A formal definition of Risk Transformation does not exist – loosely it is the continual evolution of an organisation’s risk function, systems and processes. So in order to examine risk transformation fully, we need to delve deeper into the risk management business model. Risk management is a “value shop” – a process of value creation for knowledge-intensive industries that involves five primary activities: problem finding, problem solving, choice, implementation, follow up and control. Embracing the value shop model represents a potentially more useful approach for planning risk transformation than perpetuating a “backward looking” risk function, focussed on tactical improvements to the linear COSO risk activities of objective setting, event identification, risk assessment, information and communication and risk response. The ISACA Business Model for Information Security™ (BMIS™) is a useful framework for articulating the levers that can be adjusted within a risk transformation program. These are organisational design and strategy, people, process and technology; and their interconnections – governing, culture, enabling and support, emergence (or continuous improvement), human factors, and architecture. Most organisations are focussed on risk identification and rating, with half developing dashboards, less improving governance, and only a third addressing skills and culture.