The Hidden Threat of the Risk Manager

In today’s evolving landscape of organizational governance, the role of the risk manager is more crucial than ever. Risk managers are tasked with identifying, assessing, and mitigating risk to ensure an organization’s continued success and compliance. Their responsibilities include monitoring potential threats, designing risk management frameworks, and advising leadership on potential dangers. In an increasingly complex business environment, their role is indispensable. However, the paradox in risk management is that the individuals responsible for safeguarding against risk can sometimes become the most significant risk to the organization.

The idea that the greatest risk in risk management could be risk managers themselves challenges the conventional belief that a risk manager is always a safeguard. This notion highlights the potential pitfalls when a risk manager’s biases, limitations, or actions inadvertently introduce or amplify risk rather than mitigate it. Organizations must recognize this risk and implement mitigation measures to maintain the effectiveness of their risk management processes.

The Nature of Cognitive Biases

Cognitive biases are systematic patterns of deviation from rationality in judgment.¹ They can affect risk managers by distorting their perception of risk, leading to decisions based on incomplete or flawed information. For example, one form of cognitive bias, confirmation bias, occurs when a risk manager favors information confirming their pre-existing beliefs while disregarding evidence that may contradict that belief.

Scenario—Confirmation Bias in a Financial Risk Assessment
Imagine a risk manager employed by a financial institution who is convinced that a particular investment has low risk due to its past performance. Despite emerging data suggesting increasing market volatility, the manager focuses on reports that support the continued stability of the investment. The risk manager’s confirmation bias can lead to them underestimating risk, resulting in significant financial losses for the organization.

Mitigating Biases
Organizations can mitigate bias by implementing structured risk assessment frameworks that require diverse inputs and perspectives. These frameworks should include cross-functional collaboration, data-driven risk-scoring models, automated risk assessment tools, scenario analysis, and continuous monitoring.

Encouraging risk managers to consult with colleagues from different departments can counteract individual biases by broadening the scope and can provide a more balanced view of potential risk.

The Impact of Insufficient Knowledge

Risk management is a complex field that requires a deep understanding of industry-specific threats, regulatory requirements, and emerging risk.² A risk manager lacking expertise in these areas may fail to identify critical risk or underestimate their potential impact. Consequently, this deficiency could result in inadequate mitigation strategies and increased risk exposure.

Scenario—Cybersecurity Risk in a Healthcare Organization
Consider a healthcare organization where the risk manager has limited knowledge of cybersecurity. This manager might overlook vulnerabilities in the organization’s IT systems, such as outdated software or weak passwords. Due to these gaps in the risk manager’s knowledge, the organization could potentially face severe consequences when a cyberattack occurs, including data breaches, financial losses, and reputational damage.

Enhancing Expertise
Organizations should invest in continuous professional development for their risk managers to address any knowledge gaps. This investment could encompass specialized programs such as enterprise risk management (ERM) workshops, operational risk management courses, and cybersecurity risk fundamentals training. Staying up to date with industry trends such as environmental, social, and governance (ESG) risk management, third-party risk management, and emerging technologies such as artificial intelligence (AI) ensures that risk managers are prepared for the evolving risk landscape.

Organizations should encourage risk managers to network and connect with a wide range of professionals, as collaboration with external experts can provide additional insights and enhance the organization’s overall risk management capabilities.³

The Importance of Clear Communication

Effective communication is essential in risk management.⁴ Risk managers must convey complex risk information to stakeholders in a clear and concise manner.⁵ Communication failures can lead to misunderstandings, delayed responses, and inadequate risk mitigation measures.

Scenario—Poor Communication During a Supply Chain Disruption
Imagine a global manufacturing company facing a supply chain disruption due to a natural disaster. The risk manager identifies the risk but fails to communicate the severity and potential impact to the senior management team. As a result, the company delays implementing contingency plans, leading to production halts, missed deadlines, and significant financial losses.

Improving Communication Skills
Risk managers can improve their communication skills by practicing clear and concise reporting, focusing on delivering key messages without unnecessary jargon. They can leverage data visualization tools such as Tableau and Power BI to transform complex risk data into accessible dashboards, charts, and infographics. Regular stakeholder updates via presentations, emails, and dynamic reports help ensure alignment and transparency. Additionally, participating in communication workshops, seeking feedback on delivery, and engaging in cross-functional meetings can sharpen communication skills over time.

Organizations can foster a culture of open communication by establishing collaborative channels through platforms such as Microsoft Teams, Slack, and other dedicated forums where employees can ask questions and share concerns. Leaders should demonstrate open communication practices and encourage proactive information sharing to set a positive tone. Implementing clear communication protocols for risk reporting, such as scheduled risk reviews and check-ins, ensures that critical information flows seamlessly between departments.

The Risk of Stagnation

In today’s fast-paced business landscape, risk evolves constantly and can emerge unexpectedly. This risk is fueled by technological innovations, regulatory changes, and shifting market dynamics. A risk manager who is resistant to change or overly reliant on traditional methods may fail to recognize and address emerging risk, leaving the organization vulnerable to threats.⁶

Scenario—Ignoring Technological Advancements in Risk Management
Consider a risk manager in a financial organization who relies solely on manual risk assessments, ignoring new technologies such as artificial intelligence (AI) and machine learning (ML) that can provide more accurate and timely risk predictions. The manager may miss critical insights by resisting these advancements, leading to suboptimal decision making and increased risk exposure.

