A co-creative approach to risk management
‘Could you give us some training on risk management?’
This request came out of the blue last year, followed shortly afterwards by another similar one. So I became curious. And somehow I was intrigued to find a way to approach this supposedly dry topic differently from how I had experienced it in many projects in the past.
And after the first workshop, I can say: it was worth it!
And maybe now is exactly the right time to rethink risk management – not as a mandatory programme with dusty lists, but as a co-creative format that really works!
Because, as Walter Scheel once said: ‘Nothing happens without risk, but without risk, nothing happens either.’
Why risk management is experiencing a renaissance right now
Every day, the world seems to become a little more uncertain. VUCA, BANI, polycrises – take your pick. [1] So it’s no wonder that many people want to regain control: with clear plans, strong heroes and, ideally, an Excel spreadsheet that has an answer for every risk and exudes security.
At the same time, agility seems to be losing its appeal. This is understandable, as many initiatives that were launched under the guise of agility have failed in recent years. [2] Perhaps also because supposedly outdated topics such as risk management were taken lightly and dismissed with the motto ‘We don’t need risk management, we do sprints’? Or because swarm intelligence was never seriously trusted in the first place? Whatever the case, we are returning to the good old days of command and control.
For armchair psychologists like me, this is all perfectly understandable. And unfortunately counterproductive and dangerous. Because in uncertain and dynamic times, it is extremely risky to let decisions be made by individuals – the famous ‘single point of failure’.
What do you think: Maybe it’s time to take risk management seriously again, without completely ignoring Ashby’s Law?
‘According to Ashby, a system must have at least as many options for action as there are disturbances that can arise from a system to be controlled. The system must therefore be at least as complex as the situation it has to cope with. In practice, you can achieve this by increasing your own options for action, for example by employing more people and knowledge, improving information processing or using better methods.’ [3]
Classic meets collaborative: the idea behind co-creative risk management
Risk management is not a new topic. But how often do you experience it as a lively, helpful process?
My experience from around 12 years in classic projects where risk management was part of the manual: Risk management was often treated as a compulsory exercise: an initial list was attached to the project application and then cosmetically updated before the steering committee – if at all.
Did I ever see the project team actively addressing uncertainties in this context? Did the documented risks lead to a real change in behaviour during the project? Not really.
And then risk management is nothing more than a fig leaf. Or even a complete waste of time.
But there is another way! Take proven tools from classic risk management and use them together, repeatedly and with focus.
So away from the lone project manager who maintains the risk list in a quiet corner, and towards the active involvement of everyone who is affected or involved. Interactive. Iterative. With room for individual perspectives and experiences. Because together we see more, including more risks.
And – perhaps even more importantly – by actively engaging with the topic, everyone involved becomes more aware of how to recognise and manage risks during the project. Behaviour changes. Risks step out of the shadows of the risk list and into the spotlight, into the collective attention of everyone involved.
And there is another aspect that is often overlooked: Of course, we all know that risks and opportunities are two sides of the same coin. But let’s be honest: if risk management is often neglected, then opportunity management is even more so. However, if research on effectuation is correct, then we are wasting a lot of potential by failing to recognise opportunities that we could use to our advantage.
But now back to the specific issue at hand: what does co-creative risk management look like in practice?
The workshop approach: From sticky notes to backup plans
Co-creative risk management follows the structure of classic risk management and involves all participants (at least the project team, perhaps even known stakeholders) interactively in the process from the outset.
An initial ‘Opportunities & Risks’ workshop takes place at the earliest possible point and begins directly with the first C from the Training from the Back of the Room framework: Connect. Before we analyse risks, we should first establish connections to the topic, to our own experiences and to the other participants.
So everyone brings their questions, experiences and preconceptions about risk management to the table; these are collected, clustered and assigned to the four central elements of risk management:
- Identify risks
- Analyse risks
- Derive measures
- Ongoing risk control
At this point, it is important to listen carefully. The questions and experiences of the participants reveal the risk culture in the organisation (or different risk cultures from different areas of the organisation). Making this transparent and discussing different attitudes (risk-averse, risk-tolerant, risk-seeking) and their effects without making sweeping judgements is an important basis for effective risk management in a team.
Once all questions have been discussed and best practices and experiences shared, there are two brief thought-provoking points to consider:
‘If we want to do everything perfectly, we will end up doing nothing at all.’
