Are You Protecting the House… or Creating the Illusion of Protection?

The Appearance of Protection Is Not Protection

Walk into most organisations and ask about governance, risk, and compliance…

…and you’ll be shown policies, frameworks, registers, and reports—carefully prepared artefacts that demonstrate control, signal oversight, and provide reassurance that risk is being managed in a structured and deliberate way.

Evidence.

Documents that confirm something has been reviewed, approved, or completed.
Records that show alignment to standards.
Outputs that can be presented, defended, and relied upon when required.

But here’s the question that rarely gets asked—at least not in a way that lingers long enough to truly matter:

How much of it is actually protecting the house?

The Illusion We’ve Learned to Trust

This isn’t a question of intent.

Most leaders care deeply about their people, their organisation, and the outcomes they are responsible for—often carrying a level of accountability that extends far beyond what is visible on the surface.

And yet, despite that intent, many organisations have been conditioned—over time, through systems, expectations, and regulatory pressure—to equate documentation with control, and compliance with protection.

If it’s written down… it must be managed.
If it’s signed off… it must be understood.
If it’s completed… it must be effective.

It sounds logical.

It also happens to be where the illusion begins.

Because documentation doesn’t equal protection.

It equals evidence that a requirement has been met at a point in time—nothing more, nothing less.

And minimum standards, by design, were never intended to keep you ahead of risk; they exist to ensure you remain within acceptable boundaries.

There is a difference between staying within the lines… and truly safeguarding what sits inside them.

Evidence of What… Exactly?

“Evidence” is one of those words that carries weight, authority, and a quiet sense of reassurance.

It suggests something tangible. Verifiable. Real.

But when you pause and really sit with it, the question becomes unavoidable:

Evidence of what, exactly?

A policy that was approved… at a specific moment in time?
A document that was signed… by the appropriate authority?
A training module that was completed… once, perhaps annually, acknowledged and recorded?
A report that was submitted… aligned to expectations and delivered on schedule?

All of these things are evidence.

But they are evidence that something happened.

They are not evidence that something is continuing to happen in the way we assume, expect, or need.

Because risk does not operate in snapshots.

It operates in motion—continuously, dynamically, and often quietly, in ways that never quite make it into the formal record.

So, when we say, “We have evidence,” what we are often really saying is:

“We can demonstrate that, at a defined point in time, we did what was required.”

Which is very different from being able to say:

“We understand how this is being interpreted, lived, and acted upon… right now, in real time, across our organisation.”

When Evidence Becomes a Story We Tell Ourselves

And this is where the conversation becomes more confronting.

Because evidence—particularly within compliance and governance environments—is not just static.

It is often curated.

Organised, selected, structured, and presented in a way that reflects a version of reality that can be understood, communicated, and, when necessary, defended.

Not always with intent to mislead.

But shaped nonetheless—by pressure, by expectations, by incentives, and at times, by an unspoken need to demonstrate that things are under control.

As compliance language becomes more formal, more legal, and more precise, the role of evidence subtly shifts.

It becomes less about understanding what is happening… and more about demonstrating that obligations have been met, due diligence has been exercised, and accountability can be shown if questioned.

Which, in many cases, is about protection.

But often, it is protection after the fact—protection of position, rather than protection of people, decisions, and outcomes as they unfold.

And in that space, something important emerges:

Evidence can be technically accurate… and still be deeply misleading.

When Evidence Holds… But Reality Doesn’t

If that feels like a stretch, it’s not.

The 2018 collapse of Carillion, one of the UK’s largest construction and government outsourcing companies, offers a clear and sobering reminder of what this can look like in practice.

In the years leading up to its collapse, the structures were in place.

Accounts were prepared.
Audits were completed by KPMG.
Governance processes were followed.
Sign-offs were given.

The evidence existed.

And yet, the organisation was already deteriorating beneath the surface.

Debt was mounting.
Assumptions were being carried forward.
Signals were either not fully challenged… or not acted on with the weight they required.

