Post by Fritzi Thornton

Recently, I've found myself asking myself the same questions about risk-based approaches. Mauritius officially adopted a risk-based approach in 2019, publishing its first country risk assessment report. Since then, we've built frameworks, methodologies, heatmaps, and scoring models. But the question remains: Are we there? In my collaborations with various reporting entities and within our company, I've seen tangible progress. But I've also seen other issues—some more subtle ones. While we're talking about risk, our practices often still reflect a rules-based mindset. Risk assessments are completed. Scores are assigned. Templates are filled out. But when we delve deeper, the thinking behind these results isn't always clear, documented, or consistently applied. The following situations often occur: • Scoring takes precedence over reasoning • The line between inherent risk and residual risk is blurred • Conclusions lack sufficient written support • Data is used, but not always critically evaluated This raises an important question: Are we applying risk-based methods or risk-based rules? Because true risk-based assessment (RBA) is not about producing outputs. It aims to: • Understand the risk • Clarify that understanding • Clearly demonstrate how the conclusions were reached Mature risk-based assessment cannot be reduced to a template. It requires judgment. More importantly, it requires providing evidence of that judgment. As we move towards the next mutual assessment, what we need to shift may not be technical, but behavioral. From: - Completing the assessment To: Thinking deeply about risk and demonstrating that thinking Therefore, perhaps a better question is not: “Have we reached our goal?” But rather: “Have we truly made the shift?”