Evolve Your Approach to Risk Management. From management-by-colours to hard numbers
Seven key weaknesses of a qualitative approach to Enterprise, Operational, Cyber and Third-Party Risk.
-
Risk ratings reflect personal judgement, not evidence.
Different teams rate the same risk differently.
Biases (optimism, politics, recency) distort results.
#Enterprise Risk, #Operational Risk, #Cyber Risk, #Third-Party Risk
-
“High” doesn’t reveal whether loss is £100k or £10m.
Boards, regulators, and insurers need quantified exposure.
Hard to link to revenue, cost, or service outcomes.
#Enterprise Risk, #Operational Risk, #Cyber Risk, #Third-Party Risk
-
Without numbers, it’s impossible to rank risks.
Budgets get spread thinly instead of targeted.
Critical risks may be underfunded while minor risks get attention.
#Enterprise Risk, #Operational Risk, #Cyber Risk, #Third-Party Risk
-
You can’t roll up “reds/ambers/greens” into enterprise exposure.
Concentration risk and interdependencies remain hidden.
No ability to model systemic or cascading effects.
#Enterprise Risk, #Operational Risk, #Third-Party Risk
-
Most assessments are workshop-based snapshots.
They fail to keep pace with fast-changing risks (cyber threats, supplier health, operational disruptions).
Early warning indicators get ignored.
#Operational Risk, #Cyber Risk, #Third-Party Risk
-
Regulatory frameworks (Basel, Solvency II, DORA, NIS2) expect quantification.
Auditors and investors see qualitative-only frameworks as immature.
Perception of “box-ticking” undermines credibility.
#Enterprise Risk, #Operational Risk, #Cyber Risk, #Third-Party Risk
-
Can’t feed into stress testing or scenario modelling.
No basis for capital allocation, M&A risk due diligence, or crisis planning.
Limits the role of risk management in strategy execution.
#Enterprise Risk, #Operational Risk, #Cyber Risk, #Third-Party Risk