Rethinking Risk: When Assumptions Stop Fitting the World
If you work in a Risk function, or Chair an Audit and Risk Committee, I want to share something that has shifted how I am thinking about risk.
💡 Indy Johar has written an important essay on risk as a philosophy. His central claim: risk is not simply the probability of harm... it is what happens when an organisation's assumptions, capabilities and dependencies quietly stop fitting the world around them.
Traditional risk management: name it, rate it, mitigate it. It is a model designed to work for stable environments where background conditions can be assumed, like markets, supply chains, social license.
But we are no longer in that environment. The gap is growing between where we currently stand and the trajectory the world is moving along. By the time the risk appears on a risk register, the window for early action has passed.
What this moment is calling for is a more honest view of what the organisation is actually exposed to:
🔹 It means using scenario exploration to test the organisation against futures it has not planned for.
🔹 It means building the discipline of the pre-mortem into how decisions are made, asking before commitment: What would have to be true for this to fail? What dependencies might not hold? What is the organisation not yet willing to see?
🔹 It means building the capacity to hold complexity and uncertainty, not as a problem to be solved, but as the condition to be navigated. Not having all the answers. But developing the organisational muscle to ask better questions, sit with what they surface, and remain genuinely curious about what the system is trying to tell us.
A few questions to consider.
For Audit and Risk Committee Chairs:
❓ Are we asking whether our organisation remains fit for the world it is moving into?
❓ Does our risk framework help us sit with complexity, or does it primarily help us simplify it away?
❓ Are we tracking trajectories and early signals?
❓ What are we assuming will always be there, and have we ever genuinely examined what happens if it isn't?
For the Risk Function:
❓ What is the diversity of thinking inside our risk function? Are we drawing on systems thinkers?
❓ Is our data and information designed to surface early signals and invisible dependencies?
❓ Are scenario analysis and pre-mortems a standing part of how we build risk awareness, or tools we only use when a decision is already in front of us?
The Risk Function has never been more important. It plays a critical role in identifying and managing what is already known and in sensing what is emerging.
Link to Indy Johar's essay: https://indyjohar.substack.com/p/on-risk