What Creates Risk Opportunities in Your System?

By Raimund Laqua, P.Eng. - The Lean Compliance Engineer

I've sat through countless meetings where we talk about being "proactive"—whether it's safety, security, or quality. Yet here we are, still chasing incidents after they happen, still writing corrective actions for problems we should have seen coming. Sound familiar?

Here's what I've learned after three decades in risk & compliance:

The Real Enemy Isn't What You Think

We obsess over the symptoms—incidents, failures, breaches, defects. But here's what we miss: **uncertainty creates the opportunity for risk**. These incidents are just manifestations of that risk. Hazards, threats, and failure modes? They're all manifestations of uncertainty.

Think about your last major incident—safety, security, or quality related. The failure, the breach, the defect—those were risk manifesting. But the real question is: why didn't we see it coming? Because we weren't looking at the uncertainties that created those risk opportunities in the first place.

Why Traditional Programs Feel Like Whack-a-Mole

Most risk & compliance management programs treat risk as a pest to eliminate. Write better procedures! More training! Tighter controls! But you can't eliminate risk opportunities when uncertainty keeps creating new ones.

I've seen this pattern repeatedly across different organizations and domains. Every "solution" seems to create new problems. The root issue isn't equipment, people, or processes—it's uncertainties that keep creating fresh risk opportunities because we're not identifying them systematically.

What Actually Works

The smartest professionals I know don't chase risk symptoms—they map the uncertainties creating those opportunities.

When we run HAZOPs in process safety, we're asking: "What uncertainties exist here, and what risk opportunities might they create?" In cybersecurity, threat modelling does the same thing—identifying uncertainties in system behaviour that create attack opportunities. Quality engineers use FMEA to map uncertainties in manufacturing processes that create defect opportunities.

In aerospace, STAMP analysis tracks how uncertainties cascade through control systems, creating risk opportunities at every interaction. A sensor uncertainty creates risk opportunities for pilot response, which creates uncertainties about aircraft behaviour, which creates more opportunities downstream.

Even business consultants figured this out. CYNEFIN maps help teams recognize different types of uncertainty and the unique risk opportunities each creates—whether you're managing operational safety, cyber-security threats, or product quality.

The Shift That Changes Everything

Instead of asking "How do we prevent this incident?" try asking "What uncertainties are creating risk opportunities we haven't considered?"

Because new uncertainties will always emerge in complex systems. The question is whether your organization learns to spot them before they manifest as incidents—safety, security, or quality related.

After years of watching organizations struggle with this across multiple domains, I'm convinced the future belongs to teams that hunt uncertainties—not the ones still swatting at risk symptoms.

What uncertainties is your system hiding, and what risk opportunities are they creating right now?