
9 common risk management failures and how to avoid them

As enterprises rework their business models and strategies to meet various new challenges, risks abound. Here are nine risk management failures to look out for.

Many organizations are changing their business models and strategies more often than in the past, partly to take advantage of AI and other new technologies and partly because of supply chain disruptions and regulatory mandates. The increased pace of change has introduced new business risks for enterprises, making it even more imperative for companies to ensure that their risk management programs are effective.

Risk management failures are often depicted as the result of unfortunate events, reckless behavior or bad judgment -- and some clearly are. But a deeper analysis shows that many risks are due to systemic problems that could have been addressed with a more proactive and comprehensive enterprise risk management (ERM) program. Here are nine common risk management missteps to avoid as part of an ERM initiative, along with guidance on how to do so.

1. Poor governance and weak risk controls

Citibank made headlines in a negative way when it mistakenly wired a $900 million loan payoff to cosmetics company Revlon's lenders in August 2020. A federal judge initially ruled that Citibank wasn't entitled to refunds from the 10 lenders that had refused to return about $500 million of the money; an appeals court later overturned that ruling, and the bank eventually got all the money back.

Citibank did have risk-related policies and technologies in place, such as dedicated terminals for wiring large amounts of money and a set of internal controls that it revised after shifting to remote work during the COVID-19 pandemic. But the error was traced to a recently installed software package whose confusing UI lacked the appropriate built-in controls, so a single operator mistake went through unchecked. "This was a case where the human side of the equation can overwhelm any amount of good technology that has been installed," said Chris Matlock, a vice president and analyst team manager at Gartner.

The problems went deeper than that, though -- to the heart of the company's risk management efforts. Two months after the erroneous payment was made, Citibank was fined $400 million by U.S. regulators for what the government called its "longstanding failure to establish effective risk management and data governance programs and internal controls." The order also required the bank to overhaul its practices and controls.

In 2021, a wildfire amid record-high temperatures that topped 120 degrees Fahrenheit destroyed the village of Lytton, British Columbia, leading to multiple class-action lawsuits claiming the fire was triggered by heat or sparks from a freight train operating nearby. The suits, which were combined in January 2025, alleged that the Canadian Pacific Kansas City and Canadian National railways should have known it was unsafe to run the train in those conditions.

While such incidents might appear to be the result of reckless behavior, "it's often not that simple," said Josh Tessaro, principal consultant at ServiceNow consultancy Workpact. "When you see one of these news articles that looks like reckless risk-taking, it is almost always due to lack of risk data, process definition and governance."

Figure: A list of common risk management failures. Organizations need to guard against these potential failures in their risk management efforts.

2. Immature risk management processes

Just launching an ERM program isn't enough. Enterprises that don't invest in developing a detailed risk management plan leave the success of their initiatives to chance, said Donald Farmer, principal at advisory services firm TreeHive Strategy. A formal plan creates a framework for identifying, evaluating, prioritizing and responding to business risks. Without one that's endorsed by senior management, the risk management process in an organization is unlikely to be comprehensive or fully effective.

A plan should also document the following things:

Putting all those elements in place and ensuring that they're implemented as planned helps boost ERM maturity levels, which should reduce risk-related problems in business operations.

3. Not creating a strong risk culture

Alla Valente, a principal analyst at Forrester Research, said corporate culture can be an issue when companies fail to effectively mitigate risks, often resulting in negative business consequences.

For example, Wells Fargo's executives turned a blind eye to warning signs of the bank's predatory lending practices, systematic loan servicing issues and improper banking practices for more than a decade. Doing so "was a strategic decision," Valente said. "It could have been fixed, but fixing culture is never easy." That was a costly failure in managing risk: In 2022, Wells Fargo agreed to pay $2 billion to affected customers and a $1.7 billion federal fine.

To avoid such problems, risk and business leaders must work to build a strong risk culture that permeates all levels of an organization. In addition to developing a risk management plan that incorporates a training program for all employees, other culture-building steps to take include integrating risk management practices into business operations and rewarding employee behavior that aligns with risk policies.

4. Inadequate oversight of risk initiatives

Risk management failures can also occur when senior executives and the board of directors don't prioritize ERM programs and give them the attention required to ensure that they succeed.

Silicon Valley Bank's collapse in 2023 illustrates this point. According to a report by the inspector general for the Federal Reserve System's Board of Governors, the bank's board and senior management "failed to appreciate the significance of the multiple layers of risks" it faced. Those risks included a narrow customer base and large amounts of uninsured deposits and investments in long-term securities.

Instead of ensuring that internal controls were implemented to mitigate the risks, the report said, bank management emphasized business growth -- a strategy that proved disastrous when rising interest rates sparked a run on the bank by its depositors. A possible contributor to the lack of management attention to the increasing risks: The bank's chief risk officer position was vacant for most of 2022.

5. Lack of transparency about business risks

Withheld data, siloed data or a lack of data related to risks within organizations can create transparency issues and result in unforeseen consequences. "Many processes and systems were not designed with risk in mind and are often disconnected across the enterprise and owned by different leaders," Tessaro said. "Risk managers often then settle for the data they have that is easily accessible, ignoring critical processes because the data is hard to get."

A transparent risk management approach requires a consistent company-wide strategy that's supported by senior management and other business leaders. The strategy should encompass the various interests, objectives and critical risk concerns of all departments. It should also do the following:

  • Clearly define the risk management program's purpose and goals.
  • Encourage risk awareness across the enterprise.
  • Institute a common risk language.

A centralized system of record for risk profiles and risk-related events should also be established to collect, manage and report on key risk data. Many organizations create a risk register that lists different risks and their probability, potential business impact and priority level based on internal risk assessments, along with risk owners, response plans and other information.
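The risk register described above is, in practice, a small data model plus two rules: a consistent way to score and rank risks, and a check that every entry carries the fields a reviewer needs. The following Python is an added example for this article, not code from any of the organizations or analysts it quotes. The 1-5 likelihood and impact scales, the priority thresholds and the sample entries are all assumptions constructed for illustration, not a published standard; most organizations will have their own scoring convention.

```python
"""Minimal risk register: one system of record that scores, ranks and audits
risk entries. Added example; the 1-5 scales, priority thresholds and sample
data are assumptions for illustration, not a standard or real company data."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Hypothetical ordinal scales (assumption): label -> 1..5
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: str                   # key of LIKELIHOOD
    impact: str                       # key of IMPACT
    category: str = "operational"
    owner: str | None = None          # accountable person or team
    response_plan: str | None = None  # avoid / mitigate / transfer / accept, and how


def score(risk: Risk) -> int:
    """Inherent score = likelihood x impact, 1..25 on the assumed scales."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def priority(risk: Risk) -> str:
    """Map the 1..25 score onto priority tiers (thresholds are assumptions)."""
    s = score(risk)
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def gaps(risk: Risk) -> list[str]:
    """Transparency gaps: mandatory fields the register does not yet hold."""
    missing = []
    if not risk.owner:
        missing.append("owner")
    if not risk.response_plan:
        missing.append("response_plan")
    return missing


def validate(register: list[Risk]) -> list[str]:
    """Reject records that would corrupt reporting: duplicate IDs, unknown labels."""
    errors = []
    for rid, n in Counter(r.risk_id for r in register).items():
        if n > 1:
            errors.append(f"{rid}: duplicate risk_id ({n} entries)")
    for r in register:
        if r.likelihood not in LIKELIHOOD:
            errors.append(f"{r.risk_id}: unknown likelihood {r.likelihood!r}")
        if r.impact not in IMPACT:
            errors.append(f"{r.risk_id}: unknown impact {r.impact!r}")
    return errors


def report(register: list[Risk]) -> list[dict]:
    """Rank by score (ties broken by ID) and attach priority and gaps to each entry."""
    ranked = sorted(register, key=lambda r: (-score(r), r.risk_id))
    return [
        {"id": r.risk_id, "title": r.title, "category": r.category,
         "score": score(r), "priority": priority(r), "gaps": gaps(r)}
        for r in ranked
    ]


def exposure_by_category(register: list[Risk]) -> dict[str, int]:
    """Sum of scores per category, so leadership sees where exposure concentrates."""
    totals: dict[str, int] = {}
    for r in register:
        totals[r.category] = totals.get(r.category, 0) + score(r)
    return totals


# Constructed sample register (not real data), loosely modeled on the cases above.
SAMPLE_REGISTER = [
    Risk("R-001", "Single-source supplier for controller chips", "likely", "major",
         "supply_chain", owner="Procurement", response_plan="Qualify second supplier by Q4"),
    Risk("R-002", "Payment system lacks maker-checker control on large wires", "possible",
         "severe", "financial"),  # no owner, no plan: the gap a reviewer must see
    Risk("R-003", "Vendor contracts not reviewed against current cyber requirements",
         "likely", "minor", "third_party", owner="Legal"),
    Risk("R-004", "Office printer outage", "unlikely", "negligible", "operational",
         owner="Facilities", response_plan="Accept; use backup device"),
]

if __name__ == "__main__":
    assert not validate(SAMPLE_REGISTER)
    for row in report(SAMPLE_REGISTER):
        flag = f"  MISSING: {', '.join(row['gaps'])}" if row["gaps"] else ""
        print(f"{row['id']} {row['priority']:<8} score={row['score']:>2} {row['title']}{flag}")
    print(exposure_by_category(SAMPLE_REGISTER))
```

Two design points matter more than the arithmetic. First, `validate` runs before anything is reported: a duplicate ID or a free-text severity label silently distorts every roll-up that follows, which is exactly the "settle for the data they have" failure Tessaro describes. Second, `gaps` surfaces entries with no owner or no response plan as first-class output rather than leaving the blank cells to be noticed; R-002 is the highest-consequence item in the sample and also the one nobody is accountable for, which is the combination a board report should make impossible to miss.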

6. Overemphasis on business efficiency vs. resilience

Efficiency and resilience sit at opposite ends of the business spectrum, Matlock said. If they aren't balanced properly, he added, risk management efforts can go awry.

Increased operational efficiency can lead to higher profits when things go well. For example, the auto industry realized significant savings by creating a supply chain of thousands of third-party suppliers spread across multiple tiers. But early in the COVID-19 pandemic, there were massive disruptions in supply chains, including a semiconductor shortage. The bottom lines of automakers suffered when chip suppliers took advantage of the higher margins they could get from customers in the consumer electronics industry, leaving the auto companies short on supplies of needed components.

Business resilience and continuity planning should be a key aspect of risk management programs to help avoid or mitigate such situations.

Figure: Quotes from consultants on corporate failures to manage risks. Experts discuss risk management failures.

7. Insufficient monitoring of supply chains

The supply chain disruptions caused first by the pandemic and then by ongoing wars and the Trump administration's back-and-forth tariff policy highlight the need for effective supply chain risk management. So do high-profile cybersecurity incidents, such as the 2020 SolarWinds compromise, in which attackers inserted a backdoor into the vendor's signed Orion software updates so that customers installing a routine update were compromised too.

Contracts with suppliers need to address protection of sensitive data, cyber insurance requirements, data destruction practices and other cyber-risk issues, said Mark O'Hara, a managing director at consultancy AArete. Other types of supply chain risks to consider include economic, environmental and geopolitical ones. But O'Hara said many organizations don't regularly review existing agreements or consistently communicate new requirements, resulting in noncompliant contracts and potential risk management problems.

Organizations also need to focus more broadly on third-party risk management, an umbrella category that encompasses both supply chain risks and those related to dealings with IT vendors and other companies selling finished goods to an enterprise. Even more broadly, ERM initiatives should address fourth-party risk management to protect against risks at the suppliers and vendors that third parties use.

8. Failure to recognize and manage AI risks

Enterprises are increasingly adopting AI technology for business applications, including the use of AI in risk management programs. However, organizations can run into problems if they don't effectively manage AI-related business risks. There are a variety of such risks to consider, starting with the problems that can occur if AI tools aren't properly trained and monitored.

High-profile examples of the latter include Microsoft's Tay chatbot, which quickly began spouting racist, misogynistic and antisemitic comments after being publicly released in 2016, and xAI's Grok bot, which similarly praised Adolf Hitler and made other offensive statements following a July 2025 update. After being released in 2024, Google's AI Overviews search feature told users they could add nontoxic glue to pizza sauce and "should eat at least one small rock per day," among other nonsensical recommendations.

The following are other examples of potential AI risks:

  • Bias in AI algorithms, from either training data or coding, that leads to faulty results.
  • Erroneous results, such as the AI hallucinations most commonly associated with large language models.
  • Unethical or illegal use of AI tools that evades internal risk controls.
  • Possible legal liabilities and regulatory compliance issues resulting from AI usage.
  • Reputational risk caused by inappropriate use of the technology.
  • Heightened cybersecurity threats as attackers increasingly use AI themselves.

9. Overconfidence in risk management capabilities

Misjudging the effectiveness of risk management processes can lead to big problems, especially when a business faces an unexpected crisis. This problem extends beyond overconfidence on the part of risk managers and corporate executives involved in overseeing ERM initiatives: Business managers and operational workers might have an exaggerated sense of their ability to handle risks. A common example is financial traders pursuing risky trading strategies that don't comply with risk management policies.

The potential for misplaced confidence in internal controls is another reason why risk and business leaders should regularly review risk management programs.

Editor's note: This article was updated in July 2025 for timeliness and to add more information.

George Lawton is a journalist based in London. Over the last 30 years, he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.

Craig Stedman is an industry editor at Informa TechTarget who creates in-depth packages of content on analytics, data management and other technology areas.
