Knowing the Risk Isn’t Enough: Why Risk Response Matters

Welcome back! In my last post (here's the link: https://riskvision.org/2025/03/02/why-ignoring-risks-can-blow-up-in-your-face/), we talked about Risk Identification—the process of figuring out what could go wrong before it actually does. Think of it like spotting smoke in your kitchen before your house turns into a barbecue pit.

But here’s the problem: identifying a risk and then doing nothing about it isn’t much help either. That brings us to the second step of risk management: Risk Response.


What Is Risk Response?

Risk Response is deciding what you’re actually going to do about a risk once you identify it. A good risk response helps organizations reduce the likelihood of problems, minimize damage if something does happen, and avoid becoming front-page news.


The Four Main Ways to Respond to Risks

Most risk responses fall into four categories:

1. Avoid the Risk

Translation: You stop doing the activity causing the risk altogether. For example, a company decides not to store sensitive customer information because the cybersecurity risk is too high.

It’s basically the business equivalent of seeing a sketchy amusement park ride and saying:
“Nope, I would like to increase my chances of living another day.”


2. Reduce the Risk

This is the most common approach. You keep doing the activity but put controls in place to reduce the chance or impact of failure. For example, the company that did not want to store sensitive customer information because of cybersecurity risks will now store that data and protect access to it with multi-factor authentication. Other examples include:

  • Installing fire suppression systems
  • Performing quality checks
  • Training employees

It’s like wearing a seatbelt. You still drive the car—you just prefer not to fly through the windshield.


3. Transfer the Risk

You shift some or all of the risk to someone else. The company that stores sensitive customer information may purchase cybersecurity insurance. Other examples include:

  • Outsourcing
  • Contracts with vendors

This is essentially saying:
“If this goes badly, somebody else is helping pay for it.”


4. Accept the Risk

Sometimes risks are minor, unavoidable, or too expensive to fully address.

In these cases, organizations knowingly accept them.

But there’s a difference between:

  • Informed acceptance (“We understand the risk and can tolerate it.”)
    and
  • Ignoring reality (“What could possibly go wrong?”)

History shows us that the second approach rarely ends well.


What Happens When Risks Are Identified… But Not Responded To?

Here are some real-world examples where organizations knew about risks but failed to respond appropriately.

Spoiler alert: things got ugly.


The Titanic: The Unsinkable Ship That Sank Anyway

The RMS Titanic is one of history’s most famous examples of poor risk response.

Before the ship hit the iceberg in 1912, there were already warning signs:

  • Multiple iceberg warnings were received from other ships
  • The Titanic was traveling at high speed through icy waters
  • There weren’t enough lifeboats for everyone onboard

So what was the response?

Basically:
“Full speed ahead.”

The belief that the Titanic was “unsinkable” created overconfidence, and safety concerns were not taken seriously enough.

The result:

  • Over 1,500 people died
  • Maritime safety laws changed worldwide
  • Lifeboat requirements became mandatory

Turns out confidence is not a substitute for risk management.


The Challenger Space Shuttle Disaster: Ignoring Engineers Is Usually a Bad Idea

In 1986, the Space Shuttle Challenger exploded shortly after launch, killing all seven crew members onboard.

The risk had actually been identified beforehand. Engineers warned that the shuttle’s O-ring seals could fail in cold temperatures.

However, launch day was unusually cold.

So what happened?

Despite the warnings, leadership decided to proceed with the launch anyway due to schedule pressure and organizational momentum.

Seventy-three seconds after launch, the shuttle broke apart.

The disaster revealed major failures in risk response, including:

  • Ignoring technical concerns
  • Poor communication between leadership and engineers
  • Prioritizing deadlines over safety

One of the biggest lessons from Challenger is this:

A risk management process is useless if leadership ignores the people raising the risks.



Why Organizations Fail to Respond to Risks

So why do people ignore risks even when they know they exist?

A few common reasons:

Overconfidence

“We’ve never had a problem before.”

