Complexity prevails through granularity
But start breaking your risks down into different categories. Now you have operational risk, which is concerned with your processes and the way you run the business, and people risk, which is more strategic and concerned with scaling your business. Even at this level it’s still not complicated.
Now consider that your business doesn’t operate as a whole; over time it’s naturally evolved, and silos have formed. Now there are lots of teams all doing different things, using their own models, speaking their own language, working to their own agenda, which means you need an integrated approach to risk management.
But within each department, there will be some really specific risks. For example, finance will need to deal with liquidity risk and credit risk. So now you need some very specific controls to mitigate these niche risks.
And don’t forget to include risks from your external environment. You can have the most robust security in the world, but a small third party can leave you exposed and vulnerable.
All of a sudden, your world has become very complicated. And that’s before we’ve even mentioned the minefield of regulatory risk.