In the digital age, “playing it safe” to avoid risk is a risk in itself, as it can lead to stagnation and loss of relevance in a rapidly changing world. Jim DeLoach of Protiviti examines 14 established risk oversight principles worth revisiting, from syncing risk management with strategy to preparing for worst-case contingencies to filtering board discussions around the critical enterprise risks that actually matter. What’s different today is the abundance of digital tools enabling real-time monitoring and thousands of simultaneous simulations, but culture still eats strategy for breakfast — and can devour risk management, too.
Many risk oversight axioms were relevant in the pre-digital era. What’s different today is that we are operating in an era defined by unprecedented access to advanced digital tools. Machine learning and AI have the capacity to analyze data, identify patterns, make predictions and generate content. AI-driven advanced analytics can process large volumes of data to detect risks and anomalies far earlier than traditional methods, offering enhanced early warning capabilities.
The pace of change is driven by disruptive innovation and the declining half-life of business models. It is widely recognized that, in many businesses, the confluence of multiple technologies is transforming back-office operations and customer-facing processes. And we’re not done yet: Quantum computing, advanced connectivity, digital trust systems, and cloud and edge computing promise to continue to raise the bar of change.
With that said, here are 14 principles relevant to risk oversight that you’ve probably heard before.
It’s not about avoiding risk — it’s about understanding the risks worth taking
Not every risk is negative; some can drive innovation or boost competitive edge. Taking calculated risks is often necessary for making strategic choices and achieving strategic objectives. The goal is not to avoid bets, but to make the best calculated bets that support objectives. Every opportunity for growth, innovation or improvement comes with some level of uncertainty and risk, making opportunity and risk two sides of the same coin. In the digital age, “playing it safe” to avoid risk is a risk in and of itself, as it can lead to stagnation, missed opportunities and loss of relevance in a rapidly changing world.
Sync risk management with strategy
Objectives clarify what the organization is trying to achieve, allowing risk managers to focus on the opportunities and threats that could impact their achievement. They are closely linked to value drivers like innovation, growth, customer experiences, employee engagement, sustainable practices, brand equity and governance. This business context makes communication with stakeholders clearer and defines responsibility for managing risks.
The market is always changing, so stay alert and vigilant and change with it
According to Jack Welch, former CEO of General Electric, “If the rate of change on the outside exceeds the rate of change on the inside, the end is near.” Given that disruptive change is the norm, it’s “adapt or perish,” as H.G. Wells wrote. Early movers, those quickest to adapt, are most likely to survive and thrive. Acceptance of the status quo is potentially lethal. Short-termism, risk aversion, organizational inertia, past success, sunk costs and resource constraints are powerful blind spots that can preempt necessary change. The bottom line: The world is your dashboard, so check it often.
Be anticipatory; otherwise you’ll miss what can hit you and how much it might hurt
Business fundamentals inevitably shift, and uncertainty is highest when leaders aren’t aware of their blind spots. Looking back is not the answer. Leaders must bring to bear the necessary expertise, processes and information to identify emerging risks. Scenario analysis and stress testing help examine the continued relevance of strategic assumptions and assess resilience under extreme, adverse conditions. Strategic decisions and the risks undertaken should provide a margin of safety to account for uncertainty and unknowns.
If you don’t see it or measure it, you can’t manage it
No list of truisms is complete without this core risk management principle. What’s different today is the abundance of digital tools that enable capture of real-time data from multiple sources and continuous monitoring of key risk indicators. Access to large datasets enhances the reliability of value at risk (VAR) calculations, while advances in computing power allow thousands of simulations simultaneously for more complete probability distributions of potential outcomes and more robust Monte Carlo analyses. Internet of Things devices provide continuous data streams for monitoring operational risks, e.g., equipment failures or environmental hazards.
