You Don’t Have a Risk Problem. You Have a Decision Problem

Written By James Smith

Risk is often treated like something separate from the business.

Something you assess, measure, and report on alongside everything else.

In reality, risk is the output of decisions.

Every prioritization.
Every investment.
Every tradeoff between speed, cost, and control.

Those decisions determine how often something goes wrong and how much it costs when it does.

If you want to understand risk, you have to understand how decisions are being made.

Most organizations don’t lack analysis.

They lack consistency in how decisions are made using that analysis.

The same type of issue shows up in two places and gets handled differently.

Same starting point. Different decisions. Very different exposure.

Different assumptions.
Different thresholds.
Different definitions of what is acceptable.

None of it is necessarily wrong on its own.

But collectively, it creates a risk profile that is uneven and hard to defend.

This usually traces back to something simple.

Decision thresholds are not clearly defined.

At what point does this get escalated?
At what level of loss do we change direction?
How much uncertainty are we willing to accept before acting?

If those lines are not clear, decisions fall back to individual judgment.

And judgment matters—but it does not scale.

From a risk perspective, this shows up in the drivers of loss.

What influences how often something happens.
What influences how large the loss becomes.
What changes those over time.

If decisions affecting those drivers are inconsistent, exposure becomes inconsistent.

Not because the environment is unpredictable.

Because the decision process is.

Then incentives come into play.

Most organizations say they value resilience.

But they reward speed.
They measure cost.
They tolerate exceptions when pressure shows up.

Those signals shape behavior far more than policy ever will.

And over time, they shape the risk profile whether you acknowledge it or not.

If you step back, most risk issues are not isolated events.

They are patterns.

Patterns of decisions made without clear thresholds.
Patterns of tradeoffs that were never explicitly stated.
Patterns of incentives pulling in a different direction than intended.

Until those patterns are addressed, risk will continue to show up as disconnected problems.

Fixing this doesn’t require more reporting.

It requires clarity.

Clarity in thresholds.
Clarity in expectations.
Clarity in how decisions should be made when the answer isn’t obvious.

Once that’s in place, risk starts to stabilize.

Not because it goes away.

Because it’s being shaped intentionally.

James Smith

James is the Founder and Managing Director of ORP Consulting and a U.S. Army veteran with over a decade of experience across military, law enforcement, and national laboratory environments. He brings a disciplined, security-first perspective focused on practical risk management and decision-making that holds up under real-world conditions.

Next

Risk Is Not the Problem. Misunderstanding It Is