ISO 31000 defines risk as “the effect of uncertainty on outcomes.” Identifying risks and determining ways to respond to them help you learn about your processes, your organization, and the environment you’re operating within. It also raises your awareness of how any of these things might change in the future. Perhaps most important, this helps you quickly respond to—and recover from—negative events like natural disasters, supply chain disruptions, and cyberattacks.
Risk management can also help your organization uncover new opportunities, if risks are considered within the context of strengths, capabilities, and threats.
But let’s face it: Risk management can be difficult and time-intensive, and it doesn’t easily reveal returns on investment. Especially when people are busy and budgets are tight, taking a risk-based approach can feel like a distraction. “Compliance complacency” is not uncommon, and sometimes only the minimal amount of effort goes toward meeting governance or documentation requirements. In 2016, Carmela Cucuzzella, of Concordia University in Canada, mentioned that some product designers even express contempt for risk management, claiming that it can strip them of their creative freedom.
…