Don’t lose your job to AI, supercharge your risk management team and level up your AI skills with expert insights and hands-on workshops from industry-leading companies. Register now to benefit from early-bird discount.

Our aim is to empower risk management teams globally with actionable and simple case studies on AI application to improve risk management and decision making. The conference is designed to fit both new and mature risk professionals, from writing a simple risk policy in Gemini to running complex monte-carlo simulations in ChatGPT. Fully online, RAW2024 can be accessed on any device, from any location, and watched unlimited times, ensuring maximum flexibility and convenience.

Join the ranks of over 20,000 risk and decision professionals who have benefited from RISK AWARENESS WEEK over the past five years. By registering early, you gain exclusive access to premium workshops and early bird discounts. RAW2024 is your investment in professional development with hands-on workshops from industry leaders and CPD credits. Will you be part of the revolution or be left behind? Join us at RAW2024 and become an AI-powered risk leader. Make October the risk awareness month by using #RAW2024 hashtag to inspire others and build our community. Secure your spot today and take the first step toward transforming your risk management career. Use AI to solve more complex problems, perform risk analysis quicker, get promoted sooner.

RAW2024 is an investment in your professional future, offering strategies that you can implement immediately to start using AI to make better, data-informed decisions. Whether you’re aiming to climb the career ladder, strengthen your team’s capabilities, or pivot to a role where risk management is key, RAW2024 is your springboard.

I’ve done a fair share of hiring risk managers for myself and sometimes when friends CROs ask me to interview some candidates for them. I strongly believe these are the qualities a good risk manager should have. I am also one of the rare people who think accountants and lawyers do not turn into good risk managers, 99% of the time. Here are the questions I like to ask. Let me know how many would you feel comfortable answering right now and what other questions would you ask in the comments.

Profit and revenue growth

• How can your risk analysis help us identify potential opportunities or threats that could impact our revenue growth? Ask RAW@AI for a good 💡 answer. 
• Can you share an example where your risk insights significantly improved a company’s profitability?

Cost efficiency

• How can you use risk management to identify and eliminate unnecessary costs while ensuring we remain compliant and efficient? Ask RAW@AI for a good 💡 answer. 
• How have you helped a company save costs through better understanding and managing uncertainties? This one is a favourite of mine and something that got me named Risk Manager of the Year by FERMA in 2021.

Strategic goals

• How do you increase the chance of achieving strategic goals by managing uncertainties in the market?
• Can you provide an example of how your risk assessment influenced a strategic decision?

Operational efficiency

• How can you help us streamline our operations to reduce disruptions and improve productivity? This is area is a huge opportunity for organisations to overcome “flaw of averages”
• How can you use risk management techniques to identify operational bottlenecks or inefficiencies?

The “flaw of averages” refers to the common mistake, popularised by Sam Savage, of using average values to make decisions under uncertainty, which often leads to incorrect conclusions. Here’s a simple explanation:

• Imagine you are planning a project and estimate that, on average, it will take 10 days to complete. If you plan everything based on this single average value, you might overlook the reality that the project could take 5 days (if everything goes perfectly) or 15 days (if there are delays).
• By focusing only on the average, you ignore the variability and range of possible outcomes. This can lead to missed deadlines, budget overruns, or other unexpected outcomes.

In essence, the flaw of averages means that relying on average values alone can give a false sense of certainty and result in poor decision-making. Instead, it’s crucial to consider the full range of possible outcomes and their probabilities to manage uncertainty effectively.

Compliance and governance 

• How can you insure we have necessary risk disclosures and risk reporting without creating unnecessary bureaucracy? Ask RAW@AI for a good 💡 answer. 
• What are some of the legal requirements that are relevant for our industry?

Want to hire good risk managers? Come to RAW2024 to network with some of the best risk specialists.

Every year I update my must read list for risk and insurance managers. Kahneman’s Thinking Fast and Slow has been there since the very beginning. A risk manager on my team just finished reading it and he used RAW@AI to summarise they key points for risk professionals. Enjoy!