By the time Carillion collapsed, the gap between what was documented and what was actually happening had become impossible to ignore—and the consequences were massive and unavoidable.

What We Say vs What Actually Happens

Let’s strip it back.

Safeguarding isn’t a policy issue → it’s a people issue.
Governance isn’t a board pack → it’s a thinking issue.
Compliance isn’t protection → it’s evidence of minimum standards.

Policies don’t stop harm—people do.
Board packs don’t surface risk—real conversations do.
Compliance doesn’t prevent failure—it often trails behind it.

And yet, many organisations continue to invest heavily in strengthening the very mechanisms that sit furthest away from where risk actually lives.

Not because they are wrong.

But because those mechanisms are visible, measurable, and defensible.

They provide something that can be pointed to when questions are asked.

Something that feels… safe.

Where Risk Actually Lives

Risk does not sit neatly in a register, waiting patiently to be reviewed.

It doesn’t align itself to reporting cycles or governance calendars.

It lives in the everyday.

In the decisions people make when time is tight and pressure is high.
In the conversations that feel uncomfortable and are therefore avoided.
In the behaviours that are tolerated, excused, or overlooked.
In the signals that are noticed—but not acted on.
In the tools and technologies we create—often assuming they will manage what we haven’t fully understood.

And most of all—

risk lives in people.

In how they think.
How they interpret what’s in front of them.
How they respond when it matters.

That is where protection either strengthens… or quietly begins to break down.

The Starting Point Most Organisations Get Wrong

The last letter in the PROTECT framework is “T” — Toolkit.

That is on purpose.

And yet, most organisations begin there.

Policies.
Systems.
Frameworks.
Controls.

They build out the artefacts of compliance and governance first… and then expect people to operate within them effectively.

But protection doesn’t start there.

Because tools don’t interpret risk—people do.
Tools don’t make decisions—people do.
Tools don’t act—people do.

So when we start with Toolkit, what we are implicitly saying is:

We trust the system more than we trust our people.

And in that moment, something subtle—but significant—begins to shift.

People disengage.
Signals are softened or missed.
Silence replaces conversation.
Workarounds emerge.

Not because people don’t care.

But because the system was never designed with them at the centre.

This is systems before people… when it needs to be people before systems—or better yet, systems designed for people.

Reordering the Way We Think About Protection

If we are serious about protecting the house—not just demonstrating that past requirements have been met, recorded, and signed off—then we need to start where risk actually lives.

With people.

  • People — those closest to the work, the environment, and the signals that matter
  • Risk Lens — how those people interpret and make sense of what they are seeing
  • Origin — the deeper drivers behind decisions, behaviours, and pressures

Only then do tools have their rightful place—not as the starting point, but as the support.

Because when tools are built on top of aligned thinking, engaged people, and a clear understanding of risk…

they enhance protection.

When they are not…

they create the illusion of it.

This is where we start to become PROactive.

A Different Standard

This isn’t about removing compliance.

Compliance matters.

But it was never meant to carry the full weight of protection.

That responsibility sits elsewhere.

With leadership.
With culture.
With people.

Because once you see this gap… it’s hard to unsee it.

And closing it doesn’t start with more systems, more policies, or more reporting.

It starts with a different way of thinking.
A different relationship with risk.

One that begins with people—
and builds from there.

(It’s exactly why I created the Risk Rebel Leadership Pathway.)

Because the organisations that are truly protecting the house don’t just have better systems.

They have leaders who understand that risk doesn’t live in a document.

It lives in decisions.
In behaviour.
In conversations had… or avoided.

They pay attention to what doesn’t show up in reports.
They create environments where people can speak up early—before things escalate.
They recognise that silence is not safety, and that the absence of noise is not the absence of risk.

And they know that real protection is not proven in what is written down…

but in what actually happens when it matters most.

So… what say you?

Are you protecting the house—
or creating the illusion of protection?

And if you’re ready to close that gap… you know where to start.
