Risk Theater
The risk register managed the risks that were easy to articulate, not the risks that were likely to occur.
The wise foresee outcomes. The unwise cannot know what approaches. Valluvar divides people by their capacity to anticipate. Not their capacity to present. Your risk register is impressive. Color-coded. Categorized. Heat-mapped. It predicted none of the things that actually went wrong last year. The supply chain disruption wasn’t on it. The key person departure wasn’t on it. The regulatory change wasn’t on it. But ‘server downtime’ was rated High, color-coded red, and had a mitigation plan with three owners. The risk register managed the risks that were easy to articulate, not the risks that were likely to occur.
Boeing’s decision debt accumulated over three decades. I mapped the chain. In 1997, the merger with McDonnell Douglas deferred the cultural question. In 2001, moving HQ from Seattle to Chicago deferred the engineering proximity question. In 2011, choosing to re-engine the 737 rather than design a new plane deferred the safety architecture question. Each deferral was rational in isolation. Stacked together, they created the 737 MAX, a plane whose aerodynamics required software to override physics, whose software was designed by $9-an-hour contractors. Decision debt compounds silently until it crashes.
Risk registers predict the weather they already know. In meteorology, forecast models are built on historical data and known atmospheric patterns. They’re excellent for predicting weather within the model’s parameters. But when conditions exceed the model’s training data, the forecast diverges from reality. Organizational risk theater operates identically: risk registers are built on known categories. They excel at predicting risks that look like past risks. But the risks that are most damaging are precisely the ones that don’t match any previous pattern. The model is confident. The storm is somewhere else entirely.
Look at your risk register. Now look at the last three actual disruptions your organization experienced. How many of them were on the register? If the answer is zero, your risk register isn’t wrong. It’s performing a different function: reassuring stakeholders that risk is managed. Risk literacy would mean saying: ‘We don’t know what we don’t know, and here’s how we’ll respond when the unknown arrives.’
That color-coded fiction has a name. Risk Theater. And once you see it, you can’t unsee it.
Untie The Knot
Uproot
Risk management became a compliance function instead of an intelligence function. The register measured what was easy to categorize, not what was likely to occur. The process produced confidence rather than preparedness.
Navigate
The risk function focuses on the unknown and unknowable, not just the categorizable. Response readiness matters more than prediction accuracy.
Tool
SPAR / Pre-Mortem: the protocol that imagines failure before it happens, identifying risks that registers miss. Pre-Mortem asks: if this failed, why? The answers reveal what the spreadsheet cannot.
Implement
Compare your risk register to the last three actual disruptions. If none were registered, your risk function is performing, not predicting. Rebuild it around response, not prediction.
Emerge
When risk literacy replaces risk theater, the organization stops being surprised by predictable disruptions and starts building genuine adaptive capacity.