New Risk Academy guides explore some of the biggest mistakes risk managers commonly make and how to avoid them


In an ever-changing business environment, organisations face myriad challenges and uncertainties.  

This means that the role of a risk manager is constantly evolving, as are the tools, techniques and strategies at their disposal.


To help navigate this increasingly complex world, Risk Academy has released a series of guides designed to help risk managers do their jobs more effectively.

The 'Being a Risk Manager' guide provides essential knowledge and best practices, including some of the common mistakes risk managers make, and offers practical solutions to overcome them.

Here are four key errors to avoid.

1) Using methodologies that make decisions worse

Risk managers sometimes employ qualitative methodologies, such as heatmaps, which can lead to suboptimal decision-making outcomes.

While these methods may be simpler and easier to understand, they often add significant error to the decision, making them worse than not doing any risk analysis at all.

Some of the key critiques of heatmaps include:

  • Inaccurate representation of risk: Heatmaps use arbitrary categories and color-coding to represent risk levels, which can oversimplify complex risk issues and create a false sense of security (Cox, 2008).
  • Loss of information: Aggregating risks into categories often results in a loss of important details and context, making it difficult to prioritise risks effectively (Hämäläinen, 2017) and creating the flaw of averages (Savage, 2009).
  • Subjectivity: Qualitative methods, such as heatmaps, rely heavily on subjective judgments and assumptions, which can introduce biases and inconsistencies in risk assessment (Hubbard, 2009).

What risk managers can do:

To avoid these pitfalls, risk managers should consider incorporating more quantitative and data-driven approaches into their risk management processes. This can help support better decision-making.

2) Focusing on too many risks at a high level

A common mistake risk managers make is trying to address too many risks at a high level without deep diving into the specifics.

This can result in a lack of focus on the most critical risks and insufficient mitigation strategies.

What risk managers can do:

To avoid this mistake, risk managers should prioritise risks based on their exposure and effect on objectives, dedicating the necessary time and resources to address the most significant risks in great detail.

3) Not viewing decision makers as risk managers

Risk management should not be confined to a specific department or group of experts within an organisation.

Instead, risk management principles should be instilled across the organisation, with every decision-maker equipped to assess and manage risks within their area of responsibility.

What risk managers can do:

To avoid creating a risk management silo, risk managers should work to build a risk-aware culture by providing training, resources, and support to decision-makers across the organisation, empowering them to take risks effectively.

4) Ignoring core risks for the sake of new "sexy" risks

It can be tempting for risk managers to focus on new, high-profile risks that grab headlines, such as emerging technologies or geopolitical uncertainties. However, this can lead to the neglect of core risks, which may pose a more significant threat to the organisation’s objectives.

What risk managers can do:

To avoid this mistake, risk managers should maintain a balanced approach, addressing both new and emerging risks as well as core risks.

The guide covers several other key areas risk managers should consider. These include:

  • Having the wrong risk team skillset: Delving into the importance of understanding human decision-making in uncertain situations, corporate finance, probability, forecasting, risk modeling, laws, standards, regulations, business acumen, and computer science and data analysis.
  • Poor relationships and collaboration: Focuses on engaging with internal and external stakeholders, such as executives, managers, employees, regulators, auditors, and insurers, and how to develop a network of risk management professionals.
  • Slow integration into business: Examines how to align strategies with risk appetite, support informed decision-making, and demonstrate the value of risk management to the organisation.
  • Ignoring organisational politics: Tackles the challenges and politics within an organisation and how they can impact risk management initiatives.

Read the full guide here.