The nature of unintended consequences (types, causes, and rating levels) was broadly canvassed in Part 1 of this series. This sequel considers how the side-effects of your activities fit within your risk management system.

To recap – unintended risks are those we incur as side effects of our own goals and actions (or inaction), rather than being accidents or misadventures.. Such risks may compromise our strategies, operations, and/or the welfare of our personnel, stakeholders, the wider community, or the environment. They are a subset of the class of events called unexpected or emergent risk events, many of which arise in our external environment, triggered by the actions of others (e.g., new regulatory measures, market forces, new technology, etc).

The header image above uses the ‘field of vision” metaphor to characterise unintended consequences as internal risks, and position awareness of them adjacent (or peripheral) to the known risks arising from our strategic and operational activities.

Being realistic and resilient

Most of the nonprofit organisations I encounter are relatively small. None have dedicated professional risk managers on staff, so they are all relying on managers with heavy workloads, and equally time-poor volunteers, who generally have modest governance skills.

For small nonprofits, the goal isn’t to have the most sophisticated risk tools — it’s to have enough shared awareness, responsibility, and simple visibility that risks are surfaced, discussed, and acted on before they escalate.

Simplicity + Conversation = Resilience in volunteer-driven organisations.

Tools like risk heat maps, risk radars and spider charts are snapshots of subjective judgments, and so are less precise (i.e., mathematical) than tools used by risk professionals in larger organisations (e.g., Monte Carlo simulations).

To the extent possible, we want our decision-making to be objective and evidence-based. Where our thinking is based on possible projected future scenarios however, we only have evidence of similar past events, and so some level of subjectivity will be involved.

Paired decision criteria

We select from a large range of possible decision criteria according to the situation we are facing. The list of 20 sets of paired decision criteria below includes several you are likely to be familiar with, and perhaps some you have not seen before. Using the questions in the Focus column, you may wish to use this table as a reference when choosing which decision criteria are most applicable to your deliberations.

The comparison of three decision matrices, each of which uses paired criteria, may illustrate how each of these applied to the same issue may yield different insights (albeit subjective) that could inform your decision. Matrices like these are intended to help us answer wquestions like:

• ‘How soon do we expect a risk to be material?’,
• How quickly do we need to respond with preventive or control measures?’., and
• ‘Should such an adverse event occur, do we have the response measures ready for immediate implementation?’

Not all emergent consequences are emergencies, or even negative in nature. The ones we need to control are those that are able to compromise our situation in some way. They need to be assessed for consequentiality, chiefly using likelihood and impact criteria. These are closely aligned with urgency and importance, the criteria featured in the Eisenhower matrix (widely used to help busy people with time management and prioritisation).

The comparative chart above may also allow us to consider where time and risk management come together – where we prioritise what action we will take and how we will address it.

Sometimes, the speed at which a risk is emerging is the critical factor in escalating its urgency. Velocity is therefore used as a proxy for urgency in some risk management systems.

Risk Contagion

The term ‘risk contagion‘ sounds like it might only be applied in relation to a disease outbreak. However, it applies more generally wherever a potential failure occurring in one unit or area of our organisation could have significant effects in other departments. Unintended consequences, and cascading second order impacts of our actions may also be thought of as ‘contagious’.

While rating likelihood/impact, and perhaps velocity/proximity, you may also wish to consider a simple contagion/interdependency rating. This can offer another valuable paired-criteria snapshot to inform your risk decision-making. The following scale has been offered by the Global Association of Risk Professionals (GARP):

Limited – A potential failure may impact the risk owner’s department or a few other departments
Moderate – A potential failure may impact several departments
Significant – A potential failure may impact the whole organisation and external stakeholders

Pairing contagion with interdependency would provide another valuable paired-criteria snapshot to inform your risk decision-making.

Risk Shifts over Time

It may be self-evident that different kinds of risk emerge at each stage of most processes. Risk management plans rarely acknowledge this however, and are often framed in a high-level way to refer to the overall project or initiative rather than the key phases involved.

Identifying unintended and unforeseen consequences once an initiative is underway requires more than routine performance monitoring — it demands systems that are adaptive, participatory, and sensitive to weak signals. These approaches must complement standard risk registers by addressing what lies outside the original plan or emerges dynamically.

This temporal risk shift is illustrated in our next chart, in which different kinds of risk are grouped within each of the planning, execution, outcome and evaluation phases of an initiative.

Nonprofits updating risk heat maps and inventories annually, and then not really considering risk management until the next review, are adopting a risky approach. Apart from monitoring the status of risks identified in the annual review, they also need to be alert to emerging risks in both their external and internal environments.

Some of those risks will arise from the actions taken to execute strategies adopted by the governing board, or operational processes overseen by management. The risks associated with collateral damage, slippage, side-effects and other unintended consequences therefore need to be reassessed progressively.

Where do unintended consequences fit within risk management?

Risk management traditionally emphasises the identification, analysis, and mitigation of threats to planned outcomes. Tools like the risk heat map (likelihood × impact matrix) and bowtie diagram have become mainstays in institutional practice. However, these frameworks often overlook the breadth and asymmetry of consequences, particularly those that are unintended, unforeseen, or morally consequential.

