The document discusses two approaches to risk management: 1) a formal, structured process of risk assessment with codified responses, and 2) an approach built on effective engagement of management and staff in ongoing risk assessment and mitigation. It suggests that most organizations implement neither approach effectively. It then examines the trade-off between formal risk auditing and genuine staff engagement, and how organizational culture and external factors shape both the formal and the implementation sides of risk management. It gives two examples: a small business with informal but effective risk management tied to its business plan, and an NHS hospital trust with complex, formal plans but poor staff awareness and ownership, which led to failures.