13 risk management myths GRC professionals need to know


Few functions are as misunderstood as risk management.

GRC professionals work tirelessly to comply with regulation, mitigate or manipulate risks, and help scale businesses.

But people still get plenty wrong about the profession – including GRC professionals themselves. We’re here to put 13 common risk management myths to rest.

Here's the list at a glance - let's dive straight in with a big one.


Myth 1: risk management is one department’s responsibility

Probably the most commonly held belief on this list.

To be fair, it is confusing. Yes, there’s someone with the specific title of Risk Manager. No, it’s not only their responsibility to manage risk.

Your risk strategy – along with the day to day identification and control of risks – is the work of your risk team, be that a one-person show or a full function.

But, as Peter Drucker once said, “culture eats strategy for breakfast.”

Paul Miller, Management Analyst at the National Institutes of Health, puts a bit more GRC meat on that bone.

“If an ERM program is only looking at organisational performance metrics to determine effectiveness, then these ERM programs are at risk of only seeing half the picture.

“Even the most comprehensive ERM framework requires the support of a positive organisational risk culture”.

But even risk culture is made more confusing than needed.

Take it from the IRM - it’s just the term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.

That final bit’s the key. Everyone in your business has a common purpose, and is therefore responsible for understanding the threats and opportunities that barrel your way.


Myth 2: risk management is just about compliance

Regulation is ramping up and the fines are rolling in – make no mistake, compliance is more vital than ever.

In fact, if it was a country, US regulation alone would be the world's 8th largest economy.

But GRC done right isn’t just about ticking boxes and keeping an eye on those horizon scanning emails.

There are countless other business – and human – elements to it.


Myth 3: risk management is just about avoiding risk

GRC professionals need time to really understand risks. Become intimate with them. Decide if they’re a force for good or evil.

Hannah Soulsby of Equals Money puts it this way: "Risk management done right means understanding the breadth of risks an organisation might face and putting in place a plan for each which is suitable, measurable and achievable. Deploying resource in the right places - without creating blind spots - is the key to sound risk management."

That’s where the management aspect of risk management comes in.

And it’s more important than ever. Read our blog about its ongoing relevance here.


Myth 4: risk management is a one-time activity

The risks of 2023 aren’t the same as the risks of 2003.

The risks of this week may not even be the same as the risks of last week.

Unfortunately, risk management can’t be switched to Rest Mode. It’s a full-power, full-time activity, and while creating processes can and should have structure, the act of risk management itself has no start, middle, or end.

Put it this way: risk isn’t static – markets and hazards won’t stay still just because you’ve established a risk committee – so your risk management shouldn’t be, either.


Myth 5: risk management is too expensive/time-consuming

Of course there are costs associated with risk management.

Salaries, software, audits – it doesn’t come cheap.

But the costs of failing to manage risk aren't as widely discussed.

  • $4 million – the average revenue loss organisations face for a non-compliance event
  • $1.03 million – the average saved by businesses through regulatory monitoring
  • 45% – the increase in the cost of non-compliance since 2011

And the view that tackling risk is too time-consuming usually comes from treating risk management as a nice-to-have rather than a business function like any other.

Like marketing or sales, true results take time, and risk management’s success is made harder to measure by the intangible parts of the job.

Risk functions can waste a lot of time on legacy processes, too. Manually searching for data, relying on spreadsheets – it isn’t all necessary.

Picking the right risk management software can save risk teams hours every week by keeping it all in one handy location and automating slower processes.

To find out more about why risk management software is becoming more widely used, read our blog on using RiskTech in an economic crisis.


Myth 6: Risk management is about eliminating all possible risks

There’s more to risk management than ticking risks off a list.

Risk practitioners aren’t a pest control squad. There are no hazmat suits. No end goal of total sanitation.

In fact, risk management doesn’t really have an end goal at all. It’s your job as a risk manager to help businesses mitigate, control, and even benefit from risks.

Yes, that ultimately means creating processes for identifying and tackling risks before they grow.

But like we mentioned before – that’s not a one-time thing. Sadly, GRC professionals don’t get to create the perfect risk management process and then sit back and relax.

“I dream of living in a world where we get rid of every possible risk. We all do,” says Matt Rudd, Head of Product at RiskSmart and experienced Risk Analyst.

“But it’s just not possible. Instead, risk managers can (and do) focus on prioritisation, using everything from data to intuition to people skills to back them up.