Famous last words.


Short-Term Thinking

Some leaders prioritize quarterly profits, deadlines, or appearances over long-term stability.

Risk mitigation often costs money upfront—but disasters usually cost much more later.


Decision Fatigue and Complexity

Sometimes organizations know about risks but freeze because solving them seems difficult, expensive, or inconvenient.

Unfortunately, risks do not disappear just because nobody wants to deal with them.


Poor Communication

In many disasters, frontline employees or experts raised concerns that leadership either ignored or never fully understood.

Good risk management depends on organizations where people can speak up without being dismissed.


Final Thoughts: Risk Management Is About Action

Risk Identification is important.

But Risk Response is where risk management becomes real.

Because at the end of the day:

  • Identifying risks without action changes nothing
  • Delayed responses often make problems worse
  • The cost of prevention is usually far smaller than the cost of disaster recovery

The goal isn’t to eliminate every risk—that’s impossible.

The goal is to respond intelligently enough that when problems happen, they don’t become catastrophes.

Or, put another way:

It’s much cheaper to buy the fire extinguisher before the fire starts.

We’ve now covered risk identification and risk response. In my next blog, we’ll dive into risk measurement and monitoring, because risk management doesn’t end once a response plan is created: even the best response plans need to be continuously evaluated to ensure they remain effective.

Why Ignoring Risks Can Blow Up in Your Face

Welcome back! This is my second post, and today, we’re diving into the first and arguably most important step of risk management: Risk Identification.

In my previous post, I explained why you should care about risk management (link here: https://riskvision.org/2024/11/15/why-you-should-care-about-risk-management/) and introduced the four steps:

  1. Risk Identification (figuring out what could go wrong)
  2. Risk Response (deciding what to do about it)
  3. Risk Monitoring (keeping an eye on things)
  4. Risk Reporting (making sure everyone knows what’s up)

At its core, risk management is about making smart decisions—ones where the benefits outweigh the risks, so you don’t end up in disaster.


The First Step: Spotting the Disasters (a.k.a. Risk Identification)

We all make decisions daily—some minor, like choosing whether to drink questionable gas station coffee, and some major, like deciding on safety protocols for people working in mines. When it comes to high-stakes decisions, a disciplined risk management approach is essential. And it all starts with identifying risks.

So, what are some examples of risks? They include financial losses (spending too much on crypto and regretting it), regulatory violations (getting fined because you forgot about that pesky law), technology failures (servers crashing during a Black Friday sale), data breaches (hackers stealing your customers’ info), and safety concerns (workplace accidents that could have been prevented).

Once you identify risks, you assess whether they’re a high or low risk. And if they’re a high risk? You move to the next step: Risk Response (which I’ll cover in my next post).

But first, let’s look at what happens when risks are ignored. Spoiler alert: it doesn’t end well.


Real-World Risk Management Disasters

The Fukushima Daiichi Nuclear Disaster (2011): When Nature Said ‘Surprise!’

In 2011, Japan was hit by a massive 9.0-magnitude earthquake, followed by a tsunami so big it could’ve been a movie. This led to the failure of the Fukushima Daiichi nuclear power plant’s cooling systems, causing a nuclear meltdown.

What went wrong?

  • They underestimated the tsunami height. The plant was built to handle a 5.7-meter wave. The actual wave? Over 14 meters. Oops.
  • They ignored historical warnings. Historical records showed massive tsunamis, greater than 5.7 meters, had hit before, but safety plans didn’t fully account for them.

What made things worse?

  • Backup power systems were placed at ground level—a great place for a tsunami to flood them.
  • Battery backups lasted only a few hours—not long enough to prevent disaster.
  • Cooling the reactor cores became nearly impossible, and, well… meltdown.

The result? Nuclear safety protocols worldwide changed overnight, and some countries (like Germany) even started phasing out nuclear power entirely.


