Risk Events, Controls & Organisational Brittleness
- bennym40
- Mar 1
The views and opinions expressed on this account are my own and do not reflect the official policy or position of my employer. Any content provided is for informational purposes only and should not be considered or relied upon as professional advice.
In my last post, I discussed how fear of failure and loss framing can push individuals to make decisions that don't align with an organisation's goals. I also pointed out that people with low organisational social capital tend to favour risk‑averse solutions. In this post, I'll explore these ideas further by looking at the risk event process and argue that, surprisingly, many firms' risk event processes can harm organisations instead of helping them.
In the 1980s, the phrase "No one ever got fired for buying IBM" was common in corporate circles. IBM was seen as a safe choice for software and consultancy work. That reputation wasn't entirely undeserved: in its heyday, IBM was known for taking on projects only when it was confident it could over‑deliver. This meant that, if IBM failed to deliver or offered poor value, the people who had hired them were rarely blamed.
Today, no company enjoys quite that level of trust, but the underlying behaviour persists. Many decisions are made not because they benefit the organisation, but because they protect individuals from blame. Examples include:
- Focussing on meeting regulations instead of business goals,
- Hiring prestigious consultants and following their advice without question,
- Setting performance targets that are easy to achieve but don't align with the organisation's purpose, or
- Prioritising defensive over offensive strategic objectives.
Risk Events and the Illusion of Control
Risk teams often criticise these behaviours, but they can fall into the same trap. When a process fails unexpectedly, the default response can be to add another control to prevent the issue from happening again. Sometimes no control existed because designing an effective one had been deemed impossible. However, following a risk event, it is often safer for risk teams to add an ineffective control than to justify the status quo.
This is understandable. People rarely lose their jobs over a single failure, but repeated incidents trigger uncomfortable questions and can damage reputations. The higher-ups pushing for tangible action are themselves often incentivised to demonstrate that something has been done in response to a process failure, regardless of its effectiveness. Adding controls, even ineffective ones, feels safer. However, this approach can lead to excessive red tape, which creates bigger problems for the organisation over time.
How Organisations Become Brittle (i)
Empowered employees add value by using their judgement and responding to local information that senior management might not see. This flexibility often requires vague rules. However, over time, organisations can lose this adaptability and become rigid, relying on strict rules and processes. Even firms that once valued initiative can drift toward rigid, rule‑based ways of working, and find it hard to change direction once that rigidity takes hold.
This often happens after shocks that damage trust and credibility. To regain control, senior management centralises decision-making, removes discretion from junior managers, and imposes standard processes. Whilst this can help in the short term, it often reduces the organisation's ability to adapt in the long run, and to deal with novel future shocks. This is because these processes are designed to manage the immediate issue, not to build long-term resilience. They trade efficiency and local responsiveness for predictability and control.
For example, in the 1990s, Ford centralised its engineering and manufacturing decisions to cut costs. Whilst this saved money, it also reduced the company's ability to cater to local customer preferences, leading to a loss of market share.
The Trade‑Off: Control vs Empowerment
Standardised processes are easier and cheaper for employees to follow, and organisations find it simpler to reward rule-following than adaptability. During a crisis, this trade-off can make sense. However, once these processes are in place, they're hard to remove. Employees often stick to the safer, rule-based option, even when adaptability is needed.
Over time, this reliance on rigid processes makes organisations brittle. They become less agile, more dependent on rules, and less able to handle future challenges. Whilst rules can improve coordination and reduce misunderstandings, they can also stifle innovation and adaptability.
What does this mean for Risk teams?
Risk management theory (and regulation) rightly emphasises the importance of risk event processes. They are among the most powerful tools we have. When something goes wrong, risk teams gain the social licence to challenge the fundamentals of the business in new ways. The ability of the business to respond openly, collaboratively, and constructively to risk events and near misses is a cornerstone of a healthy risk culture.
But using risk events as useful learning tools does not automatically justify using them to increase centralised control or oversight. At our worst, Risk teams are catalysts for introducing organisational brittleness by prioritising the creation of top-down processes and controls that erode employee initiative and ownership. It is a brave choice for risk teams to investigate a risk event that has caused real organisational harm and conclude that no further action needs to be taken, or to remove controls that have become part of the furniture. It requires trust in the individuals involved, and it requires trust that management will see the bigger picture.
Risk teams should:
- Resist adding controls that don't provide clear value. It is easier to push back on ineffective, badly designed, or performative controls when there is a clear understanding of what a good control looks like.
- Recognise that new controls can encourage rigid, top-down behaviour and discourage employee initiative. Risk frameworks need to explicitly consider how other processes and activities besides controls mitigate risks.
- Ensure that lessons from events are genuinely understood, embedded in organisational memory, and retained across all relevant teams.
A good risk framework empowers individuals to avoid adding unnecessary controls and protects them from criticism if lightning does strike twice.
As an aside, I have noticed that some GRC software companies are touting AI tools that create exhaustive lists of controls for every risk area. If used to support the creation of a "completist" control framework, this can accelerate the creation of organisational brittleness. Organisations should instead aim for a "risk proportionate" control framework that complements the organisation's risk culture and business norms.
I hope this blog sparks ideas and discussion. If you found it interesting, please share or connect with me on LinkedIn to contribute or provide feedback!
(i) The inspiration for this section and the next is a single paper: Jin Li, Arijit Mukherjee and Luis Vasconcelos (2022), "What Makes Agility Fragile? A Dynamic Theory of Organizational Rigidity", Management Science 69(6): 3578-3601.