How Many Layers Do You Add to Manage Risks?

I listened to Tim Harford’s podcast, La La Land: Galileo’s Warning (Classic). Galileo warned that adding more layers of risk management does not prevent bad outcomes—and might create them. Yet, I’ve said I respect risk management. Not all risk management is created equal. We can use additional steps, sequential occurrences, to manage risks. Layers are the concurrent practices we might use—what Galileo calls layers.

The Difference Between Steps and Layers in Risk Management

Step actions build on each other. Layers add to each other. 

Here’s an example: I manage my vertigo by wearing stable shoes, practicing my core exercises, and taking brisk walks. All of those actions add to each other. Any one of them helps—but each step builds on the others. When we add risk management actions (steps), we create a coherent risk management system.

But concurrent layers are different. Long ago, a male consultant told me he wore a belt and suspenders to keep his pants up. That was a great idea, but he’d neglected to zip his fly. He had concurrent layers that did not address an obvious risk.

You might have seen another example of concurrent layers at work—the multiple signoff problem. One person signs off on this action, then a higher-level person signs off, etc. Why all these signoffs? Because someone, long ago, made a mistake. In a mistaken belief about risk management, the organization created layers to manage the risk of that mistake.

Instead, the organization could have created steps to manage risks. Those steps might not mistake-proof anyone’s actions, but the steps might contain any future mistakes early. 

How Can You Recognize Layers in Risk Management?

I look for these signals of layers:

  • Successive levels of signoffs in an organization.
  • Each action works in parallel to the others.
  • Actions that look and feel like bureaucracy.

Not all bureaucracy is about layers of risk management, but too much of it is.

Create Small Steps to Reduce Risks

Small steps manage just one aspect of the entire problem. How can you create small steps?

  • How many aspects of the problem can we see? Aside from my previous vertigo example, we can manage project risks by asking questions about who expects what and when. The who refers to both internal partners and external users and customers.
  • As we create steps, ask how many aspects this action addresses. Watch for steps that address the same aspect—those might be layers.
  • Review all the steps to see if you created a risk management system.

Once you understand enough of the aspects, you can add small steps to create a resilient system.

Focus on Steps, Not Layers, to Manage Risks

Many years ago, I assessed an automated test suite that took hours to run. It returned some valuable results, but the testers still found problems in the product. The problem was the automated tests were actually layers—many of the tests tested the same things. 

After eliminating the extraneous tests, the test suite ran in under an hour, and the entire product development team understood where to add more test automation. They eliminated the layers and added more steps.

You can, too. 

Heed Galileo’s warning. Focus on steps, not layers, to manage your risks. 


I published what I hope is the almost-final version of Become a Successful Independent Consultant. My layout person has the book now, and my cover person is working on a cover. Phew!

I also opened the Q2 Writing Workshop for registration.

Read More of Create an Adaptable Life

New to the newsletter? See previous issues.

Till next time,


© 2023 Johanna Rothman
