The System That Stops Disasters Before They Start. proactive risk management system

The #1 Proactive Risk Management System That Stops Disasters Before They Start

ByDejan Majkic
Your $100K+ Scrum Career Starts Here! Stop Dreaming. Start Earning. Become a Scrum Master in 90 Days!
TABLE OF CONTENTS
1 Introduction
2 The Firefighter’s Curse
3 Why “Just Being Aware” Fails Every Time
4 The Wake Up Call I Needed
5 What Prevention Actually Looks Like
6 Building Your Own Prevention System
7 The Three Questions That Change Everything
7.1 Question 1: Who owns this risk?
7.2 Question 2: When do we check on this risk next?
7.3 Question 3: What’s the trigger for escalation?
8 Making It Work In The Real World
9 The Real Cost of Staying Reactive
10 Your Proactive Risk Management System Starts Now!

Introduction

January 7, 2025. Weather forecasters saw it coming days ahead. A windstorm was barreling toward Los Angeles. Not just any windstorm. The most destructive since 2011.

So-called “proactive risk management system” of the The National Weather Service called it “life-threatening.” They warned winds would “accelerate to dangerous levels.” They predicted “explosive fire growth.”

The fire department knew. The mayor knew. They sent warnings about the winds on social media. They issued news releases.

And then the fires erupted.

When evacuation alerts finally went out, they took 20 to 30 minutes to reach people. Some residents got the warning after their homes were already burning. Over 12,000 structures destroyed. More than 30 people are dead. Billions in damage.

The risks were known. The warnings were issued. But here’s the thing: warnings aren’t the same as a system.

And that’s the trap most of us fall into.

The Firefighter’s Curse

I learned this lesson the hard way on a healthcare IT project.

We had a big database migration coming. Everyone on the team knew it was risky. We talked about it in meetings. Someone would say “We should really test the rollback procedure.” Everyone would nod. Then we’d move on to the next agenda item.

Three weeks before go-live, someone mentioned it again. “Did we ever test that rollback?” Silence around the table. We all knew the answer.

We scrambled. Worked weekends. Built the rollback procedure under pressure. It worked, barely. But we were one bad decision away from taking down medical records for 50,000 patients.

We weren’t lazy. We weren’t incompetent. We just didn’t have a system that forced us to address the risk before it became a crisis.

We were firefighters, not fire prevention specialists.

Los Angeles County had the same problem, just at a much bigger scale. They knew about the windstorm. They knew the vegetation was record dry. They knew they were in a Very High wildfire hazard zone.

But knowing and having a system to act on what you know? Those are two different universes.

Why “Just Being Aware” Fails Every Time

Here’s what happens in most organizations, and probably yours too.

Someone raises a risk in a meeting. Everyone agrees it’s important. Maybe someone even writes it down. Then everybody goes back to their desk and gets pulled into today’s fires.

The risk sits there. Waiting. Growing.

Los Angeles had cut their fire department budget by 17.6 million dollars before the fires hit. They had signed a contract for new emergency alert software in November, right before the holidays. When the fires erupted in January, only 4 people had been trained on the system.

Think about that. They upgraded their emergency system but didn’t train people to use it. It’s like buying a fire extinguisher and leaving it in the box.

Southwest Airlines did the same thing in 2022. Their pilots literally told management “We’re one router failure away from complete meltdown.” One month later, that’s exactly what happened. Two million people stranded at Christmas. 825 million dollars down the drain.

CrowdStrike knew software updates could crash systems. They crashed 8.5 million computers anyway because they had no testing system in place.

Boeing knew they had quality control problems. Planes kept having issues. Then a door fell off at 16,000 feet.

The pattern is always the same: people know about the risk, but there’s no system forcing them to deal with it before disaster strikes.

The Wake Up Call I Needed

After my close call with the database rollback, I realized something. Our team wasn’t bad at identifying risks. We were actually pretty good at it.

We were terrible at doing something about them.

We’d have great discussions. We’d identify 15 potential problems. We’d all feel productive. Then we’d leave the room and… nothing. The risks just sat there in meeting notes nobody read.

I needed to answer a hard question: why do some teams catch disasters before they happen while others watch them unfold in slow motion?

The answer hit me during a conversation with a fire chief at a conference. He told me something that changed how I think about risk.

“Amateur firefighters react to fires. Professional firefighters prevent them. The best firefighters? They build systems that make fires impossible.”

That’s when it clicked. I wasn’t building prevention systems. I was just getting better at reacting faster.

What Prevention Actually Looks Like

Let me show you the difference with a real example.

Reactive team: “We should probably back up the database before the migration.”

Proactive team: “Database migration checklist, item 7: Verify backup completed and test restore procedure. Cannot proceed to item 8 until verified by two people.”

See the difference?

The reactive team knows what they should do. The proactive team built a system that forces them to do it.

Los Angeles needed the second version. Instead, they had the first.

They knew winds were coming. But their evacuation alert system? It required someone at the incident command center to call or text someone at the emergency operations center. That person would then update a third party vendor system. Then the alert went out.

During the worst moments of the fires, this phone tag system took 20 to 30 minutes per neighborhood. And that was an improvement. The old system took 30 to 60 minutes.

Imagine waiting 30 minutes for a fire alert when flames move faster than you can run.

The system wasn’t designed for speed. It was designed by people who never imagined needing it during a genuine catastrophe.

Building Your Own Prevention System

Here’s what I did after my wake up call, and what you can start doing today.

I stopped having risk discussions. I started having risk decisions.

Old way: “We should monitor the server load during peak hours.”

