Why effective risk management begins with understanding the organization as a living system

Every organization wants to be "in control." But what does "control" actually mean in an environment that is constantly changing?

In the second episode of our Securecast, Henk Meijer and Naeem Arif discussed a question that precedes every risk management issue: what is an organization, anyway?

Because before you can manage risk, you have to understand what you are trying to manage.

The organization as a tool with a purpose

The word organization comes from the Greek organon, literally tool or instrument.
Thus, an organization is not an end in itself, but a means to achieve a certain result.

As Henk puts it:
"A company is an interplay of people and resources to achieve a common goal."

That seemingly simple definition gets to the heart of risk management: any risk arises because an organization is trying to accomplish something. Without a goal, no risk.

Multiple lenses on one organization

Naeem talks in the podcast about how he regularly asks students to "draw their organization."
Some sketch a building, others the CEO, others the information system or the logo. And they are all right, because each lens shows a different aspect.

A lawyer sees contracts, a controller sees numbers, an IT person sees systems and data.
Together they form a mosaic of perspectives that never fully coincide.

For risk professionals, this is crucial: risks arise precisely in the transitions between these lenses, where responsibilities, definitions or assumptions no longer align.

No fixed values, but fixed interests

One quote from the conversation lingers:
"Countries, as well as companies, do not have fixed values - they have fixed interests."

An organization is constantly changing: strategies shift, markets move, people come and go. What remains is the underlying interest - the function in the environment.

This makes an organization more like a living organism than a machine. It survives only as long as it remains relevant.

Or as Naeem puts it:
"The statement survival of the fittest is applicable one-to-one to organizations. Only the companies that adapt best to changing circumstances survive."

For risk managers, this means that control cannot be static. Effective risk management is adaptive risk management: the ability to respond to change in a timely manner.

From machine to organism

Organizational expert Gareth Morgan described eight metaphors for organizations, the best known of which is the "organization as a machine."

After the industrial revolution, this was a logical image: processes had to run efficiently, control was measurable and people were replaceable parts.

But that thinking falls short in today's reality.
People are not cogs; they have motivations, drives and values. Hence the terminology has shifted over the years, from employee to collaborator and now colleague.

Still, Henk notes, machine thinking remains deeply rooted in organizations:
"Just look at dashboards, KPIs and process models; they still breathe the logic of the machine."

Those who really want to manage risk effectively must see the organization as an organism: a system that lives by interacting with its environment, learning from feedback and adapting to circumstances.

Complexity as a given

British systems thinker Kenneth Boulding described a hierarchy of systems, from simple (like a bridge) to highly complex (like human societies).

Organizations are near the top of that scale: sociocultural systems in which behavior, culture, power, technology and interests converge.

Therefore, complete predictability is impossible.
There is no linear relationship between cause and effect, no "one best way" to manage risk.

As Naeem says:
"What is the impact of motivated people on the success of an organization? Everyone feels it is positive, but it cannot be measured exactly."

For risk professionals, this is an important realization: models and frameworks (COSO, COBIT, ISO) are useful, but not laws of nature. They provide structure, not certainty.

Being in control is an illusion, but control remains essential

At the end of the talk, Henk aptly says:
"Organizations are one of the most complex systems in existence. So really being in control, that's actually a utopia."

That sounds sharp, but it's not pessimism.
It means that risk management is not about eliminating uncertainty, but about learning to deal with complexity.

True control does not arise from absolute certainty, but from insight, adaptivity and dialogue.

In conclusion

Anyone who truly wants to control organizations must first understand them.
Not as machines with fixed buttons, but as living systems that continuously respond to their environment.

Effective risk management therefore does not start with rules or models, but with system understanding, the realization that behavior, culture, technology and environment are inextricably linked.

In the Securecast episode "The Organization as Prison?" Henk Meijer and Naeem Arif share even more insights about this way of looking at things.
Listen to the episode via Spotify or YouTube, and discover how your organization can remain resilient and realistically "in control."