The familiar story is incomplete

On 26 April 1986, Reactor 4 at the Chernobyl nuclear power plant exploded during a late-night safety test. The disaster killed plant workers and emergency responders, contaminated large areas, forced mass evacuations and left a long legacy of health, environmental and social harm. Forty years later, it still has a strange grip on the imagination because of its scale, because of the physical horror of an open reactor core burning into the night, and because it feels like a warning from inside the machinery of modern organisations.

It is tempting to tell the story as a technical accident: xenon poisoning, low-power instability, a positive void coefficient, graphite displacers in control rods, and a reactor design with dangerous characteristics. That technical version is not wrong, but it is incomplete. The disaster at Chernobyl was also an organisational failure, in which the physical explosion was the final expression of weaknesses that had accumulated earlier in design governance, operating rules, safety culture, escalation, regulatory oversight and the translation of technical knowledge into decision-making. The reactor failed in seconds, but the management system failed before that.

The recurring pattern is simple and dangerous: conditions changed, but the decision frame did not change with them.

A reasonable objective under changed conditions

The test at the centre of the accident had a legitimate purpose. If a nuclear plant loses external electrical power, it still needs electricity to run essential systems, including pumps; diesel generators can provide backup power, but they take time to start and reach full output. The question was whether the remaining momentum of the turbine, as it spun down after steam supply was cut, could provide enough electricity for a short bridging period. This was not a foolish question, but a safety question.

That matters because many organisational failures do not begin with obviously reckless intentions, but with reasonable objectives pursued under deteriorating conditions. A test is planned, conditions change, people adapt, the original decision is not revisited, and momentum takes over.

The test had been attempted before, and the plant was preparing another attempt during a planned shutdown of Reactor 4. The power reduction for that shutdown had already begun when the operating context changed: the electrical grid still needed output from the unit, so the shutdown process was held part-way through rather than continuing as planned. Reactor 4 therefore spent longer than intended in a reduced-power state before the test resumed. By the time the night shift inherited the situation, the plant was no longer in the clean, planned state imagined by the test procedure. This is the first governance lesson: a decision made for one set of conditions should not silently survive into another. Risk management often fails at exactly this point when the organisation says, "We approved the activity." Approval, however, is not magic. Approval depends on assumptions about timing, technical state, available margin, operating competence, external pressure and control effectiveness. When those assumptions change, the decision should change too.

Approval is conditional. When timing, technical state, available margin or external pressure changes, the original decision should be reopened.

When pressure makes stopping difficult

The available record supports a clear operational pressure: the test had already been postponed, the shutdown window was limited, and the grid had delayed the power reduction because electricity was still needed. The opportunity to complete the test was narrowing.

The pressure to continue did not need to take the form of an explicit order from Moscow; it was already built into a situation in which an unfinished test, a closing shutdown window, a grid-imposed delay and an existing plan all pointed in the same direction. Stopping would not have been a neutral technical act, because it would have meant explaining non-completion upward through a hierarchy that was not known for rewarding inconvenient caution. This is where culture becomes operational: in a healthy safety culture, changing conditions make stopping easier; in a weak safety culture, changing conditions become obstacles to work around. The difference is not visible only in speeches or policy statements, but appears in the moment when someone must decide whether to pause, escalate, disappoint the plan or continue.

The point is not that every individual wanted risk, but that the organisational setting made continuation easier than escalation. This pattern is familiar far beyond nuclear power: a project milestone is already late, a supplier assessment is incomplete but go-live is scheduled, a vulnerability is known but the release train is moving, a product complaint pattern is uncomfortable but recall would be expensive, or a risk review is postponed because the board pack is already closed. No one has to say, "Ignore the risk"; the organisation simply makes stopping feel like failure. A weak management system makes interruption costly and continuation ordinary. A strong one reverses that burden by making changed conditions visible, by giving escalation a credible route and by making conservative decisions legitimate before courage is required.

