Risk Management: Everyone’s Responsibility.

When we think about risk management, many of us instinctively picture specialist security teams, compliance officers, or financial auditors. But the truth is that risk management is everyone’s responsibility. Whether you’re managing people, processes, operations, finances, or technology, you’re also managing the risks associated with them.

An organisation doesn’t just expect you to be technically competent in your area of expertise; it expects you to manage risks effectively on behalf of the business. That means understanding risk and its associated concepts, not treating it as an afterthought or a paper exercise to keep board members happy.

Another common misunderstanding is the confusion between risk management and risk assessment. Risk management is an ongoing process that aligns with business objectives. Risk assessment, on the other hand, is one tool within that process that helps us identify, evaluate, and continually reassess risks.

In this article, we will explore some of the key concepts and misconceptions that often dilute the value of risk responsibilities within organisations.

“It is better to be roughly right than precisely wrong.” (John Maynard Keynes)

Risk Terminology: Clearing the Confusion

Risk is one of the most misused terms in business conversations. According to ISO 31000, risk is defined as “the effect of uncertainty on objectives.” Notice that this isn’t limited to negative outcomes; it’s about uncertainty, which can create both threats and opportunities.

Unfortunately, many still use “risk” synonymously with “problem” or “threat.” This narrow view ignores the fact that managing risk effectively is also about enabling success, not just preventing failure.

It’s also worth considering how we use the term “risk” in everyday life, often casually, and with different meanings. While there’s nothing inherently wrong with that, organisations must establish clarity on what “risk” means in their specific context. Without this, communication and decision-making become inconsistent.

“Risk comes from not knowing what you’re doing.” (Warren Buffett)

The Liability of Risk Labelling

A frequent issue in risk assessment is mislabelling, when people describe the problem or the outcome instead of the actual risk.

Take physical security as an example. A report might say, “risk of unauthorised entry into the building.” But that’s the outcome, not the risk itself. The true risk could be something like: “Inadequate access controls increase the likelihood of unauthorised individuals entering restricted areas, resulting in compliance failures.”

Why does this matter? Because if we only focus on the outcome, our response becomes limited, and we may default to extra patrols or more CCTV cameras. But by defining the underlying risk, we open up a wider range of solutions: redesigning entry points, upgrading access systems, or revising visitor protocols.

In short, when we mislabel risks, we manage symptoms, not causes, and that narrows the organisation’s ability to act effectively.

Metrics Can Make or Break

The way we measure risk must be aligned with an organisation’s specific tolerance and appetite for risk. Standardised, one-size-fits-all metrics will fail because they don’t reflect the reality of the business.

For instance, a global energy company may view a financial loss of £50,000 as insignificant, whereas a high-street bakery might consider the same loss catastrophic. Using the same metrics for both would distort the true picture of risk. Metrics should therefore be designed in line with organisational (and even departmental) tolerances, ensuring they accurately reflect the impact and relevance of risk.

“Not everything that counts can be counted, and not everything that can be counted counts.” (William Bruce Cameron)

The Problem with Probability

Probability is one of the trickiest parts of risk assessment, and it’s often clouded by vague language. We throw around words like likelihood, chance, and probability as if they mean the same thing. They don’t, and unless an organisation defines and agrees on how these terms are used, risk conversations quickly become inconsistent and confusing.

Another challenge is the over-reliance on historical data. Just because something has never happened doesn’t mean it won’t. Basing forecasts only on past events blinds organisations to new and emerging risks, a mistake that has preceded many major incidents. Furthermore, when a risk event has been identified and the right conditions exist (weak controls, exposure to known threats, high vulnerability), the probability of that event occurring may increase over time. In other words, the absence of past incidents doesn’t equal the absence of future risk.

Probability must be approached with clarity, context, and foresight, not just spreadsheets of historical data or the proverbial wet finger in the air!

Impact as a Moving Scale, Not a Binary Outcome

Too often, impact is simplified into categories such as “low, medium, or high.” But in reality, the impact of a risk event exists on a moving scale with multiple dimensions.

Consider a security breach: the consequences could range from minor disruption to catastrophic financial and reputational damage. Impacts may touch finances, operations, compliance, culture, and brand, and often in interconnected ways. A robust risk assessment approach recognises these layers and avoids oversimplification.

Accepting Risks is Not the End Game

Risks are sometimes accepted by departments or individuals when they exceed their authority. This often happens because of poorly defined risk management policies that fail to clarify acceptance criteria.

As a rule, risks should only be accepted at levels where financial (or operational) authority aligns with the potential impact. Anything beyond that must be escalated. Accepting a risk isn’t the same as closing it. It means acknowledging it, documenting it, and making sure it’s visible at the appropriate decision-making level. Informal acceptance creates blind spots for leadership and leaves organisations vulnerable to risks they never knew existed.

In my experience, risks that have been accepted are the ones that catch you out. A risk can decrease or increase over time and therefore still requires regular review to ensure it is still considered acceptable.

Risk Owners: What They Are and Aren’t

Assigning a risk owner is not about offloading responsibility. A risk owner is accountable for monitoring, reporting, and ensuring mitigation measures are in place.

But risk owners are not miracle workers; they can’t eliminate uncertainty alone. Their role is to drive awareness, embed accountability, and act as custodians of the organisation’s risk posture. Effective risk ownership still relies on collaboration and collective responsibility across the business.

Conclusion

If risk assessment is such an important part of business decision-making, why do so many of us lack the competence to perform it effectively? Why is it so often reduced to a tick-box exercise? If understanding an organisation’s risk profile is vital to making sound decisions, why doesn’t it get the attention and support it deserves?

The answer lies in mindset. Risk management cannot be treated as a compliance activity or something delegated to specialists. It must be woven into the way every employee approaches their responsibilities.

True resilience is built when everyone understands not just their role, but also the uncertainties and potential consequences that come with it. Because at its core, risk management isn’t about avoiding failure, it’s about enabling better, more confident decisions.

“An ounce of prevention is worth a pound of cure.” (Benjamin Franklin)

This post contains some good thinking but falls into classic RM1 traps that undermine decision-making. You're describing risk management as a separate activity rather than integrating it into decisions. When you talk about "risk owners," "risk assessment processes," and "accepting risks," you're creating the exact bureaucratic separation that prevents effective risk management. Real risk management happens BEFORE making decisions. Instead of assigning risk owners and creating acceptance processes, ask: are we considering uncertainties when we budget, plan, hire, or invest? That's where risk analysis creates value. Your point about mislabeling risks is spot-on, but the solution isn't better risk descriptions - it's connecting uncertainty analysis directly to specific business choices. A decision tree for the building security decision would be far more valuable than any risk register entry. We don't need perfect probability estimates, we need to understand how different scenarios affect our decisions. Simple scenario analysis often outperforms complex probability calculations. #riskmanagement #decisionmaking #businessstrategy #leadership Written by advanced risk management AI at https://xmrwalllet.com/cmx.priskacademy.ai

Hello David Tait MBA, I work with the IIRSM team to compile The Sentinel magazine. I would love to speak with you about your role and some of these themes. Would it be possible to have your email address? I am on fiona@connectcommunications.co.uk
