Forget insurance as your first line of defense. Here’s what actually works.
The Fence, Not the Ambulance
Imagine a town built on the edge of a cliff. The town leaders, worried about people falling, buy the best ambulance service in the world. It’s expensive, but it’s great at taking injured people to the hospital. They see this as their first line of defense. A wise person comes along and asks, “Why don’t you just build a fence at the top of the cliff?” Insurance is the ambulance. It’s a reactive tool for financing a loss after it happens. A good risk management program—the fence—is what actually prevents the loss in the first place.
Stop chasing zero risk. Chase optimal risk retention instead.
The Bubble-Wrapped Business
A new CEO was so terrified of any possible loss that he tried to eliminate all risk. He bought every insurance policy imaginable, hired teams of lawyers to review every decision, and implemented so many rules that the company slowed to a crawl. He created a bubble-wrapped business that was perfectly safe and completely unprofitable. He learned that the goal of risk management isn’t zero risk; that’s impossible. The goal is to find the optimal balance—to intelligently retain the small, manageable risks so you have the capital and freedom to take the bigger risks that lead to growth.
The hidden truth about enterprise risk management (ERM) that consultants won’t admit.
The Binder on the Shelf
A big consulting firm sold our company a massive Enterprise Risk Management (ERM) program. It came in a set of three 500-page binders filled with complex matrices and process flows. It was technically brilliant, and it cost a fortune. A year later, it was sitting on a shelf, gathering dust. The hidden truth consultants won’t admit is that a complex ERM framework is often useless. Real risk management isn’t a binder; it’s a culture. A simple, one-page checklist that is used every day by every employee is infinitely more effective than a perfect plan that nobody uses.
What nobody tells you about implementing a successful safety program.
The Posters and the Silence
Our company launched a big new safety program. We had a catchy slogan, professional posters on every wall, and mandatory training sessions for all employees. After six months, our accident rate hadn’t changed. Why? Because while we had the posters, we had silence from our leaders. The CEO never mentioned it. Managers never talked about it in their team meetings. Nobody tells you that the success of a safety program has zero to do with posters. It has 100% to do with the visible, passionate, and consistent commitment of senior leadership.
I spent my career as a risk engineer. Here’s what I learned about preventing losses.
The Predictable Surprise
In my 30 years as a risk engineer, I learned that there is no such thing as a “freak accident.” Every major loss I investigated was preceded by a long chain of smaller, ignored warnings. A machine guard would be broken for months. A crucial safety procedure would be routinely bypassed to save time. These weren’t secrets; everyone knew. The culture allowed these small deviations to become normal. The final accident was never a surprise; it was the predictable result of a hundred small failures that had been tolerated for years.
Unpopular opinion: Most business continuity plans are completely useless.
The Plan for a World That No Longer Exists
Our company spent a fortune on a detailed business continuity plan. It was a masterpiece of planning. It was also completely useless. The plan was written three years ago. Since then, we had changed our key software, moved our servers to the cloud, and half the people on the emergency contact list had left the company. When a real disruption happened, we discovered our plan was for a business that no longer existed. An outdated plan is worse than no plan at all; it’s a dangerous illusion of preparedness.
90% of managers don’t understand this about root cause analysis.
The “Human Error” Fallacy
An operator makes a mistake, causing a production line to shut down. The manager investigates and writes a report. The conclusion: “human error.” The operator is retrained. This is the fallacy 90% of managers fall into. They stop at the symptom, not the cause. A true root cause analysis asks “why” five times. Why did the operator make the error? The procedure was confusing. Why? It was poorly written. Why? The engineer who wrote it was rushed. A good analysis finds the broken system, not the broken person.
This simple contractual risk transfer technique transformed our liability exposure.
The Clause That Built a Fortress
Our company used to hire subcontractors with a simple handshake agreement. When one of their employees was injured on our site, we were sued. It was a costly lesson. We implemented a simple contractual risk transfer program. Now, no subcontractor can work for us unless they provide proof of their own insurance, name our company as an “additional insured,” and sign an agreement to “indemnify” us for their own negligence. This simple, two-page document has built a legal fortress around our company, pushing risk back onto the parties who create it.
You’re not having accidents because of bad luck. It’s because of a poor safety culture.
The Culture and the Consequence
Our factory had a string of accidents, and the manager kept blaming “bad luck.” It wasn’t bad luck; it was bad culture. For months, you could see the warning signs. People were taking shortcuts, and supervisors were looking the other way. Safety suggestions were ignored. The accidents weren’t random events. They were the predictable consequences of a culture that implicitly tolerated risk. You don’t have a luck problem. You have a leadership problem. Your accident rate is a direct reflection of what you, as a leader, are willing to accept.
Stop buying insurance for preventable losses. Invest in loss control instead.
The Premium and the Prevention
A distribution company had a high rate of back injuries from their workers lifting heavy boxes. Their workers’ compensation insurance premium was sky-high. They just kept paying the premium, treating it as a cost of doing business. I told them to stop buying insurance for a preventable loss. They took half of their annual premium and invested it in ergonomic lifting equipment and proper training. Their back injuries—and their premium—dropped by 70% the next year. It’s always cheaper to invest in prevention than to pay a premium for a problem you can solve.
The uncomfortable truth about your Total Cost of Risk (TCOR).
The Iceberg Under the Premium
As CEO, I was always focused on one number: our insurance premium. I would fight with our broker to get it 5% lower. I thought I was managing our costs. The uncomfortable truth is that the premium is just the tiny tip of the iceberg. Our Total Cost of Risk (TCOR) also included our retained losses (deductibles), legal fees, and the administrative cost of managing claims. While I was fighting over the tip of the iceberg, the massive, unseen costs below the surface were sinking the company.
Why everything you know about risk avoidance is backwards.
The Avoidance That Crippled the Company
Many people think risk management is about “risk avoidance.” If a new product has potential risks, they just decide not to launch it. This is backwards. A company that avoids all risk will never innovate, never grow, and will eventually be made obsolete by its competitors. The purpose of risk management isn’t to stop you from taking risks. The purpose is to enable you to take more risks, intelligently. It’s about building the strong safety net that gives you the confidence to make the bold leap.
I tried to implement a risk management plan without top-down support. It was a disaster.