1. The two systems – There are two ways of thinking: System 1 and System 2. System 1 is fast, automatic, and works without much effort. It’s the part of our brain that helps us make quick decisions. System 2 is slower, more deliberate, and takes more effort. It helps us when we need to think carefully, especially in difficult situations. These two systems work together, with System 1 handling easy tasks and System 2 stepping in when things get more complicated.
2. Attention and effort – System 2 needs focus and energy to work. When we concentrate on something, like reading or learning a new skill, System 2 is in charge. However, because it uses a lot of energy, we often rely on System 1 to handle most tasks. System 2 kicks in when something requires careful thought or when System 1 makes a mistake.
3. The lazy controller – System 2 is often lazy and lets System 1 take the lead, which can lead to errors. For example, when we make quick decisions without much thought, it’s usually System 1 at work. System 2 should check and correct System 1, but because it’s lazy, it doesn’t always do so. This can cause us to rely on shortcuts that might not be accurate.
4. The associative machine – System 1 is always making connections between ideas, even when they aren’t really related. For instance, seeing the word “banana” might make you think of “yellow.” Here, Kahneman talks about how System 1 quickly forms connections and patterns, even when they don’t really exist. This can affect our thoughts and decisions without us realizing it. System 1 is always trying to make sense of things by linking ideas together, which can sometimes lead to wrong conclusions.
5. Cognitive ease – When things feel easy and familiar, System 1 works smoothly, giving us confidence in our decisions. But this ease can make us overlook important details.
6. Norms, surprises, and causes – System 1 expects the world to follow patterns. When something surprising happens, it quickly tries to find a cause. This quick thinking can help us make sense of the world, but it can also lead us to make assumptions that aren’t always correct.
7. A machine for jumping to conclusions – System 1 often jumps to conclusions with limited information. System 2 is supposed to check these conclusions, but it doesn’t always do so. This can lead to quick decisions that might not be well thought out.
8. How judgments happen – This chapter explains how System 1 forms judgments quickly based on what’s easy to see or remember. System 2 should review these judgments, but it often doesn’t, especially if it’s tired or distracted. This can result in decisions that aren’t accurate.
9. Answering an easier question – When faced with a difficult question, System 1 often replaces it with an easier one, leading us to give an answer that feels right but doesn’t actually address the real question. This is why we sometimes answer questions about complex issues with simple, unrelated answers.
10. The law of small numbers – System 1 tends to make decisions based on small amounts of information, which can lead to errors. For example, if we see a few examples of something, we might think it’s common, even if it’s not. System 2 should help by seeking more information, but it often relies on what System 1 provides.
11. Anchors – The first piece of information we receive, called an “anchor,” strongly influences our decisions. Even if the anchor is irrelevant, it can affect how we think about a situation. This is why first impressions or initial numbers can have a big impact on our choices.
12. The science of availability – This chapter explains how System 1 relies on information that is easy to remember. This can make us think that something is more common or important than it actually is. System 2 should help by considering all the information, but it often goes along with what System 1 suggests.
13. Availability, emotion, and risk – Kahneman talks about how emotions influence System 1’s decisions, especially when it comes to risks. For example, if something bad happened recently, we might overestimate the chances of it happening again. This emotional influence can lead us to misjudge risks.
14. Tom W’s specialty – Here he tell how System 1 quickly stereotypes or categorizes people and things. This can lead to judgments based on incomplete or misleading information. System 2 should help by thinking more carefully, but it often doesn’t, leading to mistakes.
15. Linda: less is more – In this chapter, Kahneman discusses how System 1 makes decisions based on stories that seem to make sense, even if they are logically flawed. This can cause us to make errors in reasoning, especially when we rely on intuition rather than careful thinking.
16. Causes trump statistics – System 1 is drawn to stories about causes and effects, even when they aren’t supported by statistics. For example, we might believe a single dramatic story more than a set of boring statistics. This can lead us to make decisions based on compelling stories rather than actual data.
17. Regression to the mean – Extreme events are often followed by more typical ones. For example, a sports team that has an exceptionally good season is likely to have a more average season the next year. System 1 struggles with this concept and often expects patterns where there are none.
18. Taming intuitive predictions – System 1 makes quick predictions that can be inaccurate because they’re based on limited information. System 2 can improve these predictions by taking the time to think carefully and consider all the details, but it requires effort and isn’t always done.
19. The illusion of understanding – This chapter explains how System 1 often believes it understands things better than it actually does. This can lead to overconfidence and errors in judgment. System 2 should help by questioning these assumptions, but it often doesn’t, leading to mistakes.
20. The illusion of validity – System 1 sticks with its first judgments, even when evidence suggests they’re wrong. This creates a false sense of certainty, leading us to trust our first impressions more than we should.
21. Intuitions vs. formulas – Here Kahneman tells that System 2 is better at making decisions using formulas or rules rather than relying on System 1’s intuitions. Even experts can make mistakes if they don’t use systematic approaches. System 2 should help by applying these rules, but it often relies too much on intuition.
22. Expert intuition: when can we trust it? The author explains that expert intuition can be reliable when it’s based on experience in a stable environment. However, in unpredictable situations, even experts can make mistakes. System 2 should help by questioning intuitive decisions, but it might not always do so.
23. The outside view – Taking a broader perspective, known as the “outside view,” helps prevent biases and errors that come from focusing only on the immediate situation. By looking at similar situations and their outcomes, we can make better decisions.
24. The engine of capitalism – Optimism and overconfidence drive entrepreneurial ventures, fueling innovation and growth. However, they also increase the risk of failure. It’s important to balance enthusiasm with a realistic assessment of risks to avoid costly mistakes.
25. Bernoulli’s errors – Traditional economic theories assume people make rational decisions to maximize happiness, but in reality, decisions are often influenced by irrational factors. For example, people tend to fear losses more than they value gains, leading to decisions that aren’t always logical.
26. Prospect theory – Kahneman talk about Prospect Theory, which explains how people make decisions based on perceived gains and losses rather than just the final outcome. System 1’s influence can lead to irrational decisions, such as being more afraid of losing something than being excited about gaining something.
27. The endowment effect – People tend to overvalue what they already own, making them reluctant to trade or sell, even when it would be beneficial. This is known as the endowment effect, where ownership increases the perceived value of an item.
28. Bad events – People are more sensitive to potential losses than gains. This can lead to risk-averse behavior, where we avoid taking risks even when they might lead to better outcomes. The fear of losing often outweighs the hope of gaining.
29. The fourfold pattern – Attitudes toward risk change depending on whether people are dealing with gains or losses and whether the probabilities are high or low. This can lead to inconsistent behaviors, as people might be risk-averse in some situations but risk-seeking in others.
30. Rare events – This chapter discusses how System 1 tends to overestimate the likelihood of rare events, especially when they are dramatic or emotional. This can lead to disproportionate responses to low-probability risks, such as being overly afraid of unlikely dangers.
31. Risk policies – In this chapter, Kahneman emphasizes the importance of having clear policies to guide decisions about risk. Instead of relying on System 1 quick instincts, which can be influenced by emotions or recent experiences, policies help ensure that decisions are more consistent and rational. System 2 should enforce these policies, even though it might be tempted to go along with System 1 faster, easier choices.
32. Keeping score – Kahneman explains how people tend to keep mental “scores” of their decisions, focusing on short-term gains and losses. This scorekeeping is influenced by System 1, which makes us more concerned with immediate results than long-term outcomes. This can lead to decisions that feel good in the moment but aren’t the best in the long run. System 2 should help by looking at the bigger picture, but it often gets caught up in System 1’s focus on short-term wins.
33. Reversals – How a problem is framed can change whether we are risk-averse or risk-seeking. For example, people might choose differently if a situation is presented as a loss rather than a gain. Re-examining the framing helps avoid being misled.
34. Frames and reality – Kahneman continues to discuss framing, explaining that System 1 is very sensitive to how choices are presented, or “framed.” This can lead to decisions that are based more on how the options are described than on the actual facts. System 2 can help by stepping back and considering the objective reality, but it often lets System 1 take control, which can lead to biased decisions
35. Two selves – In this chapter, Kahneman introduces the idea of the “experiencing self” and the “remembering self.” The experiencing self is how we feel in the moment, while the remembering self is how we look back on those moments later. System 1 influences both selves, but they often lead to different decisions. For example, we might make choices that don’t make us happy in the moment but that we think will be memorable later.
36. Life as a story – Kahneman explains how the remembering self often shapes our decisions by focusing on how we expect to remember events, rather than on how we experience them at the time. This can lead to choices that prioritize creating memorable stories over actually enjoying life as it happens. System 1 is driven by these stories, while System 2 should help by considering our overall happiness, but it doesn’t always succeed.
37. Experienced well-being – There is often a gap between how we feel in the moment and how we remember those moments later. This difference can lead us to make decisions that don’t necessarily improve our overall happiness. Understanding this gap can help us make choices that lead to greater long-term well-being.
38. Thinking about life – Our satisfaction with life is influenced by both quick judgments and reflective thinking. Recognizing the roles of both System 1 and System 2 can help us make better decisions that lead to lasting happiness.

I believe there are 3 things risk managers of the future will be doing. Today, most of you are doing number 1, some, very few, are doing number 2 and almost no one is doing number 3. Risk managers of the future will be spending 50% of their time on number 3, 49% of their time on number 2 and 1% on number 1%. Risk managers of today are spending 95% on number 1, 5% on number 2 and 0% on number 3. No wonder executives see no value in risk management.

1. Maintaining an effective ERM (Enterprise Risk Management)

Most of you are doing this already. You develop and implement some sort of risk governance documents, develop a risk register, maybe even establish a risk committee. I get it, you had no choice, the regulator/auditor/COSO/someone’s mum made you do it.

Maintaining a list of the most significant risks is not going to change how the organisation is run but it gives you a warm feeling of accomplishment. Having such list – your risk register – does serve a useful role as a checklist for reminding you to check that most significant risks are integrated into business plans and decisions. And it is useful to have something colourful to show auditors once a year.

Do it if you have to, just don’t waste too much on it. The next two groups of activities should take up the majority of your time, because they bring disproportionate value to the bottom line.

“Number 3 is huge because it changes everything we do day-to-day as risk managers.”

2. Integrating risk analysis into decision-making

The second bucket is about embedding risk analysis directly into specific decision-making processes. You can easily start by reviewing board agendas, executive committee agendas, and creating processes where a risk assessment will be performed for every decision before that decision is brought in front of executives.

Every large contract, every investment, every significant decision should be supplemented with a mini risk assessment. This assessment should outline how certain risks are mitigated or introduced by the decision. It’s about understanding the trade-offs and making informed choices.

Whether deciding to build new data centres in specific locations or choosing between different configurations for a coal mine, integrating risk analysis ensures decisions are made with a clear understanding of how associated uncertainties affect the final choice. Sometimes there are multiple good choices and there is a trade off between benefit and decision makers appetite for risk.

For example, during an investment decision, simulating how volatility in key assumptions affects the choice can reveal that what appears as the best option on paper, might not be the soundest real-world choice. Such analysis should be specific to the decision, not general or routine. Yes, that means dozens of risk assessments each month and it takes up a lot of time. I usually start with the most significant and costly decisions and slowly expand the scope. Plus I use RAW@AI to automate a lot of risk analysis and with the multi agent AI model I am building at the moment, this will become a piece of cake.

Some organisations are already doing it. For example, most are doing some form of vendor risk analysis or new contract risk assessments or project risk assessments. These are all good examples. If you investigated the methodology procurement or compliance or project teams are currently using you would discover huge opportunities for improvement, because while they claim to be risk based, most are not. This includes most if not all software vendors who actually make decision making worse by selling untested and unvalidated risk methodologies.

3. Fighting the averages

The last one is huge. Risk managers of the future realise that their priority is not ERM, not even risk-based decision making, their true strategic mission is to nudge the organization from a deterministic world to a stochastic world. I believe sooner or later, the global business society will mature to appreciate that many aspects of our lives are stochastic—characterized by uncertainty and volatility.

Imagine a business plan or a budget, where assumptions are made—like foreign exchange rates, recovery rates, equipment availability, employee performance, etc. Say, your budget uses 5X per USD as a budget foreign exchange rate. In reality, the foreign exchange rate fluctuates, sometimes spiking or diving, all the time. The same goes for raw material prices and availability, electricity prices, gas prices, and more. Traditional deterministic models fail to capture this volatility.

“Everything in life is stochastic. There is always some deviation, some sort of volatility that exists.”