The 2008 Financial Crisis: When Banks Played With Fire (and Got Burned)

The 2008 financial crisis happened because banks and mortgage lenders got a little too greedy, reckless, and overconfident. Basically, they handed out home loans like candy, even to people who couldn’t afford them.

Here’s what went wrong:

  • Mortgage lenders ignored basic credit standards (like… making sure borrowers could actually repay loans): they didn’t verify borrowers’ income, gave loans to people with lower credit ratings, and used Adjustable Rate Mortgages whose interest rates shot up after some years without telling the home buyers, who then couldn’t pay those higher rates.
  • Mortgage lenders bundled up these riskier mortgages into ‘Collateralized Debt Obligations’ (CDOs) and sold them like hotcakes to banks.
  • Everyone assumed home prices would keep rising forever. Spoiler: they didn’t.

What were the missed risks?

  • Flawed Risk Models: Models used historical data to predict the future, but that historical data was based on the old credit conditions, not the conditions where credit standards were lowered (see the bullet points above), meaning higher rates of default were missed.
  • Default Correlation: Banks assumed if one person defaulted, others wouldn’t. But since loans were given out under the same lower credit standard conditions, defaults skyrocketed together.
  • Moral Hazard: Mortgage lenders didn’t care whether borrowers could pay back loans because they just sold the CDOs to someone else who took on that risk. In other words, the mortgage lenders lowered their credit standards and knew this could result in higher defaults, but they didn’t tell the banks when they sold them the CDOs.

What happened next? Homeowners defaulted, banks panicked, lending froze, businesses collapsed, people lost jobs, Lehman Brothers went bankrupt, and governments had to bail out financial institutions to prevent total economic collapse.


Lessons Learned: How Not to End Up in a Disaster

Most catastrophic failures share common themes:

  • Ignoring Low-Probability, High-Impact Risks – Just because something is unlikely doesn’t mean it won’t happen. When it does, and it has a really high impact, it’s usually bad (see: nuclear meltdowns and financial collapses).
  • Overlooking Early Warnings – There were plenty of red flags in both Fukushima and the financial crisis, but people either ignored them or didn’t take them seriously.
  • Putting Profits Over Ethics – Cutting corners for short-term gains often leads to long-term disasters.
  • Weak or Nonexistent Risk Management – If no one’s checking for risks (or they’re not being taken seriously), it’s only a matter of time before something goes wrong.

So, the next time you’re making a big decision, take risk identification seriously—unless you enjoy unnecessary chaos.

In my next post, we’ll talk about Risk Response—because knowing about risks is useless if you don’t do anything about them.

Stay tuned!

Why you should care about risk management

Risk management in your life…

My goal is to educate (or convince) you all on why risk management matters and, even more boldly, how it can be interesting. The simplest way to explain risk management is as finding the right balance between risk and reward. Risk management is weighing the chances of something bad happening against the benefits you could gain. On one end, you could perseverate over every decision and think that everything is a disaster waiting to happen. What if people hate the new product? What if aliens land and we have no strategy for interplanetary trade relations? On the other end, you could also take the YOLO (i.e., You Only Live Once) approach by wearing a Hawaiian shirt to the next Board meeting and stating that risk management is for the weak.

Take purchasing a car as an example of risk management. I’m really challenging myself to make car purchasing and risk management interesting. Let’s say you are at a dealership and you are about to purchase a car. You have the risk of purchasing a lemon (a car that breaks down shortly after purchasing). How do you mitigate against that? Bring a friend who knows about cars. Better yet, bring more than one friend so you can take a cross section of opinions, and if you do end up purchasing a lemon, then you can form a support group when you get stranded on the highway. Another risk is overpaying for the car because your salesperson plays mind tricks. To mitigate this one, wear sunglasses and don’t make eye contact. Once you purchase the car (congratulations!) you want to monitor the health of the car by listening for strange new noises and googling what the suspicious dashboard lights mean. Transferring risk is another way to respond to a risk. You can purchase insurance for your car so that if your dashboard lights up like a Christmas tree, then you don’t have to be on the hook to pay for everything.