The solution to this dilemma is well known from design thinking and other creative techniques: the double diamond! When it comes to risks, we also think broadly at first and collect all conceivable risks. And since there are far too many risks for us to seriously keep an eye on, let alone manage, we focus on a few that are very likely and/or very damaging. We repeat these steps for the measures.
The second thought-provoking impulse raises awareness of the need to always keep an eye on the other side of the coin throughout the entire process: ‘If we only focus on risks, we miss opportunities.’
Identify risks: Stand on your head and keep an eye on the stakeholders
When taking the first step of identifying risks, it is particularly useful to look at the issue from different perspectives in order to broaden the focus as much as possible and identify as many potential risks as possible. The various techniques can be used either by small groups working in parallel or by everyone working together one after the other.
Perspective A: Stakeholder analysis
All possible stakeholders in the project are classified on a classic matrix (influence × impact) and assigned an assessment of their attitude (positive, neutral, negative) towards the project. The different quadrants can be used to derive initial tactics for dealing with the stakeholders located there during the project. [4]
This is because stakeholders often represent the greatest risks or opportunities.
Perspective B: Headstand method
The question ‘What would we have to do to make our project fail spectacularly?’ yields a long list of sabotage ideas – from absurd ideas to disturbingly realistic pitfalls. These are sorted into pairs and placed in a How-Now-Wow matrix. Here, too, sorting the ideas into the quadrants of the matrix provides initial insights into how these risks (and opportunities) should be dealt with. [5]
Playful methods can promote serious insights.
Of course, there are other approaches, such as environmental analysis, PESTLE analysis, SWOT analysis, risk breakdown structure (top-down/bottom-up), root cause analysis or impact mapping, which can be helpful in this step and can certainly be used co-creatively.
In addition, it may well make sense to supplement the co-creatively generated results with classic research (in your own project databases or in public sources), targeted AI prompting or expert interviews.
Analyse, evaluate and prioritise risks – and gain insights
The next step is to narrow the focus again: all risks identified so far are compared in pairs and sorted into a classic risk matrix (probability × damage level): ‘Which risk is more dangerous? Which is more likely?’
It is helpful to use techniques such as silent sorting, magic estimation or team estimation games.
This may sound tedious, but the result is very enlightening and reveals where the most serious dangers for the project lie.
But before we continue, we should critically question the result once again: Is this enough for us? How objective were we?
The answer may be disappointing, but it is important not to kid ourselves: there is no guarantee of completeness, let alone an objective assessment!
The results of such a co-creative approach are better than nothing and very likely better than if one person had done it alone. And presumably, the effort required to further complete and objectively evaluate the results is disproportionate to the resulting added value.
Nevertheless, the results can be questioned and verified with expert surveys or a small AI research project with manageable effort.
Derive measures: Think in concrete scenarios
Critical uncertainties from the Liberating Structures framework [6] can be used as a thinking tool here: We take the two top risks and derive four possible scenarios from them:
Scenario 1: Neither risk occurs (or only with very little impact).
Scenarios 2 and 3: One of the risks does not occur (or only with very little impact), while the other risk does occur (and with significant impact).
Scenario 4: Both risks occur (and with significant impact).
Yes, another matrix with four fields!
Together (or in small parallel groups), these scenarios are first described in concrete terms (How does this scenario specifically affect our project? How does it make us feel?), and then countermeasures are derived from them. Preventive and reactive questions help here:
- What do we do before it hits?
- What do we do when it hits?
- What do we need to notice it in time?
- What do we need to do to not only survive, but thrive?
Terms such as early warning system, Plan B, probability reduction, damage limitation, emergency plans and even ‘insurance’ come up in the discussion. Risk management comes to life when the potential danger is no longer an abstract entry in a risk list, but becomes a conceivable future.
Looking at the four scenarios and the measures derived from them, patterns can certainly be recognised.
Hypothesis: Measures devised by different people for different scenarios could well represent robust tactics, provided they are not standard platitudes.
Otherwise, the joint classification in a How-Now-Wow matrix with a pairwise comparison of all measures helps to prioritise and select measures.
Are these four scenarios derived from the two top risks sufficient? Probably not. And yet we have gained a fairly concrete idea of our project in a risky future and what this means for each individual personally. This can be built upon. The focus can be gradually expanded to include further risks and integrate these into the scenarios or further differentiate the scenarios. Classic research, AI prompting or expert surveys can help here. Or you can use other co-creative approaches such as What–So what–Now what or Mini Specs (both from Liberating Structures) to harness the creativity of those involved.
