Knowing the Risk Isn’t Enough: Why Risk Response Matters

by Nomaan Mirza | Jun 14, 2026 | General

Welcome back! In my last post (here's the link: https://riskvision.org/2025/03/02/why-ignoring-risks-can-blow-up-in-your-face/), we talked about Risk Identification—the process of figuring out what could go wrong before it actually does. Think of it like spotting smoke in your kitchen before your house turns into a barbecue pit.

But here’s the problem: identifying a risk and doing nothing about it isn’t much help either. That brings us to the second step of risk management: Risk Response.


What Is Risk Response?

Risk Response is deciding what you’re actually going to do about a risk once you identify it. A good risk response helps organizations reduce the likelihood of problems, minimize damage if something does happen, and avoid becoming a front-page news story.


The Four Main Ways to Respond to Risks

Most risk responses fall into four categories:

1. Avoid the Risk

Translation: You stop doing the activity causing the risk altogether. For example, a company decides not to store sensitive customer information because the cybersecurity risk is too high.

It’s basically the business equivalent of seeing a sketchy amusement park ride and saying:
“Nope, I would like to increase my chances of living another day.”


2. Reduce the Risk

This is the most common approach. You keep doing the activity but put controls in place to reduce the chance or impact of failure. For example, the company that did not want to store sensitive customer information because of cybersecurity risks will now store that data, protected by multi-factor authentication. Other examples include:

  • Installing fire suppression systems
  • Performing quality checks
  • Training employees

It’s like wearing a seatbelt. You still drive the car—you just prefer not to fly through the windshield.


3. Transfer the Risk

You shift some or all of the risk to someone else. The company that stores sensitive customer information may purchase cybersecurity insurance. Other examples include:

  • Outsourcing
  • Contracts with vendors

This is essentially saying:
“If this goes badly, somebody else is helping pay for it.”


4. Accept the Risk

Sometimes risks are minor, unavoidable, or too expensive to fully address.

In these cases, organizations knowingly accept them.

But there’s a difference between:

  • Informed acceptance (“We understand the risk and can tolerate it.”)
    and
  • Ignoring reality (“What could possibly go wrong?”)

History shows us that the second approach rarely ends well.


What Happens When Risks Are Identified… But Not Responded To?

Here are some real-world examples where organizations knew about risks but failed to respond appropriately.

Spoiler alert: things got ugly.


The Titanic: The Unsinkable Ship That Sank Anyway

The RMS Titanic is one of history’s most famous examples of poor risk response.

Before the ship hit the iceberg in 1912, there were already warning signs:

  • Multiple iceberg warnings were received from other ships
  • The Titanic was traveling at high speed through icy waters
  • There weren’t enough lifeboats for everyone onboard

So what was the response?

Basically:
“Full speed ahead.”

The belief that the Titanic was “unsinkable” created overconfidence, and safety concerns were not taken seriously enough.

The result:

  • Over 1,500 people died
  • Maritime safety laws changed worldwide
  • Lifeboat requirements became mandatory

Turns out confidence is not a substitute for risk management.


The Challenger Space Shuttle Disaster: Ignoring Engineers Is Usually a Bad Idea

In 1986, the Space Shuttle Challenger exploded shortly after launch, killing all seven crew members onboard.

The risk had actually been identified beforehand. Engineers warned that the shuttle’s O-ring seals could fail in cold temperatures.

However, launch day was unusually cold.

So what happened?

Despite the warnings, leadership decided to proceed with the launch anyway due to schedule pressure and organizational momentum.

Seventy-three seconds after launch, the shuttle broke apart.

The disaster revealed major failures in risk response, including:

  • Ignoring technical concerns
  • Poor communication between leadership and engineers
  • Prioritizing deadlines over safety

One of the biggest lessons from Challenger is this:

A risk management process is useless if leadership ignores the people raising the risks.



Why Organizations Fail to Respond to Risks

So why do people ignore risks even when they know they exist?

A few common reasons:

Overconfidence

“We’ve never had a problem before.”

Famous last words.


Short-Term Thinking

Some leaders prioritize quarterly profits, deadlines, or appearances over long-term stability.

Risk mitigation often costs money upfront—but disasters usually cost much more later.


Decision Fatigue and Complexity

Sometimes organizations know about risks but freeze because solving them seems difficult, expensive, or inconvenient.

Unfortunately, risks do not disappear just because nobody wants to deal with them.


Poor Communication

In many disasters, frontline employees or experts raised concerns that leadership either ignored or never fully understood.

Good risk management depends on organizations where people can speak up without being dismissed.


Final Thoughts: Risk Management Is About Action

Risk Identification is important.

But Risk Response is where risk management becomes real.

Because at the end of the day:

  • Identifying risks without action changes nothing
  • Delayed responses often make problems worse
  • The cost of prevention is usually far smaller than the cost of disaster recovery

The goal isn’t to eliminate every risk—that’s impossible.

The goal is to respond intelligently enough that when problems happen, they don’t become catastrophes.

Or, put another way:

It’s much cheaper to buy the fire extinguisher before the fire starts.

We’ve now covered risk identification and risk response. In my next blog, we’ll dive into risk measurement and monitoring, because risk management doesn’t end once a response plan is created: even the best response plans need to be continuously evaluated to ensure they remain effective.

Risk Vision, a central hub for simplified and effective risk management