New way: “Every Monday at 9am, Sarah checks last week’s server metrics and reports anything above 80% capacity. If nothing is above 80%, she replies to this thread with ‘Clear.’ If something is above 80%, we meet Tuesday at 10am to decide action. This is now in Sarah’s calendar and mine.”

Notice what changed? The risk doesn’t sit in someone’s head anymore. It’s assigned. It’s scheduled. It has a trigger for action.

After the LA fires, investigators found the county had “outdated policies, inconsistent practices, and communications vulnerabilities.” Translation: no real system.

They also found something interesting. First responders acted heroically. Sheriff deputies evacuated nursing homes. County firefighters led buses through burning neighborhoods. They saved lives through individual courage.

But courage shouldn’t be your risk management plan.

The Three Questions That Change Everything

I now end every risk discussion with three questions. If I can’t answer all three, the risk isn’t managed. It’s just documented.

Question 1: Who owns this risk?

Not the team. Not the department. A specific human being with a name.

In Los Angeles, nobody specifically owned “making sure enough people are trained on the new alert system.” So when the fires hit, only 4 people knew how to use it.

On my projects now, every risk has a name next to it. That person might delegate the work, but they can’t delegate the ownership.

Question 2: When do we check on this risk next?

“We’ll monitor it” means nothing. “Sarah checks it every Monday at 9am” means something.

Los Angeles had a small fire on January 1st. They declared it contained at 4:46am. Case closed, right?

Wrong. That fire was still smoldering. When the windstorm hit six days later, it reignited and became the Palisades Fire. One of the most destructive fires in California history.

Nobody was scheduled to check if “contained” actually meant “extinguished.” No system. No schedule. Just an assumption.

Question 3: What’s the trigger for escalation?

When does this risk stop being monitoring and become action?

Server load above 80%? We meet Tuesday. Migration rollback test fails? We delay launch. Alert system training incomplete? We don’t sign off on the contract.

Clear triggers. No debate needed.

Los Angeles had warnings for days. But no trigger existed that said “at this warning level, we do X.” So warnings just piled up without action.

Making It Work In The Real World

You’re probably thinking “This sounds good, but my organization doesn’t work like that.”

I get it. I thought the same thing.

Here’s the secret: you don’t need permission to start. You just need your next meeting.

For Agile teams: Add one item to your sprint retrospective. “What risk did we identify last sprint, and did we actually do something about it?” Then pick one risk for next sprint. Assign it. Schedule it. Define the trigger.

For traditional project teams: Take your risk register. Pick the top three risks. For each one, answer the three questions. Send the answers to your team. Put the check-ins on your calendar.

For anyone with a recurring meeting: Reserve 10 minutes at the end. Call it “Risk Reality Check.” One risk. Three questions. Done.

Start small. Build the habit. The system grows from there.

I started with just my database risks. Within three months, my team was naturally thinking this way. Within six months, other teams were asking how we always seemed to catch problems early.

We didn’t get smarter. We built a system that made it impossible to ignore risks.

The Real Cost of Staying Reactive

Here’s what keeps me up at night about Los Angeles.

The investigators found that first responders were understaffed. The emergency management office was under resourced. The alert system was outdated.

All of this was knowable before the fires. All of it was preventable.

But prevention requires doing something today to stop a problem that might happen tomorrow. And tomorrow always feels less urgent than today’s crisis.

Until tomorrow arrives.

Southwest knew their IT systems were aging. They spent money on stock buybacks instead of upgrades. Then they paid 825 million dollars in one week.

Boeing knew they had quality problems. They kept producing planes anyway. Now they’ve lost 36 billion dollars total.

CrowdStrike knew they should test updates better. One untested update cost 10 billion dollars in global damage.

Los Angeles knew the risks. The fires still killed over 30 people and destroyed 12,000 structures.

The math is brutal: prevention costs money and time today. Reaction costs everything tomorrow.

Your Proactive Risk Management System Starts Now!

You don’t need to solve every risk today. You need to solve one risk in a way that proves the system works.

Pick one risk that’s been sitting on your radar. Not the biggest one. Not the scariest one. Just one that matters.

Answer the three questions:

  • Who owns it?
  • When do we check it?
  • What triggers action?

Put the check-in on a calendar. Make it real. Make it recurring.

That’s it. That’s your prevention system version 1.0.

When that risk gets handled before it becomes a crisis, pick another risk. Answer the three questions again.

After a few cycles, something magical happens. Your team stops waiting for you to ask the questions. They start asking them automatically.

That’s when you’ve gone from firefighting to fire prevention.

Los Angeles is rebuilding now. The investigators made 148 recommendations. They’re focused on prevention.

It took a catastrophe to force the change.

You don’t have to wait for your catastrophe. You can build your prevention system today.

Because here’s what I learned: the disasters that destroy projects aren’t the ones nobody saw coming. They’re the ones everybody saw coming but nobody had a system to stop.

Want to build a complete prevention system for your team? My course walks you through exactly how to integrate proactive risk management into every aspect of your workflow, whether you’re running sprints or managing traditional projects. You’ll learn the frameworks, tools, and habits that turn risk awareness into risk prevention. Discover Risk Management in Scrum and stop fighting fires before they start.

Founder of www.whatisscrum.org/

Agile and Scrum Advocate | Scrum Master | Product Owner | Trainer

After spending over 20 years in IT, with a decade dedicated to Agile and Scrum methodologies, Dejan Majkic emerges as a trailblazer in product development. He has aided thousands of students worldwide, leveraging his expertise to assist them in entering the tech industry, obtaining certifications, excelling in interviews, and securing well-paid positions.
CLICK HERE TO UNLEASH YOUR FULL SCRUM POTENTIAL