This completes the initialisation of risk management. Before we move on to how this will be actively dealt with in the course of the project, it may be useful to change perspective once again to avoid blind spots and false certainties.
Effectuation in situations of high uncertainty
What if everything is uncertain?
Sometimes risk management simply doesn’t work. When it is unclear what could happen, how dangerous it is or how likely it is to happen, risk lists are useless, a waste of time or, in the worst case, even distract from reality.
In such situations of high uncertainty, effectuation can help.
Effectuation describes how experienced entrepreneurs make successful decisions and act under uncertainty (e.g. a new product, a market that does not yet exist):
- They use their existing resources and the opportunities that arise from them.
- They always act within the limits of their affordable losses.
- They actively use circumstances and coincidences as opportunities.
- They enter into partnerships on an equal footing.
- They actively shape the future instead of analysing it.
Effectuation is a successful approach, especially for innovative projects, when breaking new ground and doing real pioneering work.
To find out at the start of a project whether effectuation, design thinking, scrum or a classic project approach or a mix makes sense in each case, it helps to use the Cynefin model (or a Stacey Matrix as a simplified model) as a thinking tool at the beginning of the undertaking. [7]
And you will probably often find that there is no clear answer, because most projects are not 100% innovation. In such situations, it is important to differentiate and act accordingly: The innovative components of a project, such as the user experience of a new app, may require less risk management and more opportunity recognition, while securing a backend against hacker attacks requires an extra dose of conscientiousness in risk assessment.
Continuity instead of actionism: risk management as routine
Finally, the most important question: how do you keep the topic alive?
For it to work and be effective, consistency is required. Or, as Dwayne Johnson says: ‘Success isn’t always about greatness. It’s about consistency. Consistent hard work leads to success. Greatness will come.’
And the solution is probably not – or only very rarely – an additional recurring meeting!
Instead, here are a few ideas:
- Visibility creates awareness: Transparent visualisation of identified risks on a risk board in the project room, whether real or virtual.
- Habit stacking: Tap into existing routines and meetings instead of creating new ones: e.g., regular check-ins on risks and opportunities in the daily stand-up or in more detail during the sprint retrospective.
- Define clear responsibilities for dealing with risks and measures.
- As a precaution, include not only preventive but also reactive measures as options in the project plan.
- Explicitly consider risks when sorting product backlog entries.
And yes, sometimes that means not doing something else. Because time is limited, and so is attention.
That’s why the thought-provoking quote from the beginning of this article is relevant here: ‘If we want to do everything perfectly, we’ll end up doing nothing at all.’ Where is our attention well invested? And where is it not?
And now you: What will you change starting tomorrow?
Imagine that you have conducted such a co-creative risk management workshop with your project team. You have identified many risks, then jointly focused on the most important ones, derived measures to address them, and committed to them. The energy in the team is high, even after you have jointly defined how to proceed with the risks.
It would be easy to simply end the workshop and move on to other things. But how likely is it that most of the participants will mentally tick off the topic of risks and quickly forget about it in their day-to-day project work?
What can help here is for everyone to reflect on their individual perspectives at the end of the workshop. What specific changes will I make starting tomorrow?
And if you want to increase commitment even further, make these personal resolutions transparent to the team and discuss them in the next retrospective.
Now it’s your turn: What do you think about co-creative risk management? ‘Old wine in new bottles’? Yes, sure. But is it useful? What will you do differently starting tomorrow? And are there other seemingly dry project management topics that would be worth dusting off?
Notes (partly in German):
[1] What is VUCA, what is BANI?
[2] Download: Blogpaper Agilität? Haben wir probiert! Funktioniert nicht!
[3] Alexander Tornow: The successful group communication
[4] Smartpedia: How does stakeholder analysis work?
[5] Smartpedia: How does the headstand technique work?
[6] Birgit Schiche: Liberating Structures – Freedom for Better Communication
[7] Stacey Matrix: Entscheidungshilfe bei der Projektkomplexität
Heiko Bartlog
Heiko Bartlog has more than 25 years of experience in projects, as a consultant, trainer, coach and entrepreneur, covering many different areas. As a ‘host for co-creation’, he supports organisations on their path to good cooperation and successful development. His repertoire includes approaches such as Scrum, Effectuation, Lean Startup, Management 3.0 and Liberating Structures. As a ‘mentor for mental fitness and vitality,’ he supports leaders in unlocking their potential.