4 November 2025

Perfectly Compliant, Hardly Relevant: The Limits of Regulated Risk Management

By Prof. Dr. habil. Stefan Hunziker

Many professionals in Swiss banks and insurance companies have recently voiced a similar concern: they “do everything the regulator expects,” yet risk management seems to add little value to the business. That frustration might actually be a positive sign.

Many organisations are beginning to question whether today’s assurance-oriented risk management truly delivers business value. It marks the start of a more profound reflection, from compliance fulfillment toward decision relevance.

Indeed, most frameworks and regulatory requirements are closely linked to operational and compliance decisions, but rarely support strategic decisions. This gap becomes particularly visible in the ORSA process. Risks assessed for regulatory purposes, such as capital adequacy or solvency metrics, rarely translate into business-relevant ERM risks that inform planning, pricing, or strategic resource allocation.

Practitioners often point to recurring symptoms, such as:

  • The dominance of heat maps (yes, they’re still everywhere): colourful dashboards of “high–medium–low” ratings that look sophisticated but never support management decisions.
  • The distinction between “inherent” and “residual” risk: a theoretical world that doesn’t exist, and a discussion that doesn’t help to manage current uncertainty.
  • The “overall risk assessment” highlights hundreds of operational and compliance risks, but omits strategic or opportunity-related risks and has no impact on the business.

The problem is a systemic design issue. When risk management is built primarily to provide assurance, it inevitably crowds out judgment, dialogue, and learning under uncertainty, the very qualities that matter for better decision-making.

In highly regulated industries, that means mastering a double role: one hat focused on assurance and regulatory confidence (the license to operate), the other on advisory and decision relevance (offering value to the business).

Only when both logics coexist and align with strategic judgment will risk management reclaim its purpose, not just to protect value, but to create it.
