Improving Risk Management with The Cynefin Framework



Risk management is crucial for organizational resilience and success in the ever-evolving business landscape. It involves continuously identifying, analyzing, evaluating, treating, and monitoring risk in an organization’s operations and strategy. As risk issues are identified, risk managers must make difficult decisions on which issues to prioritize and what to do about them.

This article introduces an approach that uses a powerful decision-making framework called Cynefin to characterize issues in a way that can improve decision-making, ultimately saving time and resources. 

ISO 31000 Risk Management Guidelines

The proposed approach is based on the ISO 31000 guidelines, first published in 2009 and revised in 2018 by the International Organization for Standardization (ISO), which help organizations of any industry, size, or location manage risk, achieve their objectives, and improve decision-making.

Risk Management Process

As shown in the figure below, the ISO 31000 guidelines describe a Risk Management Process made up of Defining Scope, Context and Criteria; Risk Assessment; Risk Treatment; Monitoring and Review; and Communication and Consultation.

Defining Scope, Context, and Criteria is essential to the effective governance of risk within an organization and to ensuring alignment with its mission, goals, and values. 

ISO 31000 Risk Management Process

Risk Assessment includes three activities designed to improve decision-making about the need to treat a risk.  

  • Risk Identification: Identifying risks that could impact an organization’s ability to achieve its objectives by causing harm or loss.
  • Risk Analysis: Determining the likelihood (probability) and consequences (impact) of a risk on the organization.
  • Risk Evaluation: Comparing the results of analysis against the pre-established criteria to decide if treatment is required and with what priority.  

Risk Treatment: Selecting and implementing a suitable treatment for addressing the risk that may include avoiding, accepting, transferring or mitigating the risk.

Monitoring and Review: Continuously monitoring and reviewing the risk management process and its outcomes to ensure they remain relevant and effective.

Communication and Consultation: Engaging internal and external stakeholders to ensure the communication of risk information and the consideration of their views.

The Risk Triage Process

It is common for risk managers to deal simultaneously with multiple identified risk issues arising from audits, security reviews, and similar sources. In this situation, it is valuable to have a documented process to triage those issues and quickly prioritize them against a predefined set of criteria. While the ISO 31000 guidelines do not explicitly call out a risk triage process, triage is clearly an element of Risk Evaluation. It should be noted that risk triage is not a substitute for Risk Analysis, and that it may be necessary to recharacterize and reprioritize issues over time.

Using the Cynefin Framework to Characterize Risk 

Cynefin framework

Dave Snowden developed the Cynefin Framework in 1999 to help identify the appropriate decision-making approach in different environments. The framework can be applied to understanding the nature of risks and the environment in which they occur. Specifically, the risk issues organizations face can be divided into five distinct domains: Clear, Complicated, Complex, Chaotic, and Disorder. 

Understanding and leveraging these domains as part of the triage process can significantly enhance an organization's ability to characterize issues more effectively, saving resources and leading to better prioritization.

Clear Domain: Risks are straightforward and easily identifiable in this domain. Solutions are well-known, and best practices can be applied. For example, compliance with regulatory requirements falls into this category. The focus here is on standard operating procedures and ensuring that these procedures are diligently followed.

Complicated Domain: Risks in this domain require expert analysis to identify and mitigate because the relationship between cause and effect is not immediately obvious, although it can be worked out. Organizations should rely on subject matter experts to diagnose issues and implement solutions. For instance, technology upgrades and many cybersecurity measures (such as remediating a known vulnerability in a large estate) fall into this category.

Complex Domain: The complex domain is characterized by risks with no clear cause-and-effect relationship. These risks emerge from dynamic interactions within the system. Organizations should adopt an experimental approach, testing different hypotheses and learning from outcomes to inform future decisions and directions.

For example, the risk of losing market share may depend on market trends and on customer behavior that is not well understood; such risks are often complex and require additional information before appropriate decisions can be made.

Chaotic Domain: In this domain there is no discernible relationship between cause and effect, so traditional analysis is futile, but the harm is apparent and immediate action is required to restore order. The priority is to act swiftly to stabilize the situation, and only then to identify patterns and restore order.

Examples include natural disasters or sudden market crashes. 

Disorder Domain: This domain represents situations where it is unclear which of the other four domains applies. In such cases, the primary goal is to break down the problem and categorize it into the appropriate domain to apply the relevant strategies.

Applying Cynefin: A Three-Step Process

Applying the Cynefin framework to characterize identified risks during triage can improve decision-making, save time, and ensure appropriate actions are taken. 

It can be integrated with the existing risk management processes and involves three steps:

  • Step 1: Determine the Domain 
  • Step 2: Select the Course of Action
  • Step 3: Monitor and Adjust

Step 1: Determine the Domain

After identifying a risk, assign it to one of the five Cynefin domains by asking specific questions that help clarify the nature of the risk and its context. Here are some example questions that can help guide you:

Clear Domain

  1. Are the cause-and-effect relationships well understood and predictable?
  2. Can a best practice or a known solution be applied?
  3. Can the problem be easily categorized and addressed using standard procedures?

Complicated Domain

  1. Is expert knowledge or analysis required to understand the problem?
  2. Are there multiple potential solutions that need to be evaluated?
  3. Can the cause-and-effect relationships be understood with thorough analysis?

Complex Domain

  1. Are the cause-and-effect relationships unclear or emerging over time?
  2. Does the situation involve numerous interacting variables and unknowns?
  3. Is experimentation and probing necessary to understand and address the problem?

Chaotic Domain

  1. Is the situation highly unstable and rapidly changing?
  2. Are immediate actions required to prevent further damage or restore order?
  3. Is it difficult or impossible to determine cause-and-effect relationships at this moment?

Disorder Domain

  1. Is it unclear which domain the situation fits into?
  2. Is there confusion or disagreement about how to approach the problem?
  3. Do you need to gather more information to classify the situation correctly?

By answering these questions, you can better understand the nature of the risk and its context to identify the appropriate Cynefin domain. This then informs the most suitable approach for managing the situation effectively.

Step 2: Select The Course of Action

After identifying the Cynefin Domain, the next step is selecting the appropriate course of action. Here are some suggested actions and examples for each domain.

Clear Domain

Actions: Sense - Categorize - Respond

  • Assess the facts of the situation and categorize them.
  • Apply best practices.
  • Follow standard operating procedures.
  • Ensure compliance and consistent execution.

Example: In a manufacturing plant, ensuring all safety protocols are followed to prevent accidents. This involves routine checks and adherence to established guidelines.

Complicated Domain

Actions: Sense - Analyze - Respond

  • Conduct thorough analysis and diagnostics.
  • Bring in subject matter experts to provide insights.
  • Evaluate multiple potential solutions to find the best one.

Example: Implementing a new IT system requires experts to analyze requirements, evaluate different software options, and select the most suitable one.

Complex Domain

Actions: Probe - Sense - Respond

  • Engage in experimentation and safe-to-fail probes.
  • Encourage diversity of perspectives and brainstorming.
  • Adapt and iterate based on feedback and emerging patterns.

Example: Developing a new marketing strategy for a product launch. The team might try various approaches, analyze customer responses, and adjust the strategy accordingly.

Chaotic Domain

Actions: Act - Sense - Respond

  • Take immediate, decisive action to establish order.
  • Communicate clearly and frequently to manage the situation.
  • After stabilization, identify patterns and make sense of the chaos.

Example: Responding to an active cybersecurity breach whose scope is not yet understood. Immediate actions include isolating affected systems (preserving logs and other evidence where possible), communicating the breach to stakeholders, and starting recovery procedures. Once the situation is stabilized, the incident can usually be recharacterized as Complicated and handed to the appropriate experts for root-cause analysis.

Disorder Domain

Actions: Categorize

  • Break down the problem to understand its nature.
  • Gather more information and perspectives.
  • Categorize parts of the problem into Clear, Complicated, Complex, or Chaotic domains and address them accordingly.

Example: A company facing a sudden drop in market share might initially be in disorder. They need to analyze the situation, gather data, and determine whether the issue is due to predictable factors (Clear), requires expert analysis (Complicated), involves unpredictable market trends (Complex), or is due to a sudden crisis (Chaotic).

Step 3: Monitor and Adjust

The goal is to move a risk toward the Clear domain whenever possible, and it may be necessary to do this in steps: a risk in the Chaotic domain would first be moved to Complex, then to Complicated, then to Clear. Because situations change, and because a risk's domain can be mischaracterized during triage, organizations need to monitor risks continuously to determine whether they should be recharacterized and reprioritized.
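As an added example of the three-step process above (it is not code from the article, from ISO 31000, or from the Cynefin Company), the following Python sketch applies Step 1 to a small risk register by scoring the yes/no triage questions per domain, falls back to Disorder when the answers are weak or tie, attaches the Step 2 action pattern, and implements Step 3 by re-running the questions later and reporting whether the issue moved toward Clear. The question keys, the scoring rule, the triage priority order, and the sample register entries are assumptions made here for illustration.

```python
"""Added example: Cynefin-based risk triage (illustrative; not from the article,
ISO 31000, or the Cynefin Company). Question keys, scoring rule, priority order
and sample issues are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Domain(str, Enum):
    CLEAR = "Clear"
    COMPLICATED = "Complicated"
    COMPLEX = "Complex"
    CHAOTIC = "Chaotic"
    DISORDER = "Disorder"


# Step 1: triage questions, keyed by the domain a "yes" answer points to.
QUESTIONS = {
    Domain.CLEAR: ["cause_effect_predictable", "known_best_practice",
                   "standard_procedure_applies"],
    Domain.COMPLICATED: ["expert_analysis_required", "multiple_solutions_to_evaluate",
                         "cause_effect_understood_with_analysis"],
    Domain.COMPLEX: ["cause_effect_emerging", "many_interacting_unknowns",
                     "experimentation_needed"],
    Domain.CHAOTIC: ["unstable_rapidly_changing", "immediate_action_required",
                     "cause_effect_undeterminable_now"],
}

# Step 2: the Cynefin action pattern for each domain.
ACTIONS = {
    Domain.CLEAR: "Sense - Categorize - Respond",
    Domain.COMPLICATED: "Sense - Analyze - Respond",
    Domain.COMPLEX: "Probe - Sense - Respond",
    Domain.CHAOTIC: "Act - Sense - Respond",
    Domain.DISORDER: "Categorize",
}

# Step 3: the expected path of an issue toward the Clear domain.
PATH_TO_CLEAR = [Domain.CHAOTIC, Domain.COMPLEX, Domain.COMPLICATED, Domain.CLEAR]

# Assumed triage order: act on Chaotic issues first, then classify Disorder,
# then work the remaining issues down toward Clear.
PRIORITY = [Domain.CHAOTIC, Domain.DISORDER, Domain.COMPLEX,
            Domain.COMPLICATED, Domain.CLEAR]


@dataclass
class RiskIssue:
    ident: str
    title: str
    answers: dict                                  # question key -> True/False
    history: list = field(default_factory=list)    # domains assigned over time

    @property
    def domain(self):
        return self.history[-1] if self.history else None


def determine_domain(answers, min_yes=2):
    """Step 1. Score each domain by its 'yes' answers. A domain is assigned only
    when one domain leads outright with at least `min_yes`; a tie or a weak
    signal means Disorder (gather more information before acting)."""
    scores = {d: sum(bool(answers.get(q)) for q in qs) for d, qs in QUESTIONS.items()}
    best = max(scores.values())
    leaders = [d for d, s in scores.items() if s == best]
    if best < min_yes or len(leaders) != 1:
        return Domain.DISORDER
    return leaders[0]


def triage(issues):
    """Steps 1 and 2 for a batch of issues: assign and record a domain for each,
    then return (id, domain, action) tuples in triage order."""
    for issue in issues:
        issue.history.append(determine_domain(issue.answers))
    ordered = sorted(issues, key=lambda i: PRIORITY.index(i.domain))
    return [(i.ident, i.domain.value, ACTIONS[i.domain]) for i in ordered]


def monitor(issue, new_answers):
    """Step 3. Re-run the questions as the situation changes and report whether
    the issue moved toward Clear ('progress'), stayed put, or regressed. Disorder
    has no position on the path, so moves into or out of it are 'reclassified'."""
    issue.answers = new_answers
    before = issue.domain
    after = determine_domain(new_answers)
    issue.history.append(after)
    if before is None or Domain.DISORDER in (before, after):
        return "reclassified"
    delta = PATH_TO_CLEAR.index(after) - PATH_TO_CLEAR.index(before)
    return "progress" if delta > 0 else "unchanged" if delta == 0 else "regressed"


def demo():
    """Constructed sample register (not real findings)."""
    register = [
        RiskIssue("R-1", "Expired TLS certificate on public site",
                  {"cause_effect_predictable": True, "known_best_practice": True,
                   "standard_procedure_applies": True}),
        RiskIssue("R-2", "Ransomware spreading across file servers",
                  {"unstable_rapidly_changing": True, "immediate_action_required": True,
                   "cause_effect_undeterminable_now": True}),
        RiskIssue("R-3", "Audit finding: unclear ownership of a legacy app",
                  {"expert_analysis_required": True, "many_interacting_unknowns": True}),
    ]
    order = triage(register)
    # Once R-2 is contained, its answers change and it should move down the path.
    after_containment = {"expert_analysis_required": True,
                         "multiple_solutions_to_evaluate": True,
                         "cause_effect_understood_with_analysis": True}
    return order, monitor(register[1], after_containment)
```

In the constructed register, the ransomware issue is triaged first as Chaotic (Act - Sense - Respond), the audit finding lands in Disorder because its answers split evenly between Complicated and Complex, and the certificate issue is Clear. Re-running the questions after containment moves the ransomware issue to Complicated, which `monitor` reports as progress toward Clear. Calibrating `min_yes` and the priority order to the organization's own criteria is the point of the Defining Scope, Context and Criteria step.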

Want to Learn More?

Watch the recording of the HIPAA Security 3.0 educational session "Deciding When to Perform a Quantitative Risk Analysis - When Is the Juice Worth the Squeeze?" to see how Cynefin improves the risk triage process.


Applying the Cynefin Framework in a triage process enables organizations to tailor their risk management strategies to the nature of the risks they face. This approach ensures that responses are appropriate to the context and character of each risk, improving the organization's ability to manage under uncertainty. Embracing the Cynefin Framework gives leaders the understanding needed to navigate their risk portfolio with confidence, fostering a proactive and adaptive risk management culture.


ISO. (2018). ISO 31000:2018[E] Risk Management - Guidelines. ISO.

ISO. (2021). ISO 31000:2018 - Risk Management - A Practical Guide.

Snowden, D. (2020). Cynefin - Weaving Sense-Making Into the Fabric of Our World (R. Greenberg & B. Bertsch, Eds.). Cognitive Edge - The Cynefin Company.

Snowden, D. J., & Boone, M. E. (2007, November). A Leader's Framework for Decision Making. Harvard Business Review.