When the operating state changes but the decision does not

To understand the technical sequence, we need a little reactor physics. We do not need enough detail to become nuclear engineers, but we do need enough to see why the governance failure mattered. During operation, fission produces iodine-135, which decays into xenon-135. Xenon-135 strongly absorbs neutrons. At normal power, xenon is also removed by neutron absorption, so production and removal can remain broadly balanced. When power is reduced, however, there are fewer neutrons available to remove xenon, while iodine already in the core continues to decay into new xenon. Xenon can therefore build up after a power reduction and suppress the chain reaction. This is often called xenon poisoning. At Reactor 4, the shutdown sequence had already begun when the grid delay kept the unit at reduced power for longer than planned. Later, when power was reduced further and fell much lower than intended, xenon poisoning became a serious control problem. The reactor did not behave like a simple machine where operators could just turn power up and down at will. Xenon was absorbing neutrons and holding the reaction back.

To raise power, operators withdrew control rods. This restored some reactivity, but at a cost. The reactor was now being operated with many rods withdrawn, reducing the margin available to control the reactor. The plant eventually stabilised far below the originally intended test power, in a state that left too little room for error. Technically, the plant was no longer in the condition the test had assumed. Organisationally, however, the old decision still had momentum.

This is often where blame narratives become too easy, with the story reduced to claims that the operators violated rules, should have stopped, or simply made mistakes. The operating state was unsafe, and important limits were breached. A governance analysis, however, asks a different question: why was the organisation able to arrive at this state and continue? A well-designed management system does not rely on perfect judgement at 1 a.m. under production pressure, test pressure and hierarchical pressure. It creates barriers before people reach the edge, and it defines which changes in state require a new authorisation rather than local improvisation. The problem at Reactor 4 was not merely that the reactor was in a dangerous condition. It was that the dangerous condition did not cause the organisation to stop.

The amplification loop inside the system

The RBMK reactor design had characteristics that made low-power operation especially hazardous. The reactor was graphite-moderated and water-cooled: graphite slows down neutrons, and in this design that moderation helped sustain the chain reaction, while water removed heat and also absorbed some neutrons. In many reactor designs, especially where water also acts as the main moderator, coolant water boiling into steam tends to reduce reactivity because steam is much less dense than liquid water and slows fewer neutrons into the range where fission is sustained efficiently. That provides a stabilising effect. In the RBMK, under certain operating conditions, the opposite could happen. When water turned to steam, there was less water available to absorb neutrons while the graphite moderator remained, so more steam could increase reactivity, produce more heat and produce still more steam. This is the positive void coefficient; in plain organisational language, the system had a condition in which disturbance could amplify itself.

That is not automatically catastrophic if the condition is well understood, tightly controlled and surrounded by conservative operating limits. It becomes dangerous, however, when the people operating the system do not have enough usable information about the danger, and when governance mechanisms do not force the organisation to stay away from unstable states.

The phrase "positive void coefficient" sounds technical, but for governance the concept is familiar because many organisations have systems where pressure increases instability. A bank can suffer losses that trigger liquidity pressure, which then triggers confidence loss and creates still more liquidity pressure; a supplier network can absorb one disruption by pushing demand to another supplier until that supplier also fails; a cyber incident can force emergency workarounds that weaken controls and create new exposure; and a hospital under pressure can accumulate waiting lists, staffing gaps and incident backlogs that reinforce each other. The technical mechanism differs, but the governance question is the same: do we know when our system becomes self-amplifying? If risk increases faster than information can travel, or faster than escalation and control action can respond, the management system is already behind the event.

When controls have hidden failure modes

The most unsettling detail in the accident sequence is the emergency shutdown system. After the turbine rundown had begun, the operators pressed AZ-5, the emergency shut-down button, apparently to shut down the reactor as part of the operating sequence rather than because recorded parameters required emergency intervention. In ordinary intuition, the function of that button was clear: it should end the danger. The control rods enter the core, neutrons are absorbed, and the reaction slows.

In the RBMK design at the time, the control rods were not simple absorber columns. The neutron-absorbing section was coupled to graphite displacers, and the purpose of those displacers was not to make an inserted control rod more effective. It was to improve the neutron economy when the absorber was withdrawn: instead of leaving the channel filled only with water, which absorbed neutrons, the graphite displaced some of that water and made more neutrons available to sustain fission. The graphite was not simply outside the reactor when a rod was fully withdrawn; it sat within the fuelled region of the core, but because it did not cover the full core height, water remained in parts of the channel. Under the conditions present that night, this mattered enormously. When AZ-5 was pressed and fully withdrawn rods began entering the core, graphite initially displaced water in the lower part of the channel. Since water absorbed neutrons, replacing water with graphite could briefly increase reactivity locally before the neutron-absorbing part of the rod entered fully.

