The priorities, the working assumptions, and the cultures of organizations can make risk control difficult. Risk control operations may run up against built-in assumptions of trust performance" in meaningful and persuasive ways. Interventions must be designed, and their effectiveness measured (to the extent possible) a long way back in a chain of possible events. All control work has to be conceived, organized, and conducted far back in the development of the threat.

Analysis is fundamentally important in breaking the risk and its precursors into elements that can be controlled or reduced. Organizations may prefer to sacrifice individuals who fall over the edge rather than give up the performance gains associated with risky practice.

Investigation and punishment, after a fall, may turn out to be window-dressing, as the organization may well be reluctant to give up the performance gains. The organization may be unwilling or reluctant to devote resources to audit, surveillance, and enforcement. Officials responsible for customer service and process management may end up opposing, sabotaging, or sidelining the risk control operation.

At a minimum, a risk-management system must have the following components:

• A Nomination System which generates and funnels nominations for risks to be addressed.
• An Assignment System for committing personnel/ resources to risk-mitigation projects.
• Project Records: project files, paper or electronic, organized around risks or risk-concentrations (rather than around cases, programs, systems, or functional divisions).

More and more agencies are learning how to organize resources around important risk areas and to respect the natural shape and size of problems they seek to address, rather than forcing them into the existing organizational apparatus.

In reflecting on their hard won successes, agency executives usually discover that the following observations apply to their successful risk-control initiatives.

• Neither the specific components of the risk, nor the solution, were conceived anywhere in the agency legislation. The solution of the problem or the mitigation of the risk required neither a change in legislation, nor any change in the agency general policies.

• The "problem" or "risk-concentration" was identified, managed, and solved below the level of strategic planning. Although the agency mission statement, authorizing legislation, and strategic plans might specify broad classes of risk, successful projects usually address carefully delineated.

• The risk performance measures (indicators of risk-reduction success) were specific to the project and were selected before developing the action plan. Designing relevant metrics took as much creativity and imagination as the action plan itself.

Real world problems come in awkward shapes and sizes, which do not fit established groups or units. Dealing with them properly requires coordination and commitment across different units and agencies.

• Management does not understand this kind of work, and fails to support those who try to do it.
• Problem - solving and risk-mitigation work brings an unfamiliar degree of discretion, and uncertain degrees of authorization.

Pioneering agencies find this work to be different, unrelentingly difficult, and intellectually demanding. Many government agencies, especially regulatory and enforcement agencies, are adopting risk-management frameworks to reorient their core businesses. Many others are recognizing the need to use formal risk-management approaches to protect their personnel, their clients, their resources, and their ability to carry out their primary missions.