Risk professionals are uniquely positioned to appreciate this volatility and should work to reintroduce it into organizational conversations, business plans, budgets and decisions. We need to replace single point estimates and averages with full distributions or at least risk-adjusted scenarios like P90 or P80. This shift is ground breaking and will fundamentally change how risk management is performed.

This may not feel like much at the moment, or at least until you try it, but it challenges risk management to the core. This will require new skills, new approaches and new methodologies. Risk managers of the future will have a mission – fighting the averages and embracing the full spectrum of possibilities, never ignoring the real-world volatility.

This means going through business plans and budgets and challenging every single significant assumption, replacing the single number estimates with distributions and then running monte carlo optimisations.

These three buckets redefine our daily practices and elevate the impact of risk management beyond compliance and control. Risk managers can and will have direct and immediate impact on decision making, corporate planning and performance management.

I encourage all risk professionals to start integrating these principles into their work. The shifts might be challenging, but the value they provide is immense—in terms of operational efficiency, financial performance, and strategic resilience. Give chance a chance, as Sam Savage says, fight the averages, and integrate risk analysis into every decision and business plan the organisation makes.

Ask questions, share your experiences, and consider joining Risk Awareness Week 2024 for a deeper dive into these concepts. I’ll see you online as we continue shaping the future of risk management together.

Feel free to type your questions or comments, try our RAW@AI chatbot for quick answers, and explore practical applications of these methodologies in your own organizations. Good luck on your risk management journey!

For more insights and practical tips, subscribe to our Risk Academy YouTube Channel or visit Risk Awareness Week.

Risk management is not about identifying, assessing, and mitigating risks; it’s about changing how the company operates and making decisions with risks in mind.

Imagine you are building a world class risk management team for a non-financial company, who would you hire? In  my risk management team I need a researcher, a decision analyst, a quant and a culture ambassador.

The researcher

I need someone to spend time scouring through reports, news articles, and regulatory updates to identify emerging risks and trends. This demands a keen eye for detail and a deep understanding of the industry. The researcher must be able to connect the dots between seemingly disparate pieces of information, anticipating how changes in one area could ripple across others. This might involve understanding how a natural disaster in one part of the world could disrupt supply chains, or how a political shift in another country could affect trade policies and create new risks for the organization. Ultimately, the researcher’s role is to provide a clear-eyed assessment of the risk landscape, enabling the organization to make informed decisions and take proactive measures to protect its interests.

An AI model or a specialised risk management chatbot like free RAW@AI can rapidly analyze vast amounts of unstructured data from diverse sources, summarizing key insights and highlighting potential threats. AI can also be trained to continuously monitor information feeds, alerting the team to relevant developments in real-time. According to a 2022 report by IBM, AI systems detected and responded to security breaches an average of 40% quicker than human-led teams. This frees the researcher to focus on deeper analysis and strategic decision-making.

Here are just some of the tasks AI can perform quicker and comparable in quality:

• Continuously scanning massive volumes of news, social media, and regulatory updates for emerging risks (it’s possible, I don’t have a chatbot for that yet, let me know if you found something).
• Identifying patterns and correlations in large datasets to predict potential future risks (RAW@AI GPT, required ChatGPT Plus subscription to use, does that easily and quickly).
• Quickly condensing lengthy reports and documents into concise summaries (RAW@AI GPT, required ChatGPT Plus subscription to use, does that easily and quickly).
• Analyzing competitor actions and market trends to assess potential threats and opportunities (free RAW@AI can do it, no registration required).
• Exploring different potential future scenarios and their impact on the organization (free RAW@AI can do it, no registration required).
• Automatically identifying and classifying risk factors from unstructured text (free RAW@AI can do it, no registration required).
• Conducting comprehensive literature reviews and summarizing key findings (free RAW@AI can do it, no registration required or use RAW@AI GPT, required ChatGPT Plus subscription to use).
• Monitoring regulatory changes and assessing their impact on the organization.
• Identifying unusual patterns or outliers in data that may indicate emerging risks (RAW@AI GPT, required ChatGPT Plus subscription to use, does that easily and quickly).

The decision analyst

I need a decision analyst to serve as a bridge between quantitative risk analysis and decision-making. The analyst helps me identify opportunities to integrate risk analysis into various business processes, such as investment decisions, project evaluations, and operational planning. I also use analysts to review decision models, identify and challenge key assumptions as well as later translate quantitative results into actionable insights and monitor risk mitigation.

AI has already transformed the role of the decision analysts by automating time-consuming tasks and augmenting their analytical capabilities. Here are some of the tasks that AI can perform with increasing speed and accuracy:

• Identifying potential biases or limitations in existing decision-making models, suggesting improvements, and assessing the suitability of different risk assessment methodologies (free RAW@AI can do it, no registration required or use RAW@AI GPT, required ChatGPT Plus subscription to use).
• Critically analyzing the underlying assumptions of risk models and assessing their validity (free RAW@AI can do it, no registration required or use RAW@AI GPT, required ChatGPT Plus subscription to use).
• Interpreting the output of quantitative risk models and communicating findings in a clear and concise manner to both technical and non-technical stakeholders (free RAW@AI can do it).
• Tracking the implementation and effectiveness of risk mitigation measures, identifying emerging risks, and recommending adjustments as needed (free RAW@AI can do it).

The quant

Next I need a quant, a mathematical genius who can apply quantitative techniques to model and measure effect of risks on decisions. This individual should be able to construct intricate models that simulate potential scenarios, assess the effect of various events on cash flows, and quantify the financial implications of different decisions. A deep understanding of statistics, probability theory, and financial mathematics is essential, as is expertise in programming and data analysis tools. If you ever tried, you know how difficult it is to hire one who understands risk management in non-financial companies.

You would be surprised by some AI models can now do all this and more. AI models with access to python environment can perform calculations more complex than 95% of risk managers out there. Here are just some of the tasks AI can perform quicker and with less errors:

• AI can quickly clean and standardize large datasets, ensuring data quality and consistency for subsequent analysis (RAW@AI GPT can now do this).
• AI can automate the process of calibrating and validating risk models, ensuring that they are accurate and reliable (RAW@AI GPT can now do this).
• AI can run thousands of simulations to assess how changes in model parameters or assumptions affect the overall risk profile, providing valuable insights into the key drivers of risk (RAW@AI GPT can now do this).
• AI can generate a wide range of potential scenarios, allowing for assessment of the impact of different events on the organization’s financial position (RAW@AI GPT can now do this).
• AI can quickly backtest risk models against historical data to evaluate their performance and identify potential weaknesses and more (RAW@AI GPT can now do this).

The culture ambassador

Finally, I need a culture ambassador, someone who can foster a strong risk awareness and accountability culture throughout the organization. This person should be a natural extravert, able to inspire and motivate others to embrace risk management as an integral part of their roles and the decisions they make. They should be skilled communicators, able to translate complex risk concepts into easily understandable language for employees at all levels. They should also be adept at designing and implementing engaging training programs and communication campaigns that promote risk awareness and encourage proactive risk mitigation behaviors. Just like a RISK AWARENESS WEEK 2024 later this year.

You guessed it, AI can now support many aspects of building a risk culture, making it more accessible and engaging for employees:

• AI can tailor risk management training materials to the specific roles and knowledge levels of individual employees, making the learning experience more relevant and effective (free RAW@AI can do it).
• AI can create realistic risk scenarios and simulations, allowing employees to practice their risk management skills in a safe and controlled environment (free RAW@AI can do it).
• AI can gamify risk management training, making it more engaging and fun for employees (free RAW@AI can do it).
• AI can provide employees with immediate feedback on their risk management decisions, helping them learn and improve their skills (free RAW@AI can do it).
• AI can help translate complex risk concepts into plain language, making it easier for employees to understand and apply risk management principles in their day-to-day work (free RAW@AI can do it).

See you at RAW2024.

A study published in the Annals of Oncology found that a deep learning algorithm achieved a 95% accuracy rate in detecting melanoma from skin lesion images, outperforming a panel of 58 dermatologists whose average accuracy was 86.6%.  In another study published in Nature, a deep learning system was able to identify breast cancer from mammograms with greater accuracy than radiologists. The AI system demonstrated a reduction of 1.2% (UK set) and 5.7% (US set) in false positives, and 2.7% (UK set) and 9.4% (US set) in false negatives. Research in the journal JAMA Network Open demonstrated that an AI algorithm was able to diagnose lymph node metastasis in breast cancer patients with an accuracy of 99.5%. This surpassed the 96.9% accuracy demonstrated by human pathologists. Research conducted by Siemens in 2019 demonstrated that AI-driven predictive maintenance tools could forecast equipment failures with up to 30% greater accuracy than experienced maintenance personnel. And according to a 2021 study by J.P. Morgan, AI and machine learning models reduced default prediction errors by approximately 25% over traditional statistical models.

