This week I took an international flight. I had four hours to wait at the airport and I decided to make the most of the time: I went to relax and ordered a gin and tonic. After drinking half the glass, I heard a family at the next table reading aloud another news story about victims of poisoning from adulterated drinks. I almost spat out my drink. And I left the drink half full.
I realized that I had simply erased from my memory the sequence of headlines on the subject in recent weeks. Some friends decided, consciously or not, to temporarily change the social menu to beer or wine as a way to avoid the risk. I, on the other hand, at that moment, accepted it. And worse: I accepted without even evaluating the impact or the likelihood of possible poisoning.
Risk management left the office and went to the bar.
The adulterated drinks crisis confronted society with a reality: managing risks has become part of the social life of Brazilians (and not just those from São Paulo). Ordinary people, in banal leisure situations, began to make decisions based on exposure to risk. Even without realizing it, or certainly without recognizing it as such, people began to intuitively adopt classic responses that are part of risk management manuals in the corporate world.
Eliminate, mitigate, share or accept. These are, in essence, the four possible responses when a risk is identified within the company.
Elimination is the most radical choice: completely interrupting the process that generates the risk. This is what those who stopped consuming distilled spirits altogether did. If there is no consumption, there is no risk of poisoning. Mitigating means taking measures to reduce the likelihood or the impact of the risk. Drinking only from a known source, or at home, for example, does not eliminate the risk, but it offers a perception of greater control. Sharing is less common in the drinks scene, but it would be the case of someone taking out life insurance to cushion the impact of intoxication. And there are those who simply accept the risk, hoping they won’t be the next serious case. All of these decisions are legitimate, as long as they are conscious.
The point here is not to judge individual behavior, but to highlight how society, faced with a concrete threat, began to operate with the same logic that GRC applies in the corporate environment. This movement highlights the fundamental role of risk management as a tool to support decision-making. Both in everyday social life and at the heart of organizations.
Mitigating is not weakness. It’s strategy.
Identifying the risk is just the beginning. The true value of GRC, like that of a conscious decision at a bar table amid an outbreak of methanol poisoning from adulterated alcoholic beverages, lies in how that risk is responded to.
A strategic GRC knows that the role of risk management is not to eliminate all of the organization’s risks. Zero risk is not, and should not be, a goal of GRC in isolation, much less its sole mission. In many processes, zero risk would mean closing the business doors for good. Eliminating risk in the corporate environment is not always the best answer, and it is certainly not the only valid answer. This difference is more than semantics. It structures the entire risk management approach.
In technical terms, we call inherent risk the risk that exists before any control or mitigation is applied. It’s raw risk, in the veins. Residual risk is what remains after mitigation measures have been applied. It is the “leftover balance” after the company has done what it can to reduce the probability or the impact. The function of GRC is precisely to bring this residual risk down to a level compatible with the risk appetite defined by those who make the decisions (such as the decision to consume distilled spirits).
Mitigation is not a containment measure. It’s a strategic choice. It means applying audits to critical suppliers, reviewing contracts, demanding evidence of compliance, testing and monitoring controls, expanding process traceability and keeping teams trained, connected and prepared to react to warning signs. A mature company does not measure its success by the absence of risks, but by the ability to anticipate them, treat them and maintain its level of residual risk within what is tolerable for its reality, its brand and its market.
When the response fails, the risk turns into harm.
In the corporate environment, inefficient or ineffective risk management not only generates specific deviations from what is tolerable, but also compromises the company’s strategic and operational assets. Just as an individual’s decision can put them at risk of poisoning, the corporate choice to maintain weak accounting controls or blindly trust third-party contractors not assessed for compliance can generate contaminations that are much more difficult to treat: those that affect the credibility of the brand.
A product outside of technical specifications, intentionally placed on the market, can cost much more than a recall. It can compromise contracts, break strategic partnerships, paralyze operations and undermine investor confidence. And this is not alarmism. It’s mathematics. Risk that is not addressed inevitably escalates and brings severe damage with it.
Operations with low integration and without structured communication channels between corporate areas, such as GRC, quality, legal, finance, cybersecurity and sustainability, lose the chance to act preventively. Just as globalization has interconnected business flows, risks in the corporate environment also operate in a network. The financial side affects the operational side, which contaminates security, compromises the legal side, and so on. What could be treated as a localized non-conformity becomes interpreted, internally and externally, as a systemic failure. In this scenario, the lack of a quick response stops being a failure in efficiency and becomes a sign of unpreparedness. And the lack of preparation, today, goes viral.
It’s not enough to have controls on paper or well-designed flows in presentations. Risk intelligence must function as a living engine of the organization, capable of triggering alerts, circulating information and provoking timely responses. When an alert signal appears, whether in the production process, in the supply chain, in a supplier’s behavior or on social media, it needs to travel through the company’s structure in real time, connecting areas and triggering coordinated action. Because what starts as a discreet anomaly can become a problem, then an incident and, within hours, escalate into a real crisis. And, in this scenario, what determines the impact is not the existence of the risk itself, but the readiness of the response.
Leaving the glass half empty at the airport was easy. All it took was one scare. But, in the corporate environment, decisions like this cannot depend on chance, luck or employees’ memory of the week’s headline. The role of an out-of-the-box GRC is precisely to ensure that known risks are not normalized, and that appropriate responses are structured before damage occurs. In the bar or corporate environment, maturity is measured by the ability to act before intoxication.
