Artificial Intelligence
Compliance
April 11, 2023

10 Commandments of a risk manager according to ChatGPT

We ran an experiment. We asked ChatGPT, the artificial intelligence chatbot developed by OpenAI, to write the ‘10 commandments of a risk manager’ for us and then we evaluated the results.

Here are the 10 commandments according to ChatGPT:

  1. Thou shalt establish a comprehensive risk management plan that aligns with the organization’s goals and objectives.
  2. Thou shalt identify and assess all potential risks, including both internal and external factors that could impact the organization’s operations.
  3. Thou shalt prioritize risks based on their potential impact and likelihood of occurrence.
  4. Thou shalt develop and implement risk mitigation strategies to reduce the likelihood of risks occurring or to minimize their impact if they do occur.
  5. Thou shalt regularly review and update the risk management plan and strategies to ensure their effectiveness in managing current and emerging risks.
  6. Thou shalt communicate the risk management plan and strategies to all stakeholders, including employees, shareholders, and customers.
  7. Thou shalt ensure that all employees are aware of their roles and responsibilities in managing risks and are adequately trained to do so.
  8. Thou shalt establish clear protocols and procedures for reporting and escalating risks and incidents to senior management.
  9. Thou shalt establish a system for monitoring and measuring the effectiveness of the risk management plan and strategies.
  10. Thou shalt maintain accurate and complete records of all risk assessments, mitigation strategies, incidents, and other risk-related information.

How did ChatGPT perform?

The list of 10 commandments looks good, but some changes and improvements are required:

  • Risk management is about measuring the effects of uncertainty on objectives. Even before you implement a risk management plan, you should first be sure that your business and operational objectives are well defined. Commandment #1 should be changed to clearly indicate that the definition of objectives is the first step. Or there should be a completely separate commandment, preferably the first one, clearly articulating the importance of defining objectives.
  • A risk is the likelihood of an incident occurring because of exposure to a hazard or the presence of a threat. To effectively identify risks, you must first identify hazards, threats, or potential causes. But the 10 commandments from ChatGPT don’t include the words ‘hazard’, ‘threat’, or ‘cause’ anywhere. Commandment #2 should mention hazards, threats, or causes.
  • The list produced by ChatGPT can also be improved by emphasizing controls and barriers. The term ‘mitigation strategies’ is used in commandments #4 and #10. But ‘mitigation strategies’ is vague and can mean anything. Sending an e-mail asking workers to be careful when operating machinery is a ‘mitigation strategy’, but it would not be that effective. The need to implement controls and barriers should be explicitly spelled out somewhere.
  • Commandment #7 has the right intention. All employees should be aware of their roles and responsibilities in managing risks. But it should go further. In any company, all employees are de facto risk managers. There are specific roles that have explicit risk management responsibilities (e.g., risk manager, auditor, compliance manager), but a risk manager must encourage a risk mindset among all employees. This is not done solely by communicating roles and responsibilities and making employees aware of their risk ownership. It’s also done by building an organizational culture where everyone is encouraged to constantly think about what could threaten objectives or ‘what could go wrong’.
  • Commandment #9 also has the right intention. Conditions change, so it’s good to establish a system to monitor and measure the effectiveness of the risk management plan. But this commandment is similar to commandment #5. The two can be merged, and a new commandment #9 can be written about the need to regularly evaluate the effectiveness of controls and barriers, which can weaken due to changing circumstances. It’s good to be proactive and conduct regularly scheduled inspections to verify their effectiveness and to have a live visual representation of the health of your controls and barriers.

ChatGPT is helpful in giving guidance on establishing commandments or rules, but you still need human experts who can improve your risk management processes and recommend software tools that can make your processes more effective.

Did you know that the bowtie methodology can help you follow risk management commandments or rules that you set? Bowties allow you to visualize any risk in a single, easy-to-understand picture, and create a clear differentiation between proactive and reactive risk management.

A bowtie gives you an overview of multiple potential scenarios in a single picture. It provides a simple, visual explanation of a risk that would be much more difficult to explain otherwise.

Want to learn more about how bowties and barrier management can improve risk management at your company? Visit our webpages on the bowtie method and the BowTieXP Enterprise solution, and reach out to us at [email protected] for any questions.
