Risk is boring. And that is our fault.

That was the provocation at the heart of my session this morning at the Risk-in conference in Zurich, where I had the honor of co-presenting with my good friend, risk collaborator, and fellow provocateur Stefan Gershater. The session, “Value-Based Risk Management: From Noise to Decision Advantage,” was not about polishing the traditional language of risk management. It was about challenging it.

Too much risk management today creates activity, not advantage. It creates registers, workshops, heat maps, assurance routines, policy attestations, and management reports. Some of these things are necessary. Some are useful. But too often they are disconnected from what the business is actually trying to achieve. They satisfy process requirements without improving decisions. They document uncertainty without helping leaders navigate it. They produce artifacts that risk teams can point to, but not outcomes that executives value.

And that is the problem.

If the CEO, COO, CFO, or other senior leaders are not giving risk leaders time in their diaries, it may not be because they do not care about risk. It may be because risk has been presented to them as a long list of scary things that might happen, organized into the three famous colors of red, amber, and green, accompanied by the promise that the list will be updated before year-end. That is not a leadership conversation. That is administrative noise.

Executives do not wake up in the morning excited to discuss whether the risk register is up to date. They care about growth. They care about performance. They care about execution. They care about protecting what has been built and expanding what is possible. They care about whether the organization will deliver on its objectives, whether it will seize the right opportunities, whether it will avoid catastrophic missteps, and whether it can act with confidence in the face of uncertainty.

That is where risk management must evolve. Risk management should not be the handbrake on the business. It should be the navigation system that helps the business move forward, steer through uncertainty, and achieve its objectives.

Risk Is Our Business

I opened the session with a familiar theme from my work and podcasts: Risk is our business. It comes from one of my favorite moments in the original Star Trek series, when Captain Kirk declares, “Risk is our business.” That line captures something too many organizations forget. Every organization is, in its own way, a starship of risk. It exists to pursue objectives in uncertain environments. It moves toward opportunity while facing disruption, constraint, competition, regulation, operational fragility, and change.

The business of not taking risk is the business that is out of business.

The question is not whether the organization takes risk. It already does. The question is whether it takes the right risks, in the right context, with the right intelligence, controls, resilience, and confidence. The question is whether risk management is helping the organization understand the road ahead or merely documenting the potholes already passed in the rearview mirror.

This is where many traditional risk programs fall short. They are too often rearview-mirror exercises. By the time a risk is fully identified, documented, assessed, scored, and placed on a register, it may already have become an event. The risk function becomes an observer of uncertainty rather than a participant in decision-making. It records what the business fears, but it does not help the business decide what to do.

Value-Based Risk Management changes the starting point. It begins not with the risk register, but with objectives. It asks: What are we trying to achieve? What value are we trying to create or protect? What uncertainty could affect that value? What decisions must be made? What confidence do leaders need to act?

This aligns with the essential insight of ISO 31000: risk is the effect of uncertainty on objectives. Yet too many organizations focus almost entirely on the uncertainty and not nearly enough on the objective. Stefan made this point powerfully. Risk people spend a great deal of time defining, scoring, and debating uncertainty, but far too little time understanding what an objective is, how it generates value, and how uncertainty affects the ability to deliver that value.

That imbalance is why risk becomes noise.

Organizations Do Not Have an Appetite for Risk. They Have an Appetite for Value.

One of the central themes of our session was a statement that challenges one of the most established phrases in the risk profession:

Organizations do not have an appetite for risk. They have an appetite for value.

The traditional language of “risk appetite” often starts in the wrong place. It asks whether we are willing to accept a particular risk, as though risk itself is the thing the organization desires. But no executive, board, investor, or stakeholder truly wants risk for its own sake. What they want is the value that may be achieved by pursuing an objective under uncertainty.

Stefan illustrated this with a simple example. Ask someone to leave an expensive watch unattended on a table, and they will refuse. Ask them to leave the watch there with a meaningful possibility that a better watch will be there when they return, and the conversation immediately changes. They will ask about probability. They will ask about the conditions. They will ask about the upside and downside. They will ask about the decision.

The appetite was never for risk. The appetite was for the outcome.

That distinction matters because it reframes the entire risk conversation. Risk management should not begin by asking how much risk the organization is willing to take in the abstract. It should begin by asking what value the organization is trying to create or protect, and what uncertainty surrounds that value.

A growth objective has risk. A resilience objective has risk. A compliance objective has risk. A transformation objective has risk. A market expansion objective has risk. A strategic decision not to act also has risk. Risk is not separate from the objective; it is embedded in the pursuit of the objective.

This is why risk management must move from risk-centric language to value-centric language. The business does not need to be trained to speak risk. Risk professionals need to learn to speak the language of the business.

From Risk Activity to Decision Advantage

The phrase “decision advantage” is critical. Risk management earns its seat at the table when it helps leaders make better decisions faster.

That is a very different ambition from maintaining a risk inventory. A risk register may be useful, but it is not the destination. A heat map may be a visual aid, but it is not intelligence. A control library may be necessary, but it is not confidence. The real value of risk management is realized when uncertainty is translated into insight that improves decisions.

Executives are not asking, “Can you give me a perfectly maintained risk taxonomy?” They are asking, even if they do not use these words:

  • Can we achieve the plan?
  • Where are we most uncertain?
  • What assumptions are fragile?
  • What external conditions could change the strategy?
  • What internal capabilities are weak?
  • Where should we invest?
  • Where should we slow down?
  • Where should we take more risk?
  • Where should we avoid, transfer, mitigate, or accept risk?
  • Where do we have confidence, and where are we pretending?

That is the conversation risk leaders must be prepared to have. It is not enough to say, “Here are the top risks.” The better question is, “Here are the objectives, here is the uncertainty around them, here are the decisions required, and here is the level of confidence we have in achieving the outcomes.”

This is where risk management becomes strategic. It is no longer a compliance exercise. It becomes a leadership capability.

The Human Dimension of Risk

One of the most powerful aspects of Stefan’s contribution was his insistence that risk is a human phenomenon. Probability exists without humans. The probability of two asteroids colliding in deep space exists whether anyone observes it or not. But whether that event is good, bad, meaningful, irrelevant, threatening, or advantageous depends on the observer.

Risk requires context. It requires objectives. It requires value. It requires judgment.

The same event may be catastrophic for one organization and advantageous for another. A market disruption may destroy one business model and create another. A regulatory change may burden one organization and differentiate another. A supply chain shock may expose fragility in one enterprise while rewarding resilience in another. A technology shift may be a threat to incumbents and a launchpad for challengers.

This means risk management sits at the intersection of mathematics, probability, psychology, ethics, strategy, and decision science. It is not simply a matter of data. It is not simply a matter of technology. It is not something that can be fully outsourced to a dashboard, an algorithm, or an AI-generated summary.

Technology matters. Data matters. Analytics matter. But risk management still requires human judgment. It requires understanding why people pursue objectives, how they perceive value, what they fear, what they desire, what trade-offs they are willing to make, and what confidence they need to act.

This is also why the conversation cannot be reduced to fear. Fear may get attention, but only briefly. A risk conversation built only on fear becomes exhausting. Leaders may respond to immediate threats, but they will not build a lasting relationship with risk management if every interaction is framed as danger, restriction, and loss.

The stronger conversation is about value creation and value protection. It is about helping leaders succeed.

The Ancient Problem: Controls Without Context

One of the most memorable moments in the session came when Stefan referenced a cuneiform tablet: an ancient receipt for two cows. It was funny, particularly in Switzerland, where the idea of a receipt drew laughter and applause. But the point was serious.

Human beings invented agriculture, numbers, writing, and control mechanisms because value had to be documented, transferred, protected, and trusted. That ancient receipt was, in a way, a control against misstatement or misaccounting. It recorded who had what, what changed hands, and where value moved.

The problem is that too much of modern risk and control thinking has not moved far enough beyond that ancient control mindset. We still focus heavily on whether the numbers are recorded correctly, whether the report is complete, whether the control exists, whether the evidence is retained, whether the policy was attested to, whether the register was updated.

These things matter. But they are not enough.

Stefan used the analogy of a patient in a hospital bed. If the doctor only tells you the patient’s temperature is 37 degrees Celsius, that is a data point. It is not a diagnosis. It does not tell you whether the patient is improving or declining. It does not tell you what condition the patient is in, what intervention is required, or what outcome is likely. It is one measurement in a complex system.

The same is true in organizations. A control test result is not the health of the business. A financial metric is not the full story of performance. A risk score is not a decision. A compliance report is not resilience. Each may be a useful signal, but the organization needs to understand the system.

Value-Based Risk Management requires moving beyond isolated indicators and toward connected insight.

Internal and External Risk: What We Can Control and What We Must Prepare For

A recurring image in the session was the ship. Stefan spoke from experience, using HMS Chatham as an example, and the analogy fits beautifully with the broader “starship of risk” theme.

A ship has internal risks: systems may fail, engines may break, food or fuel may run low, people may lack capability, processes may not work. These are risks the organization can influence directly. It can affect their probability through maintenance, training, investment, process design, controls, and leadership.

But a ship also faces external risks: weather, rocks, enemies, currents, darkness, time, and the surrounding environment. These are risks whose probabilities the ship cannot control. It cannot change the weather. It cannot move the rock beneath the water. It cannot prevent every external shock. But it can prepare. It can navigate. It can build resilience. It can sense, respond, adapt, and steer.

This distinction is vital for modern GRC and risk management. Too many risk programs treat all risks as if they can be managed in the same way. They cannot. Some risks require reducing probability through better internal controls. Others require improving preparedness, resilience, optionality, and response. Some require changing strategy. Others require strengthening capability. Some require accepting uncertainty because the value at stake justifies the exposure.

This is where risk and resilience converge. External uncertainty shapes strategy. Internal capability determines whether the organization can execute that strategy. Controls, policies, processes, capital investment, assurance, and actions all exist to create confidence that objectives can be achieved.

Surprise Is Still Risk — Even When the Outcome Is Positive

Another important challenge in the session was the idea that uncertainty is not only a problem when the outcome is negative. If an organization materially exceeds its target and leadership is surprised, that still indicates a failure to understand uncertainty.

Stefan shared the example of a company that made significantly more money than expected. The CFO was delighted. More money meant bigger bonuses. But the risk question was different: How did we not see this coming?

That is the discipline of Value-Based Risk Management. It is not simply about preventing downside. It is about understanding uncertainty around objectives. If the organization is 25% below target, something was misunderstood. If the organization is 25% above target and had no idea why, something was also misunderstood. In both cases, the organization lacked insight into the drivers of performance.

This matters because the upside may not repeat. The organization may confuse luck with competence. It may allocate capital based on false assumptions. It may reward outcomes without understanding causes. It may miss signals that should shape future strategy.

Risk management must help organizations understand variance, not just loss. It must help leaders understand why performance deviates from expectations, whether in a favorable or unfavorable direction. This moves risk into the heart of performance management, strategy execution, and decision-making.

ORCA: Objectives, Risks, Controls, Assurance, Actions

One of the practical models Stefan introduced was ORCA:

Objectives. Risks. Controls. Assurance. Actions.

The simplicity of the acronym matters because it changes the flow of risk management. It does not start with a list of risks. It starts with objectives.

The objective defines the value the organization is trying to create or protect. The risks are the uncertainties that may affect that objective. The controls are the mechanisms that make the objective more achievable. Assurance provides confidence that those mechanisms are working. Actions define what must change: where to improve, where to invest, how to respond, and how to adapt.

This creates a system, not a list. It creates a flow of information from strategy to uncertainty, from uncertainty to control, from control to assurance, and from assurance to action. It also closes the loop. Actions affect capabilities. Capabilities affect objectives. Objectives evolve as the environment changes.

Importantly, opportunities are not separate from this model. When someone asked whether there should be another “O” for opportunities, Stefan’s answer was that opportunities are embedded in objectives. An objective may be to grow, expand, enter a new market, launch a product, transform a business model, or protect existing value. Opportunity and risk are both expressions of uncertainty around value.

This is a more mature way to think about risk. It avoids the false separation between risk management and opportunity management. The organization is not managing risk on one side and opportunity on another. It is managing uncertainty in pursuit of objectives.

The Future of Risk: Systems, Causality, and Connected Intelligence

The session also moved into the future of risk management: systems thinking, causal inference, Bayesian logic, graph databases, and connected models of risk and performance.

This is where risk management must go. Organizations are not flat lists of risks. They are complex systems operating in dynamic environments. One failure can cascade. One decision can shift multiple exposures. One control weakness can affect several objectives. One external shock can create operational, financial, compliance, reputational, and strategic consequences at the same time.

The future of risk management is not simply more automation of old processes. It is not AI-generated risk descriptions placed into the same tired registers. It is not faster production of heat maps. That may create speed, but not necessarily intelligence.

The future is understanding relationships.

  • How does one risk influence another?
  • How does a control affect the probability or impact of multiple outcomes?
  • How does an external condition change the feasibility of a strategy?
  • How does a weakness in one capability affect several objectives?
  • How does uncertainty in the financial plan connect to supply chain, workforce, technology, regulatory, geopolitical, and operational uncertainty?

This is where Bayesian thinking, causal inference, and graph-based approaches become important. They allow organizations to move beyond static risk lists and toward dynamic models of how things connect. They support a more intelligent understanding of cause and effect, probability, dependency, and decision impact.
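To make the “understanding relationships” point concrete, here is a small added example, not from the session or from Stefan’s material, of the kind of model the paragraph describes. It is a toy Bayesian network with one external condition (a supplier disruption, whose probability the organization cannot control), one control decision (dual sourcing), and two objectives (an on-time launch and a revenue plan). Every probability in it is constructed for illustration; the point is the structure, not the numbers. Exact inference is done by enumerating the joint distribution, which is feasible because the network is tiny, so a single control can be seen to change the odds on both objectives, and a worsening environment can be seen to shift feasibility even when the control is in place.

```python
"""Added example: a toy Bayesian network linking one external condition,
one control, and two objectives, solved by exact enumeration (no libraries)."""
from itertools import product


def build_network(dual_sourcing: bool, p_disruption: float = 0.20) -> dict:
    """Return node -> (parents, function giving P(node=True | parent values)).

    dual_sourcing is the control decision. p_disruption is external: it can be
    prepared for but not changed. All probabilities are constructed, not measured.
    """
    # P(shortage | disruption, dual_sourcing): the control lowers the chance
    # that a disruption turns into a component shortage.
    shortage_cpt = {
        (True, True): 0.25, (True, False): 0.80,
        (False, True): 0.02, (False, False): 0.05,
    }
    # P(plan_missed | shortage, launch_delayed): both risks feed the revenue plan.
    plan_cpt = {
        (True, True): 0.90, (True, False): 0.50,
        (False, True): 0.40, (False, False): 0.08,
    }
    return {
        "disruption": ((), lambda: p_disruption),
        "shortage": (("disruption",), lambda d: shortage_cpt[(d, dual_sourcing)]),
        "launch_delayed": (("shortage",), lambda s: 0.70 if s else 0.10),
        "plan_missed": (("shortage", "launch_delayed"), lambda s, l: plan_cpt[(s, l)]),
    }


def joint_probability(network: dict, assignment: dict) -> float:
    """P(full assignment) = product over nodes of P(node | its parents)."""
    p = 1.0
    for node, (parents, cond) in network.items():
        p_true = cond(*(assignment[parent] for parent in parents))
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def marginal(network: dict, node: str) -> float:
    """P(node=True): sum the joint over every assignment in which node is True."""
    names = list(network)
    total = 0.0
    for values in product((False, True), repeat=len(names)):
        assignment = dict(zip(names, values))
        if assignment[node]:
            total += joint_probability(network, assignment)
    return total


def compare(p_disruption: float = 0.20) -> dict:
    """Probability each objective is missed, with and without the control,
    for a given external disruption probability."""
    results = {}
    for control in (False, True):
        net = build_network(control, p_disruption)
        results[control] = {
            "launch_delayed": marginal(net, "launch_delayed"),
            "plan_missed": marginal(net, "plan_missed"),
        }
    return results


if __name__ == "__main__":
    for env, p_d in (("base environment", 0.20), ("hostile environment", 0.50)):
        print(env)
        for control, objectives in compare(p_d).items():
            label = "with dual sourcing" if control else "without dual sourcing"
            print(f"  {label:22s} " + "  ".join(f"P({k})={v:.3f}" for k, v in objectives.items()))
```

Two things the table alone would not show: the single control changes the probability on both objectives at once, which a one-risk-one-control register cannot express, and raising the external disruption probability worsens the revenue outlook even with the control in place, which is the distinction between what can be controlled and what must be prepared for.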

The caution, however, is equally important. AI is not a substitute for risk management maturity. An AI-powered risk platform does not automatically mean better risk management. If the underlying model is weak, if objectives are not defined, if relationships are not understood, if the AI hallucinates and leaders believe it, the organization may make worse decisions faster.

Technology should strengthen decision-making, not create a more efficient illusion of insight.

Controls as Decision Levers

The session also reframed controls in a powerful way. Controls are often treated as static mechanisms: policies, procedures, approvals, reconciliations, access restrictions, monitoring activities, and evidence requirements. They are cataloged, tested, and reported. But in a value-based model, controls become decision levers.

Stefan described controls in terms of time and effect.

Some risks are structural or systemic. They require transformation, capital investment, capability development, or major redesign. These are long-term controls. They may take years to produce meaningful benefit because they address deep structural uncertainty.

Other risks relate to business performance and execution. They may be addressed through better processes, clearer policies, improved management routines, training, accountability, and operational discipline. These controls may produce benefit within the year.

Still other risks and opportunities require immediate action. Incident response, crisis management, and opportunity exploitation are immediate controls. They are how the organization acts when uncertainty becomes urgent.

This time-based view of controls is important because it connects risk management to decision horizons. Not every risk response belongs in the same governance cycle. Not every control should be judged by the same timeframe. Not every action is a remediation plan. Some actions are strategic investments. Some are operational improvements. Some are immediate responses to events or opportunities.

This moves controls from a compliance inventory to a management discipline.

Stop Training the Business to Be Risk Experts

Another challenge from the session was direct and necessary: Do not train business leaders to become risk experts. Risk experts must learn the business.

This reverses a common mistake. Risk teams often try to bring the business into the language, structures, taxonomies, scoring models, and reporting rituals of the risk function. They ask the business to identify risks, score risks, update risks, attest to controls, and participate in risk workshops. Some of that may be necessary, but it often reinforces the perception that risk management is an administrative burden.

The better approach is to meet the business where it is.

Talk to strategy leaders about strategic objectives, assumptions, scenarios, and choices. Talk to operations leaders about execution, capacity, resilience, process performance, and disruption. Talk to financial planning and analysis teams about uncertainty in the plan, error bars around forecasts, and where confidence weakens across the year. Talk to business unit leaders about what they are trying to achieve, where they are exposed, and what would help them win.

This requires new alliances. Risk teams have historically spent much of their time with auditors, lawyers, accountants, and compliance teams. These relationships remain important. But value-based risk management also requires stronger relationships with strategy, operations, finance, product, commercial leadership, transformation teams, resilience leaders, and the people who own performance.

Risk professionals should be known as people who help the business succeed, not people who arrive with templates.

The Financial Plan Is a Risk Model — Whether Finance Calls It That or Not

One of the audience questions went straight to the reality of organizations: businesses are often run through the financial plan. Objectives, incentives, bonuses, investments, and performance conversations are frequently anchored in annual financial targets.

That creates both a challenge and an opportunity for risk management.

The challenge is that financial planning often presents a single line: the budget, the target, the forecast, the expected outcome. But reality is not a single line. Reality has uncertainty. It has ranges, assumptions, dependencies, volatility, and confidence levels. The plan may show what the organization intends to achieve, but risk management can help reveal where the plan is fragile.

The opportunity is to make risk management useful in-year while also pushing the conversation beyond the financial year. Risk professionals can help finance and business leaders ask: Where are we less certain? Which assumptions matter most? What could cause us to outperform or underperform? What would we do if the curve changes? Where do we need leading indicators? Where do we need options?

This does not require forcing finance to speak risk. It requires risk professionals to speak finance.

Start with the plan. Add uncertainty. Discuss the drivers. Identify the decisions. Build confidence. That is how risk becomes relevant.
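As an added illustration of this sequence, and of the earlier point that a 25% overshoot is as much a failure of understanding as a 25% shortfall, here is a small Monte Carlo treatment of a financial plan. It is example code written for this page, not a model from the session, and its plan figures and spreads are constructed: a single product line with four drivers (volume, price, unit cost, fixed cost), each given a normal spread around its planned value. The plan’s single line becomes a P10/P50/P90 range, the probability of landing below target is stated explicitly, and a one-at-a-time sensitivity ranks which assumptions actually move the outcome, which is where the leading indicators and the decisions belong.

```python
"""Added example: the financial plan treated as a risk model. A point plan,
a few uncertain drivers, a Monte Carlo range around the target, and a ranking
of which driver moves the outcome most."""
import random
import statistics

# Constructed plan for one product line (not from the session).
# Each driver: (planned value, relative standard deviation of a normal spread).
PLAN = {
    "volume_units": (100_000, 0.15),
    "price_per_unit": (50.0, 0.03),
    "unit_cost": (30.0, 0.08),
    "fixed_cost": (1_200_000, 0.02),
}


def profit(d: dict) -> float:
    """The deterministic plan arithmetic: the single line finance usually reports."""
    return d["volume_units"] * (d["price_per_unit"] - d["unit_cost"]) - d["fixed_cost"]


def point_plan() -> float:
    """Profit with every driver at its planned value (the budget target)."""
    return profit({k: mean for k, (mean, _) in PLAN.items()})


def draw(rng: random.Random, vary: set) -> dict:
    """One scenario; drivers not listed in `vary` stay at their planned value."""
    return {
        k: rng.gauss(mean, mean * rel_sd) if k in vary else mean
        for k, (mean, rel_sd) in PLAN.items()
    }


def percentile(sorted_values: list, q: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    idx = min(len(sorted_values) - 1, max(0, round(q * (len(sorted_values) - 1))))
    return sorted_values[idx]


def simulate(n: int = 20_000, seed: int = 7) -> dict:
    rng = random.Random(seed)
    target = point_plan()
    # Full uncertainty: every driver varies at once.
    outcomes = sorted(profit(draw(rng, set(PLAN))) for _ in range(n))
    # One-at-a-time sensitivity: how much does each driver alone spread profit?
    spread = {
        k: statistics.pstdev(profit(draw(rng, {k})) for _ in range(n))
        for k in PLAN
    }
    return {
        "target": target,
        "p10": percentile(outcomes, 0.10),
        "p50": percentile(outcomes, 0.50),
        "p90": percentile(outcomes, 0.90),
        "p_miss_target": sum(o < target for o in outcomes) / n,
        "drivers_by_sensitivity": sorted(spread, key=spread.get, reverse=True),
    }


if __name__ == "__main__":
    r = simulate()
    print(f"plan target         {r['target']:>14,.0f}")
    print(f"P10 / P50 / P90     {r['p10']:>14,.0f} {r['p50']:>14,.0f} {r['p90']:>14,.0f}")
    print(f"P(below target)     {r['p_miss_target']:.2f}")
    print("drivers that matter most:", ", ".join(r["drivers_by_sensitivity"]))
```

With these inputs the target sits near the middle of a range several hundred thousand wide, so roughly half of the plausible outcomes fall below it and half above; a large overshoot is therefore not luck to be celebrated but evidence that the volume and unit-cost assumptions, which dominate the sensitivity ranking, were not understood. Those two drivers are where in-year leading indicators and options should be concentrated.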

Confidence Is the Product of Risk Management

Perhaps the strongest closing theme from Stefan was that risk professionals do create something. They create confidence.

That is profound.

Risk management does not create products in the traditional sense. It does not always generate revenue directly. It does not own the strategy, operate the factory, sell the service, or manage the customer relationship. But it does create confidence that the organization can pursue objectives, protect value, grow responsibly, remain resilient, stay safe and legal, and make better decisions under uncertainty.

Confidence is difficult to create and easy to lose. It is built through clarity, discipline, intelligence, assurance, transparency, and action. It requires knowing where the organization is strong and where it is exposed. It requires understanding what is controlled, what is not controlled, what can be influenced, what must be prepared for, and what decisions must be made.

Confidence is not blind optimism. It is not the absence of risk. It is the justified belief that the organization understands its objectives, its uncertainty, its capabilities, its controls, and its choices.

This is the real output of Value-Based Risk Management.

From Noise to Advantage

The message of the session was clear: risk management must evolve from noise to decision advantage.

  • Noise is a risk register disconnected from objectives.
  • Noise is a heat map that simplifies complexity into colors without improving decisions.
  • Noise is a control report that says the temperature is 37 degrees but does not diagnose the health of the patient.
  • Noise is a business case built around saving 75% of time in risk assessments when the business does not care how busy the risk team is.
  • Noise is asking executives to care about risk without first understanding what they are trying to achieve.

Decision advantage is different.

Decision advantage starts with objectives. It understands value. It maps uncertainty. It connects internal and external risk. It distinguishes between what can be controlled and what must be prepared for. It uses technology and data intelligently, but does not confuse automation with insight. It builds causal understanding. It aligns controls to decision horizons. It creates confidence. It helps the business protect and grow.

This is what Value-Based Risk Management is about.

It is not risk for risk’s sake. It is not compliance theater. It is not administrative activity. It is not a prettier register or a faster assessment. It is a leadership capability that enables the organization to pursue objectives with clarity, confidence, and resilience.

Risk is our business. But risk is not the point.

The point is value. The point is objectives. The point is better decisions. The point is helping the organization boldly go where strategy, process, and technology have never gone before.
