How to reconcile different attitudes to risk

We all grow up learning to evaluate and manage risks in a way that’s personal to us.

Take, for example, two employees making toast in the office kitchen. By coincidence, they both drop their toast at the same time. One picks it up, bins it and then washes their hands before making a replacement. The other, embracing the five-second rule, peels it off the floor, gives it a cursory brush down and tucks in with unashamed gusto. These colleagues have evaluated the same risks. They’ve taken what they both deem to be ‘appropriate’ mitigating action. Yet their contrasting attitudes to risk have resulted in differing outcomes.

Buttered toast at work

Of course, buttered toast poses a minor risk in normal (pre-pandemic) circumstances. Leaving aside the extraordinary events of this year for one moment, there’s a raft of far larger risks that face businesses. Switching suppliers is risky. Installing a new computer system is risky. Developing a new product or service line is risky. In order to grow our businesses, we have to accept risk. Failure to do so is, ironically, a risk in itself.

Uncontrolled risk management

Now imagine that you allow employees to take responsibility for identifying, mitigating and managing risks without guidance and assistance. Chaos would follow. Some of them would be more careful with your company money than their own. Others wouldn’t. Some would care more about the company’s reputation than their own. Again, others wouldn’t. Some would be overly cautious – resulting in possible paralysis through analysis – others would hope for the best. Across your business, these very different attitudes would ensure that your business would be unevenly exposed to risk. That’s not good for your customers, your objectives or even for your staff. Being responsible for risk – when you’re not trained to do so – is stressful.

As employers and managers, we must equip our teams to manage risk in an effective way.

Does technology offer a risk management solution?

We may have the most advanced technology the world has ever seen, but it’s imperfect. AI trusts correlations that may turn out to be irrelevant or selective. Sophisticated AI and algorithms didn’t predict Trump. Yet, the team behind The Simpsons did.

In truth, the world is infinitely more complex than we often think. We must learn to acknowledge the uncertainty and complexity of business problems. Rather than attempting to constrain risk completely – a task akin to nailing jelly to a wall – we should ensure that we are prepared for multiple scenarios. We should also bear in mind that fixing one problem may, inadvertently, damage another part of our business.

Evaluating and managing risk is a skill that can be learned in two ways – through training and the hard way, when things go wrong and we have to scrabble around for a solution. We recommend the former.

Learning to work as a team to manage risks

Risk management is about effective decision making. This demands the right people being in the right place at the right time, armed with the Seven Essentials:



Collectively, the team can identify alternative routes forward and weigh up the potential for harm or reward. There are several methods to achieve this, which reduce the risk of the loudest talker or the most negative thinker taking control of the discussion and outcomes.

Scenario planning produces a set of plausible potential futures. It helps teams understand how various situations will affect business, e.g. What happens if a key supplier goes bump? What happens if we all have to work from home again?

Simulation exercises (aka tabletop/business continuity planning) enable teams to walk through how risks may unfold. The National Cyber Security Centre’s free Exercise in a Box is a good example. It helps organisations test their response to a cyber attack and requires no expert knowledge.

Bow-tie analysis – a visual way of representing the path of a hazard – helps teams identify root causes and both immediate and long-term impacts.

*The best outcomes are seen when some of the team have been on risk management training and are aware of their own attitudes to risk. Why not join us and the IIRSM (International Institute of Risk and Safety Management) online as we teach delegates to ‘Manage Risk – the Essentials’? Alternatively, we hope to regularly run Managing Risks courses in conjunction with the IIRSM in Central London from September 2020.


If you found this blog useful, you may also like to…

Read our blog on using the 5Ps to identify your business risks. The 5Ps of business continuity – people, processes, products, partners and property – offer a straightforward way to evaluate risks.

Talk to us about ISO22301, the Business Continuity standard.

Sign up to our newsletter to keep abreast of the latest risk management news (visit our website footer to do this).

Ask us to facilitate an Exercise in a Box session for you.


Simpsons creator Matt Groening told The Guardian that “[Trump] was of course the most absurd placeholder joke name that we could think of at that time, and that’s still true.”