Most organisations that have faced significant litigation involving their risk management have been surprised by what the expert witness process reveals. Not by the existence of the process — most legal teams have some understanding that expert witnesses may be engaged — but by the depth and specificity with which their risk management frameworks, decisions, and culture are examined when someone who knows the field looks at the documentary record without prior allegiance to either party.
What an Expert Witness Actually Does
An expert witness in risk management litigation is engaged to provide an independent opinion on whether an organisation's risk management met the standard of care that a reasonably competent organisation in that sector would have applied in the relevant circumstances. That standard is not a fixed benchmark — it is determined by reference to professional standards, industry practice, published guidance, and the specific context of the organisation and the incident.
The expert reviews the documentary record: policies, procedures, risk registers, training records, incident reports, board and committee minutes, management decisions, and communications. The expert also considers what the organisation should have known — what information was publicly available, what its own data should have indicated, what its governance processes should have produced — and assesses the gap between what was reasonable and what actually occurred.
What the Documentary Record Reveals
The documentary record is almost always more revealing than the organisation expects. Emails and message threads show the actual reasoning behind decisions, which frequently differs from the reasoning documented in formal records. Risk registers show what was known and when. The absence of entries shows what was not identified. Minutes of board and audit committee meetings show whether risk matters were genuinely discussed or noted and filed. Training records show who was trained and how recently. Incident records show the precursors that preceded a significant event.
The single most common finding in my expert witness work is the gap between the risk management framework as documented and the risk management framework as practised. The policy says one thing. The emails say another. The risk register was last updated eighteen months before the incident. The control that was supposed to prevent the harm was not regularly tested. The board paper that disclosed the risk was presented in terms that minimised rather than illuminated the exposure.
This gap is not necessarily evidence of bad faith. It is frequently evidence of the gap between the aspirations captured in documentation and the operational reality of how risk management is actually practised in a busy organisation. But in litigation, the gap between documentation and practice is precisely the space where liability is found.
The Standard That Is Applied
The standard applied in risk management litigation is typically framed as "what would a reasonably competent organisation in this sector have done in these circumstances?" This standard has several important characteristics. It is objective, not subjective — the question is not whether the organisation was doing its best, but whether its performance met an objective standard. It is contextual — the resources, information environment, and regulatory context of the organisation are relevant. And it is backward-looking — the standard is applied to decisions made under uncertainty, judged with the benefit of hindsight, which creates an inherent tension that courts and expert witnesses are trained to manage.
Increasingly, published standards and guidance are relevant reference points. ISO 31000, ISO 31030, the NIST Cybersecurity Framework, APRA prudential standards, and industry-specific regulatory requirements all contribute to defining what reasonable practice looks like in specific sectors. An organisation that was unaware of, or had not meaningfully engaged with, a directly applicable published standard, is in a difficult position when asked to explain its risk management approach.
The Board Accountability Dimension
Expert witness examination of risk management regularly surfaces board accountability questions. Did the board receive adequate information about the risk that materialised? Did the risk appear in board reporting? Was it disclosed in terms that communicated its materiality, or was it buried in a long list of lower-priority items? Did the board ask the right questions? Were those questions answered adequately?
In cases where the answer to these questions is unfavourable, the board faces a difficult dilemma. Either the board was not adequately informed — in which case the information flows and management reporting processes are in question — or the board was adequately informed and did not act — in which case the board's oversight function is in question. Neither position is comfortable, and the expert witness process surfaces both.
Preparing for Scrutiny Before It Arrives
The most useful insight from expert witness work is that the standard for defensible risk management is the same whether or not litigation ever occurs. Organisations that run their risk management programmes to a standard they would be comfortable defending under scrutiny — clear reasoning, documented decisions, proportionate controls, genuine board engagement, regular review and testing — are better protected when something goes wrong, and they also make better decisions in the normal course of operations.
The organisations I have reviewed in litigation contexts that performed best were not those that had the most sophisticated frameworks. They were those where the gap between documentation and practice was smallest — where the risk management framework described something that the organisation actually did, tested, and maintained. That gap is the single most important factor in determining whether a risk management programme is defensible under scrutiny.
Tony Ridley provides expert witness services in risk management litigation. Enquiries from legal teams are welcome via the contact form.