And yet, every time me or one of my team members do a webinar on using AI for risk management, the only question that people ask is “how accurate is AI”. Every bloody time.

So let me share a story. In my last 5 Head of Risk roles, I had access to both world-class team of quant risk professionals and access to different AI models, including the ones built in-house. And you know what, I have spent considerably more time verifying, checking, correcting and validating my human risk team’s deliverables than I do now verifying RAW@AI deliverables. What used to take my team weeks to do, now can be done by AI + python in hours.

AI doesn’t have to be always right, it just has to be less wrong than humans

In my mind, for AI to be universally adopted by risk professionals, it doesn’t need to be perfect—it just needs to be better than humans at making fewer mistakes. This is something Douglas Hubbard calls “beat the bear” fallacy. Imagine two campers confronted by a bear; one doesn’t have to outrun the bear to survive, he just needs to outrun the other camper. Similarly, AI doesn’t have to be flawless; it just needs to outperform human error rates and speed of analysis.

Humans are great at many things, but we can get tired, we can overlook details, we have blind spots to certain risks and we all have our biases. Some risk managers came from accounting background and have little understanding of risk math. All these limitations make risk managers less effective, especially when dealing with probability theory, complex, interrelated risks and decisions. AI, on the other hand, can handle huge datasets, large volumes of text and complex calculations without getting weary or overly biased. AI still makes mistakes. That isn’t the question. Does it make less or more mistakes than an alternative, that is the right question.

My RAW@AI, for example, can consistently outperform most Big 4 risk consultants and RM1 risk managers. Try it.

The more data you have, the more AI outperforms humans

Large volumes of data is what gives AI its risk management superpower. Unlike humans, AI can quickly go through huge amounts of both structured data (risk registers, spreadsheets and databases) and unstructured data (risk reports, interview transcriptions, annual reports, and research papers). This ability lets AI gather a wide and current view of potential risks and quantify most risks on the planet. Most risk managers can of course do the same, but it will take them 10X time to achieve comparable level of quality.

The human brain is incredibly adept at recognizing familiar patterns, but it struggles with the sheer complexity and subtlety of patterns found in today’s probabilistic risk landscape. AI, on the other hand, excels at finding complex and non-linear relationships withing massive datasets (distilling large texts into key points, not so much, but it’s only a question of time).  This can reveal hidden connections between seemingly disparate events or data points, highlighting risks that would otherwise go unnoticed until it’s too late. According to a 2022 report by IBM, AI systems detected and responded to security breaches an average of 40% quicker than human-led teams.

You no longer need math PhD to do quant risk analysis

In the past, every time I joined a company I would struggle to find quants who understand risk management and capable of abstract thinking to integrate into decision making. If you ever tried hiring a quant for risk management, you know what I mean.

Well, AI is changing the game. AI models with access to Python environment are putting powerful quantitative tools into the hands of a wider range of professionals. AI models take care of the complex math, allowing risk managers to focus on empowering risk taking and integrating risk analysis into the decision making. Just like calculators made complex computations accessible to everyone, AI and SIPmath are doing the same for risk modelling. You don’t need to understand the inner workings of a calculator to get the answer, and you no longer need to be a mathematics whiz to perform sophisticated risk analysis.

You still need to be able to double check the calculations, because calculation errors are frequent. But you know what is even more frequent? Calculation errors by human risk managers. Much more frequent :)) The question isn’t whether AI will transform risk management. It’s whether you will upskill quickly enough to utilize AI and guide its insights, or your team will be replaced by the next version of RAW@AI.

Learn how to start using AI models in your risk department at #RAW2024. 

Douglas Hubbard made popular another term “algorithm aversion”. It describes the phenomenon where people prefer human judgment over algorithmic or machine-generated solutions, even when the algorithm performs better or equally well. This aversion often persists even after the person has experienced the algorithm’s superior performance, typically due to biases or a lack of trust in automated systems. Looks at just some of the studies on algorithm aversion, it’s not new:

1. Dietvorst, B. J., Simmons, J. P., & Massey, C. (2015). “Algorithm Aversion: People Erroneously Avoid Algorithms After Seeing Them Err.” Published in the Journal of Experimental Psychology: General, this study is one of the foundational pieces of research on algorithm aversion. It demonstrated that people are less likely to use an algorithm after seeing it perform imperfectly, despite the fact that the algorithm outperforms humans on average.
2. Logg, J. M., Minson, J. A., & Moore, D. A. (2019). “Algorithm Appreciation: People Prefer Algorithmic to Human Judgment.” Published in Organizational Behavior and Human Decision Processes, this study provided a counterpoint to the typical findings of algorithm aversion, suggesting that under certain conditions, people might prefer or appreciate algorithmic advice over human advice.
3. Onkal, D., Goodwin, P., Thomson, M., Gönül, S., & Pollock, A. (2009). “The Relative Influence of Advice from Human Experts and Statistical Methods on Forecast Adjustments.” This study in the Journal of Behavioral Decision Making explored how professionals adjust their forecasts based on advice from statistical methods compared to human experts, highlighting a bias towards human advice even when statistical methods are known to be more accurate.
4. Prahl, A., & van Swol, L. M. (2017). “Understanding Algorithm Aversion: When Is Advice From Automation Discounted?” This article in the Journal of Forecasting delves into conditions under which individuals may or may not follow automated advice, identifying factors that can influence the acceptance of algorithmic input.
5. Burton, J. W., Stein, M-K., & Jensen, T. B. (2020). “A Systematic Review of Algorithm Aversion in Augmented Decision Making.” This review, published in the Journal of Behavioral Decision Making, consolidates various studies on algorithm aversion, providing a comprehensive overview of how and when algorithm aversion occurs in decision-making processes involving automation.

Important limitations:

• Utilizing AI in risk management involves handling sensitive data, which can raise compliance and privacy issues. Some risks are too sensitive to be analysed by AI, unless it is an in-house closed model.
• Using AI for risk management will probably be considered high risk activity under the EU AI Act and will require significant compliance controls.
• In cases where AI-driven decisions lead to financial losses or compliance breaches, establishing accountability can be challenging. Determining whether the fault lies in the data, model, or decision-making process requires clear protocols.
• Effective use of AI in risk management requires specialized skills that may not be readily available within traditional risk teams. At least hiring or upskilling personnel to work effectively with AI tools is easier than finding a good risk quant who understands decision science and behavioural economics.

When you think of movies, the genres of action, romance, or perhaps drama might come to mind. But what if I told you that some of the most compelling tales of risk management, decision science, and behavioural economics come packaged in the very films we cherish? This isn’t just about Wall Street dramas or high-stakes heist thrillers. Sometimes, the most profound lessons about risk lurk in unsuspected corners, from a romantic comedy to a sci-fi classic. In this article, I’ve created a list of movies that, knowingly or not, offer a masterclass on risk based decision making or what I call RM2. Movies hit us all differently, just like risks do. Check out my list and let me know which ones speak to you or if there’s a film that’s got you thinking about risk based decision making in a whole new light. I’d love to hear your thoughts!

Wall Street

Lesson: The cutthroat world of finance depicted in “Wall Street” highlights the complex interplay between greed, ambition, and ethics. The film explores how a culture of risk-taking can lead to destructive behavior if left unchecked. It also illustrates the importance of long-term vision and ethical grounding in making sustainable financial decisions.

Boiler Room

Lesson: Providing a glimpse into the high-stress environment of investment sales, “Boiler Room” teaches the necessity of transparency and integrity in business. The film emphasizes the dangers of short-term gains pursued without regard for ethics, legal compliance, or the well-being of clients. It’s a powerful warning against creating a business culture where ends justify means.

The Founder

Lesson: Chronicling the rise of a fast-food giant, “The Founder” focuses on innovation, strategy, and entrepreneurship. It delves into the challenges of taking calculated risks and the potential perils of opportunistic decision-making. The story underscores the value of vision and determination but also warns of the risks in stepping over ethical boundaries.

