Two experts, one stage, zero patience for bad risk management. At Risk-!n 2025, a CRO and a professor exposed the most common mistakes – and how to fix them.
At Risk-!n 2025, a scientist and a chief risk officer took the stage to debate what actually works in corporate risk management.
Professor Stefan Hunziker, from Lucerne School of Business, brought the academic firepower. Alexander Hilsbos, CRO of Switzerland’s largest university hospital, brought the operational grit.
Together, they delivered a sharp, funny, and at times brutally honest teardown of the industry’s most persistent failings.
Here are the top misconceptions they identified:
1. Believing risk management is indispensable
Many organisations see risk management as a box-ticking function, reassuring, ever-present, but not integral to actual decisions. Hunziker challenged the audience to imagine a world where the risk team vanishes overnight. Would anything break? Would anyone notice?
He said: “Imagine risk management is literally switched off overnight in your organisation… In many companies, nobody would even notice.
“Why? Because this person may be totally decoupled from decision making.”
Hilsbos conceded that things might look normal at first: “Production will still continue… we will still be able to render services and… people will show up for work every day.”
But over time, he warned, “a Wild West risk culture would creep in… When people don’t feel the pressure that they need always to balance risk and rewards and opportunities, they will… start shooting from the hip.”
Their point wasn’t that risk management is irrelevant, but that it needs to be visibly tied to outcomes. If its absence wouldn’t cause alarm, that’s a sign it may not be truly integrated into how decisions are made.
2. Treating risk maps like a safety net
The humble heatmap remains a favourite in corporate risk reporting, but its simplicity can be misleading. Hunziker and Hilsbos agreed it often gives executives false confidence, encouraging a shallow or distorted view of risk.
Both speakers agreed: the heatmap has had its day. Hilsbos warned that risk maps create “an illusion of control and the illusion of comparability” and said that continuing to use them is “an institutionalised way of lying to management… because there are so many things you’re not telling them.”
Meanwhile, Hunziker called them outright dangerous. “Bubbles are the biggest risk in the company,” he said. “Risks are distributions or ranges, not just a bubble.”
The takeaway? Heatmaps feel safe, but they oversimplify. Replacing them with more nuanced representations, such as ranges and scenarios, can make risk discussions more realistic and action-oriented.
3. Reporting averages instead of uncertainty
Summarising risk as a single number might seem efficient, but it hides the complexity of uncertainty. Both speakers argued that risk managers should instead use distributions and ranges to more accurately reflect unknowns.
However, they cautioned that the conclusions drawn then need to be put in context and brought to life – especially when talking to the senior board or management committee.
Hunziker said: “Quantification definitely earns respect… but you have to combine it with good narratives.”
And Hilsbos asked: “Do you really want to lecture the board members on mathematics and statistics and integral calculus?” He added: “I’m not so sure. It’s a bit over the top for many in our audience.”
The solution? Blend rigour with relevance. As Hunziker said: “It’s the blend of both – soundly quantified risks combined with narratives – that makes risk management useful.”
In other words, credibility comes not just from the maths, but from communicating uncertainty in a way decision-makers can relate to, and act on.
4. Assuming decision-makers behave rationally
Risk management still clings to rational models that assume people weigh options logically. But as the speakers pointed out, real decisions are messy, emotional and made under pressure, often with incomplete information.
Hilsbos criticised the idea that people make rational decisions as unrealistic: “We can safely ignore from now on this concept.” Instead, he suggested embracing heuristics and bounded rationality. “The future is already here,” he said. “It’s just unevenly distributed.”
Hunziker agreed. “Enter the psychologists,” he said. “Decision-making under uncertainty is the key word here.”
The conclusion was clear: risk managers must move beyond theoretical models and start helping leaders make better choices in real-world complexity.
5. Thinking risk analysis doesn’t require technical skill
There’s a growing temptation to downplay the role of statistics in favour of soft skills. But Hunziker was clear: technical fluency matters. Without it, risk management loses its credibility and power to influence.
“I’ve heard so many arguments that say, we do it without statisticians, or we do without math,” said Hunziker. “It’s just not possible.”
Basic statistical and probabilistic thinking, they argued, is fundamental for anyone supporting decision-making under uncertainty. Being able to understand and communicate probabilities isn’t optional; it’s core to the job. Without it, risk professionals are flying blind.
6. Detaching risk from decisions
Despite all the talk of integration, risk is still often disconnected from strategy. Hunziker criticised the theatre of risk workshops and registers that never reach decision-makers. The solution, he argued, is tying risk directly to business objectives.
“Has a risk register ever informed a strategic decision?” asked Hunziker. “In most cases, the answer is just no… There is a very weak or immature risk culture at play.”
Too often, risk and strategy are discussed on different days by different people. Until risk insights influence the timing, structure and substance of decisions, risk management will struggle to be taken seriously at the top table. “On Tuesdays, usually decisions are made… and on Thursdays risk workshops take place,” he joked. “A total isolation… they just work only in silos.”
Hilsbos warned that this disconnect isn’t just procedural, it’s cultural. “It’s not just the lack of the function per se… it would negatively impact the company’s culture,” he said.
What now?
For all the flaws, the message was ultimately hopeful. “Everything is already here,” Hunziker said. “We just have to assemble it and use it.”
His final point was simple but powerful: “Risk management without science is not worthwhile… Embrace science as the foundation for sound risk management.” Or as Hilsbos put it: “Don’t tire of explaining these advanced concepts… it eventually sinks in and your audience will appreciate these insights.”