In other words, the emergency shutdown system could initially add reactivity under certain extreme conditions. The safety system was not simply absent; it was present, trusted and dangerous in a way that was not adequately visible to the operators. This should make every governance professional uncomfortable, because it is the difference between having a control and understanding what that control actually does under stress.

A control is not reliable because it exists. It is reliable only if its behaviour under stress is known, tested and governable.

Most organisations have controls that are assumed to be protective:

• an escalation process;

• approval workflows;

• a supplier due diligence checklist;

• an audit programme;

• a risk committee;

• an incident response plan;

• dashboards showing red, amber and green.

The disaster leaves a set of uncomfortable questions for any organisation that relies on formal controls. What does the control actually do under stress? Does escalation clarify accountability, or does it diffuse it? Does a risk committee make decisions, or does it absorb discomfort? Does a dashboard reveal deteriorating conditions, or does it hide them behind averages? Does supplier due diligence expose dependency, or does it produce paper confidence? At Reactor 4, the shutdown button was real. The organisation, however, had not governed its failure mode.

When risk knowledge is not usable

One of the most important lessons from the disaster is that risk information can exist and still be useless. Some dangerous characteristics of the RBMK design were known within parts of the scientific, design and regulatory system, while others were sufficiently indicated by operating experience and safety analysis gaps that they should have triggered deeper review. Risk is not controlled simply because it is documented somewhere, partially understood somewhere, or suspected somewhere. The knowledge has to reach the people who need it, in a form they can act on, with authority attached.

If operators do not understand the conditions under which a reactor becomes unstable, the knowledge is not operationally effective. If procedures do not translate safety-critical design characteristics into hard limits and stop criteria, the knowledge is not governable. If regulators and designers do not ensure that operating organisations understand safety-critical design behaviour, the knowledge is not assured.

This distinction matters far beyond nuclear power. Organisations often confuse "documented" with "managed". They maintain risk registers, policies, training packs and technical assessments, but when a real decision arrives, the information is too abstract, too fragmented, too late or too politically inconvenient. Risk management is not the existence of information. It is the conversion of information into better decisions.

Risk knowledge becomes useful only when it can change authority, stop criteria or operating behaviour at the moment of decision.

The organisational failure before the explosion

The organisational root causes of the disaster can be grouped into several patterns.

This framing also matters historically: later analyses, including the IAEA's INSAG-7 report, shifted emphasis away from a simple operator-blame account and towards the interaction of reactor design, operating procedures, safety culture and regulatory oversight.

First, there was a weak safety culture. That phrase is sometimes used vaguely, but here it has practical meaning. A strong safety culture makes conservative challenge legitimate. It allows people to stop work when conditions change. It treats uncertainty as a reason to pause, not an embarrassment to overcome.

Second, the governance of the test was weak. A safety-relevant test should have had clear preconditions, stop criteria and re-authorisation triggers. If the reactor could not be operated under the planned conditions, the test should have been stopped or redesigned.

Third, operating procedures did not adequately protect against the reactor's dangerous low-power characteristics, and the system relied too heavily on operators managing a complex, unstable state in real time.

Fourth, safety-critical design characteristics were not sufficiently transparent to the people operating the plant. The control rod insertion effect and the reactor's behaviour under certain low-power conditions were not governed as operationally critical knowledge.

Fifth, regulatory oversight did not provide a strong independent barrier. A regulator should not merely exist as an institution, but must have the authority, independence and technical capability to challenge design and operating assumptions before catastrophe.

These are not exotic failures, but management-system failures: decision thresholds were unclear, escalation was weak, critical knowledge did not travel effectively from design and regulation into operational judgement, and independent challenge did not provide a strong enough barrier. The organisation relied too heavily on local judgement under pressure, and it failed to revisit the decision to continue when the conditions changed. In modern governance terms, the failure was not only that hazards existed, but that the system did not convert changing conditions into a new decision with enough authority to interrupt the work.

