Risk Strategy

The Risks Your Team Already Knows About But Won't Tell You

The most dangerous risks in a mid-market company are rarely unknown. They are known by people who don't feel safe surfacing them. Here's why standard ERM misses them, and the structural fixes that work.

By Eric Kennedy · Wed May 27 2026 · 7 min read

The Risks Your Team Already Knows About But Won't Tell You
TL;DR: The most dangerous risks in a mid-market company are rarely unknown. They are known by people who don't feel safe surfacing them. Standard ERM tools (heat maps, workshops, voluntary disclosure) capture only what people are comfortable saying out loud in a facilitated session. This article covers why suppressed risk is the most underexamined failure mode in operational risk management, the three categories of risk that consistently stay buried (vendor distress, operational workarounds, strategic assumption risk), and the structural changes mid-market risk programs need to make to actually see what their organizations know.

There is a version of enterprise risk management that looks rigorous from the outside. Heat maps get updated. Risk registers get reviewed. The board gets a quarterly presentation. Leadership feels covered.

And somewhere in the organization, a mid-level operations manager knows that a critical vendor is three months from financial distress. A finance analyst knows that a key control has been bypassed informally for two years. A department head knows that the assumptions behind next year's revenue forecast are not realistic.

None of that information is on the heat map.

This is the most underexamined failure mode in operational risk management: not missing data, but suppressed data. The risks that exist, that are visible to people inside the organization, that never make it to the people who need to act on them.

Why people don't speak up

The research on this is unambiguous. According to Wiley's Workplace Intelligence research, only 53% of individual contributors feel safe taking risks at their organizations, compared to 76% of executives. Nearly one in five individual contributors do not feel safe taking risks at all, the highest of any group surveyed. Mental Health America's 2024 workplace research adds another piece to the picture: only 47% of employees agree that their employer encourages clear and transparent communication. Less than half.

That gap between executive and contributor experience is not a coincidence. It is a structural feature of how most organizations operate.

Senior leaders consistently overestimate how much honest information flows upward. They assume that if something important were happening, they would hear about it. That assumption is almost always wrong.

Operational risk management that depends on voluntary disclosure is not a program. It is an optimism strategy.

What gets suppressed and why

Iceberg diagram contrasting the small visible tip of mid-market risk that reaches leadership (heat maps, risk register, quarterly reports) with the much larger submerged mass the team already knows but rarely surfaces: vendor distress, bypassed controls, and aggressive forecast assumptions.

The risks that tend to stay buried are not random. They cluster around a few predictable categories.

Vendor and third-party risk. People who manage vendor relationships often know when a supplier is struggling: delayed responses, staff turnover, quality slippage, pricing pressure. That information rarely reaches finance or risk leadership until a failure is imminent, because the person who knows it does not have a clear channel to escalate it, and escalating feels like creating a problem rather than preventing one.

Operational workarounds. In most organizations, the documented process and the actual process are different. Controls that exist on paper get bypassed informally because the workaround is faster, or because the control was designed for a context that no longer exists. The people doing the workaround know it carries risk. They also know that disclosing it might create work, invite scrutiny, or imply criticism of a process someone senior designed.

Strategic assumption risk. The risks embedded in forward-looking projections, revenue forecasts, capacity assumptions, market timing, are often visible to the people building the models. When those assumptions are aggressive, the people who know it are frequently not the people who approved it. Raising a flag means questioning leadership's judgment. Most people do not do that without a structured invitation.

Why standard ERM misses this entirely

Side-by-side comparison diagram contrasting Traditional ERM (where risk is known by employees but blocked at the psychological safety gap, so leadership receives only fragments) with Structured Risk Input (where anonymous, visible, actioned channels allow the full risk picture to reach leadership), with the closing line "The difference is not awareness. It is design."

Most operational risk management frameworks are designed to capture what leadership already knows and codify it. Interviews, workshops, risk surveys: these tools surface the risks that people are willing to articulate to someone with authority in the room.

According to McKinsey's 2021 research on psychological safety and leadership, only 26% of leaders create psychological safety for their teams. That means the standard ERM toolkit is working with a fraction of the available information in most organizations.

The heat map reflects what people were comfortable saying out loud in a facilitated session. It does not reflect what people know.

This is the fifth gap most mid-market ERM programs do not account for. The other four (no risk appetite, risks owned by no one, registers too long to be useful, no link to capital allocation) are visible problems. This one is invisible by design. You cannot diagnose a missing signal. You can only diagnose the absence of a system that would catch one.

What a risk program needs to do instead

Closing this gap requires three structural changes that most mid-market risk programs have not made.

Build structured channels for risk input. Not suggestion boxes, those are performative. Structured risk input mechanisms that are periodic, specific, and actioned visibly. When people see that surfaced risks get taken seriously and do not result in retaliation, the volume and quality of risk intelligence increases. When they see the opposite, it stops entirely.

