The Excel Spreadsheet That No One Reads
In most organizations, risk management exists in one of two forms: as an Excel spreadsheet that is updated once a year and then forgotten, or as a compliance department that works so thoroughly that innovation practically grinds to a halt. Both are dangerous, just in different ways.
Good risk management does not mean avoiding all risks. It means consciously taking the right risks and consistently eliminating the wrong ones.
A manager I advised described his dilemma as follows: “Our risk management has two speeds: Either the compliance department blocks everything, or the operational areas completely ignore them and do what they want.” In practice, this meant that strategically important projects were stuck in approval loops for months, while operational risks in other areas escalated unnoticed until they landed on his desk as a crisis.
The pattern is widespread: organizations invest effort in the formal documentation of risks and neglect the leadership question behind it. Which risks are acceptable? Which are not? And who decides? If these questions remain unanswered, a vacuum is created that is filled either by excessive caution or by uncontrolled risk-taking. Three levers help find the balance.
Lever 1: Differentiate Risks Instead of Treating Them Equally
Nassim Nicholas Taleb, author and risk analyst, distinguishes three categories: fragile systems that collapse under pressure, robust systems that withstand pressure, and antifragile systems that grow stronger under pressure. Most organizations strive for robustness, the ability to endure shocks. But truly successful organizations learn to emerge stronger from risks and setbacks.
The prerequisite for this is differentiation. Not every risk deserves the same level of attention. In practice, a simple distinction proves effective.

Existential risks that could jeopardize the company’s substance require maximum control and avoidance. Examples are data protection violations in regulated industries, security risks in critical infrastructures, and life-threatening financial exposures. Here, governance is not a brake, but a condition for survival.

Strategic risks associated with deliberate investment or market decisions do not need to be avoided, but rather understood and managed. Every strategic decision is a calculated risk. The question is not whether risk exists, but whether it is in the right proportion to the expected benefit.

Operational risks arising in day-to-day business require robust processes and clear responsibilities, not committee decisions.
| Risk Type | Correct Response | Common Mistake |
|---|---|---|
| Existential | Avoid, maximum control | Documented in the Excel spreadsheet, but not operationally managed |
| Strategic | Consciously take, actively manage | Talked to death by committees until the opportunity is gone |
| Operational | Harden processes, clarify responsibility | Ignored until it becomes a crisis |
A division head whom I supported in redesigning her risk management started with a simple sorting: Which of our documented risks are actually existential, which are strategic, and which are operational? The realization: Over eighty percent of the documented risks were operational and could have been managed through better processes and clearer responsibilities, without a committee and without a monthly report. The remaining twenty percent deserved the full attention of management.
Those who master this differentiation can make targeted asymmetric investments in strategic risks: small, controlled experiments where the potential loss is strictly limited, but the potential learning or market gain is significant. Organizations that never take small risks unlearn how to deal with uncertainty and break down at the first major shock. This is exactly what Taleb means by antifragility: not the absence of risk, but the ability to grow stronger through calculated stress.
Lever 2: Factor in the Risk of Inaction
Most risk assessments have a systematic blind spot: they only evaluate the risks of action. What happens if we start this project? What can go wrong if we enter this market? What are the compliance risks of this new technology?
What is missing is the counter-question: What happens if we don’t? The risk of inaction is not in any risk matrix. But it is often the greater risk. The competitor who introduces the technology while you are still reviewing. The market that shifts while you wait. The talent that leaves because the organization is too slow. In regulated industries like the energy sector, this balance is particularly challenging: regulation demands caution, the market demands speed. Serving both simultaneously is the real leadership achievement.
For every risk assessment, demand an explicit evaluation of the risk of omission. “What does every week cost us in which we do not decide?” is a question that exposes risk aversion for what it often is: not caution, but a culture of hedging.
Lever 3: Risk Culture Instead of Risk Process
Risk management that exists only in processes and documents is ineffective. What matters is the risk culture: How does the organization actually deal with uncertainty?
In a healthy risk culture, risks are openly addressed, even upwards. The bearer of bad news is heard, not punished. Mistakes in calculated risks are treated as learning experiences, not career-enders. And leadership exemplifies what it expects: it talks about its own misjudgments, admits when a risk assessment was wrong, and shows that uncertainty is not a sign of weakness. As I regularly experience in my consulting practice: The quality of an organization’s risk management can be most reliably gauged by how quickly bad news reaches the executive level. One of the most important tasks of a manager is to actively seek out bad news. If your dashboard consistently shows only green lights, you don’t have good risk management, but a team that has learned what you want to hear.
In a toxic risk culture, the opposite happens: risks are concealed because naming them is seen as a weakness. Problems are sugarcoated until they can no longer be hidden. And the organization optimizes not for good decisions, but for hedging. You know the result: the crisis that “no one saw coming,” even though the signals had been visible for months.
Build early warning systems based on people, not just metrics. Define clear escalation paths and remove the stigma from escalation. Create spaces where operational teams can name risks without fear of consequences. And regularly check: Does bad news reach you in time, or only when it’s too late?
Reality Check
First: Do you know the three biggest risks in your area, not the documented ones, but the actual ones? If your answer matches the risk Excel, that’s a good sign. If not, you’re trusting the wrong instrument.
Second: When was the last time you consciously took a risk because the expected benefit justified the risk? If the answer is “I can’t remember,” your organization may not be cautious, but paralyzed.
Third: How quickly does bad news reach your desk? This week, ask an employee if there’s an operational risk they haven’t reported to you yet. The answer will tell you more about your risk culture than any audit report.
The Uncomfortable Truth
The greatest damage in organizations does not come from risks that were taken and went wrong. It comes from risks that were not seen because no one wanted to look, and from opportunities that were not seized because the fear of making a mistake was greater than the courage to decide.
Risk management is not a task for compliance departments. It is a leadership attitude. And this attitude is not reflected in the quality of your risk matrix, but in the question: Do your employees dare to tell you the truth?
Further Insights
Decisions Under Uncertainty – Why seventy percent certainty is almost always enough and why perfection kills decision-making.
Leading in a Crisis – When the risk has materialized: How to set the course in the first hours.