Enterprises Struggle To Move Beyond Compliance Culture As Reactive Risk Practices Persist

The Security Digest - News Team
Published December 9, 2025

Srilakshmi Tariniganti, Manager of Technology Risk at Sutherland, shows how weak ownership and compliance-driven habits keep companies reactive and outlines a path to real risk culture.

Credit: Outlever

Key Points

  • Most companies rely on a compliance checklist approach to risk, which creates a false sense of security and keeps them trapped in a reactive cycle when incidents occur.

  • Srilakshmi Tariniganti, Manager of Technology Risk at Sutherland, explains that this happens because organizations fail to assign real ownership and rarely translate technical risks into business impact.

  • She defines the solution as building a proactive risk culture through daily identification habits, clear accountability, and communication that connects risk to operational consequences.

When a breach happens, everyone gets into a reactive mode. They wonder what happened and why, because they believed they were secure and the compliance checklist always looked good.

Srilakshmi Tariniganti

Manager, Technology Risk
Sutherland

Many organizations approach risk management as a reactive, compliance-driven checklist instead of an active, core business function. A reactive approach creates a false sense of security and often leads to a predictable cycle of frantic responses when incidents occur. The belief that compliance equals safety blinds companies to the operational flaws that build up long before a breach ever surfaces.

Srilakshmi Tariniganti, Manager of Technology Risk at global business and digital transformation partner Sutherland, has spent twenty years implementing frameworks like ISO 27001, PCI DSS, and SOX, and she has watched the same cultural struggle play out across industry after industry. In her view, the problem is pervasive because most companies still fail to treat risk as a core, day-to-day responsibility rather than a procedural task.

"Most organizations still see risk management as a support department. But that shouldn't be the case. More than 80% of organizations are still treating risk as just a checklist," says Tariniganti. It's a culture that leads to a cycle of predictable disruption. "When a breach happens, everyone gets into a reactive mode. They wonder what happened and why, because they believed they were secure and the compliance checklist always looked good." In these situations, the pendulum of attention swings sharply toward security during a crisis, only to drift back toward neglect once the danger passes.

  • Talk it out: Tariniganti's fix starts with something far more deliberate. A proactive risk culture has to be built into the rhythm of daily work, not bolted on after the fact. Risk identification must happen at the most granular level, she says, and program leaders must identify risks at the technical level for their specific development environments, whether it's an AWS S3 bucket or a SQL database, and understand the type of data involved as well as the necessary security measures. "Every day, sit for fifteen minutes and talk through the risks before anything else. Just fifteen minutes, like we do in agile or a sprint. When people say what they’re noticing out loud, ownership starts to form."

The single biggest obstacle preventing this cultural change is a failure to translate technical risk into clear business impact. That gap explains why leadership may not buy in, why proactive measures can be dismissed as a "waste of time," and why the CISO often struggles to be seen as a strategic partner rather than a blocker to the business. "If that is done clearly, then trust me, it is very easy to build a risk culture," notes Tariniganti. "One strong voice from the C-suite will do all the magic, but that translation is missing."

  • Metrics in a vacuum: But this communication gap can persist even in mature teams. "I have seen very mature departments that have their RTOs, for example, and RPOs defined. But is that communicated to the other employees? If not, there is no point in having something defined." Her point underscores a fundamental management principle: it's nearly impossible to hold someone accountable to a standard they don't know exists.

  • Pros and con men: Once manageable in the era of traditional IT, these weaknesses now risk being accelerated by the unprepared adoption of new technologies like AI. The trend is amplifying existing process flaws at an unmanageable speed. As high-profile real-world incidents, such as the Hong Kong deepfake scam, demonstrate, many companies appear to be chasing trends without fully understanding the consequences. "Bringing in AI has become a buzzword. It's a status symbol for companies to be able to say that they are using AI for a project," Tariniganti observes. "But are you ready with the best practices? Are you ready with the pros and cons of what kind of AI you are using?"

Ultimately, a cycle of inaction is perpetuated by what Tariniganti identifies as a fundamental breakdown in the process. Even when risks are identified, little changes because there is often no precise mechanism to track implementation or assign ownership, creating a significant gap in accountability. She points to the common practice of "accepting the risk" as a critical failure point in the process. "There are times when I have done risk assessments and communicated the mitigations, but no one is tracking whether that is implemented or not. The process breaks down when some say they will 'accept the risk.' But what does that mean? Accept the risk and do what? What is the control? Are you saying you are living with it? Is it communicated to the people above? Who is doing that?"

For a true risk culture to be established, risk must be reframed and elevated, leaving behind its perception as an IT problem or compliance burden to become a core business imperative. "Risk management is a continuous process. It has to evolve," Tariniganti concludes. "Only then can a culture be established, because people have to understand this is not a support function; it is a basic need, and that's how businesses are run. It is going to impact the business and your job as well."