The Risk Culture Contradiction: Why Organisations React as Though Incidents Should Never Happen

Byadmin

Something that has puzzled me for years — and that I keep seeing across very different organisations, in very different sectors.
Many describe themselves as operating in volatile, uncertain environments. They accept that risk is part of the work. They speak of resilience, adaptability, initiative. And in many ways, this is true — they do operate in conditions that others would refuse, and they do it with commitment.
But when an incident actually happens, something shifts.

The Contradiction

The same organisation that accepted uncertainty begins reacting as though the incident should not have occurred. The reflex is to look for the error, the fault, the gap in the procedure — as if the event were proof that something went wrong in the system, rather than a possible consequence of the environment they chose to operate in.
There is a deep contradiction here, and I think it runs deeper than most people realise.
We speak of uncertainty, but we respond to incidents as though certainty was possible. We value initiative, but we judge outcomes as though every consequence should have been foreseen. We say we are resilient — we accept exposure, we adapt, we take calculated risks — but when those risks materialise, we react with the logic of a system designed to prevent any incident from ever happening.
In other words: we talk like one kind of organisation, but we respond like another.

Why This Matters for Risk Culture

This matters enormously. Because the way an organisation reacts after an incident shapes everything that comes before the next one.
It shapes the willingness to report honestly. The freedom to take initiative. The trust people place in the system.
If the culture says “we accept risk” but the reaction says “someone must be accountable for this failure” — people learn quickly which message is real. And the real message is always the one that follows the incident, not the one written in the policy.
This gap is not a communication problem. It is an identity problem. It lives in the space between who the organisation says it is and how it actually behaves under stress.

Where the Conversation Needs to Start

I do not think there is an easy resolution to this tension. But I believe it starts with an honest conversation — not about what the organisation aspires to be, but about who it actually is in its relationship with risk.
What do we truly accept? What are we genuinely prepared to face? What happens internally when something goes wrong — and does that reaction align with the culture we say we are building?
That conversation is uncomfortable. But without it, the contradiction persists — quietly undermining the very culture the organisation is trying to build, and making the next incident harder to navigate than it needs to be.
Risk culture is not what an organisation writes in its policy. It is what it does in the hours and days after something goes wrong.

Leave a Reply

Your email address will not be published. Required fields are marked *