Apollo 13

Lesson: The harrowing account of a failed lunar mission, “Apollo 13,” teaches critical lessons in teamwork, leadership, and crisis management. It illustrates how complex problems can be tackled through collaboration, creative problem-solving, and the ability to make informed decisions under uncertainty. The success in handling the crisis emphasizes the importance of preparedness, contingency planning, and adaptability.

Sully

Lesson: “Sully” showcases the remarkable emergency landing on the Hudson River, emphasizing the vital role of human judgment and intuition in managing risk. Despite technological advancements and automated systems, the film shows that there’s no substitute for experience, intuition, and the ability to make rapid yet thoughtful decisions under intense pressure.

Unstoppable

Lesson: In this thrilling tale of a runaway train, “Unstoppable” explores the urgency of rapid decision-making and the importance of coordination and teamwork. It demonstrates how unforeseen challenges require adaptability, clear communication, and understanding the potential risks and rewards of various strategies.

The Mercy

Lesson: “The Mercy” portrays an ill-fated yacht race, offering a sobering lesson in the importance of self-awareness, realistic goal-setting, and proper preparation. It highlights how over-ambition without adequately understanding and quantifying risks can lead to catastrophic failure. The film’s tragic outcome stresses the importance of humility and prudent risk assessment in pursuing any significant endeavour.

Air (2015), not the Nike one 🙂

Lesson: Post-apocalyptic thriller, “Air” is a study in human behaviour, resource management, and ethical decision-making under extreme scarcity. The film underscores the importance of strategic planning and highlights how poor risk assessment can have severe consequences. It’s a compelling exploration of how we prioritize and act when everything is on the line.

Organisations can only hope to advance their Purpose – and thus create value – by making and implementing decisions. Decision-making approach and competency is thus fundamental to sound governance.

This workshop will show that although the array of current and past approaches to ‘Risk Management’ with their many artefacts and paraphernalia absorb precious resources, they serve only to hinder rather than help sound decision making. We will contend that these ‘Risk management’ belief systems create an illusion of confidence as to which outcomes will flow from decisions and so act as an organisational ‘Kool-aid’ that insidiously undermine sound governance.

We will examine a diverse selection of well known, public domain case studies of decisions that resulted in very serious unintended consequences (ranging from Fukishima to SVB) to illustrate that it was the distraction of ‘Risk management’ that resulted in the defective decisions that made these events possible.

While our presentation will demonstrate how the advocacy of the proponents of these unnatural ‘Risk management’ belief systems to ‘integrate’ them into the (natural) way that organisations (and their ‘Deciders’) actually make decisions distracts and hinders, it will also demonstrate (by contrast) that greater awareness of how decisions are actually made supports and facilitates even better decision-making.

https://2023.riskawarenessweek.com/talks/how-risk-management-hinders-rather-than-helps-decisionmaking-and-actually-degrades-value/

About the speaker

Douglas Hubbard, Founder/President, Hubbard Decision Research. Doug Hubbard founded the uniquely powerful and proven Applied Information Economics (AIE) method. He is an entrepreneur, an accomplished consultant and an author of five books. Mr. Hubbard has transformed Risk Management into a competitive advantage for his clients across the globe.

When you think of movies, the genres of action, romance, or perhaps drama might come to mind. But what if I told you that some of the most compelling tales of risk management, decision science, and behavioural economics come packaged in the very films we cherish? This isn’t just about Wall Street dramas or high-stakes heist thrillers. Sometimes, the most profound lessons about risk lurk in unsuspected corners, from a romantic comedy to a sci-fi classic. In this article, I’ve created a list of movies that, knowingly or not, offer a masterclass on risk based decision making or what I call RM2. Movies hit us all differently, just like risks do. Check out my list and let me know which ones speak to you or if there’s a film that’s got you thinking about risk based decision making in a whole new light. I’d love to hear your thoughts!

Margin Call (Business/Drama)

Lesson: The consequences of inadequate risk assessment. The film provides an intense examination of the financial crisis and the ethical challenges faced by those at the centre of it.

Moneyball (Sports/Drama)

Lesson: The power of data-driven decision-making and challenging conventional wisdom. Billy Beane’s approach to assembling a team teaches us to question established norms and make decisions based on empirical evidence.

Dr. Strangelove (War/Comedy)

Lesson: The catastrophic consequences of poor communication and decision-making in high-stakes environments. It’s a satirical take on the risks of nuclear conflict during the Cold War.

The Big Short (Business/Comedy)

Lesson: A deep dive into the complexities of the financial market and the perils of groupthink. This film elucidates the subprime mortgage crisis and offers a critical perspective on risk assessment.

A Quiet Place (Horror)

Lesson: Every action, or lack thereof, has consequences. This survival horror film demonstrates the importance of situational awareness and the consequences of poor risk assessment in a high-stakes environment.

Silver Linings Playbook (Romantic/Comedy)

Lesson: Personal risk management and the unpredictability of human behaviour. The story underscores the challenges of personal relationships and mental health, and how our decisions, even in love, require a certain assessment of risks and rewards.

The Hurt Locker (War/Drama)

Lesson: Decision-making under extreme stress. As a bomb disposal technician in Iraq, the protagonist constantly weighs the immediate physical risks against the broader strategic goals.

WarGames (Sci-Fi)

Lesson: The unintended consequences of automated decision-making systems. It showcases how reliance on technology without human judgment can lead to unforeseen and disastrous outcomes.

Trading Places (Comedy)

Lesson: Behavioural economics at play in the real world. A bet between two wealthy men results in a social experiment, highlighting how environment influences decision-making and behaviour.

Serendipity (Romantic/Comedy)

Lesson: The role of chance in life decisions and the inherent risks in relying on fate. The protagonists’ decision to leave their future to destiny poses questions about how much of our lives we leave to chance versus how much we control.

For the fifth year running Risk Awareness Week 2023 promises to be the biggest online risk management and decision making event and offers amazing insights, strategies, and discussions revolving around the integration of risk management into decision making. More than 20000 people already viewed the workshops. This year, you wouldn’t want to miss this:

Evolution and future of risk management

The ever-evolving landscape of risk management is shaped by technological advancements, innovative methodologies, and forward-thinking strategies. This theme delves into the future trends and the transformative power of emerging technologies in the realm of risk.

• Future risk management trends: Alex Sidorenko’s insights into the integration of decision science and quantitative risk analysis. Link
• Leveraging technology for proactive risk management: The role of modern technology, including AI, in reshaping risk management. Link
• The future of risk management: Harnessing emerging technologies and trends for a new era of risk management. Link

Decision-making and strategy

Risk management is intrinsically tied to decision-making and strategic planning. This theme emphasizes the importance of integrating risk insights into core business strategies, ensuring that decisions are both informed and impactful.

• How risk management can degrade value: The potential pitfalls of over-reliance on traditional risk management. Link
• Risk analysis and decision guidance: The role of actionable insights in guiding strategic decisions. Link
• Minimum functional objectives in decision-making: A novel approach prioritizing essential outcomes. Link
• The role of risk appetite in strategy: Defining and understanding organizational risk appetite. Link
• Mastering risk-reward decision-making: A strategic approach to balancing potential rewards with risks. Link

Real-life applications and success stories

Practical insights and real-world applications of risk management principles are invaluable. This theme showcases success stories, lessons from industry pioneers, and practical strategies that have proven effective across sectors.

• Turning risks into opportunities: Real-life examples of transforming threats into advantages. Link
• Lessons from risk-taking pioneers: Gleaning insights from industry leaders’ experiences. Link
• Scenario planning and stress testing: Techniques for preparing organizations for unexpected scenarios. Link
• Innovations in risk management: Exploring the latest trends and strategies from a cross-industry perspective. Link

Risk communication and culture

The human element in risk management is pivotal. This theme underscores the importance of effective risk communication, fostering a risk-aware culture, and the psychological aspects of risk-taking.

