embed risk registers for operational risks, and some look to use bowties or other more visual and practical methods to encourage risk conversations. These approaches are generally considered to have more potential for success than sole reliance on the classic risk register.

Another recurring issue is the disconnection between ERM and internal audit. While both functions contribute to the control environment, few companies maintain a shared control library linking audit findings to risk effectiveness scores. As a result, lessons learned from audits are not always fed back into the enterprise risk register, used to update control ratings, or used to inform in-depth reviews. This gap can prevent continuous improvement from spreading through the organisation's layers.

In some firms, ERM’s role in modelling or due diligence remains peripheral. Scenario analysis for strategic initiatives, such as acquisitions or new country entries, is sometimes led independently by corporate strategy teams, with ERM consulted only at later stages.

Enhancements and future focus

Leading miners are focusing on standardising risk scoring and integrating control effectiveness assessments. Developing a shared control library (maintained jointly by ERM and audit) can help close the loop between assurance and risk management.

Expanding the use of scenario analysis is another priority. Forward-looking modelling not only strengthens strategic decision-making but can also support capital allocation by clarifying the potential broad financial implications of traditionally considered non-financial risks.

Adapting the ERM approach between corporate and operational areas is key to engagement and maintaining a value-added process. It doesn’t have to be the same for all staff as long as the risk conversation is happening.

Finally, several organisations recognised the importance of continuous improvement cycles rather than static annual reviews. Embedding quarterly reassessment processes and connecting these to operational metrics can provide a more dynamic picture of emerging threats and control performance.


3. Resources, systems, and infrastructure

Risk teams in mining organisations tend to be small but influential. Most operate a hybrid model — maintaining a central function supported by embedded risk coordinators within each business unit or commodity group. This structure can prove effective for cascading standards while maintaining local relevance.

Common strengths

ERM teams across the sector demonstrated a high degree of professionalism and business awareness. They often have direct access to board or audit committees and maintain close relationships with finance, health, and safety functions. When risk professionals sit within operational teams, engagement is often stronger and adoption of ERM practices is more consistent.

Reporting is generally well established. Board dashboards and executive summaries are produced regularly, focusing on top risks, trends, and changes. Some companies have streamlined their reporting cadence, moving from comprehensive quarterly reports to concise “risk change” updates that highlight only what has shifted and why. This approach keeps leadership attention focused and is viewed as good practice.

Differences and pain points

Across the sample, no organisation had a fully integrated group-wide governance, risk, and compliance (GRC) system. Risk data is typically dispersed across spreadsheets, SharePoint sites, and legacy tools, often resulting in duplication or data loss. Manual reporting remains common, and risk owners resist additional administrative burden.

The absence of leading indicators is another limitation. Many miners rely on lagging metrics (incidents, losses, or audit findings) rather than predictive analytics. Consequently, leadership discussions tend to focus on what has happened rather than what may happen next.

Interface challenges persist between ERM, internal audit, safety, and insurance teams. Information sharing is often driven by personality rather than process, which can limit insight generation.

Enhancements and future focus

Digital enablement is becoming a key focus area. Several organisations are evaluating new GRC platforms or interoperable solutions that connect ERM, incident management, and sustainability data. The goal is not only efficiency but also analytical capability, automating aggregation, trend analysis, and visualisation.

Developing dashboards with forward-looking indicators, such as early warning triggers for commodity volatility or regulatory changes, can enhance strategic foresight.

In parallel, ERM teams are seeking to enhance their analytical skill base. Upskilling risk professionals in data interpretation and scenario modelling can enable richer insights without increasing headcount.

Finally, strengthening cross-functional collaboration remains essential. Regular joint forums with internal audit, insurance, and safety teams can align priorities and prevent duplication of effort, supporting a more cohesive view of enterprise resilience.


4. ESG integration

ESG has emerged as a defining lens through which investors, regulators, and communities evaluate the mining sector. For risk functions, this shift has created both a challenge and an opportunity: to integrate ESG-related risks and opportunities into the enterprise framework, rather than treat them as parallel agendas.

Current state

All organisations reviewed have formal ESG committees, often chaired by senior executives and supported by dedicated sustainability teams. Compliance with frameworks such as the Corporate Sustainability Reporting Directive (CSRD) and the European Sustainability Reporting Standards (ESRS) is a high priority. In some cases, ERM teams have adapted their KRIs to include ESG-related triggers, pollution thresholds, safety incidents, or community grievances, reflecting a growing recognition of these issues as enterprise-level risks.

Observed gaps

Despite structural overlap, integration between ESG and ERM systems remains limited. In several organisations, the sustainability team operates its own data platform, separate from the ERM system. As a result, ESG incidents are not consistently captured in risk reporting, and cross-analysis between ESG metrics and business risks is difficult.

ESG priorities are also unevenly represented in leadership discussions. While compliance and disclosure receive attention, the strategic implications — such as access to finance, stakeholder trust, or a license to operate — are less systematically linked to the risk appetite framework.

Enhancements and future focus

The next stage of maturity will likely involve merging ESG and ERM data streams to provide a holistic view of sustainability-related risks. Embedding ESG indicators into appetite statements and scenario testing can help companies assess exposure to transition and physical risks more rigorously.

Equally, elevating ESG to a standing agenda item in risk committees can strengthen governance and reinforce the connection between sustainability performance and enterprise resilience.

Those organisations that succeed in embedding ESG within their risk frameworks will be better positioned to demonstrate accountability, attract capital, and anticipate stakeholder expectations.


5. Conclusion

The mining sector has made significant strides in maturing its approach to enterprise risk management. Governance structures are generally robust, executive sponsorship is increasing, and risk discussions are more closely aligned with strategy. Yet challenges remain, particularly in building a consistent culture, integrating systems, and connecting ERM with ESG, insurance, and assurance functions.

The next wave of ERM maturity in mining will depend on digital integration, cultural reinforcement, strategic alignment, and data-informed scenario analysis. Technology can provide the visibility; culture can promote transparency; and strategic integration can embed ERM as a value-creating function rather than a defensive one.

At Marsh’s Risk Consulting Practice, we support mining clients globally in designing and implementing these capabilities, from refining governance models and developing control frameworks to enabling GRC systems and enhancing risk culture. By building cohesive, insight-driven ERM frameworks supported by robust digital systems, mining organisations can strengthen resilience and unlock more confident decision-making in an increasingly uncertain world.

Our people

David Stark

Consulting Director & Practice Leader of Enterprise Risk Services

  • United Kingdom