The 3 Lies Every Risk Manager Believes | Common Risk Management Myths & Truths

We like to think risk management is about objectivity, frameworks, and facts. But the truth is, it is also about the stories we tell ourselves, and some of those stories quietly sabotage even the most mature risk management functions. These narratives shape our decisions, often without us realising it, steering us toward familiar paths rather than the ones that truly reduce risk.

After years of frameworks, policies, and audits, it is easy to fall into comfortable assumptions and to believe that processes alone will protect the organisation. Here are three common lies many risk managers still believe, with practical steps to challenge them, rethink assumptions, and strengthen risk oversight.

⚙️ Lie #1: “If it’s documented, it’s managed.”

It feels satisfying to have a well-organised, frequently updated risk register with colourful heat maps and every risk scored and ranked. But documentation does not equal control.

In reality, many risk registers are snapshots of intention, not proof of action. They describe risks, but they rarely demonstrate whether those risks are actually mitigated.

The truth:
A risk is only “managed” when mitigation measures are tested, owned, and evidenced.

Try this:

  • Link every top risk to specific mitigation activities, and show evidence that they are working.

  • Replace static registers with live dashboards that reflect change in real time.

  • Ask yourself: "If this risk materialised today, could we show what we have done to reduce it?"

⚡ Lie #2: “Low probability means low priority.”

This one’s comforting, and dangerous.

We love numbers because they make uncertainty feel manageable. But by focusing too much on probability, we often ignore high-impact events that are "unlikely"… until they actually happen.

Pandemics, data breaches, geopolitical shocks, and AI failures were all “low probability”, until they reshaped entire industries.

The truth:
Rare events are often the ones that define an organisation’s resilience.

Try this: 

  • Include "black swan" scenarios in your regular reviews.

  • Model impact first, probability second.

  • Treat low-likelihood events as strategic exercises, not outliers to ignore.

🧩 Lie #3: “Risk management is everyone’s job.”

It sounds empowering, and in theory, it should be true. But when everyone owns risk, no one really owns it.

Many organisations diffuse accountability in the name of a “risk-aware culture.” The result? Risks float in collective ambiguity, with no clear owner or decision-maker.

The truth:
Distributed accountability still needs strong coordination.

Try this: 

  • Assign one clear owner for every material risk.

  • Support them with cross-functional collaboration, but keep final accountability visible.

  • Build reporting lines that make ownership traceable, from process to board level.
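The three "Try this" lists above describe checks that can be run mechanically against a risk register rather than left to good intentions. What follows is an added example, not code from the original article: it lints a small constructed register (the risk IDs, titles, owners, scores and dates are hypothetical, and the field names are an assumption) and flags risks whose mitigations have no or stale evidence (Lie #1), shows how an impact-first ranking surfaces the low-probability, high-impact entries that a probability-times-impact ranking buries (Lie #2), and flags risks with zero or shared owners (Lie #3).

```python
"""Added example: lint a risk register for the three failure modes above.

Assumptions (not from the original article): the register is a list of dicts
with a 0-1 probability, a 1-5 impact score, a list of named owners and a
list of mitigations, each carrying an ISO date of its last test evidence.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)            # fixed so the example is reproducible
MAX_EVIDENCE_AGE = timedelta(days=90)

# Constructed sample register; the entries are illustrative, not real data.
REGISTER = [
    {"id": "R-1", "title": "Ransomware on file servers",
     "probability": 0.05, "impact": 5, "owners": ["Head of Infrastructure"],
     "mitigations": [{"control": "Offline backups, restore tested quarterly",
                      "last_evidenced": "2024-03-10"}]},
    {"id": "R-2", "title": "Phishing-led credential theft",
     "probability": 0.60, "impact": 3, "owners": [],
     "mitigations": [{"control": "Phishing-resistant MFA on all accounts",
                      "last_evidenced": "2024-05-20"}]},
    {"id": "R-3", "title": "Outage of sole SaaS payroll provider",
     "probability": 0.02, "impact": 5, "owners": ["CIO", "COO"],
     "mitigations": []},
    {"id": "R-4", "title": "Unencrypted laptop lost or stolen",
     "probability": 0.30, "impact": 2, "owners": ["IT Ops"],
     "mitigations": [{"control": "Full-disk encryption enforced by MDM",
                      "last_evidenced": "2023-11-01"}]},
]


def evidence_gaps(register, today=TODAY, max_age=MAX_EVIDENCE_AGE):
    """Lie #1: a risk counts as managed only if every linked mitigation has
    recent evidence. Returns {risk_id: [reasons]} for risks that would fail
    the 'could we show what we have done?' question."""
    gaps = {}
    for risk in register:
        reasons = []
        if not risk["mitigations"]:
            reasons.append("no mitigation linked")
        for m in risk["mitigations"]:
            evidenced = m.get("last_evidenced")
            if evidenced is None:
                reasons.append(f"{m['control']}: never evidenced")
            elif today - date.fromisoformat(evidenced) > max_age:
                reasons.append(
                    f"{m['control']}: evidence older than {max_age.days} days")
        if reasons:
            gaps[risk["id"]] = reasons
    return gaps


def rank_by_expected_loss(register):
    """The comforting ranking: probability x impact, highest first."""
    return [r["id"] for r in sorted(
        register, key=lambda r: r["probability"] * r["impact"], reverse=True)]


def rank_impact_first(register):
    """Lie #2: sort on impact; probability only breaks ties."""
    return [r["id"] for r in sorted(
        register, key=lambda r: (r["impact"], r["probability"]), reverse=True)]


def ownership_gaps(register):
    """Lie #3: exactly one accountable owner per material risk."""
    return {r["id"]: ("no owner" if not r["owners"] else "shared ownership")
            for r in register if len(r["owners"]) != 1}


if __name__ == "__main__":
    print("Evidence gaps:   ", evidence_gaps(REGISTER))
    print("By expected loss:", rank_by_expected_loss(REGISTER))
    print("Impact first:    ", rank_impact_first(REGISTER))
    print("Ownership gaps:  ", ownership_gaps(REGISTER))
```

On the sample register, the expected-loss ranking puts the two impact-5 risks (ransomware, sole-supplier outage) at the bottom, while the impact-first ranking puts them at the top; the same run shows that R-3 has no mitigation at all, R-4's only control has not been evidenced for over 90 days, and neither R-2 nor R-3 has a single accountable owner. In practice the register would be loaded from wherever it lives (a GRC tool export, a YAML file) and the lint run on a schedule, so the dashboard reflects evidence rather than intention.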

💡 The Real Lesson

Risk management rarely fails for lack of data; it fails because of false comfort. We believe we have done enough, when in fact we have only done what feels tidy.

The best risk managers aren’t fortune-tellers; they’re myth-busters, constantly challenging their own assumptions, frameworks, and metrics.

So next time you update your risk register, ask yourself: "Am I managing risk, or managing the illusion of control?"