• Talking about numbers without using numbers: Making complex data understandable. Link
• Developing a risk-taking mindset: Overcoming fear and uncertainty to embrace risks. Link
• Fostering a culture of risk awareness: Building a resilient organizational culture that prioritizes risk awareness. Link

Here are the top 5 insights participants can expect from the RAW2023:

• The future of risk management is intertwined with technological advancements. Participants will gain insights into how AI, data analytics, and other emerging technologies can be harnessed to make risk management more proactive and efficient.
• A recurring theme is the importance of integrating risk insights into core business strategies. Workshops will delve into how to make informed and impactful decisions, balancing potential rewards with associated risks, and the role of risk appetite in guiding organizational strategies.
• Participants will benefit from real-life examples showcasing how perceived threats were transformed into strategic advantages. These success stories offer practical lessons and strategies that can be applied across various sectors.
• Conveying complex risk data in an understandable manner is crucial. Workshops will provide techniques and approaches for effective risk communication, ensuring that stakeholders at all levels can grasp and act on risk insights.
• Beyond tools and strategies, the human element in risk management is pivotal. Participants will learn about fostering a culture that embraces calculated risks, the psychological aspects of risk-taking, and strategies to overcome fear and uncertainty.

Organisations can only hope to advance their Purpose – and thus create value – by making and implementing decisions. Decision-making approach and competency is thus fundamental to sound governance.

This workshop will show that although the array of current and past approaches to ‘Risk Management’ with their many artefacts and paraphernalia absorb precious resources, they serve only to hinder rather than help sound decision making. We will contend that these ‘Risk management’ belief systems create an illusion of confidence as to which outcomes will flow from decisions and so act as an organisational ‘Kool-aid’ that insidiously undermine sound governance.

We will examine a diverse selection of well known, public domain case studies of decisions that resulted in very serious unintended consequences (ranging from Fukishima to SVB) to illustrate that it was the distraction of ‘Risk management’ that resulted in the defective decisions that made these events possible.

While our presentation will demonstrate how the advocacy of the proponents of these unnatural ‘Risk management’ belief systems to ‘integrate’ them into the (natural) way that organisations (and their ‘Deciders’) actually make decisions distracts and hinders, it will also demonstrate (by contrast) that greater awareness of how decisions are actually made supports and facilitates even better decision-making.

https://2023.riskawarenessweek.com/talks/how-risk-management-hinders-rather-than-helps-decisionmaking-and-actually-degrades-value/

Are you ready to put your luck to the test while learning about probability theory, game theory, and informed decision-making? Welcome to the RAW2023 lottery, where you can win full access to the Risk Awareness Week 2023 worth between $250-500!

The game of chance and probability

The RAW2023 lottery is not just a game of chance, but a practical application of probability theory. When you enter your email in the pop-up, you’re essentially rolling a virtual dice. The outcomes? Better luck next time or very real discounts of 10%, 20%, 30%, 40%, 50%, or even a whopping 100% off the full access pass to RAW2023!

But what are the odds? That’s where probability theory comes in. Each discount represents a possible outcome, and the probability of each outcome is an interesting question. While we can’t reveal the exact probabilities, we can assure you that every spin holds a fair chance of winning! Gives your estimates in the comments below and see how they compare to the actual model.

Game theory and informed decision making

Game theory, a crucial part of decision science, is all about strategic interaction and making optimal choices. In the RAW2023 lottery, the strategy is simple: enter your email and spin. The potential payoff? Huge discounts on a ticket to one of the most insightful risk management conferences of the year.

The decision to participate in the lottery is an informed one. You know the possible outcomes and their benefits. The cost? Just a few moments of your time to enter your email.

How to claim your prize

If you’re one of the lucky winners, a discount code will be emailed to you. Make sure your email is correct, as you’ll be redirected to the ticket page where you’ll need to apply this code manually during checkout. The original price will be shown before the discount, so make sure you check your email for the code and use it.

Enter the code during checkout and voila! You’ve just used probability theory, game theory, and informed decision-making to score a fantastic deal on your RAW2023 pass.

So why wait? Spin to win and dive into the world of risk management with RAW2023. This is your chance to learn from the best in the industry, and who knows, you might just get to do it for free!

The power of community is a fundamental aspect of human behavior, deeply rooted in our evolutionary past. Neuroscience tells us that humans are social creatures, driven by the need to connect, collaborate, and learn from one another. When we interact with others, especially those who share our interests and passions, our brains release chemicals like oxytocin and dopamine, which not only make us feel good but also stimulate our creative and cognitive abilities.

As risk management professionals, we understand the value of community in our line of work. The ability to share insights, exchange ideas, and learn from the experiences of others is crucial in understanding the multifaceted nature of risk. That’s where Risk Awareness Week RAW2023 comes in.

RAW2023 isn’t just a conference—it’s a community. Each year, thousands of risk professionals from around the globe come together to engage in insightful conversations, share their experiences, and learn from the best in the field. The diversity of participants—from different industries, backgrounds, and levels of experience—enriches the RAW community and enhances the learning experience.

But building a network isn’t an event—it’s a process. Behavioral economics suggests that repeated actions can become habitual, leading to long-term changes in behavior. By attending RAW annually, you can foster the habit of networking, connect with fellow risk professionals, and build relationships that extend beyond the duration of the conference.

With RAW2023 on the horizon, we’re excited to offer another opportunity for you to grow your network and learn from the best in the business. But networking at RAW is more than just attending sessions—it’s about actively participating in discussions, asking questions, and sharing your own insights. Remember, every interaction is an opportunity to learn and grow.

If you’re new to RAW, don’t hesitate to introduce yourself and engage with other attendees. If you’re a returning participant, reconnect with the peers you met during previous editions and expand your network by meeting new ones. The shared experience of RAW creates a sense of belonging and mutual understanding that fosters productive conversations and enduring connections.

So, are you ready to be a part of the RAW community and enrich your professional network? Join us for RAW2023 this October. As a reminder, early bird tickets are available, providing you with a cost-effective opportunity to invest in your professional development. To register, visit our website https://2023.riskawarenessweek.com/.

At RAW, you’re not just an attendee—you’re a part of a global community of risk professionals. Let’s learn, grow, and navigate the future of risk together. See you at RAW2023!

This Risk Identification Checklist for Procurement is a valuable tool designed to guide you through the procurement process, helping you identify, assess, and manage potential risks at every stage. It covers a wide range of potential risks, from defining the procurement need to the delivery and use of the procured products or services, including the credit risk associated with prepayments and bank guarantees.

The checklist is designed to be attached to your procurement approval paperwork, providing a thorough overview of all potential risks associated with the procurement decision. However, it also serves as a guide for preparing presentations and memos for the Executive Committee, with a focus on significant risks that could have a major impact on the procurement project.

https://riskacademy.blog/download/risk-identification-checklist-for-procurement/

By using this checklist effectively, you can ensure that your procurement decision is as successful and risk-free as possible. It’s a must-have tool for anyone involved in procurement, helping to ensure that all potential risks are identified, assessed, and managed effectively.

I wanted to introduce to you our new online course developed by DCRO Institute and Risk Academy – Advanced Risk Governance.

The course is built upon 2 fundamental principles: verifiable science and validated through practical application by the authors. Whenever we implement a technique, methodology or approach it has to be based on either decision science, probability theory, neuroscience, behavioral economics, corporate finance or other relevant and well researched fields of study. And more importantly, we only share theories have been validated, back tested and replicated by numerous organizations.

In 2021 both FERMA in Europe and RIMS in US recognized this approach as best-in-class but more importantly, it allowed the company where one of the authors worked to save $13M on insurance premiums while improving the quality of coverage and increasing limits as well as reduce credit, performance and market risks and support risk-based decision making.

We hope ideas and tools presented in this course will provide you with practical ammunition (tools and ideas) that will have an immediate and significant effect on the quality of Board decision making. We encourage you to share your implementation success stories with the professional risk community at the next global Risk Awareness Week conference.

Overall theme for the course is advanced risk oversight.

Advanced risk oversight is a role a board member may choose once the traditional risk management elements have been implemented and the board member is prepared/curious/interested in taking a proactive role in driving deeper change to the way companies plan, budget, make decisions and measure performance with risks in mind.

Once the risk appetite statement is in place, risk policy approved, risk reports are prepared regularly, the board members may ask “so what”. Did that version of risk management change the way management plans and executes decisions? If you as the board member are dissatisfied with the effect risk management is having on the business bottom line and executive performance, then this course is for you.

Our goal is to look beyond the “ERM” view of risk management and share practical case studies how quantitative risk management changes how management makes decisions, procures, plans, forecasts, transfers risk and measures risk-adjusted performance.