Don’t overlook your third parties; your brand and reputation depend on it
Today’s organizations have become “boundaryless” as they rely on outsourcing and strategic sourcing arrangements, ecosystem partners, and other parties to meet their business goals. If a third party fails — due to data breaches, quality issues or regulatory violations — the primary organization is typically held responsible. Outsourcing does not eliminate risk.
Beware of dysfunctional environments where truth and facts are ignored
Culture lays the foundation for managing risk. To paraphrase Peter Drucker, culture eats strategy for breakfast — and it can devour risk management, too. Resistance to change, internal barriers to timely risk identification and escalation, and poor collaboration may hamstring an organization’s ability to adjust its risk strategies, business model and operations in a timely manner. Balancing value creation and preservation, as well as emphasizing both short-term and long-term objectives, are cultural attributes requiring effective leadership, supported by a strong second line led by a savvy senior risk executive.
Be wary of “the smartest people in the room”
History shows, through examples like Orange County, Long-Term Capital Management, Enron and financial institutions during the 2007-2009 financial crisis, that the arrogance of individuals who view themselves as superior to others, project overconfidence in their views and denigrate the views of others can stifle vital discussion and teamwork. Their behavior often undermines the benefits of diverse perspectives, collaborative problem-solving and adaptive learning.
Concentration of resources increases risk
Diversification — across products, services, markets and geographies — mitigates risk, enhances growth opportunities and improves competitive positioning and overall resilience. Expanding offerings or entering new markets reduces reliance on a single revenue stream and better navigates changing markets. Vertical integration broadens the organization’s reach into different stages of the value chain, while strategic alliances combine strengths, share risks and improve market access.
Prepare for contingencies, including the worst
Preparation and response readiness are the key to world-class reaction. The question is, “Are we prepared for the unexpected?” Resilience is built in the cool of the day, not in the heat of the moment. Being better prepared is a function of a sound strategy based on realistic assumptions and taking on risk with knowledge and transparency, setting aside time to think about plausible and extreme scenarios that could derail the strategy and formulating appropriate response plans. Fires cannot be fought by a committee.
Learn from your mistakes
Post-mortems help organizations identify what went wrong in risk management and highlight how to improve. By asking, “What could we have done differently?” when risk management fails to provide early warning of a specific event, incident, limit violation or near-miss, management can clarify roles, strengthen responses and reassure stakeholders. However, hindsight has no value if its lessons aren’t applied.
Look out far enough
Limiting risk assessments to one- to three-year time horizons can create blind spots with respect to long-term risks and opportunities. The World Economic Forum uses a 10-year horizon, and many companies are now considering longer periods to anticipate plausible and extreme scenarios, such as industry disruption and disintermediation, geopolitical changes and regulatory shifts. Risk assessment timeframes should at least align with strategic planning cycles. Countries like China plan decades ahead, offering advantage over those countries with much shorter policy horizons.
Cognitive bias often drives missed opportunities
The various forms of cognitive bias and the groupthink they encourage often result in a desire for harmony. This emphasis on conformity can suppress valuable dissent, and alternative points of view and salient contrary information can be overlooked, resulting in faulty, subjective assumptions and serious blind spots. This dysfunction leads to poor risk-reward decisions that are not based on objective data. To paraphrase a Mark Twain quote, what gets you into trouble is what you know for sure that just ain’t so. The bottom line: Sound risk oversight requires open, transparent debate, diverse perspectives and a willingness to challenge assumptions.
Filter your risk discussion with senior management and the board
Risk universes are nice as a common language. In fact, I initiated the concept over 30 years ago with Andersen’s business risk model. But when talking with senior leaders and directors, the dialogue should be focused on the risks that matter — the critical enterprise risks and emerging risks. This works if leaders agree that effective processes are in place to prioritize the key risks meriting attention and anticipate the “gray rhino” risks looming on the horizon.
That’s it. Next month, I will share 14 more risk oversight tenets, ones that you may not have heard before.


Jim DeLoach, a founding 