Grant Purdy helped write the book on risk management – literally. He co-authored ISO 31000, the global standard everyone follows. After 50 years in the field, he’s saying something uncomfortable: we got it wrong.
Here’s what he means. Walk into most companies and you’ll find risk registers nobody reads, heat maps that annoy everyone, and processes that measure everything except what actually matters for business decisions. The whole system was supposed to help people make better choices when things are uncertain. Instead, it became a compliance monster that eats time and money while creating fake confidence.
How we ended up here
It happened slowly. Every new regulation and “best practice” piled on top of what came before. We kept inventing solutions to fix problems our previous solutions created. Purdy watched it happen from the inside – useful tools turned into paperwork requirements, decision support became regulatory theater. What we promised and what we actually delivered drifted further apart.
The core problem is simple: there are two completely different games being played. One is about creating documents to satisfy external requirements. The other is about actually helping people discuss uncertainty when making real business decisions. These serve different masters – regulators versus the people who actually run things. Most companies got stuck in the first game and forgot about the second.
Ask RAW@AI about this post or just talk about risk management
Why this matters
Not many people can look at their life’s work and say “we were wrong.” That’s what makes Purdy’s message hit hard. He’s not some outside critic – he’s the guy who built the house and is now saying some walls need to come down.
His fix is straightforward but requires a mindset shift. Stop saying “risk management” and start saying “decision support.” Instead of risk registers for reporting, help people make specific choices – what to launch, what to delay, where to add safety margins, what to spend money on.
What this means for you
First, you can stop pretending a stack of documents equals managing uncertainty. Second, bring conversations back to actual decisions – what are our options, what assumptions are we making, what breaks if the world doesn’t behave like we expect? Third, make tools that people actually want to use – quick decision notes instead of endless registers, “what if” scenarios instead of colorful heat maps, simple response rules instead of thick methodology manuals.
The hardest part is breaking old habits. But there’s freedom in stopping the performative busy work and focusing on what actually changes outcomes. That’s the gift in Purdy’s honesty – permission to quit playing “proper risk management” and do what we set out to do in the first place: help people make better decisions when facing uncertainty.
Admitting we got things wrong isn’t defeat – it’s a fresh start. Risk management can finally do what it always promised: not create fake control, but help people choose better.
Grant Purdy’s session “We Got It All Wrong” is at RAW 2025, October 13-17. Full program at https://2025.riskawarenessweek.com
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