Course structure

The course consists of five modules:

• Module 1 covers introduction, theme, structure and course objectives.
• Module 2 showcases some of the problems with modern risk management, business and project planning and finance and explains why many common methodologies ignore and hide risks from decision makers making risk oversight impossible.
• Module 3 describes what good risk-based decision making may look like and explains the role Board members play in integrating risk management practices into planning, decision making and performance management.
• Module 4 provides specific case studies on risk management implementation and the value and savings companies were able to generate through better quantitative risk analysis.
• Module 5 attempts to bring it all together and cover the cultural side of risk management to make the changes stick.

Course objectives

The course has the following objectives:

• Provide you with ammunition to initiate the move to advanced risk management and find support from shareholders and top management
• Improve the quality of your decision making and corporate planning and performance management through better risk analysis
• Protect and reduce your exposure to non-transparent decision making
• Provide practical case studies and additional resources to strengthen your oversight and learn from successful implementations

REGISTER TODAY

The idea that audit plans should be risk based is so old and widely accepted that we give no second thought to it. And yet in my 16 years of risk across 4 continents I have seen 100s of audit plans and I can assure you NONE of them were risk based. They were opinion and feelings based, some even had colors and qualitative words describing perceived risk exposure, some were materiality based and yet none were risk based because they were disconnected from the underlying organisational risk profile. 

If you are an internal auditor and you are sure that your audit plan is risk based, scroll to the bottom of the article, I added a quick checklist that will change your mind 

The problem – the biggest lie IIA ever sold business is that auditors understand risk

IIA even published a guideline on creating a risk-based audit plan, Developing the Risk-based Internal Audit Plan, 2020. I carefully reviewed the guideline back when it came out and again today and can guarantee, anyone who is following this best practice has no risk-based audit plan, 87% of the time. 

In alignment with the Code of Ethics principle of objectivity and Standard 1100 – Independence and Objectivity, internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately. Developing the Risk-based Internal Audit Plan, 2020

 

I think this is irony at its best, I will come back to the Code of Ethics principles a little later in the article. 

Risk assessments typically include both quantitative and qualitative methodologies. An abundant selection of software is available to help the internal audit activity perform risk assessments that result in both quantitative and qualitative data. Developing the Risk-based Internal Audit Plan, 2020

Well, I know of only one software that turns qualitative risk registers into quantitative and utilise utility theory to properly quantify and compare financial and non-financial risks. Archer Insight. 

In their risk assessments, internal auditors should estimate both inherent risk — the risk that exists if no controls were in place — and residual risk. Developing the Risk-based Internal Audit Plan, 2020

Ok, this is too funny. I have a whole article on why this is a typical example of nonsense when auditors artificially create a whole new concept to fit their agenda and serve no practical business purpose whatsoever. If you know auditors are the only beneficiaries from the whole inherent/residual conversation, something is seriously wrong.  The better alternative to “inherent” and “residual” risk concepts.

The CAE or assigned internal auditors should document the reasons for their determination of residual risk. This rationale lends support to internal audit’s view of risk priorities. Developing the Risk-based Internal Audit Plan, 2020

This is one of many reasons why risk prioritised derived from such approach have nothing to do with actual risk exposure the business is facing and what the auditors should’ve been focused all this time. 

Risk assessment results with levels of risk for each auditable unit may be depicted graphically in a heat map or similar chart to help show the ranking of priorities. Heat maps are especially useful when certain criteria are weighted more heavily than others and in visual presentations to the board and senior management.

Ok, this is all you really need to know about IIA level of competency when it comes to risk management. Heatmaps have been scientifically proven to misprioritise risks and be “worse than useless”  Let me make this very clear, IIA is recommending astrology and horoscopes in its official guidelines. Surely, that is a direct breach of a Code of Ethics principles. Last time I checked, promoting pseudoscience and astrology under the banner of independence is not a good idea. 

CAEs should meet with senior management to review internal audit’s assessment, ensure thoroughness and mutual understanding, and discuss the reasons for any significant differences in risk perceptions or ratings.

Ok, that’s just wishful thinking. How do you get an accountant compare notes with a surgeon? That is just an analogy, an illustration. The point I am making is internal auditors have no necessary risk management competencies to understand how risk exposure is calculated, how uncertainty affects decisions or objectives, how risks are correlated, why cVaR should be used for some risks instead of VaR and what role confidence interval plays in risk assessments and lastly, how there is no such thing as an enterprise wide approach to risk assessment, each risk has own risk model and aggregating risks is anything but trivial. 

So you tell me, why would management want to meet and take seriously auditors who come and talk about risks because apparently they need to be independent when planning audits. Would you listen to an auditor’s opinion on heart surgery or vaccination? The biggest lie IIA ever sold business is that auditors understand risk management.  The methodology provided in Appendix D of the Developing the Risk-based Internal Audit Plan, 2020 is an absolute disgrace, Appendix E is nothing short of negligence. 

The following books are listed as references, so I wanted to personally thank these gentlemen for contributing to the destruction of audit and risk management value across the world:

• Wright, Rick A., Jr. Internal Auditor’s Guide to Risk Assessment. 2nd ed. Lake Mary, FL: Internal Audit Foundation. 2018. https://bookstore.theiia.org/the-internal-auditors-guide-to-risk-assessment-2nd-edition.
• Urton L. Anderson, Michael J. Head, Sridhar Ramamoorti, Cris Riddle, Mark Salamasick, and Paul J. Sobel. Internal Auditing: Assurance and Advisory Services, 4th ed. Lake Mary, FL: Internal Audit Foundation. 2017. https://bookstore.theiia.org/internal-auditing-assurance-advisory-services-fourth-edition-2.

The solution – don’t replicate what professionals have already done

My simple answer is use whatever risk information exists within the business. Large shareholders, risk owners and 2nd line know exactly what the risks are.

However, despite IIA “best practice” auditors should start with 2nd line. But what if the auditors don’t trust the 2nd line methodology. Then audit the second line until you trust the methodology. But don’t kid yourself, unless you have mathematicians on the audit team you have zero chance of auditing risk management methodology that the risk team is using. Outsource the audit. What if the risk team is not doing quantitative risk analysis? Well, that’s an easy audit finding right there. Whatever the risk team is doing, it is not risk management, they should upgrade the methodology or be fired. Good risk managers can pretty quickly tell how does market risk cVaR compare to operational risk cVaR and whether cyber or climate are as huge as everyone makes them out to be. Legal, HSE, security, IT have a lot of information about significant risks in their areas of responsibility, but more importantly they know exactly where the weak control areas are. 

The second step is to talk to risk owners. Just like IIA is suggesting. The trouble is that while risk owners know their risks better than anyone, they are also often motivated to hide them and keep them hush hush. IIA forgets to mention that interviewing risk owners is unlikely to produce any meaningful and honest representation of the actual risk exposure, because risk owners are smart and will not bet against their own bonuses. So audit the performance management process and the methodology for calculating KPIs and bonuses before you seriously rely on risk owner input. 

Third step is to talk to the shareholders. It is easier in the private companies, where shareholders tell auditors exactly where to look. In public shareholders are many. And yet, I don’t understand why companies are not using proxy voting at AGMs to ask shareholders about their focus areas for the audit team and the key risks shareholders see. Institutional investors should be involved as well, they often have a solid view on the audit priorities. Didn’t audit want to become truly independent?  Well, here is the chance. 

Engaging external experts for horizon scanning is also a good source of risk information for the audit team. Wouldn’t it be awesome if risk and audit team together organised a horizon scanning or value killers workshop or interviews with external experts. 

Bottom line is auditors are not competent to perform risk assessments, so they have no choice but to rely on 2nd line risk assessments. Many 2nd line risk assessments are also bad, so auditors need to audit the 2nd line risk methodology and help business fix it, if 2nd line is still using qualitative horoscopes. When something is broken, auditors recommend to fix it, not recreate a worse replica of it. 

What else? What did I forget?

Step by step video guide to implementing risk management 1 and 2. Let me know in the comments if this helped you and what would you add to the list.

Despite the fact that risk management is a decision making tool, you should probably get Risk Management I sorted first, to keep the auditors, rating agencies and regulators at bay. It’s RM1, so keep it as simple and as quick as possible, this is less than 10% of the overall effort.

