There is a version of the drift zone that is specific to organisations, and it looks like action. The risk has been identified. It has been assessed. It has been given a colour, a score, and an owner. It appears in the risk register. It is reviewed quarterly. It has a mitigation plan with dates and responsible persons.
And nothing changes.
This is compliance theatre. The organisation has not dealt with the risk. It has processed it. The paperwork creates the feeling of management without any of the substance. The board receives a report. The report says the risk is "being managed." Everyone moves on to the next item.
The problem is that the paperwork acts like a narrative. It tells the organisation a story: we are on top of this. The risk register becomes a filter, not a tool. It absorbs the discomfort of the risk and converts it into a process. The process satisfies the requirement to be aware. The awareness satisfies the requirement to act. Except nobody actually acted.
This is information filtering at the organisational level. The raw signal ("this system is failing and needs replacing") gets processed through layers of governance until it becomes a green cell in a spreadsheet. The distance between the signal and the decision-maker is wide enough to absorb the urgency.
The consequence horizon for these risks does not arrive through internal process. It arrives externally. A regulator shows up. A client complains publicly. A system fails visibly. And suddenly the risk that was "being managed" is being dealt with at emergency speed by people who could have dealt with it at normal speed a year earlier.
If your risk register has items that have been on it for more than twelve months without resolution, the question is not whether the risk is being managed. It is how far away the horizon is, and what it will look like when it arrives.
Morgan Sheldon