The Plan and the Deaf Ears
As the new safety manager, I rolled out a brilliant risk management plan. I held training sessions, put up posters, and sent out emails. It was a complete disaster. Nobody paid attention. Why? Because the CEO never mentioned it. No senior manager ever asked about it in a meeting. There were no consequences for ignoring it. I learned that a risk management plan is just a piece of paper. It only becomes real when the most senior person in the room consistently and visibly demonstrates that it is a priority.
Hot take: Your safety committee is overrated.
The Committee and the Lack of Accountability
Our company had a safety committee. It had a formal charter and met every month. It was also completely useless. The committee was a place where problems were discussed, but never solved. It was a substitute for real accountability. We disbanded it. Instead, we made safety a key performance metric for every single line manager. We gave them the authority and the budget to fix problems in their own areas. The committee was a “talk shop.” Empowering the line managers was what actually got things done.
Most companies waste hours on risk registers. Do this instead.
The Long List and the Short Fuse
We spent six months creating a corporate “risk register.” It was a massive spreadsheet with 150 different potential risks. It was comprehensive, and it was completely paralyzing. We were so overwhelmed by the long list that we did nothing. We threw it away and did this instead: We identified our “top 5” enterprise risks. The five things that could actually put us out of business. We focused all our energy on those five items. A short, actionable list that you can actually manage is infinitely better than a perfect, comprehensive list that just sits on a shelf.
The 5-minute habit that replaced my fear of an OSHA inspection.
The Walk-Around and the Welcome
I used to live in constant, low-grade fear of a surprise OSHA inspection. I started a simple 5-minute habit that replaced that fear. Every single morning, before the shift starts, I walk the factory floor with a small notebook. I’m not looking for problems; I’m looking for proactive safety behaviors to praise. I’m also making myself visible and approachable. The employees know that safety is my first priority every day. Now, if an OSHA inspector shows up, I can welcome them, because I know we are doing the right things every single day, not just when we’re being watched.
Your high claims frequency isn’t caused by your employees. It’s this.
The System and the Symptom
Your company has a high frequency of small injury claims. You blame your “careless” employees and invest in more training and discipline. You’re treating the symptom, not the cause. Your claims are not caused by your employees. They are caused by your broken systems. Is the workflow poorly designed? Is the equipment old and unreliable? Are your supervisors pushing speed over safety? Your high claim frequency is a fever. The employees are just the thermometer telling you that your underlying operational systems are sick.
If you’re not using a formal risk assessment matrix, you’re already losing to your competitors.
The Matrix and the Map
My competitor always seemed to make smarter, faster decisions than I did. I learned their secret. They use a formal risk assessment matrix for every major decision. It’s a simple tool that plots the “likelihood” of a risk against its potential “impact.” This allows them to visually map their risks and prioritize them. It forces them to have an objective, data-driven conversation about risk, instead of just relying on gut feeling. While I was guessing, they were using a map. That’s why they were winning.
Stop glorifying insurance. Start glorifying prevention.
The Cure and the Prevention
Our culture glorifies the insurance payout. A company has a fire, and we are impressed when they have a huge policy that helps them rebuild. We see the insurance as the hero. This is backwards. We should not be glorifying the “cure.” We should be glorifying the prevention. We should be celebrating the company that invested in a top-tier fire suppression system and had a small, containable fire that didn’t even trigger their insurance. A small, prevented loss is a much greater business victory than a large, insured one.
The real cost of a “minor” incident that nobody calculates.
The Cut Finger and the Cascade of Costs
An employee had a “minor” incident—a small cut on his finger that required a few stitches. We thought the cost was just the $500 medical bill. We were wrong. The real cost was a cascade of hidden expenses. We had to pay another employee overtime to cover his shift. The supervisor spent half a day on the incident report and investigation. And our workers’ comp premium went up at the next renewal. That “minor” $500 incident actually cost our company over $5,000 in direct and indirect costs.
What risk-mature organizations do with data that struggling companies don’t.
The Data That Drives and the Data That Dies
Struggling companies collect safety data—incident reports, audit findings—and let it die in a spreadsheet. It’s a graveyard of information. Risk-mature organizations do something completely different. They treat their risk data as a living, breathing asset. They analyze it for trends. They use it to predict where the next incident is likely to occur. They share it transparently with their leadership and their front-line employees. They don’t just collect data; they use it to drive decisions and to prevent the next accident before it happens.
The myth of “common sense” is destroying your safety record.
The “Sense” That Isn’t Common
I once had a manager who refused to write a safety procedure for a simple task. He said, “Everyone should just use their common sense.” This myth is destroying safety records. “Common sense” is not common. It’s based on an individual’s own unique experience, training, and risk tolerance. What’s common sense to a 20-year veteran is a complete mystery to a new hire. A formal, written safe work procedure ensures that everyone is following the same, single, safe standard, regardless of their personal “common sense.”
I quit focusing on lagging indicators and our incident rate dropped by 50%.
The Rear-View Mirror and the Road Ahead
For years, our safety program was focused on one metric: our OSHA incident rate. This is a “lagging indicator.” It’s like driving by only looking in the rear-view mirror; it only tells you where you’ve been. I quit focusing on it. Instead, we started tracking “leading indicators”—proactive metrics like the number of safety observations completed, the percentage of training attended, and the number of near-misses reported. By focusing on the positive actions that prevent accidents, our actual incident rate dropped by 50% in one year.
Controversial: Your zero-incident goal is holding you back from real safety improvements.
The Zero and the Hidden Problems
Our company had a stated goal of “zero incidents.” It sounds great, but here’s the controversy: it was holding us back. Because the pressure to hit “zero” was so immense, supervisors were sweeping minor incidents under the rug. Employees were afraid to report near-misses for fear of ruining the perfect record. The goal of zero was actually driving our problems underground. We switched our goal to “100% reporting of all incidents and near-misses.” The reported numbers went up, but our real-world safety and our ability to learn from our mistakes improved dramatically.
95% of online advice about risk management is too academic. Here’s a practical approach.
The Thesis and the Toolbox Talk
Most of the risk management advice you find online is written by academics. It’s full of complex theories and Greek letters. It’s useless for a real-world manager. A practical approach is simpler. Once a week, ask your team two questions: “What is the riskiest thing we are going to do this week?” and “What is one thing we can do to make it safer?” That simple, 10-minute conversation is more effective than a hundred pages of academic theory. It makes risk management a real, practical, and collaborative team activity.