We deal with intended consequences when setting strategic goals. This requires us to clarify our intentions regarding the outcomes and impact of proposed actions. it also entails asking “What could go wrong with the execution of each strategy?’

When addressing strategy and risk management, we customarily determine our risk profile and align various monitoring and response measures to prevent or respond to the identified risks. These measures can involve both lead and lag indicators, but they do not necessarily help us to identify emergent and unintended risks. How then should we watch out for the unintended consequences of our actions (or inaction)?

ISO 31000 includes unintended effects

In ISO-based risk management systems (e.g., ISO 31000, ISO 9001), unintended and unforeseen consequences are addressed through a broad definition of risk as the “effect of uncertainty on objectives.”

Directors and managers are expected to identify risks from both internal and external sources, including unintended effects of policies or actions. ISO emphasises contextual analysis, stakeholder expectations, and systems thinking to anticipate such outcomes. Unforeseen consequences are managed through continual monitoring, corrective action, and the Plan–Do–Check–Act (PDCA) cycle, which ensures feedback loops inform adaptive decision-making. Tools like scenario analysis, Failure Mode and Effects Analysis (FMEA), and root cause reviews help surface hidden or emergent risks.

These Consequence Diagnostic Toolkit charts (Parts 1 and 2 below) allow for the identification of both foreseeable and unintended consequences.

The inclusion of a query related to the identification of any side-effects of our initiatives alongside standard risk identification and assessment prompts (illustrated below), will help ensure that unintended consequences are integrated into our risk management efforts.

Who owns unintended consequence risks?

Most nonprofits assign responsibility for risk management to an advisory committee, sometimes linked with finance and/or compliance oversight. Customarily committees such as this develop risk inventories, usually featuring strategic and operational risks arsing from the latest update to the organisation’s strategic plan.

Where a risk has been identified in a risk management plan it is usually assigned to an owner or owners, who are chiefly responsible for managing that risk. This can involve reporting on that risk on a regular basis; more frequently where significant risks are involved. It is less common however, for those committees to dedicate time and effort to consideration of unintended consequences arising from organisational activities.

Early Warning Systems for Unintended Consequences

When we think of early warning systems (EWS) we generally think of disaster management like disease outbreaks, fire, earthquake, tidal wave, flood or other environmental risks. Most office buildings (at least the more modern ones) will have EWS facilities built in, so that alarms sound and announcements are made to evacuate the premises in the event of fire, flood or other internal risks.

Applying the concept of an EWS to unintended consequences of our strategic or operational work involves somewhat different tools and processes.

Traditional EWS systems are somewhat blind to unintended consequences as they are targeted to known and anticipated risk scenarios.

They may suffer from the ‘lamplight problem’. The classic example of this is the person who loses their keys and, instead of searching wherever they have been, focuses their search under a lamppost because that’s where the light is. In an organisational context, we may stick to our established practices and familiar strategies, even when there are potentially better, more innovative approaches that require venturing into less-explored territory. Alternatively, team members might only work on the skills they already possess, rather than exploring areas where they have the potential for growth but are not currently comfortable.

Overcoming the ‘lamplight problem’ involves recognising the limits of our immediate perspective (our blind spots) and actively seeking out new information, perspectives, and solutions. This often requires being comfortable with uncertainty and venturing into areas that are not immediately obvious or comfortable. The chart which follows suggests four main ways in which these blind spots operate.

Early Warning Systems provide a signal that a response is required, but don’t necessarily define what that response entails. Each situation will require response/s appropriate to the circumstances. The five concentric rings surrounding our action awareness hub in the following chart invite us to look for unintended consequences from our core activities out to our periphery, where ripple effects may only be initially evident from weak signals.

To move beyond lip service to the integration of unintended consequences within our risk management system, we need to identify and use practical EWS tools and methods. The list of nine such tools in the chart below will hopefully include at least one that you can add to your risk management toolkit.

From Control to Curiosity

For non-profit leaders, the ultimate shift is from control to curiosity. The more we recognise that good intentions don’t guarantee good outcomes, the more we can lead with nuance, empathy, and resilience.

Unintended consequences aren’t just risks — they’re opportunities to learn, adapt, and lead with deeper wisdom.

To that end, a set of six practical strategies for the introduction or strengthening of early warning systems is offered by way of a closing ‘call to action’. That chart is complimented by a summary of five implications of unintended consequences for the governance and management of nonprofit organisations.

Part 3 in this series will follow in due course, rounding out the series with stories and narratives reflecting various perspectives on unintended consequences.

Series links:

The Consequentiality of Unintended Consequences – Part 1
The Consequentiality of Unintended Consequences – Part 3

See also:

Reactive, Responsive, & Proactive Leadership
Fusing experience and expectation in decision-making
“The die is cast”: On Randomness, Intentionality, and Certainty
Regret: your improvement catalyst
Strategic Archery
Strategy and Risk: 2 sides of one coin