Risk Management: In the tool belt not just in the workshop

Every major technology shift arrives with the same arc: breathless promise, a handful of genuine success stories, and a longer trail of cautionary tales that fill case study libraries for a decade afterward. Digital transformation. ERP implementations. Cloud migration. The organizations that navigated those moments well weren’t the ones with the most aggressive timelines or the boldest vision statements. They were the ones that moved with their eyes open — clear-eyed about what could go wrong, equally clear-eyed about what they were positioned to gain, and disciplined enough to hold both views at once throughout the work, not just at the beginning and end of it.

That discipline is the difference. Not the technology. Not the strategy deck. The discipline.

My time spent at Atlanta AI Week reinforced this idea with sessions on AI risk, on governance as an accelerant rather than a brake, on cutting through the fog that keeps organizations from seeing what their initiatives are actually delivering. Taken together, they reinforced the idea that risk is not a synonym for threat. The organizations treating it that way — deploying governance as a defensive perimeter rather than a navigational tool — are managing only half the picture. The other half is what they’re positioned to achieve, and whether they’re protecting that position as deliberately as they’re guarding against loss.

That fuller orientation is what high-performing organizations build into how they operate. Not as a response to the current technology moment. Because the work has always required it.

The research is clear on why this matters from the start. The underlying principle — prospective hindsight — was established in 1989 by researchers at Wharton, Cornell, and the University of Colorado, who found that imagining a project has already definitively failed increases a team’s ability to identify the real reasons by 30%. Gary Klein formalized this into the pre-mortem method in a 2007 Harvard Business Review article. The improvement doesn’t come from pessimism. It comes from honesty — from creating the conditions for people to surface what they already suspect but haven’t said yet. A structured hour at the start of a project to ask “if this failed, why did it?” is what turns the promise to do better into a practice that actually delivers it.

A Lesson from Finance

I worked with a finance leader whose approach to project review changed the way I think about risk. This Controller had a gift for long-view questioning that I didn’t fully appreciate until I’d been on the receiving end of it for a while. No matter how thoroughly I prepared for a project review, she had questions I hadn’t anticipated — she was looking down the road the project would have to travel and asking whether we were actually built for what we’d encounter there.

I’ll admit I joked, more than once, that she was just looking for a reason to say no. Controllers sometimes are. But what I came to understand was that she genuinely wanted the projects that received approval to be positioned for success — and she knew that optimism, unexamined, is one of the most reliable sources of project failure. Her questions weren’t obstruction. They were the long view, applied consistently, by someone with the authority and the discipline to hold it.

What that produced, over time, ran well beyond Finance or the PMO. Leaders across the organization got better at asking those questions themselves because they saw the practice demonstrate its value. Department leaders saw how the questions made their programs stronger. They brought the same discipline to their own teams. The rigor became part of the dialogue — not an edict from above, but a way of working that spread through demonstrable practice. Threat and opportunity, examined together. That’s a fuller definition of risk than most governance processes operate from. And it’s a key differentiator in successful transformations.

The Discipline Precedes the Moment

Anyone who has sat through enough post-mortems knows the moment. The project is done — over budget, late, or simply not what anyone remembers agreeing to — and around the table, one by one, people share how they knew. We didn’t consider X. We never really addressed Y. The retrospective fills up with things the team saw coming and didn’t say, or said quietly and dropped when no one picked it up.

Then someone asks the harder question: why didn’t we consider X? Why didn’t we do Y?

Silence. Avoided eye contact. A sheepish acknowledgment and a promise to do better next time.

That moment — the gap between what people knew and what got said — is where the discipline breaks down. And it breaks down not because people are withholding, but because the structure didn’t exist to surface it earlier, when it was still cheap to act on. That’s what a pre-mortem is designed to fix: not the next post-mortem, but the conditions that make this one unnecessary.

The organizations that navigated major digital transformations successfully — that came out the other side with functioning systems, aligned teams, and outcomes they could actually point to — had a clear-eyed view of risk management from people who were present throughout, not summoned at the end.

The ones that stalled, or delivered something nobody quite remembered approving, or found themselves in a rescue situation — those organizations may have performed risk management too. It just lived in the wrong place. Too late in the process, too far from the decisions that shaped outcomes, too disconnected from the leaders who were making the calls that mattered.

That gap — between risk as a discipline carried throughout the process and risk as a checkpoint applied at the end — is where high-performing organizations separate from the rest. It’s not a new gap. It’s been around a while. What has changed is how consequential that gap can be in our current AI environment.

A recent Deloitte survey of more than 3,200 senior business and IT leaders found that only 21% of organizations have a mature governance model in place for agentic AI. The organizations succeeding are building cross-functional structures from the start: IT, legal, compliance, and business leadership present throughout, not sequentially. That’s not a recommendation specific to AI. It’s a description of what the discipline looks like when it’s working. Most organizations, it turns out, don’t have it in AI or anywhere else.

This is where AI readiness gets misunderstood. Most organizations approach it as a technical checklist: data infrastructure, model selection, governance frameworks. Those matter. But the organizations getting tripped up aren’t failing on the technical side first. They’re failing because the risk mindset wasn’t in place before the AI arrived. They’re deploying into environments where assumptions haven’t been stress-tested, where the questions that should have been asked in week two never got asked at all — and AI doesn’t pause to notice. It scales what’s already there, including the gaps. The pre-mortem discipline, the cross-functional presence, the habit of holding threat and opportunity in view simultaneously? That’s not just good project practice. It’s the foundation that determines whether AI delivers on what was promised, or amplifies what was already broken.

The Bearing Check Question

Risk fluency isn’t a tool you pick up for a specific project and set back down when it’s done. It’s not in the toolbox, and it’s not back at the workshop. It needs to be in the tool belt — carried by every leader in the chain, from VP to project manager, at the ready, in every initiative.

That means legal, finance, and quality aren’t summoned when something looks risky. They’re present when the work is being shaped. It means the project manager in sprint two and the product owner in backlog refinement are asking the same long-view questions the Controller asked in the project review — not because they’re risk professionals, but because the culture expects it and leadership has made it visible.

It means pre-mortems, not just post-mortems. Charters that are honest about what success requires. Teams that can articulate what they’re building against, not just what they’re building toward.

So ask yourself:

Where does risk fluency actually live in your organization, your team, and in you? Is it in the tool belt, carried into every initiative from the start? Or is it in the toolbox, available when someone thinks to reach for it? And in the work you’re leading right now — who’s asking the questions that haven’t been asked yet?
