Every enterprise faces risks. Managing them is like doing homework we often try to skip in favour of more exciting pursuits. Managers know they must deal with risk. But many prefer to focus on innovation, growth, or strategy. And yet, nothing truly exciting in business can happen without risk management.

We must begin with the foundational recognition that all systems; organisational, economic, ecological, social, are complex systems. Risk management never operates in isolation. It is always embedded in a web of interdependencies, feedback loops, and non-linear dynamics. There is no “outside” of complexity. All decision-making, coordination, and leadership occur within this condition.

While risk management and resilience are often discussed as separate or complementary disciplines, they are frequently conflated or misunderstood. Resilience is not a component of risk management. It is a defining feature of complex systems. It describes the capacity of a system to absorb shocks, reorganise, and continue functioning. Risk management, then, should be understood as one of the mechanisms through which resilience can be either enhanced or degraded.

In current practice, two dominant but insufficient habits shape the risk discourse. One is what we could call the optimistic school. This group, which is common in the corporate and entrepreneurial world, assumes risk is manageable, problems are fixable, and disruptions are transient. Their stance implicitly comforts decision-makers who wish to avoid difficult conversations. Optimism in this form often masks a reluctance to fully engage with the harsh, systemic implications of risk. The burden of failure usually falls on those least responsible and most vulnerable, frontline staff, users, or the public.

The second is the polar opposite, the pessimistic (or catastrophist) school. This approach which is more common in government, public institutions, and compliance-heavy sectors, leans on fear and crisis. It legitimises hyper-caution and risk aversion, often justifying inaction or overregulation. This approach paradoxically weakens resilience by reinforcing brittleness; that is, the inability of a system to adapt or improvise under stress both to acute and prolonged stresses.

Both schools are inadequate. They offer comfort (emotional or political) rather than clarity. They are rooted in attitude, optimism or pessimism, not in systems thinking.

What’s missing is a complexity-grounded approach to risk. This is not a “middle ground” between optimism and pessimism, but an entirely different epistemology. This is where we may find a third way; complexity-based risk management. It recognises that risk is not something to be eradicated. In complex systems, risk is not an anomaly. It is ever-present. Risk is also a signal. It is part of the system’s way of adjusting, innovating, and evolving. It also means that managing risk is not about preventing failure but increasing adaptive capacity. The focus shifts from controlling events to improving the system’s capacity to navigate change. And finally the third way or managing risk ‘knows’ that resilience is not static. It is dynamic and developed through practice, learning, and experimentation. This means risk management becomes less about fixed plans and more about enabling flexible, decentralized, feedback-rich responses.

So, what are the implications for practice? A complexity-informed risk management framework would be about following five actions:

1. Diagnose systemic vulnerabilities and adaptive capacities, not just assess likelihood and impact of individual events.
2. Encourage scenario-thinking that goes beyond worst-case and best-case dichotomies, focusing instead on exploring multiple plausible futures and the capacities required to navigate them.
3. Embed learning loops into organisational processes so that risks are continuously re-evaluated as systems evolve.
4. Redefine accountability so that responsibility for risk decisions is shared more equitably, rather than being diffused upwards or displaced downwards.
5. Recognise that every risk also presents a potential opportunity, not just for survival but for transformation, innovation, and renewal.

In this framing, risk management becomes an act of stewardship, not just of assets, compliance or reputation but of the system’s ability to regenerate itself in the face of pressure. This approach demands a shift in institutional culture and individual mindset from control to navigation, from certainty to adaptive capacity, from compliance to coherence with system dynamics.

Risk is not a deviation from normality; it is the shape of the world we inhabit. When we treat risk as a nuisance to be suppressed or a threat to be feared, we miss the chance to engage it as a teacher, as a source of insight. A truly resilient system, organisation, society, or economy is one that understands risk not as something to be solved, but as something to be worked with.