Narratives and risk management for building durable decision rules

Why Narratives Matter More Than Spreadsheets

Risk management loves numbers. Heatmaps, VaR, KRIs, dashboards.
But in practice, what quietly drives decisions are stories:

– “We’re too small to be hacked.”
– “Our people would never do that.”
– “This vendor has always delivered, they’re safe.”

These are narratives. They sit under the surface and override formal policies, even in a sophisticated enterprise risk management framework. If you don’t work with these narratives consciously, they will silently rewrite your “rules” in real time.

This guide is about turning vague risk stories into durable rules that actually hold up when things get messy — and doing it in a practical, step‑by‑step way.

Step 1. Surface the Hidden Narratives

1.1. Listen for phrases, not policies

Narratives rarely appear in policy documents. They appear in hallway comments and quick justifications.

Pay attention when people say things like:

– “Realistically, the biggest risk is X.”
– “In our line of business, you *have* to accept this risk.”
– “Legal can fix it later.”

These are informal risk policies, often stronger than anything written in a procedure.

Tip for beginners:
During interviews or workshops, stop asking only “What are the risks?” and start asking “What do people *believe* about risk here?” You’re not just mapping threats; you’re mapping local folklore.

1.2. Extract the core storyline

Behind every recurring phrase there is a core storyline. For example:

– “Regulators like us” → *We can take compliance shortcuts; we won’t be punished.*
– “We’re a tech company, we move fast” → *Speed beats control; governance is optional.*
– “Our senior traders know what they’re doing” → *Oversight is redundant; experience equals safety.*

Write these narratives down in clear, neutral language. Treat them as hypotheses, not facts.

Common mistake:
New risk managers jump straight to controls without naming the underlying story. As a result, staff game the control, because the *actual* narrative never changed.

Step 2. Check Narratives Against Reality

2.1. Turn stories into testable claims

A narrative isn’t useful until it can be tested. Rephrase it into something measurable:

– “We’re too small to be hacked” →
“We are below the targeting threshold for common cyber‑attacks, as evidenced by incident logs for the last 24 months.”

Now you can verify this against data, threat intel, and incident reports. Spoiler: it’s usually wrong or at least incomplete.

2.2. Use the enterprise risk management framework as a stress test

If you already have an enterprise risk management framework, use it not as a reporting tool, but as a *reality filter* for narratives:

– Map each key narrative to specific risk categories (strategic, operational, financial, compliance).
– Ask: “If this narrative is wrong, what events show up in our risk register? What scenarios get under‑estimated?”
– Check whether any narrative directly contradicts your stated risk appetite or tolerance.

When narrative and framework conflict, narrative usually wins in daily behavior. That’s where your work begins.

Warning:
Do not quietly “tweak” impact/likelihood ratings just to make the narrative look correct. That is risk theatre, not risk management.

Step 3. Convert Narratives into Explicit Rules

3.1. From vague belief to actionable principle

Take a vague narrative and translate it into a crisp rule structure:

Example narrative:
“We can bend onboarding rules for strategic clients.”

Durable rule candidate:
“Any exception to client onboarding requirements must be:
1) documented with business justification,
2) signed off at director level, and
3) logged for quarterly review by Compliance.”

Notice: the story (“strategic clients deserve flexibility”) isn’t censored; it’s contained by guardrails.

3.2. Use clear decision conditions

Durable rules are not slogans. They answer:

– *When* does this apply?
– *Who* can decide?
– *What* must be documented?
– *Which* metrics will signal that the rule is failing?

Phrase your rule so a new hire could apply it on day one without calling you.

Tip for beginners:
If a rule can be interpreted in three different ways by three different managers, it’s not a rule — it’s an opinion in formal clothing. Rewrite until it’s “boring clear.”

Step 4. Embed Rules into Tools, Not Just Documents

4.1. Let software enforce the narrative, not just store it

Policy PDFs don’t protect you; execution does. This is where governance, risk and compliance software becomes more than a box‑ticking tool.

Think in terms of:

– Workflow gates (you cannot proceed without required approvals).
– Mandatory fields (you cannot close a risk without specifying owner and due date).
– Automated alerts (exception volumes or threshold breaches trigger reviews).

The aim is simple: the path of least resistance should be the compliant and safe path, not the risky shortcut.
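
As an added illustration (not code from any particular product), the sketch below encodes the onboarding‑exception rule from Step 3.1 as a workflow gate with mandatory fields and a volume alert. The role ranking, the alert threshold, the field names and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed role ranking and alert threshold; the page specifies neither.
ROLE_RANK = {"manager": 1, "director": 2, "vp": 3}
MIN_APPROVER = "director"        # Step 3.1: sign-off at director level
QUARTERLY_ALERT_THRESHOLD = 2    # constructed value

@dataclass
class ExceptionRequest:
    client: str
    justification: str = ""
    approver_role: Optional[str] = None
    logged_for_compliance: bool = False

def gate(req: ExceptionRequest) -> list:
    """Workflow gate: list unmet requirements; an empty list means proceed."""
    missing = []
    if not req.justification.strip():          # mandatory field, blanks rejected
        missing.append("business justification")
    if ROLE_RANK.get(req.approver_role or "", 0) < ROLE_RANK[MIN_APPROVER]:
        missing.append("director-level sign-off")
    if not req.logged_for_compliance:
        missing.append("entry in quarterly Compliance review log")
    return missing

def process(requests, threshold=QUARTERLY_ALERT_THRESHOLD):
    """Apply the gate to a quarter's requests; flag high exception volume."""
    approved, blocked = [], {}
    for req in requests:
        missing = gate(req)
        if missing:
            blocked[req.client] = missing      # record why it was blocked
        else:
            approved.append(req.client)
    return {"approved": approved, "blocked": blocked,
            "review_triggered": len(approved) > threshold}

# Constructed sample requests for one quarter.
SAMPLE = [
    ExceptionRequest("Client A", "Strategic account, documents in transit", "director", True),
    ExceptionRequest("Client B", "   ", "director", True),
    ExceptionRequest("Client C", "Renewal deadline", "manager", True),
    ExceptionRequest("Client D", "Regional expansion", "vp", True),
    ExceptionRequest("Client E", "Board referral", "director", True),
]

if __name__ == "__main__":
    print(process(SAMPLE))
```

The gate returns the specific unmet requirement instead of a bare refusal, so the requester knows what the compliant path is, and the approved count feeds the alert that triggers a review.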

4.2. Align operational risk management solutions with real behavior

A lot of operational risk management solutions are configured around idealized processes, not how work *actually* happens. That breaks the connection between rules and reality.

When configuring tools:

– Start with real process maps and observed behaviors, not vendor templates.
– Build controls at the “points of decision” where narratives usually override caution (discount approvals, access rights, overtime, launch go/no‑go).
– Ensure exceptions are easy to log but hard to hide.

Common mistake:
Organizations buy sophisticated governance tools, then configure them as filing cabinets. If the system only stores risk registers but doesn’t shape decisions in real time, your rules are decorative.

Step 5. Build Rules That Survive Pressure

5.1. Test rules against stress scenarios

A rule that works on calm days but breaks during a crisis is not durable. You need to stress‑test:

– Time pressure: “What happens to this rule when a deal must close today?”
– Political pressure: “What if a senior executive pushes for an exception?”
– Resource pressure: “What if the owner is on leave and no one wants accountability?”

Run tabletop exercises: walk through realistic scenarios and see where people *want* to bypass the rule. That’s where you redesign.

5.2. Define pre‑agreed escape hatches

Good rules include controlled ways to bend them. That keeps the narrative aligned even when flexibility is needed.

For example:

– Clear escalation paths for urgent exceptions.
– Temporary waivers with expiry dates and compensating controls.
– Documentation of who made the call and why.

You’re not trying to eliminate discretion. You’re trying to make discretion observable and auditable.

Tip for beginners:
A rule that says “No exceptions” will either be ignored or rewritten in secret. A rule that says “Exceptions are possible, but here is the cost and process” has a chance to survive reality.

Step 6. Connect Narratives to Formal Risk Services and Processes

6.1. Make consulting and assessments narrative‑aware

If your organization uses risk management consulting services or corporate risk assessment services, push them beyond generic matrices.

Ask your providers to:

– Identify dominant narratives in each business unit (“growth at all costs”, “regulator is friendly”, “data is internal only”).
– Show how these narratives distort perception of likelihood and impact.
– Propose control changes that explicitly address narrative, not only process gaps.

Otherwise, you get neat reports that never touch the cultural drivers of risk decisions.

6.2. Align advisory outputs with your internal rules

Consultants often deliver recommendations that read like “best practice,” but don’t fit your existing rule set or tooling. You end up with parallel universes: the slide deck model vs. the lived model.

To avoid this:

– Translate each external recommendation into a plain statement: “This changes narrative X into narrative Y.”
– Decide deliberately whether you accept that narrative change.
– If yes, encode it into your policies, systems, and training — not just into a “management response” section.

Warning:
Never implement a new control that contradicts an entrenched narrative without addressing the story itself. People will smile, sign, and then bypass it.

Step 7. Maintain and Evolve Narratives Over Time

7.1. Monitor for narrative drift

Narratives are dynamic. Market shocks, leadership changes, or a major incident can flip the dominant story overnight.

Watch for:

– Sudden spikes in “risk‑averse” language after public failures.
– New heroic stories (“Remember how we saved the quarter by ignoring the model?”).
– Shifts in which metrics get attention in exec meetings.

Integrate this into your continuous monitoring, not as “soft stuff,” but as leading indicators of future risk behavior.

7.2. Use metrics that tie back to stories

Durable rules live or die by feedback loops. Example metrics:

– Ratio of approved vs. rejected exceptions in key processes.
– Time to close high‑priority risk actions, segmented by business unit.
– Volume of “workarounds” detected in system logs or audits.

Discuss these not only as numbers, but as story prompts:
“What narrative is driving this pattern? What do people think is ‘okay’ here?”

Tip for beginners:
In regular reviews, add one standing question: “Which unwritten rule did we see in action this quarter?” This simple habit keeps narrative visible.

Step 8. Practical Checklist for Building Durable Rules

8.1. Step‑by‑step implementation

Use this lightweight progression when you enter a new team or project:

1. Listen
– Collect the recurring phrases people use about risk, compliance, speed, and customers.

2. Name the narrative
– Translate those phrases into one‑sentence “unwritten policies.”

3. Test with data
– Compare each narrative with incident logs, audit findings, and key metrics.

4. Design the rule
– Specify conditions, decision rights, documentation, and enforcement points.

5. Embed in tools
– Configure governance, risk and compliance software and operational risk management solutions to make the rule the default behavior.

6. Stress‑test
– Run simple scenario exercises. Look for places where humans want to bypass the rule.

7. Monitor and adjust
– Track leading indicators and revisit narratives in quarterly risk reviews.

8.2. Red flags to watch

– People can recite policy but describe reality with a completely different story.
– Risk registers are updated, but no one can explain how that changes decisions.
– Exceptions are frequent, undocumented, and considered “just how we work.”
– Tools are used as reporting dashboards only, not as decision‑shaping systems.

Where you see these, you don’t have durable rules — you have fragile paperwork.

Closing Thoughts

Narratives are not the enemy of risk management; they are its operating system.

Spreadsheets, frameworks, and tools give you structure. But the stories people believe determine whether that structure is followed, bent, or ignored. When you consciously map those stories, test them against reality, and translate them into clear, enforced rules, you stop playing compliance theatre and start managing actual behavior.

Durable rules are simply this:
explicit agreements that can survive pressure because they respect how humans think, decide, and tell stories.