One small change to our hiring process eliminated a major source of liability.
The Hire and the Hidden History
Our biggest source of employee problems was what I called “surprise hires”—people who looked great on paper but turned out to have a history of workplace issues. We made one small change to our hiring process. We started conducting professional, in-depth reference checks on every final candidate, using a third-party service. We didn’t just confirm dates of employment; we asked tough questions about performance and teamwork. This simple step of professional due diligence has almost completely eliminated our “surprise” problem hires.
The truth about behavioral-based safety that consultants profit from hiding.
The Behavior and the Broken System
Consultants love to sell “Behavioral-Based Safety” (BBS) programs. They focus on observing and correcting the “unsafe behaviors” of front-line employees. The truth they profit from hiding is that this is often a sophisticated way of blaming the victim. Unsafe behaviors are almost always a symptom of a broken system. An employee is taking a shortcut because the “safe” way is slow and inefficient, and they are under immense pressure to increase production. A good safety program focuses on fixing the system, not just correcting the behavior.
Stop accepting “that’s how we’ve always done it.” It’s killing your resilience.
The Seven Most Expensive Words
The seven most expensive words in any business are “because we’ve always done it that way.” That phrase is the anthem of complacency. It is the enemy of innovation and the killer of resilience. It’s the reason you are still using outdated software, following inefficient processes, and ignoring emerging risks. The world is changing faster than ever. The way you’ve always done it is no longer good enough. The moment you hear that phrase, you should see it as a massive red flag that you are falling behind.
Replace your annual safety training with daily micro-learning. Thank me later.
The “Death by PowerPoint” and the Daily Dose
Our old annual safety training was a full-day “death by PowerPoint” session that everyone hated and promptly forgot. We replaced it with something far more effective: daily micro-learning. Every single day, at the start of the shift, the supervisor spends just three minutes talking about one single, specific safety topic. It’s a small, consistent, and digestible dose of information. This constant reinforcement has been infinitely more effective at changing behavior than our old, once-a-year information dump. You will thank me later.
The supply chain secret that could save you from a catastrophic business interruption.
The Single Source and the Second Supplier
The secret to supply chain resilience is stunningly simple: never, ever have a single point of failure. I once ran a business that relied on one single, critical component from one single supplier. When a fire destroyed their factory, my business was shut down for six months. I learned a hard lesson. Now, for every single critical component, I have a fully qualified, and regularly tested, second source. It costs a little more in the short term, but it’s the only thing that guarantees my survival in the long term.
Why your traditional risk management approach fails in a globalized world.
The Local View and the Global Risk
A traditional risk management approach is focused on the things you can see: your factory, your employees, your local market. This approach is completely failing in a globalized world. Today, your biggest risk might be a flood in Thailand that shuts down your key supplier, a political crisis in South America that affects your raw material costs, or a new data privacy law in Europe that impacts your website. You need to stop looking at risk through a local lens and start managing it with a global perspective.
I ignored my consultant’s advice on business impact analysis for years. It cost me my business after a fire.
The Analysis and the Aftermath
A risk consultant once told me I needed to do a “Business Impact Analysis” (BIA). It sounded like a boring, academic exercise, so I ignored his advice. Then, a fire destroyed my office. I had property insurance, but I had never calculated what the real impact of being shut down for six months would be. I hadn’t identified my critical processes or my recovery timeline. The financial and operational impact of the downtime was far greater than the physical damage, and the business never recovered. That BIA I ignored would have been my roadmap to survival.
Let’s be honest: Your “risk management plan” is just a binder on a shelf.
The Plan and the Patina of Dust
Let’s be honest with ourselves. You have a “risk management plan.” It’s sitting in a nice binder on a shelf in your office. It was probably written five years ago, and nobody has looked at it since. It has a patina of dust on it. A plan that is not a living, breathing part of your daily operations is not a plan at all. It is a corporate artifact. It is a checkbox you ticked to satisfy an auditor. It will not help you in a real crisis.
87% of companies get contractual risk transfer wrong. Don’t be one of them.
The Contract and the Comeback
Most companies think that having a contract with a vendor means they have transferred their risk. They are getting it wrong. They will have a weak, one-sided indemnification clause. They will fail to get an “additional insured” endorsement. They will accept a low limit of liability from the vendor. A contract is not a magic wand. It is a legal tool that must be wielded with expertise. Getting contractual risk transfer right requires a deep understanding of the law and insurance. Don’t be one of the 87% who think a piece of paper is a shield.
This weird habit of celebrating near-miss reports outperforms punishing mistakes every time.
The Near-Miss and the “Good Catch”
In our factory, we have a weird habit. When an employee reports a “near-miss”—a potential accident that was caught just in time—we celebrate it. We post it on a “Good Catch” board and the employee gets a gift card. Our old culture was to punish mistakes, which just made people hide them. By celebrating the proactive identification of hazards, we have created a culture where people are actively looking for problems to solve. Our near-miss reporting has gone up 500%, and our actual accident rate has plummeted.
The real reason your safety program isn’t working (hint: it’s not the employees).
The Program and the Production Pressure
Your safety program has great rules and training, but your employees are still taking shortcuts and getting hurt. The reason isn’t them; it’s you. The real reason your safety program isn’t working is that your production goals are in direct conflict with your safety rules. You are telling your employees to “be safe,” but you are rewarding their supervisors for “getting it done fast.” Safety is what you say; production is what you measure. Until you align your operational pressures with your safety procedures, your program will always fail.
Ditch your complex ERM software. Use a simple risk register and action plan instead.
The Software and the Simplicity
We spent a fortune on a complex Enterprise Risk Management (ERM) software platform. It had a thousand features and required a week of training. Nobody used it. It was too complicated. We ditched it. We replaced it with a simple, shared spreadsheet. It has three columns: “The Risk,” “The Owner,” and “The Action Plan.” That’s it. Because it was simple and accessible, everyone on the management team actually used it. A simple tool that gets used is infinitely better than a complex one that doesn’t.
Stop pretending you can eliminate all risks. Start managing them intelligently.
The Myth of Zero and the Mission of Management
Some leaders live under the delusion that they can, and should, eliminate all risks from their business. They are chasing a myth. Risk is an inherent part of doing business. It is a source of both danger and opportunity. The mission of a leader is not to eliminate risk. The mission is to build a resilient organization that can manage risk intelligently. It’s about taking the right risks, mitigating the wrong ones, and having a plan to respond and recover when one of them comes to fruition.
