Risk is often perceived as something negative — something to avoid. But in reality, risk is simply uncertainty that matters.
That definition, often attributed to David Hillson, sits at the heart of effective risk management. Whether you follow ISO standards, IRM guidance, or your own organisational framework, the common thread is clear: risk only makes sense when viewed through the lens of objectives.
So, what is risk?
Across industries and standards, risk is consistently described as the effect of uncertainty on objectives. It can stem from a potential event, a change in circumstances, or both. Importantly, that effect can be negative or positive.
We often focus on what might go wrong – cyberattacks, operational failures, financial losses – but risk also includes opportunity. Innovation, growth, and transformation all involve uncertainty. Avoiding risk entirely is rarely an option if you want to move forward.
Risk is everywhere — whether we realise it or not
We manage risk every day:
- At work, when delivering services, protecting data, or maintaining safety
- At home, when buying a car, purchasing a house, or even planning a holiday
In today’s digital age, risk has become even more complex. Almost every organisation relies on technology and data, which means digital and operational risks can no longer be underestimated.
A useful question to ask – personally and professionally – is:
What keeps you awake at night… or what should be keeping you awake at night?
Risk is about future uncertainty. Once something has already happened, it becomes an issue — not a risk.
Why risk management really matters
Effective risk management is not about eliminating all risk. It’s about making informed decisions.
Done well, it helps organisations:
- Identify threats and vulnerabilities early
- Protect finances, reputation, and people
- Allocate resources where they matter most
- Meet regulatory and compliance obligations
- Make better, more balanced decisions
A powerful example is the 2016 Delta Airlines system outage. Over 2,000 flights were cancelled, costing an estimated $150m and damaging a reputation built on reliability. Operational risks, if unmanaged, can be incredibly costly.
On the flip side, good risk management can enable innovation. Netflix famously recognised the risk of standing still in a changing market. By embracing streaming — and later original content — it transformed not just its business, but an entire industry.
Risk doesn’t disappear — it gets managed
Imagine a mouse trying to reach a piece of cheese… with a mousetrap in the way.
The objective is clear: get the cheese.
The risk is also clear: injury from the trap.
The mouse can’t eliminate the risk entirely, but it can change the impact — perhaps by wearing a helmet or adjusting its approach. The likelihood may remain the same, but the outcome improves.
That’s risk management in its simplest form.
The risk management process starts at the beginning
Before identifying or evaluating risks, there’s a crucial first step that’s often overlooked:
What are we actually trying to achieve?
Without clearly defined objectives, risk management becomes meaningless. Whether your goal is delivering services, keeping people safe, maintaining financial stability, or achieving strategic growth — risk only exists in relation to those aims.
Once objectives are clear, we can ask:
- What could stop us achieving them?
- What uncertainties matter most?
- How can we reduce the likelihood or impact?
Communication is the thread that holds it all together
Risk management isn’t a one-off exercise or a static register. It’s a continuous process underpinned by communication and consultation.
Engaging stakeholders – employees, customers, suppliers, regulators, and communities – brings better insight, stronger buy-in, and more robust decision-making. Clear, honest communication builds trust and reduces reputational damage when things don’t go to plan.
Of course, it isn’t without challenges: time constraints, resistance to change, cultural differences. But with the right resources, simple language, training, and persistence, these barriers can be overcome.
Final thought
Risk management is not about avoiding the cheese.
It’s about understanding what you want to achieve, recognising what could stand in your way, and choosing how to respond — thoughtfully and deliberately.
Sometimes that means changing tactics. Sometimes it means accepting risk. But it always starts with clarity, communication, and a willingness to think ahead.