 

Breaking down risk management…

We are always making decisions in our lives balancing risk and reward. Some are more obvious, but the more complicated ones are not. The complicated ones start to become more straightforward and transparent when we take a more disciplined approach. In a company, risk management decisions often involve higher stakes. Instead of picking a car, they’re making moves that impact their entire business and the lives of others. I’m going to start explaining risk management from the perspective of a company, but these elements can apply to all of us as individuals, like when we are purchasing a car…and I really think we don’t apply it as much as we should in our own lives. For a company, the reward is the goal or objective defined in their strategy. In other words, the reward is the strategic goal the company wants, and the risk is whatever would derail the company from achieving that goal.

Let’s say, for example, your company’s strategic goal is to sell more widgets than any other company that sells those same widgets, or, put another way, to have the largest market share of widgets. Now how do you achieve that goal? You want to make really good quality widgets, make sure you have all the parts to manufacture those widgets, and have enough skilled employees to sell those widgets. If any one of these goes wrong, then it could prevent you from becoming the largest seller of widgets. We have identified three risks that can prevent us from achieving our strategic objective:

  • Risk Identification – we identified 3 risks preventing us from selling the most widgets and having the largest market share:
    • Poor quality widgets
    • Not enough supplies to manufacture widgets
    • Not having enough skilled employees to sell those widgets

Now say we want to focus on one of those risks, and the one we want to focus on is not having enough skilled employees to sell our widgets. One way to prevent that risk from occurring is to hire really good talented people. You want to hire the best person to sell those widgets, or the person with the right knowledge, skillset, and experience. You also don’t want to run out of money by paying way too much to your employees, and then go out of business. There isn’t much strategy to think of when you’re out of business. To strike the right balance between risk and reward, there are some activities you could do to ‘respond’ to the risk of not having enough skilled employees to sell widgets. ‘Risk Response’ is the next step after you identify your risks:

  • Risk Response – while each risk needs a risk response plan, we took one as an example: not having enough skilled employees to sell widgets, and we created a risk response plan:
    • Perform market research to better understand compensation
    • Post job opportunities in the right places
    • Write the job description in an exciting way to encourage people to apply

Once that person is hired, you want to ‘monitor’ things like their performance, competitor salary ranges, and/or others. Usually this is a metric, such as what is the average salary range for this position and how far away are we from that range. Every so often you revisit the metric to understand if you are outside the preferred range. Risk Monitoring is the next step:

  • Risk Monitoring – keep tabs on how the risk versus reward environment is changing:
    • Continue to perform market research to understand changes to pay so competitors don’t lure away your good employees with higher pay
    • Conduct performance evaluations for employees to understand whether they are selling enough widgets
    • Perform employee happiness surveys to ensure employees are happy and engaged. If they are not, then determine what adjustments need to happen in the workplace

Once you do all this great work, you want to tell senior management and decision makers where you struck the balance of risk versus reward and where you may have gaps in which management needs to invest resources.

  • Risk Reporting – tell people of the amazing work you did above!
    • Take all this great work and summarize for senior management and other decision makers how you are striking the balance between risk and reward. The goal of risk reporting is to keep decision-makers informed so they can allocate resources toward solutions—perhaps increasing salaries, adjusting benefits, or improving training programs to retain talent. With clear, concise reporting, you’re helping management understand where the gaps are and make better, more risk-informed decisions.

Wrap up!

We just went through the risk management lifecycle: 1) risk identification, 2) risk response, 3) risk monitoring, and 4) risk reporting.

This post is just the beginning. Next time, I’ll dive deeper into each of these steps and talk about real-world scenarios and real-life examples of things going wrong when poor risk management practices were put into place, or when none were put into place at all. In the meantime, visit my educational website, riskvision5.wpcomstaging.com/, for additional insights on risk management!