The 4-word phrase that changed how I think about preventing losses.
Accidents are not random.
I used to think of accidents as unpredictable, random events—bad luck. Then a mentor told me a 4-word phrase that changed my entire approach to safety: “Accidents are not random.” He was right. Every single accident is the result of a chain of events, a series of small failures in a system. They are not random; they are predictable. This mindset shift transformed me from a reactive manager into a proactive one. My job wasn’t to clean up after random events; it was to find and fix the broken systems that made those events inevitable.
What the legal profession doesn’t want you to know about hold harmless agreements.
The “Hold Harmless” and the Hollow Promise
Your contract has a “hold harmless” or “indemnification” clause where the other party promises to protect you from their mistakes. What the legal profession doesn’t want you to know is that this promise can be a hollow one. If the other party has no money and no insurance, their promise to “hold you harmless” is completely worthless. They can’t give you what they don’t have. A hold harmless agreement is only as strong as the insurance policy that stands behind it. The contract is just the starting point.
I was today years old when I learned about finite risk insurance.
The Policy That’s Also a Bank Account
I was today years old when I learned about “finite risk” insurance. It’s a weird hybrid of insurance and finance. A company pays a large premium into a fund for a multi-year period. If they have no claims, at the end of the period, they get a significant portion of that premium back, plus investment income. It’s a way for a company with a great safety record to essentially pre-fund their own potential losses and get rewarded for their good performance. It’s like an insurance policy that turns into a savings account.
Normalize saying no to contracts with unacceptable indemnification clauses.
The “No” and the Negotiation
For years, our sales team would sign any contract just to close the deal. They would agree to broad, one-sided indemnification clauses that put our company at huge risk. We decided to normalize the word “no.” Our legal team now has a set of “red line” clauses that we will not accept under any circumstances. We have trained our sales team to politely but firmly explain that these clauses are unacceptable. It has made some negotiations harder, but it has dramatically improved our company’s risk profile.
Plot twist: Your biggest operational risk isn’t your process. It’s your key personnel.
The Person and the Point of Failure
We spent a fortune mapping and optimizing our business processes. We thought our biggest risk was a flaw in the system. The plot twist came when our single most important employee, the one person who held all the critical knowledge in their head, quit with no notice. The perfect process was useless without the one person who knew how to run it. We learned that “key person risk” is not just about the CEO. It can be a shift supervisor, a lead engineer, or an office manager. The biggest risk is often a single point of human failure.
The risk treatment technique everyone ignores that gives me an edge.
The Risk I Share
Everyone knows the standard risk treatments: avoid, accept, or transfer (insure). But there’s a fourth one that everyone ignores: sharing. I run a small manufacturing business. We couldn’t afford a key piece of equipment on our own. So we formed a joint venture with another small company to buy and share the equipment. We created a separate legal entity and a joint insurance program. By sharing the asset, we also shared the risk and the cost. It’s a creative and powerful risk management technique that gives me a huge competitive edge.
Stop optimizing for efficiency. Optimize for resilience.
The Just-in-Time and the Just-in-Case
My company was a temple of efficiency. We had a “just-in-time” supply chain with no excess inventory. We were lean and profitable. Then a small disruption—a port closure a thousand miles away—shut down our entire operation for a month. We were efficient, but we were not resilient. We changed our philosophy. We now intentionally build in some redundancy. We have a “just-in-case” inventory and a backup supplier. It’s slightly less efficient on paper, but it means our business can withstand a shock that would destroy our more “efficient” competitors.
The brutal truth about why your investment in safety gear isn’t reducing injuries.
The Gear and the Underlying Attitude
You’ve spent a fortune on the best safety gear—new hard hats, expensive gloves, state-of-the-art respirators. But your injury rate isn’t going down. Here’s the brutal truth. The gear is not the problem. The problem is the underlying safety culture. If your supervisors are still pushing speed over safety, and if employees see the new gear as just another rule to be ignored when the boss isn’t looking, then you haven’t fixed anything. You’ve just put a new, shiny bandage on a deep, cultural wound.
Throw away your old emergency response plan. It’s making you worse at crisis management.
The Plan and the Paralyzing Panic
You have a dusty, 100-page emergency response plan that you test once a year. It’s making you worse at crisis management. In a real emergency, nobody is going to find that binder. The plan is too complex and too rigid to be useful in a chaotic, rapidly evolving situation. Throw it away. Replace it with a simple, one-page “Crisis Response Framework.” It should just have three things: the core crisis team, their contact info, and a simple set of guiding principles. Empower your people to be flexible and adaptive; don’t handcuff them with a plan.
The 60-second test that reveals if your managers truly support your safety culture.
The Question That Shows Their True Colors
To find out if a manager truly supports your safety culture, try this 60-second test. Ask them this simple question: “What happens to your production schedule if you have to shut down a machine for an hour to fix a safety issue?” An unsupportive manager will complain about the lost production. A supportive manager will say, “The production schedule doesn’t matter. We shut down the machine and we fix the problem. Safety is the first priority.” Their immediate, unscripted answer will tell you everything you need to know.
Why everyone is wrong about the cost of implementing a risk management program.
The Cost of Action vs. The Cost of Inaction
Companies often avoid implementing a formal risk management program because they are worried about the cost—the training, the systems, the personnel. Everyone is wrong about this. They are only calculating the cost of action. They are completely ignoring the far greater cost of inaction. A single, uninsured, unmitigated catastrophic event—a major lawsuit, a product recall, a data breach—can cost a hundred times more than the entire risk management program would have. The program is not a cost; it’s the best investment you can make.
Stop asking “Are we insured for that?” Ask “How can we prevent that from happening?” instead.
The Reactive vs. The Proactive Question
When a new risk is identified in a meeting, the first question from the leadership team is almost always, “Are we insured for that?” This is the wrong question. It is a passive, reactive question that accepts the risk as inevitable. The right question to ask first is, “How can we prevent that from happening in the first place?” This is an active, proactive question. It forces the team to think about controls, procedures, and engineering solutions. Insurance should be the last resort, not the first thought.
The habit of conducting pre-mortem analyses that I wish I’d started a decade ago.