“That’s why it’s best described as both an art and a science.”


Myth 7: all forms of risk are bad

Risk is often bad news.

  • Utility failures
  • Climate change
  • Compliance failures
  • Reputational damage
  • Supply chain disruption
  • Health and safety hazards
  • Low customer satisfaction
  • New competitors eating up the market
  • Macroeconomic changes (inflation, interest rates)

It's not hard to see why risk gets a bad name.

But let’s go back to the definition of risk, as provided by ISO 31000: “the effect of uncertainty on objectives”.

Uncertainty doesn't spell disaster. In fact, the best risk managers know when uncertainty can be turned into opportunity.


Myth 8: your current processes have risk management covered

Oh, great. That’s that, then. Except…

What happens when those risks change?

What happens when new risks emerge?

What happens when an audit finds you need new processes?

What happens when new senior leadership demand a risk overhaul?

Not experiencing the downsides of a risk event doesn’t mean your current processes are airtight.

Complacency is the enemy of effective risk management.


Myth 9: you don’t need contingency plans

Risk managers aren’t sages. Genies. Clairvoyants.

Even the very best risk managers – backed up by all the data, people skills, and sheer talent possible – don’t get everything right.

Businesses around the world have experienced a decade of instability.

As Jerry Heimann notes, it’s “better to have the contingency ready for implementation than to have to develop one as the risk is taking its toll”.


Myth 10: risk management should be 100% data-driven

Let’s get this out of the way: the fact that only 29% of respondents to a 2021 Caseware survey said they regularly use data analytics in their audits is concerning.

However, there’s much more to risk management than data.

“The Chief Risk Officer needs to be a finance professional, a scientist (including natural and political), and even a philosopher,” explains Annemarie Straathof in The Chief Risk Officer’s Crucial Role for The Banker magazine.

The CRO at the European Bank for Reconstruction and Development goes on to explain: “in terms of emotional intelligence, the CRO needs to be resilient, collaborative, and compassionate more than ever before”.

Mahesh Aditya, Group CRO at Banco Santander, also argues that the success of the risk function depends on more than data.

“The CRO should be known as that person in the room who will not let something go unnoticed […] we [CROs] are now required to understand operations better, what’s going on under the hood and in the trenches of the business, as well as determine what to do about it.”

As Evgueni Ivantsov puts it: "The CRO faces the challenging task of managing a wide spectrum of traditional and emerging risks that interplay with each other, creating a unique and dynamic risk landscape."

You can learn more about why data is still an essential part of risk management here.


Myth 11: risk management is pessimistic

There she is – coming down the hall. The risk manager. The killjoy extraordinaire.

It’s outdated thinking.

In fact, businesses that go beyond the call of duty by doing “more than the basic elements of risk management” outperform their peers financially.

We prefer the term cautious, thank you very much.


Myth 12: there’s a catch-all solution to risk management

We’d love to be able to do the work for you. We really would.

But there’s no catch-all solution to risk management.

Spreadsheets are the most common method of tackling risk, with 1 in 5 GRC professionals relying on their accuracy for success.

Whether or not that’s sustainable is another question, given that almost 90% are thought to contain errors (which are “very difficult to detect and correct”) and that “corporations are highly overconfident in the accuracy of their spreadsheets”.

And it doesn’t stop there. Plenty of horror stories exist, such as JP Morgan’s $6bn loss that stemmed from an incorrect copy/paste job while using Excel to create Value-at-Risk models.

That being said, they’re widely used for a reason. They’re widely accessible, widely understood, and totally free.

Risk management software is becoming more popular, with 70% of risk and compliance experts saying the pandemic has increased their reliance on technology to improve decision making, performance monitoring, and risk management.

Not only that, but 67% of security professionals are looking to upgrade their tools as a means of improving company security.


Myth 13: risk management is boring

Hey, who told you that?

Like any job, it can have its downsides. But risk management is about conflict, catalysts, controlling chaos, collaboration (with every department), and carrying the business in new directions.

Hannah Soulsby of Equals Money again: "By its very nature, risk management is exciting. When you're in an organisation that 'does risk right', you have deep and informed discussions, carry out wargaming scenarios, plan worst-case scenarios, and flex crisis management muscles."

And if it’s just the manual parts of the job getting you down, then it might be time to embrace an automated approach.

For all things no-nonsense risk management straight to your inbox, join hundreds of fellow risk professionals in the RiskSmart community.