Embracing Innovation
Organizations should encourage a culture of innovation and continuous improvement in risk management practices to overcome resistance to change. This could involve adopting new technologies such as AI and ML, which have demonstrated value in proactive fraud prevention. For example, JPMorgan Chase utilizes AI models through its in-house OmniAI platform to analyze transactions and detect anomalies in real time, helping prevent fraud before it occurs.⁷ The platform supports faster AI deployment across business units and ensures security for sensitive data. By enhancing fraud detection and reducing operational costs, OmniAI has helped JPMorgan stay ahead of emerging threats without compromising customer experience.

Providing training on the latest tools and techniques ensures that risk managers remain agile and equipped to meet emerging challenges. By embracing innovation, organizations can better anticipate and mitigate risk, strengthening operational resilience. Risk managers should be open to learning and adapting to new approaches to enhance the organization’s ability to manage risk effectively.

The Dangers of Overconfidence

Overconfidence can lead risk managers to underestimate risk complexity or severity, resulting in inadequate preparation and response.⁸ This psychological bias can be particularly dangerous when it leads to a false sense of security, causing the organization to neglect necessary precautions.⁹

Scenario—Underestimating a Regulatory Compliance Risk
Imagine a risk manager who is highly confident in their understanding of regulatory requirements. This confidence leads them to dismiss concerns about a new regulation that could impact the organization’s operations. As a result, when the regulation is enforced, the organization may be caught unprepared, potentially facing fines, legal action, and operational disruptions.

Cultivating Humility
To address overconfidence, organizations can encourage risk managers to challenge their assumptions and seek feedback from colleagues regularly. Conducting scenario planning and stress testing systems and procedures can also help risk managers recognize potential gaps in their assessments and prepare for a broader range of outcomes. Additionally, fostering a culture where admitting uncertainty is accepted can lead to more thorough and cautious risk management practices. Five steps can be taken to get started on this journey:

1. Lead by example. Leadership must set the tone by openly acknowledging uncertainties and limitations in decision making. When leaders demonstrate vulnerability, it sends a powerful message that admitting uncertainty is a strength, not a weakness, fostering trust throughout the organization.
2. Normalize discussions around uncertainty. Integrate questions such as “What don’t we know?” or “What assumptions are we making?” into daily meetings and reports. This encourages teams to think beyond what is known, making it easier to identify blind spots early and improving the overall decision-making process.
3. Provide psychological safety. Creating an environment where employees feel safe expressing doubts or raising concerns without fear of criticism is essential. When feedback is welcomed openly and without blame, trust grows, and individuals are more likely to share potential risk or uncertainties.
4. Incorporate scenario planning and pre-mortem exercises. Use stress tests and pre-mortem activities to proactively explore what could go wrong. These exercises shift the focus from predicting outcomes to preparing for various possibilities, helping teams manage uncertainty more effectively.
5. Reward transparency. Recognize and reward employees who openly highlight gaps, assumptions, or uncertainties. Positive reinforcement reinforces the idea that transparency is valued, encouraging more honest conversations and better organizational risk management practices.

The Ethical Dimension of Risk Management

Risk managers often face ethical dilemmas, such as balancing short-term profits against long-term sustainability or prioritizing stakeholder interests over regulatory compliance. Ethical lapses can lead to decisions that compromise the organization’s integrity and expose it to legal and reputational risk.¹⁰

Scenario—Ethical Dilemma in Environmental Risk Management
Consider a risk manager in a manufacturing company who is pressured to downplay the environmental risk associated with a new product line. By succumbing to this pressure, the manager allows the product to go to market without adequate safeguards. When environmental damage occurs, the organization may face public backlash, regulatory fines, and a tarnished reputation.

Upholding Ethical Standards
To mitigate ethical risk, organizations should establish clear ethical guidelines and provide risk managers with training on ethical decision making. Regularly reviewing risk management decisions through an ethical lens and involving external auditors in the process can help ensure that ethical considerations are prioritized. Creating an environment where ethical concerns can be openly discussed without fear of retaliation is also crucial for maintaining the integrity of the risk management process.

The Value of Checks and Balances

Checks and balances are critical in ensuring that no single individual or group has unchecked power to make risk management decisions. Regular audits, peer reviews, and independent assessments can help identify potential biases, errors, or ethical concerns in the risk management process.

Scenario—Independent Review of Risk Assessments
A multinational corporation implements a policy of independently reviewing all major risk assessments by a third-party consulting firm. This ensures that risk assessments are thorough, objective, and free from internal biases or conflicts of interest.

Establish a Governance Framework
Organizations can create a robust governance framework that includes clear roles and responsibilities, regular audits, and oversight by senior management or a third party. This framework should be designed to ensure accountability and transparency in all aspects of risk management.