The Future Failure and the Present Fix
I wish I had started this habit on day one of my business. Before we launch any major new project, we conduct a “pre-mortem” analysis. We gather the team and we ask them to imagine that it is one year in the future, and the project has been a complete and total failure. Then we ask them to write down all the reasons why it failed. This simple, powerful exercise helps us to identify the potential risks and weaknesses in our plan before we even start. It allows us to fix the future failure in the present.
Here’s why generic risk management advice is terrible for creative industries.
The Creative and the Unquantifiable Risk
Generic risk management advice is all about data, matrices, and quantifiable financial risks. This is terrible for creative industries like advertising or design. Your biggest risk isn’t a factory fire; it’s a client hating your creative work, a campaign offending the public, or your star designer quitting. These are subjective, reputational, and human risks that can’t be put into a spreadsheet. A creative business needs a different kind of risk management, one that is focused on client relationships, brand reputation, and talent retention.
I’ll say what everyone’s thinking: Most risk managers are just insurance buyers.
The Manager and the Missing Strategy
Let’s just say what everyone in the corporate world is thinking. The person with the title “Risk Manager” in most companies is not actually a strategic risk manager. They are an insurance buyer. They spend 95% of their time on the annual insurance renewal process—gathering data, negotiating with brokers, and processing payments. They are not deeply involved in the company’s strategic decisions. They are not driving enterprise-wide risk mitigation efforts. They are managing the insurance transaction, not the company’s overall risk profile.
The skill of influence that matters more than your technical knowledge of risk.
The Expert and the Empty Room
I’ve known risk managers who were technical geniuses. They could build complex financial models and recite insurance policy language from memory. But they were completely ineffective. Why? Because they had no influence skills. They couldn’t communicate the importance of their work to the leadership team. They couldn’t persuade a plant manager to invest in a safety upgrade. I learned that the soft skill of influence—of being a trusted, persuasive advisor—is far more valuable in creating real change than any amount of technical knowledge.
This counterintuitive action of investing more in near-miss investigations fixed our severe injury rate.
The Near-Miss and the Deeper Lesson
We used to only seriously investigate accidents that caused a major injury. It was a reactive process. We made a counterintuitive decision. We decided to invest our time and resources into conducting a full root cause analysis on every single “near-miss,” even the ones where nobody got hurt. We learned that the causes of a near-miss are often the exact same causes of a future catastrophe. By fixing the problems that led to the near-misses, our rate of actual, severe injuries dropped by over 50%.
Why your good intention of creating more rules is actually making things worse.
The Rulebook and the Refusal to Think
Our company’s response to any incident was to create a new rule. Over time, we had a massive, 300-page rulebook. Our good intention was actually making things worse. The rulebook was so complex that nobody could possibly remember everything. Worse, it was teaching our employees not to think. Instead of using their professional judgment, they would just blindly try to follow a rule, even when it didn’t make sense. A few, simple, guiding principles are far more effective than a thousand detailed rules.
Quit using generic safety posters. It’s not worth the paper.
The Poster and the Pointless Platitude
Walk into any factory, and you’ll see the same generic safety posters. A picture of someone wearing safety glasses with a cheesy slogan like “Safety First!” Quit using them. They are visual noise. Nobody reads them, and they do absolutely nothing to change behavior. A safety message is only effective if it is specific, personal, and delivered by a respected leader. A 30-second conversation between a supervisor and their employee about a specific risk is worth more than a thousand generic posters.
The metric everyone tracks (incident rate) that means absolutely nothing without tracking severity.
The Rate and the Real Risk
Our company was so proud of our low OSHA incident rate. We tracked it obsessively and celebrated every small improvement. It was a vanity metric. It meant nothing because we weren’t tracking severity. We had a lot of minor cuts and scrapes, but we weren’t looking at our “high-potential” near-misses. We were focused on the frequency of small problems, while completely missing the risk of a single, catastrophic event. A low frequency of paper cuts is irrelevant if you are not managing the risk of a fatality.
Stop calling it a “freak accident.” Call it a “predictable failure.”
The Freak and the Foreseeable
When something goes wrong, the first instinct is to call it a “freak accident”—a random, unpredictable event. Stop using that phrase. It’s an abdication of responsibility. There are no freak accidents. There are only “predictable failures.” An accident is always the result of a failure in a system, a process, or a piece of equipment. By calling it a predictable failure, you force yourself and your team to analyze the underlying system and to find the weakness that made the failure not just possible, but predictable.
The decision I made to hire a full-time risk manager that everyone said was overhead (but paid for itself 10x over).
The Overhead That Became an Asset
As a growing company, the decision to hire our first full-time risk manager was controversial. My board saw it as pure “overhead.” It was the best decision we ever made. Our new risk manager didn’t just buy insurance. He revamped our safety programs, strengthened our contracts, and built a business continuity plan. His work reduced our claims so much that our insurance savings alone paid for his salary. More importantly, he built a resilient culture that became a true competitive advantage. He wasn’t overhead; he was a profit center.
What I learned from a major regulatory fine that changed our entire compliance strategy.
The Fine and the Foundational Flaw
Our company was hit with a major fine from a government regulator. It was a painful and public experience. What I learned from that event changed my entire approach to compliance. We had always treated compliance as a checklist, something to be managed by the legal department. The fine taught me that compliance is not a legal issue; it’s an operational issue. The failure wasn’t in our legal interpretation; it was in our day-to-day operational processes. We now embed compliance into our operations, instead of just reviewing it in the legal department.
The common mistake of ignoring fleet safety that’s costing you a fortune.
The Fleet and the Financial Drain
Many businesses have a fleet of vehicles, but they treat fleet safety as an afterthought. This is a massive mistake. Vehicle accidents are one of the single largest sources of liability claims and workers’ compensation costs for most companies. They are a huge financial drain. Ignoring your fleet safety program—by not doing driver training, not monitoring driving behavior with telematics, and not enforcing a strict cell phone policy—is one of the laziest and most expensive mistakes a business can make.
PSA: A certificate of insurance is not risk management. Here’s proof.
The Certificate and the Comforting Lie
Here’s a public service announcement. Collecting certificates of insurance (COIs) from all your vendors is not a risk management strategy. It is a clerical task that provides a false sense of security. I’ve seen COIs that were fraudulent. I’ve seen COIs for policies that were cancelled for non-payment a week later. A COI is just a piece of paper. A real vendor risk management program involves vetting your vendors, reviewing their actual policies, and understanding their safety record. The certificate is just the beginning of the process, not the end.
