Traditional risk management doesn’t just fail to protect value — it erodes it through overpayment, volatility, and missed opportunities. Companies pour billions globally into risk registers, policies, and committees, yet these tools do nothing to reduce cash-flow volatility from preventable events like supply-chain shocks, cyber incidents, or operational failures. Instead of turning risk into a profit engine, the process sustains “chaotic volatility” that scares off cheap capital and caps growth. These concepts, models, tools and frameworks, whilst once useful, have become rigid, bureaucratic and misapplied, preventing organisations from addressing risks dynamically and pragmatically. Traditional methods might satisfy regulators, but optimisation drives real competitive advantage; let the dead horses R.I.P.
The 7 dead horses of risk management:
- 3 Lines of Defense / 3 Lines model
Originally designed to clarify roles, this model creates structural silos that paralyse organizational agility.
• Why it’s a dead horse: It fosters an “us vs. them” mentality. The First Line (operations) views the Second Line (risk/compliance) as internal police or a bottleneck, leading to hidden risks and malicious compliance. The Third Line (audit) arrives long after the damage is done to perform an autopsy.
• The Modern Reality: Risk cannot be managed in sequential boundaries. In a fast-paced environment, every employee must be a risk manager in real-time. Splitting risk ownership from operational execution ensures that risk management remains an administrative afterthought rather than a core component of decision-making.
- Risk registers
The risk register is where good risk management goes to die. It is a static, backward-looking compliance exercise.
• Why it’s a dead horse: Risk registers are typically massive spreadsheets filled with hundreds of fragmented, unquantified risks. They treat risks as isolated, static events rather than dynamic, interconnected variables. By the time a risk register is compiled, debated, and approved, the external environment has already changed, rendering the data obsolete.
• The Modern Reality: Management needs dynamic, forward-looking insights that look at the whole picture, not a laundry list of chores. Registers encourage a “check-the-box” mentality, focusing energy on managing the list rather than optimizing business performance and navigating uncertainty.
- Heatmaps
The colourful 5 by 5 matrix is arguably the most damaging tool in modern corporate governance because it provides a false sense of scientific precision.
• Why it’s a dead horse: Mathematically, heatmaps are deeply flawed. They suffer from “range compression” and “sub-optimal resource allocation,” meaning vastly different risks end up in the same yellow or red squares based on subjective, arbitrary definitions of “likelihood” and “impact.” They cannot handle compounding risks or calculate the actual financial/operational velocity of a risk event.
• The Modern Reality: Colouring a square red does not help an executive make a strategic trade-off. Modern risk management requires quantitative metrics, scenario analysis, and a focus on risk optimization—understanding how taking specific risks drives strategic value—rather than plotting subjective opinions on a colourful grid.
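To make the “range compression” point above concrete, here is a small added illustration (not part of the original article): it scores a handful of constructed risks the way a conventional 5 by 5 heatmap does and compares that with their annualised expected loss. The likelihood and impact bands, the risk names and every probability and loss figure are assumptions chosen for the example, not data from any real organisation.

```python
"""Added example: how a 5x5 heatmap compresses quantitatively different risks.

All bands and risks below are constructed for illustration.
"""
from dataclasses import dataclass

# Ordinal bands as a typical heatmap defines them (assumed): (low, high, score).
LIKELIHOOD_BANDS = [
    (0.00, 0.05, 1),
    (0.05, 0.20, 2),
    (0.20, 0.50, 3),
    (0.50, 0.80, 4),
    (0.80, 1.01, 5),
]
IMPACT_BANDS = [  # loss in currency units
    (0, 100_000, 1),
    (100_000, 1_000_000, 2),
    (1_000_000, 10_000_000, 3),
    (10_000_000, 100_000_000, 4),
    (100_000_000, float("inf"), 5),
]


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # chance the event occurs within a year
    loss_if_occurs: float      # financial loss when it does


def band(value, bands):
    """Map a continuous value onto its ordinal heatmap score."""
    for low, high, score in bands:
        if low <= value < high:
            return score
    raise ValueError(f"value {value} outside all bands")


def heatmap_cell(risk):
    """(likelihood score, impact score) - the square the risk is plotted in."""
    return (band(risk.annual_probability, LIKELIHOOD_BANDS),
            band(risk.loss_if_occurs, IMPACT_BANDS))


def heatmap_score(risk):
    """The usual ordinal product used to colour and rank cells."""
    likelihood, impact = heatmap_cell(risk)
    return likelihood * impact


def expected_loss(risk):
    """Annualised expected loss: probability x loss."""
    return risk.annual_probability * risk.loss_if_occurs


def rank_by_heatmap(risks):
    """Names ordered by heatmap score, highest first (ties broken by name)."""
    return [r.name for r in sorted(risks, key=lambda r: (-heatmap_score(r), r.name))]


def rank_by_expected_loss(risks):
    """Names ordered by expected loss, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: -expected_loss(r))]


def range_compression(risks):
    """Per cell, the ratio of the largest to the smallest expected loss it hides."""
    by_cell = {}
    for r in risks:
        by_cell.setdefault(heatmap_cell(r), []).append(expected_loss(r))
    return {cell: max(v) / min(v) for cell, v in by_cell.items()}


# Constructed sample portfolio (hypothetical values).
RISKS = [
    Risk("A", 0.21, 1_100_000),    # just inside the yellow (3,3) square
    Risk("B", 0.49, 9_900_000),    # same square, ~21x the expected loss
    Risk("C", 0.04, 95_000),       # green corner
    Risk("D", 0.85, 50_000),       # frequent but cheap
    Risk("E", 0.06, 50_000_000),   # rare but severe
]

if __name__ == "__main__":
    for r in RISKS:
        print(r.name, heatmap_cell(r), heatmap_score(r), round(expected_loss(r)))
    print("heatmap order:      ", rank_by_heatmap(RISKS))
    print("expected-loss order:", rank_by_expected_loss(RISKS))
    print("spread inside cells:", range_compression(RISKS))
```

Risks A and B land in the same square and receive the same score, yet B’s expected loss is about 21 times A’s; meanwhile the heatmap ranks A above E although E’s expected loss is more than ten times larger. That is the mis-allocation the text describes: the grid ranks by square, not by exposure, and a square cannot express a 21-fold difference.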
- RCSAs / CRSAs
RCSAs rely heavily on the flawed assumption that people can objectively and accurately assess their own risks and the effectiveness of their own controls.
• Why it’s a dead horse: They are plagued by inherent cognitive biases (such as confirmation bias and optimism bias) and political manoeuvring. Managers naturally tend to rate their controls as “effective” to avoid scrutiny or budget penalties. The process consumes thousands of collective hours filling out subjective questionnaires that yield highly unreliable, defensive and useless data.
• The Modern Reality: Instead of asking people how they feel about their controls, organizations need a digital risk nervous system—continuous, automated indicators and operational data that reflect reality in real-time, completely independent of human bias or fear of blame.
- RAG ratings
Much like heatmaps, RAG ratings oversimplify complex, nuanced operational and strategic realities into a childish color code.
• Why it’s a dead horse: RAG ratings invite manipulation. Project managers and risk owners routinely game the system, keeping projects “Green” or “Amber” until the very last moment when a collapse is inevitable (the “watermelon effect”: green on the outside, red on the inside). They lack granular data, obscure the actual scale of exposure, and fail to show trends or velocity.
• The Modern Reality: Strategic decision-making requires data-driven thresholds, probabilistic outcomes, and clear directional trends. A simple colour cannot communicate the volatility of an operational environment or the subtle shifts in culture that signal impending failure.
- ISO 31000 / COSO
These heavyweight, standardized frameworks treat risk management as a standalone, rigid architecture rather than an organic part of organizational culture.
• Why it’s a dead horse: They promote a one-size-fits-all, bureaucratic process focused on establishing elaborate terminology, committees, and policies. Organizations spend millions aligning with COSO or ISO standards, resulting in a mountain of paperwork but no measurable improvement in decision-making agility or resilience during a crisis.
• The Modern Reality: Frameworks don’t manage risk; people do. Modern management requires a focus on risk culture and behavioural change. Risk management must be seamlessly baked into existing strategic planning and daily execution, completely discarding the rigid, generic structures that look good on paper but fail in practice.
- GRC
While intended to integrate assurance functions, traditional GRC has evolved into an expensive IT repository designed to automate the bad habits of the previous six dead horses.
• Why it’s a dead horse: Risk sandwiched between Governance and Compliance is a recipe for disaster and misrepresents its true strategic function. Most GRC platforms are glorified document management systems. They force organizations into a compliance-first straitjacket, focusing heavily on internal policies, audit trails, and regulatory mapping. They are built for controllers and auditors, not for front-line decision-makers who need to navigate market uncertainties.
• The Modern Reality: GRC systems capture the bureaucracy of risk, not the heart of risk. Real risk management is integrated, conversational, and culturally embedded. It relies on agility, transparent communication, and thinking differently about uncertainty, none of which can be achieved by forcing employees to log into a clunky, compliance-heavy software interface.
Shift to the Future
Continuing to flog these seven dead horses keeps organizations reactive, slow, and blind to true strategic threats. To fulfil its true strategic purpose, the Risk Function must maintain absolute structural and intellectual independence. This is not about isolation, but about objective authority with a focus on adding value through the effective optimisation of risk to build sustainable competitive advantage. Modern risk management is not about avoiding or mitigating every potential hazard through administrative checklists; it is about building a culturally resilient organization that understands the whole picture, empowers every employee to be an active sensor, and uses risk as a tool for proactive optimization.
Highly insightful article for strategy makers, board members and senior professionals.