Risk management practices sit at the core of information security - and yet the NSCS Annual Review (2025) reports "nationally significant" incidents increasing nearly by double in the UK. Is it time to acknowledge that current practices are not working for us and should we consider if there is a case for a post-risk world? During this session, we'll briefly examine how risk management became central to our profession and then dig into its practical challenges: prioritisation difficulties, subjective scoring, lack of actionable data and business buy-in. It will explore a growing movement amongst security practitioners that questions whether "managing risk" should be the primary goal at all, and re-evaluates what our industry's objectives should be. Other practices - such as chaos engineering, resilience, and threat-centric approaches will also be presented as alternatives. The session is designed as a thought exercise -  it is challenging risk management as the central concept, and opening the door to the discussion of how a world without risk management looks like. Therefore the key take-away for the audience is not to say "we were wrong to manage risk all along", but to return to their teams and reassess some core practices, whilst asking the question: are we actually reducing harm, or just optimising a failing system?