The skill of crisis communication that executives should teach but don’t.
The Crisis and the Communication Vacuum
A major operational failure at our company quickly turned into a PR nightmare. Our executives, afraid of saying the wrong thing, said nothing at all. They created a communication vacuum that was immediately filled with rumors, speculation, and angry customers. We learned that the skill of clear, empathetic, and timely crisis communication is one of the most important, and most undeveloped, skills in the executive suite. The ability to manage the narrative in the first few hours of a crisis is critical, yet it’s a skill that most leaders are never taught.
This 5-minute action of a daily toolbox talk beats a monthly safety meeting every time.
The Toolbox and the Transformed Team
We used to have a one-hour safety meeting once a month. It was boring, and nobody paid attention. We replaced it with a simple, 5-minute action. Every single day, before the work starts, the crew gathers for a “toolbox talk.” The supervisor talks about the specific risks of that day’s job and asks for input from the team. This simple, daily habit has been transformative. It makes safety a constant, collaborative conversation instead of a monthly lecture. It has done more to improve our safety culture than any formal meeting ever did.
Why that big consulting firm is actually doing it wrong for small business risk management.
The Sledgehammer and the Small Nut
A small business hired a massive, global consulting firm to help them with risk management. It was a disaster. The big firm tried to apply the same complex, bureaucratic “enterprise risk management” framework they use for a Fortune 500 company. It was like using a sledgehammer to crack a nut. It was too expensive, too complicated, and completely inappropriate for the small business’s reality. A small business doesn’t need a 100-page ERM framework; it needs a simple, practical set of tools that it can actually use.
Stop waiting for an incident to happen. Start with a proactive risk assessment.
The Accident and the Action Plan
Most companies take a reactive approach to risk. They wait for an accident to happen, and then they react to it. This is like waiting for your house to catch fire before you think about buying a smoke detector. The professional approach is to be proactive. Stop waiting. Today, conduct a simple, formal risk assessment. Get your team in a room, identify your top five risks, and create a simple action plan to address them. It’s always cheaper, smarter, and safer to prevent the incident than it is to manage the aftermath.
The Bowtie risk analysis method I use that most safety professionals have never heard of.
The Bowtie and the Bird’s-Eye View
Most risk analysis tools are just lists or matrices. I use a powerful, visual method that most people have never heard of: the Bowtie analysis. It’s a simple diagram that looks like a bowtie. In the center is the “risk event.” On the left side, you map out all the “threats” that could cause the event and the “barriers” you have in place to prevent them. On the right side, you map out all the “consequences” of the event and the “recovery measures” you have in place. It gives you a single, powerful, visual snapshot of your entire risk management strategy.
Your claims problem exists because you believe that buying insurance is a risk management strategy.
The Premium and the Lack of a Plan
You have a high number of claims and your insurance premiums are skyrocketing. Your problem exists because of a fundamental belief. You believe that buying an insurance policy is a risk management strategy. It is not. Insurance is a risk financing strategy. It’s a way to pay for a loss after it happens. A real risk management strategy is a proactive plan to prevent the loss from happening in the first place—through safety programs, quality control, and better contracts. If you are just buying insurance, you don’t have a strategy at all.
Delete that “safety compliance” app. Your safety culture will improve instantly.
The App and the Abdication of Ownership
Our company bought a slick “safety compliance” app. It allowed our employees to check boxes and complete forms on their phones. Our compliance scores looked great, but our safety record didn’t improve. Why? Because the app was an abdication of ownership. It turned safety into a mindless, administrative task. It allowed supervisors to stop having real conversations with their people. We deleted the app and went back to face-to-face communication. Our safety culture improved instantly when people started talking to each other again.
The advice on risk appetite I give that makes boards uncomfortable (but works).
The Appetite and the Actual Numbers
When I talk to a board of directors about their “risk appetite,” they give me vague, feel-good answers like “we’re conservative.” I give them advice that makes them uncomfortable. I force them to put a number on it. I ask, “What is the maximum amount of money this company is willing to lose from a single, uninsured operational failure before it causes a material impact on our earnings? Is it $100,000? Is it $1 million?” This conversation, which ties a philosophical concept to a hard financial number, is always uncomfortable, but it is absolutely essential for good governance.
Why the common fear of operational disruption is irrational and the real fear of reputational damage is ignored.
The Disruption and the Destruction of Trust
Companies are terrified of an operational disruption—a factory shutting down for a week. They spend a fortune on business continuity plans to mitigate it. This fear is often misplaced. An operational disruption is a temporary, fixable problem. The real, rational fear they should have is the fear of reputational damage. A single event that destroys the public’s trust in your brand can cause permanent, unrecoverable financial harm. The fear of a broken machine is irrational compared to the fear of a broken promise to your customers.
I tried to use an off-the-shelf BCP template so you don’t have to. Here’s what happened in a real test.
The Template and the Total Failure
To save money, I downloaded a generic Business Continuity Plan (BCP) template from the internet. I filled in the blanks and felt prepared. Then we ran a real-world test. It was a total failure. The template was full of generic, non-specific instructions that were completely useless for our unique business. The contact list was wrong, the recovery priorities were incorrect, and the plan created more confusion than clarity. I learned that a BCP must be a custom-built document, tailored to the specific blood and guts of your own operation.
The question about “risk velocity” that instantly reveals if someone knows modern risk management.
The Velocity and the Volatility
When I’m interviewing a risk management professional, I ask them this simple question: “Can you please explain the concept of ‘risk velocity’ and why it’s important?” An old-school risk manager will talk about likelihood and impact. A modern risk professional will immediately understand. Risk velocity is the speed at which a risk can manifest and impact the business. A slow-moving risk, like a market shift, is very different from a high-velocity risk, like a viral social media scandal. Understanding velocity is the key to managing risk in a fast-paced world.
This old-school method of management-by-walking-around beats every safety dashboard.
The Walk and the Real World
I have a sophisticated safety dashboard on my computer with charts and graphs showing all our key metrics. It’s a great tool. But my most effective risk management method is an old-school one: Management-By-Walking-Around (MBWA). I spend an hour every day just walking the factory floor, talking to the front-line employees. I ask them, “What’s the dumbest rule we have? What’s the most dangerous thing you do all day?” The insights I get from those real, human conversations are infinitely more valuable than any data point on my dashboard.