A1. Develop a short risk management policy structured around ISO31000 principles – this one is very easy, just follow the steps below:

• take existing corporate policy template
• take the principles from ISO31000:2018
• build a policy around the principles, keep it short. I think I have an example on my download page.

A2. Develop a very basic risk management framework document, aligned with ISO31000 – same as above, use the ISO31000:2019 to develop a framework document. Stick to the text of the standard as close as possible, don’t reinvent the wheel. Borrow some good sentences from COSO: ERM 2017 as well, just for fun. Claim that the document is aligned with both. Auditors love that.

A3. Identify and fulfil any other regulatory or shareholder requirement regarding risk management – this is also an important step, as many industries have additional risk management requirements, make sure you crossed them all when drafting policy and framework documents.

A4. Develop a high level risk profile, linking key risks to strategic objectives – this is basically a colourful risk register. You can talk to some of the key decision makers, but you really don’t have to. Competitor 10K reports and sample risk registers like the one I have will do the job.

A5. Document risk appetite – did you notice how I put risk appetite after risk profile? This is just to show that RM1 is just window dressing, it doesn’t matter how you do it, it’s not real. You don’t believe me it’s not real, well allow Grant Purdy, one of the creators of the AS/NZS 4360 and ISO31000, share his sobering views. This is a must watch for all risk managers.

When implementing RM2 start with the key decisions

B6. Develop a specific risk analysis methodology for each key decision type – the organisation should implement risk management by:

• identifying where, when and how different types of decisions are made across the organisation, and by whom;
• modifying the applicable decision-making processes where necessary by applying some of risk analysis techniques to the actual decision making process. This will help decision makers make informed and intelligent decisions based on proper risk analysis. Which techniques work and which don’t? I have an article on that.
• ensuring that the organisation’s arrangements for managing risk are clearly understood and practised.

B7. Provide tools to the decision makers or perform risk analysis on key decisions yourself – this is an important step to decide whether the risk team will become a methodology and monitoring centre and the actual risk analysis will be performed by decision makers or the risk team will become the analysis support centre and will perform all risk analysis themselves given the decision makers just the outputs. It’s a complex decision. If the decision makers are not mature, don’t have strong quant skills and are very biased, then risk team must become the analysis support centre and perform all risk analysis. Here is important to work with internal auditors to make sure risk analysis quality is sufficient to support decision making.

This is pretty basic stuff but if decision science is new to you, I recommend reading good books that had all the answers for the last 10+ years.

B8. Change the way uncertainty is accounted for during planning by moving away from single point estimates to ranges. Sam Savage, Executive Director of ProbabilityManagement.org, author of the Flaw of Averages – Why we Underestimate Risk in the Face of Uncertainty, Adjunct Professor in Stanford University’s School of Engineering and a Fellow of the Judge Business School at Cambridge University, will desribe this better than I ever could. Make sure you watch his workshop. It’s free, but places are limited.

B9. Replace traditional scenarios run by finance with more sophisticated risk modelling.

B10. Use simulations to change how KPIs and performance targets are calculated and how performance against them is measured.

It is important to make sure roles and responsibilities reflect risk-based decision making:

• C11. Update existing position descriptions to include responsibility for risk-based decision making, planning and performance management
• C12. Update existing committee charters to include responsibility for risk-based decision making, planning and performance management

Most staff do not have risk management training and unable to adequately consider uncertainty when making decisions:

• C13. Provide risk-based thinking training to decision makers. I have numerous courses for that online and offline at the https://riskacademy.blog.
• C14. Include risk management competencies into existing business training programs. Over the years I have discovered that it is actually much better to make every training course that HR department runs a little bit risk-based than do a standalone big risk training.

A series of workshops talk a lot more about what and how to train decision makers.

Need to establish clear communication channels. Here are some ideas:

• C15. Set up and become a secretary for the Risk Committee
• C16. Present risk related topics at every corporate speaking opportunity
• C17. Include risk management topics on the meeting agendas
• C18. Write risk management speeches for executives at every opportunity
• C19. Participate in corporate events and run own risk competitions

It is important to provide transparency through disclosure as well:

• C20. Disclose information about risk-based decision making in the annual report
• C21. Disclose information about risk-based decision making on the corporate intranet
• C22. Disclose information about risk-based decision making on the corporate website

Risk management requires special competencies

• D23. Develop quantitative skills
• D24. Develop soft skills
• D25. Develop a strong understanding of the nature of the business and the specifics of decision making within the organisation.

Here is my article on the competencies risk managers in non-financial companies mus have.

Risk management 2 requires tools beyond common GRC systems

• D26. Invest into proper modelling tools. There are plenty of RM2 systems on the market and some are actually amazing.
• D27. AutomateRM1 if possible. Archer Insight combines RM1 and RM2 quant functionality, which is actually quite rare to kill both birds with one stone.

Networking should be a big part of team development

• D28. At every opportunity meet and exchange ideas with other global risk managers
• D29. Quickly separate RM1 from RM2 risk experts. Spend your time interacting with RM2 risk managers and experts, don’t waste time on RM1 gurus. I have a whole list of RM2 experts.

And finally…

30. Have fun and if you are not having fun doing the above, if the management is blocking any attempt to improve decision making, start looking for a better more rewarding job.

Alex joined the fertilizer company just under 2 years ago and has since focused on proactive and effective risk management designed to reduce volatility in company performance, improve decision-making and strengthen corporate culture. Under Alex’s leadership the fertilizer company risk management has become integrated into the day-to- day management and operation of the business, risk management now guides corporate decision-making and forms an integral part of company culture.

The introduction of quantitative risk analysis changed how investment decisions are prepared and discussed at the Board (stochastic stress tests and NPV@risk), how insurance decision are made (loss exceedance curves, claims probability distributions), how performance is measures and businesses are remunerated (risk-adjusted net margins, risk capital charges), how large IT projects are implemented (cost and schedule quant risk analysis), how pricing and accounts receivables is managed (cVaR), how compliance issues are identified and managed (stochastic decision trees), limiting market risk exposure (VaR, limits, stop losses), how HSE risks are quantified and mitigated (stochastic risk models) and so on.

The fertilizer company has became home for some of the most advanced quant risk analysis in non financial companies. This risk maturity has contributed significantly to both company financial performance and the reduction in risk mitigation costs, for example the cost of insurance has been reduced by $10+ million year to year, without changes to deductibles or other changes in the quality of coverage, if anything the quality of insurance coverage has increased.

Alex’s work helped the company to recognize that making business decisions involves taking calculated risks, and correctly assessing these risks is fundamental to delivering long-term value to our shareholders and meeting our commitments to other stakeholders. Over the last 12 months Alex’s team has made significant progress in integrating quantitative risk analysis into decision making. Key business processes have been updated to make sure risks are identified and their effects assessed, mitigated and transparently communicated when making material decisions. This allowed the fertilizer company to proactively respond to COVID-19 and minimize potentially adverse effects on company personnel, supply chains, liquidity and customers.

https://2022.riskawarenessweek.com/talks/how-to-quantify-risks-for-insurance-purposes-and-save-a-lot-of-money/

Alex Sidorenko is an experienced executive across strategic, investment and operational risks and insurance working within multibillion dollar corporations in Australia, GCC and Europe. Successfully implemented changes to quantitative risk analysis, risk-based decision making and neuroscience.

Saved more than $13 million per year in premiums on cargo and PD/BI insurance through industry leading quantitative risk analysis without changing deductibles or limits. Successfully presenting corporate risk profile at the Ministry of finance and helping secure more than $1B in extra funding.

Author of the most popular free risk management book in the world, more than 150K downloads in 3 languages. Risk manager of the year, FERMA, 2021, Honourable mention 2021, RIMS. Risk manager of the year, RUSRISK, 2014, Best ERM Implementation, RUSRISK, 2014, Best risk management training, RUSRISK, 2013, 2014, 2015, finalist in risk management awards in 2018 and 2019.

Mitigating Risk is often thought of in terms of IT safety. However, it applies to many different areas of operation, manufacturing etc. Considering risk properly is particularly important. But just assessing risk is not sufficient. To have impact we need to make a Decision (or Decision Policy) to change the course of the risks. In this webinar we will look at the basics of Risk Management uncertainty, the analysis of the risks, mitigation and how do deal with uncertainty in some of our assessments.

https://2022.riskawarenessweek.com/talks/measuring-the-effect-from-risk-mitigation/