Disinformation. Geopolitical chaos. Supply chain disruption. Cyber threats. There’s no shortage of excellent reports on emerging risks—MNP’s Canadian risk trends, Diligent’s ERM strategy guide, NSSG Global’s five critical trends. All are worth your time.
Yet getting swept up in the hype is actually a terrible approach to risk management. When every headline screams that AI is coming for your job and hackers are coming for your data, it’s easy to feel like nothing is within your control.
So let’s take our power back. Let’s bring risk management back to basics as we plan for the new year. Because here’s the most useful, practical, and pragmatic way to think about risk:
> The greatest risk is the risk of not achieving your goals.
- What’s your risk of missing sales targets? (Risk mitigation: Block out prospecting time and actually honor it.)
- What’s your risk of your risk register gathering dust? (Risk mitigation: Schedule quarterly reviews with action items—not just updates.)
- What’s your risk of still talking about “learning AI tools” next December? (Risk mitigation: Register for the course today.)
- What’s your risk of losing your best people to competitors who figured out flexibility? (Risk mitigation: Before you finalize 2026 plans, ask your top three performers what would make them stay—and actually listen.)
- What’s your risk of not losing those 10 pounds? (Risk mitigation: Evict the cookies from your cupboard.)
With that lens, here are my favorite low-tech risk management principles to carry into 2026.
1. Don’t Get Too Comfortable
Risk programs that give you the warm-and-fuzzies aren’t helping you. They’re doing the opposite.
I’ve seen programs (not the ones I’ve run, obviously) rinse and repeat last year’s assessment with the Board rubber-stamping what’s already there. The conversation is flat. Everyone wonders what the point of risk management even is.
Here’s the thing: Risk management is a natural source of disagreement. We have different risk tolerances baked into us from wildly different professional experiences, personal histories, and human wiring. It’s actually unnatural for a leadership team or Board to see risk the same way.
And that’s a feature, not a bug.
After years in the trenches doing GRC work, I can tell you: it’s not the comfortable activities that move the needle. HR thinks nothing could possibly go wrong. IT thinks civilization is one patch away from collapse. Some people attack risks with surgical precision; others paint with a broad brush.
Yes, leaders need alignment on how to build their risk program—Diligent’s ERM guide makes this point well. But sometimes the quest for everyone to be on the same page becomes a blocker to actually doing anything. Discomfort, especially early on, is a sign your program is working. It’s a catalyst for learning, discussion, and the occasional awkward silence.
The takeaway: Embrace uncomfortable conversations. Differences in risk tolerance spark the insights that matter.
2. Your Best Risk Management Tool Is a Cup of Coffee
Risk management loves its tools—matrices, heat maps, frameworks, PowerPoints, workshops, surveys, and ever-more-complicated models dreamed up by people with advanced degrees.
But the best risk management tool I’ve ever heard of comes from Dr. Karen Hardy, former Deputy Risk Officer for the U.S. Department of Commerce and author of Flip This Risk.
Hardy recounted her journey implementing a risk program for Commerce. First, she tried a compliance program—asking people to follow requirements. Didn’t work. Then a fancy risk dashboard. Nope. Then cutting-edge software. Still nothing.
Finally, she tried something radical: a cup of coffee.
Those one-on-one conversations with key stakeholders yielded the best information for her risk program. People shared what actually kept them up at night—insights no matrix or software would ever surface. It turns out, people will tell you things over coffee they’d never put in a survey.
It’s a powerful reminder for those of us who thrive on data, models, and complexity: sometimes the best tool is the one that fits in your hand and costs $4.
The takeaway: Even in our AI-obsessed, data-drunk era, don’t underestimate actual human conversation. The answers you need are probably sitting in someone’s head, waiting for you to ask.
3. Balance Objective-Centric and Risk-Centric Thinking
There’s a juicy debate in risk circles between two schools of thought.
Risk-Centric thinking—the dominant approach—focuses on brainstorming risks, building registers, assigning owners, creating heat maps, and monitoring mitigation. You know the drill.
Objective-Centric thinking flips the script. It asks: What’s the risk of not achieving our strategic goals? Purists argue this keeps you focused on what matters—growth, technology, talent—rather than peripheral concerns like access management checklists. It also aligns with reality: Most people aren’t paid to manage risk. They’re paid to hit objectives.
But objective-centric isn’t always the answer. Some organizations don’t have clearly defined objectives yet. Others know their risks more viscerally than their goals. That’s true for people, too. (We’re often more motivated by a health scare than a wellness goal.) And sometimes risk management really is an assurance activity—internal controls, policies, compliance—serving a different purpose.
A practical note: Objective-centric discussions often belong in the annual strategy session. Risk-centric work may sit better with the audit committee. Different tools for different audiences.
The takeaway: Know which approach you’re using and why. Then connect the dots to what your organization is actually trying to achieve.
4. Action Beats Perfect Heat Maps
Risk management shouldn’t be an exercise in pretty presentations. It’s about action—even baby steps—to move your organization forward.
Two frameworks are worth knowing. The IIA’s Three Lines Model emphasizes value creation alongside protection:
- First line (operations) owns daily risks
- Second line (risk and compliance) provides oversight
- Third line (internal audit) delivers independent assurance
This model works because it creates accountability.
The Four-Action Framework categorizes risks into buckets:
- Tolerate (accept what’s within thresholds)
- Monitor (watch but don’t act yet)
- Improve (actively mitigate)
- Operate (manage through established procedures)
But honestly? The approach I often use with clients is almost too simple to say:
- A handful of quarterly to-dos with names attached
- One-page reporting
- Assigned owners
- Clear deadlines
This isn’t glamorous, but it works because it’s clear and someone’s neck is on the line.
If your risk program produces beautiful heat maps but no behavior change, you have an art project, not a risk program.
The takeaway: Track quarterly actions. Assign owners. Hold people accountable. Iterate. Repeat.
The Bottom Line
The risk management world is drowning in sophisticated tools, scary headlines, and frameworks with impressive acronyms. But the fundamentals haven’t changed: embrace discomfort, have real conversations, prioritize action over perfection, stay connected to what you’re actually trying to achieve.
Sometimes the best risk mitigation is grabbing a coffee with a colleague and asking, “What keeps you up at night?”
The answer might surprise you. And it definitely won’t require a heat map.
******************
Risk Oversight helps organizations strengthen their internal audit, internal controls, and governance programs—with practical solutions tailored to your reality, not someone else’s. If you’re looking for support in 2026, let’s talk: adrienne@riskoversight.ca.