Stop romanticizing ERM. It’s actually just a framework for making better decisions.
The Framework and the Function
The consulting world has romanticized Enterprise Risk Management (ERM). They’ve turned it into a complex, bureaucratic, and almost mystical discipline. Stop romanticizing it. ERM is actually just a simple framework for making better, more informed decisions. It’s a way of forcing yourself to ask two simple questions before any major decision: “What could go wrong?” and “Are we prepared for that?” It’s not a dark art; it’s just a structured, common-sense approach to leadership.
The principle of ALARP (As Low As Reasonably Practicable) that guides every safety decision I make.
The Practicable and the Proportional
The legal and ethical principle that guides every safety decision I make is ALARP: As Low As Reasonably Practicable. This means that my duty is not to eliminate all risk, because that is impossible. My duty is to reduce the risk to a level that is as low as is practicably possible, without incurring costs that are grossly disproportionate to the benefit gained. It’s a powerful principle that helps me to make sensible, proportional, and defensible decisions about where to invest our limited safety resources.
Why your number of safety audits is vanity and your number of closed-out findings is sanity.
The Audit and the Action
My old company was obsessed with the number of safety audits we completed each year. We would boast about it in our annual report. It was a vanity metric. A nearby company tracked a different number: the average number of days it took to close out a corrective action from an audit finding. That number represents sanity. It doesn’t matter how many problems you find if you don’t fix them. The number of audits you do is irrelevant. The speed and quality of your corrective actions is the only metric that truly measures the health of your safety program.
Forget risk management. Aim for resilience engineering instead.
The Management of Failure vs. The Engineering of Success
The term “risk management” has a negative connotation. It’s about preventing bad things from happening. I’ve started to use a different term: “resilience engineering.” This is a profound shift in mindset. It’s not just about managing failure; it’s about proactively engineering your systems, processes, and culture to be more robust, adaptive, and able to withstand shocks. It’s about designing a business that doesn’t just survive a disruption, but can actually thrive in a world of uncertainty.
The realization that made me quit focusing on employee behavior and start focusing on system design.
The Person vs. The Process
For years, our safety program was focused on employee behavior. We had rules, we had discipline, and we tried to “fix” the “careless” workers. It didn’t work. I had a realization that changed everything. The problem wasn’t the people; it was the process. The work environment itself was making it difficult to be safe. I quit focusing on the person and started focusing on the system. By designing safer workstations and more intuitive processes, we made it easy to do the right thing and hard to do the wrong thing.
What amateurs do in risk management that professionals never do.
The Blame and the Broader View
When an accident happens, an amateur risk manager looks for someone to blame. They find the “guilty” person, they discipline them, and they move on. A professional risk manager would never do this. A professional knows that blaming an individual is a waste of time. They look for the broader, systemic causes of the failure. They ask, “What in our system—our training, our procedures, our equipment—allowed this event to happen?” Amateurs blame people; professionals fix systems.
The investment in a business impact analysis that everyone avoids that has the highest ROI.
The BIA and the Blueprint for Survival
Most businesses avoid doing a formal “Business Impact Analysis” (BIA). It seems like a time-consuming, expensive consulting exercise. It is the single highest ROI investment you can make in your company’s resilience. A BIA forces you to identify your most critical business processes, their dependencies, and the financial impact of their disruption. It is the foundational document upon which your entire business continuity and disaster recovery strategy is built. It is not a consulting project; it is your blueprint for survival.
Stop saying “be careful.” Say “follow the safe work procedure.”
The Vague and the Verifiable
When an employee is starting a risky task, a manager will often say, “Be careful.” This is a completely useless piece of advice. It is vague, subjective, and provides no actual instruction. I have banned that phrase from my facility. Instead, we say, “Follow the written safe work procedure for this task.” This is clear, direct, and verifiable. It refers to a specific, documented set of instructions that ensures the task is performed safely and consistently every single time. Stop being vague. Be specific.
The truth about risk management I couldn’t say as an insurance underwriter.
The Story and the Submission
I used to be an insurance underwriter. Here’s the truth about risk management I couldn’t say out loud. The quality of your formal, written risk management programs absolutely impacts your premium, but only if your broker knows how to tell that story. A great broker will package your safety manuals, your fleet program, and your BCP into their underwriting submission. A lazy broker won’t. I often had two similar companies, but I would give a better price to the one whose broker made the effort to professionally “market” their superior risk management.
This tiny detail in a contract’s indemnification clause separates amateurs from professionals.
The “To the Extent” Clause
An amateur’s contract will have a broad indemnification clause that says the contractor will “indemnify and hold harmless” the owner for “any and all claims.” A professional’s contract has one tiny, but critical, detail. It will say the contractor will indemnify the owner “to the extent the claim is caused by the contractor’s own negligence.” This “proportional indemnification” is fair and reasonable. The broad form is often unenforceable and a sign of an amateur who just copied something from the internet. That tiny phrase separates the pros from the joes.
Why a low retention is a trap for companies that want to control their own destiny.
The Retention and the Lack of Control
A company might choose a low deductible or “retention” on their insurance, thinking it protects their cash flow. It’s a trap. With a low retention, every single small claim is turned over to the insurance company. This means you have absolutely no control over your own claims. The insurer will make decisions about settlements and legal strategy that you may disagree with. By taking a higher, but manageable, retention, you keep control over your smaller claims and your own destiny, only using the insurer for the truly catastrophic events.
Replace your complicated risk matrix with a simple heat map. You’re welcome.
The Matrix and the Muddle
I’ve seen risk management presentations that use a massive, 10×10 risk matrix with dozens of different color codes. It’s technically accurate and completely incomprehensible to a board of directors. I replaced our complicated matrix with a simple 3×3 “heat map.” Risks are simply “High,” “Medium,” or “Low” for both likelihood and impact. It’s visual, intuitive, and easy to understand. It allows us to have a strategic conversation, instead of getting bogged down in a muddle of academic details. You’re welcome.
The skill of scenario analysis that’s 10x more valuable than historical loss data.
The History and the Imagined Future
Risk managers are often obsessed with analyzing their historical loss data. This is useful, but it’s like driving by looking in the rear-view mirror. The skill that is ten times more valuable is “scenario analysis.” This is the skill of imagining the future. What are the emerging risks that have never happened to us before? What would be the impact of a catastrophic cyber attack or a major supply chain collapse? The ability to analyze these future scenarios is far more important for building a resilient business than just analyzing the accidents of the past.
