Those who argue that life is full of risks and we must learn to live with them are often labelled ‘pessimists’. Risk management is painful and not a natural act for humans.

One of the most daunting challenges organisations face in business life is dealing with unmanageable risks.

Unmanageable risk refers to risks that are difficult or impossible to address or mitigate through conventional risk management practices. These risks pose significant challenges because they cannot be easily controlled or managed by the affected parties or through specific actions or initiatives.

Robert Kaplan is a senior fellow and the Marvin Bower professor of leadership development at Harvard Business School. He classifies risks as preventable, strategic or external.

Risk management gained prominence, especially in the financial services sector, after the 2007-2008 credit crisis. Post-crisis investigations concluded that lax regulation was the main factor behind this systemic failure. Financial services regulators have developed new rules for strengthening organisational governance in the last 15 years to prevent a similar crisis from reoccurring.

Admittedly, preventable risks that arise within an organisation are controllable and should be avoided. This risk category is best managed through active prevention: monitoring operational processes and guiding people’s behaviours and decisions towards desired norms.

Business literature on preventable risk management has multiplied in the last decade and blueprints of best practices are easy to find.

Risk management is often treated as a compliance issue that can be solved by drawing up many rules and ensuring all employees follow them. Many such rules are sensible and reduce risks that could severely damage a company. Of course, the spectrum of risks that organisations face is much broader.

Kaplan argues that strategic risk management is fundamentally different and must not be tackled by a rule-based approach. He cites the Deepwater Horizon oil disaster in the Gulf of Mexico in 2010 as an example. When Tony Hayward became CEO of BP in 2007, he vowed to make safety his top priority. One of the first rules he instituted was requiring all employees to use lids on coffee cups while walking and refrain from texting while driving. Three years later, under his watch, the Deepwater explosion became the worst manmade disaster in history.

Rules-based risk management will not diminish the likelihood or the impact of a disaster such as the Deepwater Horizon, just as it did not prevent the failure of many financial institutions like Lehman Brothers during the 2007-2008 credit crisis.


Strategy risk management needs a risk-management system designed to reduce the probability that the assumed risks materialise and improve the company’s ability to manage or contain the risk events should they occur.

Various studies have found that people overestimate their ability to influence events that are, in fact, heavily determined by chance. Many organisational leaders tend to be overconfident about the accuracy of their forecasts and risk assessments. Too many quantitative risk analyses are based on linear extrapolations from recent history to highly uncertain and variable futures.

Management teams facing uncertain conditions often engage in groupthink. Once a course of action has gathered support within a group, those not yet on board tend to suppress their objections, however valid, and fall in line. This is particularly common if the management team is led by an overbearing or overconfident leader who wants to minimise conflict, delay and challenges to their authority.

External risks cannot typically be reduced or avoided through the approaches used for managing preventable or strategic risks. Some external risk events are sufficiently imminent that managers can manage them as they do their strategy risks. For instance, Huawei, the Chinese technology giant, has recently achieved record profits despite being affected by US sanctions on the export of computer processors.

However, other external risks are more challenging to predict, quantify and address effectively. Examples include the recent global pandemic, natural disasters like the 2010 Icelandic volcano eruption and geopolitical conflicts like the Ukraine war.

Today, the most threatening risks facing organisations worldwide are trade wars, climate change and global warming, the depletion of critical natural resources such as freshwater, and geopolitical conflicts after decades of taking the peace dividend for granted.

Risk management is one of the less glamorous functions of organisational leaders. It is nonintuitive and runs counter to the “can do” culture most leadership teams try to foster when implementing strategy. The best approach is for organisations to build resilience and enhance their capacity to adapt and respond to external risks.

Undoubtedly, risk management is very different from managing strategy.