Cause-centric risk management
Most risk managers would agree that the most effective way to manage risk is to terminate the risk, but human nature being what it is - particularly in the defense and security sectors, decision makers are too keen to defend against existing threats before they seek to terminate the risks. For instance, when confronted by terrorism, they might invest in various protective measures but forget to dampen the grievances, which encouraged the terrorism in the first place.
So far as decision makers seek to terminate, they probably terminate only the proximate causes. For instance, if faced by an insurgency, they might buy off one insurgent group with an immediate alliance against a more threatening insurgent group. But treating the risk in this way condemns us to perpetual treatment of a risk that is never resolved - moreover, we could end up activating new risks. For instance, by buying off one group, we could empower that group against its old foes or provoke new jealousies and thereby spark off a sectarian conflict.
Tracing the root causes is more burdensome than tracing the proximate causes, but is ultimately the most effective response - and often the most efficient response too.
The "react-defend-activate" pathology is most obviously illustrated by the Global War on Terror. Reacting against terrorist threats as they exist today is no solution to terrorism as a historical phenomenon. Trying to defend the homeland against all possible threats is a route with no end except bankruptcy, after many diversions into pork barrel politics - with every small town requesting funds for its own biological/chemical terrorism response team. Exporting counter-terrorism to regimes and societies overseas inevitably activates new threats, which is how a war on terror has turned into a war on insurgency.
Despite changes in the war on terror, we lack a proper discourse on the main alternative to the react-defend-activate pathology. The alternative is "root cause-centric" risk management. Although astute theorists of risk management have prescribed such a focus, in practice it is all too often forgotten.