Stop treating risk management like a cost center. Treat it like a driver of enterprise value instead.
The Cost vs. The Competitive Advantage
Most companies see risk management as a cost center—a necessary evil that just drains money from the budget. This is the wrong mindset. A world-class risk management program is a powerful driver of enterprise value. A great safety record lowers your insurance and operating costs. A resilient supply chain allows you to operate when your competitors can’t. A strong reputation for ethics and safety helps you attract the best talent. Stop treating risk management as a cost. It is a competitive advantage that makes your business more profitable, more stable, and more valuable.
The experiment I ran with a non-anonymous near-miss reporting system that proved our culture was strong.
The Name and the Near-Miss
Our old near-miss reporting system was anonymous. We got a lot of low-quality reports. I ran an experiment. I launched a new, non-anonymous system, but I guaranteed there would be zero punishment for any report. Instead, every person who submitted a “Good Catch” near-miss got a personal thank you from me and a gift card. The number of reports went down, but the quality went through the roof. The experiment proved that our safety culture was strong enough to handle transparency. Our people trusted us not to punish them for speaking up.
Why your old safety program worked before but doesn’t for a millennial workforce.
The Rules and the “Why”
Your old safety program was built on a foundation of rules and compliance. “Do it because I said so.” This approach does not work for a modern, millennial workforce. They are not motivated by just following rules; they are motivated by understanding the “why.” A modern safety program must be built on a foundation of engagement, communication, and respect. It needs to explain the “why” behind every procedure. It needs to give employees a voice in their own safety. The old, top-down, command-and-control model is dead.
The choice to build a redundant supply chain that everyone judges that actually makes sense for resilience.
The Second Source and the Security
My CFO judged my decision to qualify a second, more expensive supplier for a critical component. He said it was inefficient and hurt our profit margins. I did it anyway. That choice saved our company. When our primary supplier was shut down by a natural disaster, we were able to switch to our redundant supplier overnight. Our competitor, who was single-sourced, was out of business for six months. My “inefficient” choice was actually a brilliant investment in resilience that gave us a massive competitive advantage when crisis hit.
I stopped blaming individuals and our process improvement skyrocketed.
The Blame and the Barrier to Improvement
For years, when an error occurred, my first instinct as a manager was to find the person responsible and blame them. This created a culture of fear, where people would hide their mistakes. It was a massive barrier to improvement. I made a conscious decision to stop blaming individuals. Now, when an error happens, we have a “blameless post-mortem.” We focus exclusively on the process. What in our system allowed this error to happen? The moment we stopped blaming people, our team started bringing us solutions, and our processes improved dramatically.
The concept of “resilience” that nobody understands but changes everything.
The Bounce and the Bounce Back
Most people think risk management is about preventing bad things from happening. That’s only half the story. The concept of “resilience” changes everything. Resilience isn’t about not getting hit; it’s about how quickly you can get back up after you get hit. It’s about your ability to adapt, respond, and recover from a disruption. A resilient company might not have fewer problems, but it has the systems, the people, and the culture to withstand a major shock and get back to business faster than its competitors.
This unpopular opinion on safety incentives will trigger HR but it’s true.
The Pizza Party and the Perverse Incentive
Here’s an unpopular opinion that will trigger your HR department. Your safety incentive program, which rewards teams with a pizza party for having zero accidents, is actually making your company less safe. Why? Because it creates a powerful incentive for employees not to report their injuries. They don’t want to be the person who costs their team the pizza party. This drives injuries and near-misses underground, where they can’t be fixed. You are rewarding the outcome (zero reports), not the proactive behaviors that actually create safety.
Stop copying your competitor’s safety manual. Do your own hazard assessment instead.
The Copycat and the Uncovered Hazard
To save time, we downloaded our competitor’s safety manual from the internet and put our own company’s name on it. It was a lazy and dangerous shortcut. Our competitor’s factory had different equipment, a different workflow, and different risks. Their manual didn’t address the unique hazards in our own facility. A real safety program isn’t about having a thick manual; it’s about the process of doing your own, site-specific “Job Hazard Analysis” (JHA) for the actual work your own employees are doing every day.
The mistake of ignoring psychological safety I see everywhere that’s so easy to fix.
The Fear and the Failure to Speak Up
I see this mistake everywhere. Companies will have a great technical safety program, but they will completely ignore “psychological safety.” This is the feeling that employees have that they can speak up—to report a problem, to question a decision, or to admit a mistake—without fear of punishment or humiliation. If your employees don’t feel psychologically safe, they will not report the near-misses that are the precursors to your next big accident. Creating a culture of psychological safety is the easiest, and most important, thing you can do to improve your risk management.
Why this new “predictive analytics” for safety isn’t innovative. It’s just lagging indicators repackaged.
The Prediction and the Past
A new “predictive analytics” software for safety is getting a lot of hype. It claims to be able to predict your next accident. It can’t. It’s just a sophisticated analysis of your “lagging indicators”—your past accident data. While this can be useful for spotting trends, it is not truly predictive. It can only tell you where you’ve had problems in the past. It cannot predict a new, emerging risk that you have never experienced before. It’s just old data in a new, fancy package.
The rule I break consistently (I don’t punish all safety violations) and why you should too.
The Violation and the Valuable Lesson
I have a rule that I break consistently: I don’t punish every single safety violation. If an employee makes an honest mistake and immediately reports it, and the mistake reveals a weakness in our process, I will often thank them for the valuable lesson they have taught us. This creates a culture where people are not afraid to admit their errors. Of course, a willful or repeated violation has consequences. But punishing an honest mistake just drives the problem underground. A learning opportunity is more valuable than a disciplinary action.
Stop believing you can train your way to safety. Believe in engineering controls instead.
The Training and the Triumph of a Better Design
Companies love to solve safety problems with more training. An employee gets hurt, so they retrain the entire department. This rarely works. A much more effective approach is to use the “hierarchy of controls.” The most effective control is not training; it’s “engineering controls.” This means redesigning the machine or the process itself to be inherently safer. Instead of training someone on how to lift a heavy box, install a mechanical lift. Stop trying to train the person to fit the process. Redesign the process to fit the person.