What Creates Risk Opportunities in Your System?

By Raimund Laqua, P.Eng. - The Lean Compliance Engineer

I've sat through countless meetings where we talk about being "proactive"—whether it's safety, security, or quality. Yet here we are, still chasing incidents after they happen, still writing corrective actions for problems we should have seen coming. Sound familiar?

Here's what I've learned after three decades in risk & compliance:

The Real Enemy Isn't What You Think

We obsess over the symptoms—incidents, failures, breaches, defects. But here's what we miss: uncertainty creates the opportunity for risk. These incidents are just manifestations of that risk. Hazards, threats, and failure modes? They're all manifestations of uncertainty.

Think about your last major incident—safety, security, or quality related. The failure, the breach, the defect—those were risks that became a reality.

But the real question is:

Because we weren't looking at the uncertainties that created those risk opportunities in the first place.

Why Traditional Programs Feel Like Whack-a-Mole

Most risk & compliance management programs treat risk as a pest to eliminate. Write better procedures! More training! Tighter controls! But you can't eliminate risk when uncertainty keeps creating new ones.

I've seen this pattern repeatedly across different organizations and domains. The root cause isn't equipment, people, or processes—it's uncertainties that keep creating fresh risk opportunities.

What Actually Works

The smartest professionals I know don't chase the symptoms of uncertainty (i.e. risk) —they map the uncertainties creating those opportunities.

When we run HAZOPs in process safety, we're asking: "What uncertainties exist here, and what risk opportunities might they create?"

In cybersecurity, threat modelling does the same thing—identifying uncertainties in system behaviour that create attack opportunities.

Quality engineers use FMEA to map uncertainties in manufacturing processes that create defect opportunities.

In aerospace, STAMP analysis tracks how uncertainties cascade through control systems, creating risk opportunities at every interaction.

Even business consultants figured this out.

CYNEFIN maps help teams recognize different types of uncertainty and the unique risk opportunities each creates—whether you're managing operational safety, cyber-security threats, or product quality.

The Question That Changes Everything

After years of watching organizations struggle with this across multiple domains, I'm convinced the future belongs to teams that hunt uncertainties—not the ones still swatting at symptoms – the effects of uncertainty.

Instead of asking "How do we prevent this incident?" try asking