The Benefits of Diverse Perspectives

Diverse perspectives can lead to more innovative and effective risk management strategies. Encouraging diversity in risk management teams, including gender diversity, background, experience, and expertise, can help the organization identify potential risk areas that a more homogenous group might overlook¹¹ Furthermore, diverse perspectives can result in more comprehensive risk assessments and help foster innovative solutions to complex challenges.

Scenario—Diversity in Decision Making
Consider a scenario where a risk management team is evaluating a new market entry. The team comprises individuals with different cultural backgrounds, genders, and professional experiences. Each team member brings unique insights on topics such as geopolitical risk, regulatory issues, and market dynamics. The team’s unique perspectives allow it to develop a more nuanced risk assessment and a robust entry strategy that accounts for various potential challenges.

Promoting Diversity
Organizations can encourage diversity of thought by actively recruiting and promoting individuals from diverse backgrounds and experiences. Additionally, employing an inclusive culture where all voices are heard and valued can ensure that diverse perspectives are effectively integrated into risk management decisions.¹²

Practices that help drive inclusivity and embed diverse perspectives into decision-making processes include:

• Inclusive leadership development programs—Train leaders to recognize and mitigate unconscious biases, fostering leadership that encourages diverse viewpoints.
• Decision-making frameworks—Use tools such as a responsible, accountable, consulted, informed (RACI) matrix¹³ or risk governance model to gather and evaluate diverse inputs systematically.
• Reverse mentoring programs—Pair senior leaders with less experienced employees to gain fresh perspectives and understand challenges faced by underrepresented groups.
• Surveys and pulse checks—Collect feedback on culture, strategy, and risk processes through employee surveys and pulse checks to ensure all voices are represented in decisions.

Conclusion

Organizations must recognize that risk can be introduced even by those tasked to manage it. A risk manager’s biases, lack of expertise, communication failures, resistance to change, overconfidence, and ethical lapses can introduce or amplify risk. By understanding and addressing the risk posed by risk managers, organizations can significantly enhance the effectiveness of their risk management practices.

To safeguard against the risk posed by risk managers, organizations must commit to continuous improvement in risk management practices. This includes investing in professional development, fostering open communication and collaboration, implementing rigorous checks and balances, and promoting diversity. By doing so, organizations can ensure that their risk management teams are effective not only in identifying and mitigating risk but also in avoiding the pitfalls that could turn them into a liability.

Organizations must critically assess their current risk management practices and take proactive steps to address the potential risk posed by risk managers. This may involve implementing new training programs, adopting innovative risk assessment tools, or revisiting the organization’s ethical guidelines. By taking these actions, organizations can strengthen their overall risk management framework and enhance their resilience in the face of emerging threats.

Ultimately, the key to successful risk management lies in balancing technology’s strengths with the insights and judgment of experienced risk managers. By addressing the inherent risk posed by risk managers themselves, organizations can build a more resilient risk management framework capable of navigating the challenges of an increasingly uncertain world.

Endnotes

¹ Emmons, D.L.; Mazzuchi, T.A.; et al.; “Mitigating Cognitive Biases in Risk Identification: Practitioner Checklist For the Aerospace Sector,” vol. 25, iss. 1, 2018, p. 52-93
² RIMS, “Tracking the Untrackable: Taking a Proactive Approach to Emerging Risks,” 4 June 2024
³ ISACA^®, State of Cybersecurity 2024, 1 October 2024
⁴ Consultancy.eu, “Why Communication is Key for Effective Risk Management,” 13 April 2021
⁵ Ellis, L.D.; “The Need for Effective Risk Communication Strategies in Today’s Complex Information Environment,” Harvard School of Public Health, Massachusetts, 5 January 2028, USA
⁶ Marsh&McLennan Insights, From Risk to Strategy: Embracing the Technology Shift, 2019
⁷ JPMorgan Chase, “Omni Means “All”
⁸ Adam, T.; Fernando, C.S.; et al.; “Managerial Overconfidence and Corporate Risk Management,” Journal of Banking & Finance, vol. 60, 2015, p. 195-208, 
⁹ Tamplin, T.; “Overconfidence Bias,” Finance Strategists, 4 July 2023
¹⁰ Disparte, D.; “Simple Ethics Rules for Better Risk Management,” Harvard Business Review, 8 November 2016
¹¹ Nikolaou, J.; “The Intersection of Risk Management and DEI,” Forbes, 2 November 2022
¹² Alho, H.; “Embracing Diversity: Enhancing Your Risk Management,” Tietoevry, 28 June 2024
¹³ Miranda, D.; Watts, R.; “What Is A RACI Chart? How This Project Management Tool Can Boost Your Productivity,” Forbes, 4 June 2024

SUBRAT MISHRA | CISM, PMP

Is a reporting and data insights lead with more than 10 years of experience, specializing in data analytics, governance, risk, and compliance (GRC), and project management. He empowers organizations to make data-driven strategic decisions through automated reporting solutions and actionable insights. Mishra’s career has spanned leadership roles in top-tier organizations including Barclays, Atos, and Wipro. His work in the risk and control area has involved establishing governance models, automating reporting processes, and strengthening risk management frameworks.