By Salihah Budall, MSc., CFS, CRMP, CSSYB
A warehouse catches fire. The company activates its emergency response plan. The fire department is called, employees are evacuated, insurance claims are filed, and within weeks, a new warehouse is sourced. The board commends the team for their swift response. The incident is logged, the file is closed, and the organisation moves on.
But nobody asks why combustible materials were stored next to an aging electrical panel. Nobody reviews whether the fire suppression system had been inspected in the last three years. Nobody examines whether the warehouse had been flagged as a risk in any prior assessment, or whether such an assessment ever took place at all.
This is how most organisations operate. They manage symptoms. They respond to what has already gone wrong with competence and urgency, and they mistake that competence for risk management. It is not.
"Incident response is not risk management. One is a reflex. The other is a discipline. Organisations that confuse the two will always be surprised by what happens next."
Salihah Budall, MSc., CFS, CRMP, CSSYB
The Reactive Trap
The reactive trap is seductive because it feels productive. When something goes wrong, people mobilise. There are meetings, task forces, action items, and reports. Leadership is visible. Decisions are made. From the outside, it looks like the organisation is managing risk. But what it is actually doing is managing consequences.
The distinction matters enormously. Consequence management is about containment. Risk management is about anticipation. One asks "what do we do now that this has happened?" The other asks "what could happen, how likely is it, and what are we doing about it before it does?"
Organisations that live in reactive mode tend to exhibit a common set of patterns:
- They have no formal risk register, or they have one that has not been updated in over a year
- Risk discussions only happen after an incident, never before
- There is no defined risk appetite, so every decision is made ad hoc
- The concept of risk is siloed within compliance, finance, or operations rather than embedded across the organisation
- Leadership equates insurance coverage with risk mitigation
These organisations are not failing because they lack intelligence or competence. They are failing because they have never been shown what a structured approach to risk actually looks like, or why it matters more than the crisis response they have perfected.
What Risk Management Actually Does
Risk management, when done properly, performs three distinct functions that incident response cannot replicate.
1. Identification Before Materialisation
The first function is systematic identification. This means actively scanning the internal and external environment for threats and opportunities before they materialise into events. It requires structured processes, not intuition. A risk register is the minimum tool, but the discipline behind it (regular review, cross-functional input, and escalation pathways) is what makes it effective.
Most organisations skip this step entirely. They assume that if something important were about to go wrong, someone would notice. This assumption is wrong more often than it is right. The things that cause the most damage are usually the things that were technically knowable but practically invisible because nobody was looking.
2. Assessment and Prioritisation
The second function is assessment. Not every risk deserves the same level of attention. A structured risk management process evaluates each identified risk by its likelihood and potential impact, then prioritises accordingly. This prevents the common failure mode where organisations spend disproportionate resources on low-probability, low-impact risks while ignoring the ones that could genuinely threaten the business.
Assessment also introduces the concept of risk appetite: the explicit statement of how much risk the organisation is willing to accept in pursuit of its objectives. Without this, every risk decision is subjective, inconsistent, and dependent on whoever happens to be in the room.
3. Treatment and Monitoring
The third function is treatment and ongoing monitoring. For each prioritised risk, the organisation decides whether to avoid, reduce, transfer, or accept it, and then implements controls accordingly. But the work does not stop there. Controls degrade. Environments change. New risks emerge. A living risk management process includes scheduled reviews, control effectiveness testing, and feedback loops that keep the system current.
"A risk register that is not reviewed is not a risk register. It is a document. And documents do not protect organisations. Processes do."
Salihah Budall, MSc., CFS, CRMP, CSSYB
The Three Categories Organisations Consistently Miss
Even organisations that have some risk management in place tend to focus narrowly on operational risks, the things that can go wrong in day-to-day activities. While operational risk is important, it is only one dimension. The categories that cause the most significant failures are often the ones that receive the least attention.
Operational Risk
Operational risks are the most visible and therefore the most commonly managed. They include equipment failures, process breakdowns, supply chain disruptions, IT outages, and workplace safety incidents. Most organisations have at least some informal mechanisms for dealing with these, even if they are not framed as risk management.
The danger with operational risk is not that organisations ignore it but that they treat it as the entirety of risk management. An organisation that has robust operational controls but no strategic risk oversight is like a ship with excellent lifeboats but no navigation system.
Strategic Risk
Strategic risks arise from the decisions an organisation makes about its direction, its markets, its products, and its competitive positioning. They include market shifts, competitive disruption, regulatory changes, reputational damage, and failures of governance or leadership.
Strategic risk is harder to manage because it requires engagement from senior leadership, not just operational teams. It also requires a willingness to challenge assumptions, including the assumption that the current strategy is correct. Many organisations avoid strategic risk discussions because they feel politically uncomfortable or because leadership interprets them as criticism.
Emerging Risk
Emerging risks are threats that are not yet fully formed but are developing in ways that could become significant. They include technological disruption, climate-related risks, geopolitical instability, evolving cyber threats, and shifts in regulatory philosophy.
Emerging risks are the hardest to manage because they require organisations to look beyond their immediate environment and consider scenarios that have not yet occurred. Most organisations do not do this at all. Those that do often treat it as an academic exercise rather than an input to decision-making.
The organisations that are best at managing risk are the ones that maintain visibility across all three categories and allocate attention proportionally to where the greatest threats and opportunities lie.
Moving from Reactive to Structured
The shift from reactive to structured risk management does not require a massive transformation programme or an expensive consulting engagement. It requires four things:
- Executive ownership: Risk management must be owned at the leadership level, not delegated to a compliance officer or buried within operations. The board and senior leadership need to define risk appetite, review the risk register regularly, and make resourcing decisions based on risk priorities.
- A living risk register: The risk register is the foundational tool. It must be comprehensive, regularly updated, and reviewed at defined intervals. It should cover operational, strategic, and emerging risks, and each entry should include likelihood, impact, current controls, and assigned ownership.
- Defined risk appetite: The organisation must articulate, in writing, how much risk it is willing to accept across different categories. This statement becomes the decision-making framework for everything from capital allocation to vendor selection to market entry.
- Scheduled review cadence: Risk management is not a project. It is a process. Risks must be reviewed on a defined schedule, quarterly at minimum, with triggers for ad hoc reviews when the environment changes materially.
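A minimal working model of the register these four points describe, added here as an example and not part of the article: the field names, the 1-to-5 likelihood and impact scale, the per-category appetite ceilings and the sample entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed register and thresholds, illustrative only. Likelihood and impact
# are scored 1-5, so score = likelihood * impact (max 25).
REVIEW_INTERVAL = timedelta(days=91)  # quarterly, the article's minimum cadence
APPETITE = {"operational": 9, "strategic": 6, "emerging": 6}  # assumed per-category ceilings

@dataclass
class Risk:
    ref: str
    category: str        # operational / strategic / emerging
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (minor) .. 5 (severe)
    controls: tuple      # current controls; empty means untreated
    owner: str           # assigned ownership; empty means nobody is accountable
    last_reviewed: date
    treatment: str = "reduce"  # avoid / reduce / transfer / accept

    def score(self) -> int:
        return self.likelihood * self.impact

def prioritise(register):
    """Rank entries by likelihood x impact, highest first."""
    return [r.ref for r in sorted(register, key=lambda r: r.score(), reverse=True)]

def over_appetite(register):
    """Entries whose score exceeds the appetite set for their category."""
    return [r.ref for r in register if r.score() > APPETITE[r.category]]

def overdue(register, today):
    """Entries outside the review cadence: an unreviewed register is just a document."""
    return [r.ref for r in register if today - r.last_reviewed > REVIEW_INTERVAL]

def incomplete(register):
    """Entries lacking controls or an owner, fields the article says every entry needs."""
    return [r.ref for r in register if not r.controls or not r.owner]

REGISTER = [  # constructed entries; the first two echo the article's warehouse fire
    Risk("OP-01", "operational", "Combustible stock beside an aging electrical panel",
         4, 5, (), "", date(2023, 1, 10)),
    Risk("OP-02", "operational", "Fire suppression inspection lapsed",
         3, 4, ("annual inspection contract",), "Facilities", date(2024, 3, 1)),
    Risk("ST-01", "strategic", "Core market regulation tightening",
         2, 3, ("regulatory watch",), "COO", date(2024, 5, 20), "accept"),
    Risk("EM-01", "emerging", "Ransomware hitting logistics suppliers",
         2, 5, ("supplier security questionnaire",), "CISO", date(2024, 6, 1), "transfer"),
]
```

Run against an "as of" date, the four functions give leadership the prioritised list, the entries breaching appetite, the entries that have slipped the quarterly review, and the entries nobody owns or controls.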
"The organisations that survive disruption are not the ones with the best crisis response. They are the ones that saw it coming early enough to adapt. That is the difference between managing symptoms and managing risk."
Salihah Budall, MSc., CFS, CRMP, CSSYB
ISO 31000 provides a globally recognised framework for implementing these elements. It is not prescriptive about tools or templates but establishes the principles and structure that any organisation, regardless of size, can use to build a risk management process that actually works.
The question every organisation needs to answer is not whether it can afford to implement structured risk management. It is whether it can afford not to. The next disruption is not a question of if but when. The only variable is whether you will see it coming.
Build Your Risk Management Foundation
Credit Garden helps organisations move from reactive incident response to structured, proactive risk management. Start with your World Credit Score to understand your financial risk profile.