Two years ago, I realized something that made me uncomfortable: every time I tested a public AI tool on risk management questions, it gave me terrible advice. Not just unhelpful. Actively bad.
I’d ask ChatGPT about risk matrices, and it would enthusiastically explain their benefits. Claude would walk me through implementing enterprise risk management frameworks. Gemini would help me build risk appetite statements. Copilot would recommend colorful heat maps for visualization. All of them were spectacularly wrong. The problem wasn’t that they didn’t know enough. The problem was that they knew too much of the wrong things.
What “Most Probable” Actually Means
Large Language Models work on a simple principle: they predict the most probable next word based on patterns in their training data. But “most probable” doesn’t mean “most accurate.” It means “most frequent.” And what’s most frequent on the internet when it comes to risk management? Thousands of pages explaining how to build risk registers. Hundreds of consulting firm articles about risk appetite statements. Endless templates for heat maps and compliance frameworks. The models are trapped in an echo chamber of popular but deeply flawed practices.
I tested this repeatedly. When I asked about risk matrices, the AIs would initially defend them. Only when I pushed back with specific academic citations would they reluctantly admit the obvious: risk matrices embed dangerous biases and mathematical errors that can lead to terrible decisions. But here’s the thing – most people won’t push back. They’ll take the first answer, assume the AI knows what it’s talking about, and implement advice that feels sophisticated but is fundamentally broken.
Ask RAW@AI about this post or just talk about risk management
Two Worlds, Accelerating Apart
This perfectly captures the split in our profession: RM1 versus RM2. RM1 is the world of artifacts. Policies, registers, appetite statements, heat maps. They satisfy auditors and regulators. They look impressive in board presentations. But they rarely affect how capital actually gets allocated or how strategies get shaped. RM2 integrates quantitative methods into real business decisions. Instead of producing standalone risk reports, it makes planning, budgets, and investments risk-aware. It doesn’t ask “What is our risk appetite?” It asks “How do uncertainties change the choice we’re about to make?”
AI is accelerating the divergence between these two worlds. General-purpose LLMs supercharge RM1. They generate risk registers faster than any human could. They produce polished appetite statements in seconds. They automate compliance reports with ease. But all this paperwork leaves actual decisions untouched.
That’s why I built RAW@AI. Not as another chatbot, but as a specialized tool trained on RM2 principles, grounded in the right sources, and built with guardrails that prevent it from falling into the popular-but-wrong trap. For two years now, my team has used it for actual risk management work – the kind of analysis and decision support that risk teams need to deliver.
The difference isn’t subtle. It’s the difference between astrology and astronomy.
Here’s what worries me: if AI can already produce registers and policies faster than any human, what’s left for risk managers to do? The answer is interpretation. Turning probabilistic models into business insight. Embedding uncertainty into strategic conversations. Making risk analysis a driver of decisions, not just a compliance exercise. The risk manager of the future isn’t a custodian of documents. They’re an architect of decisions. But you can’t get there by asking ChatGPT how to manage risk. You’ll just get a faster way to do what doesn’t work.
I published a benchmark in August 2025 testing major LLMs on risk management questions. The results were clear: none of them were fit for purpose. Although thinking models are getting better.
That should worry every risk professional who’s thinking about using AI in their work. Generic AI doesn’t just give poor risk advice – it amplifies the worst practices in our field while giving users the illusion of sophistication. It makes mediocrity feel modern. And in risk management, mediocrity isn’t harmless. It costs money. It misallocates capital. It builds overconfidence in decisions that should be questioned. The choice isn’t whether to use AI. The choice is whether you settle for tools that reinforce what’s popular, or insist on tools that deliver what’s correct. Because there’s a difference. And in our profession, that difference is measured in millions.
Explore the results of the Risk Benchmark: https://benchmark.riskacademy.ai
Meet RAW@AI, specialized AI for risk management: https://riskacademy.ai
See how AI is transforming RM2 at Risk Awareness Week 2025, 13–17 October: https://2025.riskawarenessweek.com
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
To break out of this cycle and move toward **scientific risk management**, risk management must be embedded at the core of decision-making.
We need to **use artificial intelligence responsibly**, under professional supervision, shift the focus from mere compliance to **real value creation**, diagnose risks using **scientific methods rather than ready-made models**, and **evaluate regularly** while linking actions to actual outcomes.
We must **build a culture of risk awareness**, not one of fear or formality.
We should understand that **the danger is not in the existence of risks, but in managing them ineffectively.**
ChatGPT itself is not the problem—**the problem lies in using it without deep understanding or a clear methodological framework.**
Such misuse does not protect institutions from crises; it **slows their response** and **misleads decision-makers** with false indicators.
What we truly need is a **scientific risk system** that employs technology with awareness and enhances our ability to face the unknown with **intelligence and genuine resilience.**
May God protect everyone.