Separate risk identification from performance review. One of the strongest predictors of whether operational risk gets surfaced is whether the person surfacing it believes it will be used against them. In organizations where risk identification and performance management are entangled, where flagging a problem in your area is perceived as owning that problem, people do not flag problems. They manage them quietly and hope for the best.

Embed risk surfacing into existing operational touchpoints. The most reliable way to capture suppressed risk is not a separate channel that requires effort to use. It is integration into operations people already do: quarterly business reviews, control self-assessments, vendor management touchpoints, monthly close calls. A two-question prompt during a vendor review ("What is your honest read on this supplier's stability?" and "What would you want leadership to know that you have not been asked?") will surface more actionable intelligence than any standalone risk survey. The mechanism matters less than the discipline of asking.

Diagram titled "Three Structural Changes That Surface What Your Team Knows" showing three numbered boxes connected by arrows: (1) Structured Input Channels - periodic, specific, actioned visibly, not suggestion boxes; (2) Separate from Performance Review - flagging a risk in your area cannot make you the owner of the problem; (3) Embed in Existing Touchpoints - vendor reviews, quarterly business reviews, monthly close calls

The information is already there

The most actionable implication of all of this is also the most underutilized one: the risk information your organization needs to manage its exposure more effectively is almost certainly already present inside the organization. It exists in the operational knowledge of the people closest to your processes, vendors, customers, and controls.

The question is not whether that information exists. The question is whether your risk program is structured to reach it.

If your risk program runs on voluntary disclosure and annual reviews, you are not seeing your full risk picture. You are seeing the part of it that people were comfortable sharing.

Governance, risk and compliance programs that are designed only to document what leadership already knows will always have blind spots. Programs that are designed to systematically surface what the organization collectively knows, including what people are reluctant to say, are in a different category entirely.

Key Takeaways

Where to Start {eyebrow="Redesign the Layer"}

If your risk program is producing the same heat map every quarter, the answer is not a better heat map. It is a redesigned operating layer that pulls in what the organization actually knows.

Risk Clarity Sprint{.cta-primary} ERM Diagnostic{.cta-secondary}

The Risk Clarity Sprint (4 to 6 weeks) rebuilds the risk identification layer of your program, including structured input channels, named owners, and a refresh cadence that surfaces what your team actually knows. If you want a maturity assessment first, start with the ERM Diagnostic. The diagnostic fee is credited toward the Sprint if you move forward.

Frequently Asked Questions

What is suppressed risk in operational risk management?

Suppressed risk is risk information that exists inside an organization (known to employees, managers, or analysts closest to a process, vendor, or control) but never reaches the people who can act on it. Unlike unknown risk, suppressed risk is not a knowledge problem. It is a structural problem with how the organization captures information. Most mid-market operational risk programs are designed to document what leadership already knows; suppressed risk is what they systematically miss.

Why don't employees report risks they see?

The research consistently shows three reasons. First, the lack of psychological safety: people who do not feel safe taking risks in their organization do not report risks that might be associated with them, their team, or a process owned by someone senior. Wiley's research shows only 53% of individual contributors feel safe taking risks at their organizations, compared to 76% of executives. Second, the entanglement of risk identification with performance review: flagging a problem in your area often feels like owning the problem. Third, the absence of structured channels: when there is no clear, low-friction way to surface a risk, the path of least resistance is to manage it quietly.

How is suppressed risk different from unknown risk?

Unknown risk is something nobody in the organization sees coming, often because it is external (regulatory change, market shock, technological disruption). Suppressed risk is something someone in the organization already sees clearly, but the organization has not designed a way to capture it. Unknown risk requires better intelligence, scenario planning, or external scanning. Suppressed risk requires better internal channels and a culture that rewards surfacing problems rather than hiding them.

What does a structured risk input channel look like?

A structured risk input channel is a periodic, specific, and actioned mechanism for surfacing what employees know about operational risk. It is not a suggestion box. The most effective versions are embedded in operations people already do: a two-question risk prompt at the end of a vendor review, a structured component of quarterly business reviews where risk owners answer specific questions about what has changed, a confidential channel paired with visible follow-through on what gets surfaced. The defining features are: separate from performance review, specific about what is being asked, and visibly followed up on so people see that surfacing risk leads to action.

How do mid-market companies build psychological safety in risk reporting?

The structural answers matter more than the cultural ones. Three practical moves: separate risk identification from performance review entirely, so flagging a problem in your area does not make you the owner of it; design specific, low-friction prompts that ask people directly about risk in their domain ("What would you want leadership to know that you have not been asked?"); and demonstrate visible follow-through so that surfaced risks lead to action rather than retaliation. The most damaging signal is a surfaced risk that disappears into the void. The most encouraging is a surfaced risk that visibly triggers a conversation and a response.