The most common model for managing risk is what's known as the Ostrich Approach. This appears to work reasonably well in many situations, and is based on 3 concepts fortuitously working together:
I wrote recently about how only 1% of companies had some form of strategic plan that they actively followed - and there were consequences to that; a similar situation exists for managing risk. I also recently wrote about using PESTLE for identifying opportunities and threats to the business; those threats could constitute external risk. Most companies could perhaps improve their risk management activity.
Often when people think of risk management, and certainly if you do a web search, financial risk and governance seem to dominate. But risk could affect any and every part of a business. Some of it we can leave to our ingenuity to deal with, especially if the probability of the risk occurring is low and the potential impact not too severe. But other types of risk may need a little more careful ongoing observation, some preliminary planning, or in some cases, detailed preparation. Firefighting is very draining and disruptive to business and a cause of considerable inefficiency. And there is a limit to the size of fire you can deal with without severe damage to business viability.
Risk management is all about dealing with uncertainties about the future; at some point, those uncertainties may put something at risk. And so, it aims to identify, evaluate, and mitigate potential threats to a business. It prepares the organisation to handle uncertainties effectively, maintaining continuity while safeguarding what is important or crucial to the business.
It doesn't require a complex system, or a dedicated department. In fact, it doesn't need to be difficult or complicated at all, and actually works best when kept simple. Ideally, it involves having a little more information to bring extra richness to your existing decision making process.
Effective risk management considers all aspects of the business: finance, operations, compliance, reputation / brand, and overall business strategy. It creates a safety net that supports decision-making and long-term planning. Risk management works best, and requires the least effort, when it is integrated into the fabric of the company - when it is part of the culture where all employees are on the lookout for potential issues; forewarned is forearmed. Similar to thinking strategically, a strong risk-aware culture enables a company to be less reactive and so more proactive and agile. Great for brand perception.
Here are 4 big potential impacts:
There are a few key reasons why companies don't give risk management more prominence:
Many companies are understandably so focused on day-to-day operations that risk management feels like a luxury or an afterthought. Some companies may feel they lack the internal expertise to identify and assess risks comprehensively. Risk management can be seen as an expense without immediate returns rather than as an investment in resilience. And the ostrich approach seems to work just fine, and firefighting is 'just part of the job' with an overhead to be borne. Individuals do manage risks, often informally. However, this often leads to yet another silo effect, and no coherent strategy, reducing overall potential effectiveness and increasing vulnerability.
Risk management doesn't have to be an 'all or nothing' type of activity. You can make a big difference by just asking a few more questions about the potential impact of events occurring in and external to the company, being constantly aware of what is most at risk (i.e. what is most important to the company), and including those considerations in existing management discussions.
Without getting into any specific risk methodology, you can think of risk comprising 2 parts:
'What' - aka a 'risk event' - this is the thing that could create problems for you (the spark that could set off a fire). Fixing this, or reducing the probability of this, could save you a lot of time and expense solving the actual resulting .....
'So What' - aka an 'issue (to be resolved)'. This is the fire that needs to be fought. Often, So What issues have knock-on effects (subsequent So Whats), each potentially getting more damaging, costly, and difficult to respond to. And so, if the What does occur, and there is an impact and a potential issue to resolve, dealing with that as quickly as possible can be very helpful.
Here are some examples:
You can start with a What and work forwards to one or more So Whats, or start at a So What and work back to one or more Whats that could cause the issue.
Among the So Whats are usually the things that are of greatest value to you - keep an eye out for those.
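The What / So What model above is a cause-and-effect chain, and the forward and backward walks it describes are straightforward to write down. The following is an added example (not from the original post): a small, constructed risk register for a fictional company, with one function that starts from a What and lists every So What it could set off (with how many knock-on steps away each one is), and another that starts from a So What and works back to the root Whats that could cause it. The register entries and the company situation are invented for illustration.

```python
from collections import deque

# Constructed sample risk register (illustration only, not from the post).
# Each key is a What (risk event) or an intermediate So What; each value lists
# the knock-on So Whats it can trigger if it happens.
KNOCK_ONS = {
    "unpatched internet-facing server": ["server compromised"],
    "staff member opens phishing email": ["credentials stolen"],
    "credentials stolen": ["server compromised"],
    "server compromised": ["customer data exposed", "service outage"],
    "customer data exposed": ["regulatory fine", "loss of customer trust"],
    "service outage": ["loss of customer trust"],
    "key supplier fails": ["service outage"],
}


def _caused_by(graph):
    """Build the reverse view of the register: issue -> list of things that cause it."""
    rev = {}
    for cause, effects in graph.items():
        for effect in effects:
            rev.setdefault(effect, []).append(cause)
    return rev


def so_whats(what, graph=KNOCK_ONS):
    """Forward walk: every So What that could follow from a What.

    Returns {issue: steps}, where steps is the shortest chain length from the
    starting event. Higher step counts are the later knock-on effects, which
    the post notes tend to be the more damaging and costly ones.
    """
    steps = {}
    queue = deque([(what, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in steps:          # record only the shortest route
                steps[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return steps


def whats_for(so_what, graph=KNOCK_ONS):
    """Backward walk: the root Whats (events with no recorded cause of their
    own) that could eventually produce the given So What."""
    rev = _caused_by(graph)
    roots, seen, stack = set(), {so_what}, [so_what]
    while stack:
        node = stack.pop()
        causes = rev.get(node, [])
        if not causes:
            roots.add(node)               # nothing precedes it: a root What
            continue
        for cause in causes:
            if cause not in seen:
                seen.add(cause)
                stack.append(cause)
    return sorted(roots)


if __name__ == "__main__":
    for issue, steps in sorted(so_whats("unpatched internet-facing server").items(),
                               key=lambda kv: kv[1]):
        print(f"{steps} step(s) away: {issue}")
    print("root causes of 'loss of customer trust':",
          whats_for("loss of customer trust"))
```

Reading the two walks together is where the value lies: the forward walk shows which single spark fans out into several fires, and the backward walk from the issue you most want to avoid (the thing of greatest value to you) shows how many different Whats lead there, which is a reasonable way to decide where a little preliminary planning buys the most.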
The reality is that many businesses, particularly smaller ones, already engage in some form of risk management, even if it’s informal or reactive. The key is to elevate those efforts into a slightly (or much) more structured and proactive approach. Risk management isn’t about eliminating all uncertainty—it’s about equipping your business to face the future with confidence, adaptability, and resilience. And the good news is, even modest efforts to identify and address risks can bring clarity, cohesion, and preparedness to your organisation.
As Peter Drucker famously said, “The greatest danger in times of turbulence is not the turbulence—it is to act with yesterday’s logic.” Risk management is about looking forward, not backward, staying agile, and ensuring that your business can adapt and thrive no matter what comes next. Make being part of the small percentage of companies that actively manage risk a priority—you’ll thank yourself when the unexpected arises.
You know where I am if you want to explore further
Graham