The recurring governance pattern

The Chernobyl disaster shows a pattern that appears in many management-system failures:

1. Conditional approval: an activity is approved under a defined set of assumptions.

2. Assumption decay: timing, technical state, resources, exposure or control confidence changes.

3. Momentum protection: continuation remains easier than delay, redesign or escalation.

4. Local adaptation: people closest to the work compensate instead of triggering re-authorisation.

5. Control overconfidence: formal controls are trusted without being tested under stress.

6. Knowledge fragmentation: critical information exists but is not usable where authority is exercised.

7. Narrowing corridor: options shrink until the organisation is choosing under pressure between bad choices.

What risk management should learn

For risk management, the central lesson of the disaster is this: risk management failed because the test conditions changed, but the decision frame did not. The operators and managers were no longer conducting the test that had been imagined. The reactor state, power level, control margin and level of uncertainty had all changed, but the organisational momentum remained: continue the test. This is a common risk management failure. An organisation approves a project, supplier, product launch, restructuring or technical change. Later, the assumptions deteriorate, costs rise, deadlines compress, staffing changes and warning signals appear, while the original approval continues to govern the decision. The risk process should interrupt that momentum.

A useful risk process makes the assumptions behind a decision visible. It defines which indicators show that conditions have changed, who has authority to pause or stop, what must be escalated, how residual risk is accepted, and when a new decision is required. It also gives changed information a route into authority, so that a deteriorating operating state is not treated as a local inconvenience. Without that, risk management becomes ritual. The organisation can say the words, maintain the forms and still drift into danger.

What governance design should learn

For governance design, the Chernobyl disaster is a case about decision rights under pressure. Governance is not just an organisation chart, and it is not simply a committee structure. It is the design of authority, accountability and escalation so that important decisions happen at the right level with the right information. A good governance design would have made several things explicit: who owned the safety test, who could approve continuation when test conditions changed, which operating states required automatic stop or escalation, which technical risks had to be understood by operators, which independent function could challenge the test, and how production or grid pressure should be weighed against safety conditions.

The most important governance question is not "who was responsible?" after the disaster, but "who had the authority to stop this before the accident sequence became uncontrollable?" In many organisations, accountability is retrospective: after failure, responsibility is reconstructed, while before failure authority is ambiguous. Governance should make authority clear before the decision. The disaster shows what happens when stop authority is too weak, too unclear or too culturally difficult to use.

Could the disaster have been avoided?

The disaster could have been avoided, although not by one perfect decision in the control room. It would have required multiple barriers, each of which would have made the final catastrophe less likely. The reactor design could have been safer: the positive void coefficient could have been reduced, and the control rods could have been designed so that emergency insertion did not create a positive reactivity effect. After the disaster, RBMK reactors were modified, which tells us the design was not destiny. Operating limits could also have been stricter and more effectively enforced, because low-power operation in an unstable configuration should not have been treated as a manageable inconvenience.

The test procedure could have required re-authorisation when conditions changed. If the planned power level could not be achieved, the test should have been stopped or redesigned. Operators could have been trained more clearly on xenon poisoning, control margin, positive void behaviour and the shutdown system's limitations. Independent safety review could have challenged the test design and operating conditions, because high-risk tests should not depend on local operational momentum. Most importantly, the organisation could have had a safety culture in which stopping was normal rather than heroic or career-limiting. Avoidance, in other words, was not a single missing action. It was a missing system of barriers.

The lesson for today's organisations

The Chernobyl disaster can feel distant because it happened forty years ago, because disasters of that scale are rare, and because most readers are not responsible for operating or governing nuclear reactors. Most organisations do not operate graphite-moderated reactors with positive void coefficients and flawed control rod designs, but every organisation has unstable states: a bank can enter a liquidity spiral, a hospital can normalise unsafe waiting times, a software company can automate deployment faster than it can validate change, a manufacturer can treat field complaints as noise until they become a recall, a public authority can rely on disposal routines that nobody has actually assured, and a supplier network can become fragile because every individual contract looks acceptable in isolation. The mechanism changes, but the governance problem remains.

The lesson of the Chernobyl disaster is not that people make mistakes, because that conclusion is too easy. The more demanding conclusion is about the system around them.

The lesson is not that people make mistakes. The lesson is that organisations must be designed so that changing conditions force better decisions before options narrow.

The question for decision-makers, risk managers and auditors is therefore not only whether this could happen here. The more useful questions are more specific: where are we continuing with an old decision after the conditions have changed? Where do we assume a control will save us without understanding how it behaves under stress? Where is critical technical knowledge known somewhere but not usable by the people who need it? Where is stopping formally possible but culturally difficult? Where has risk management become a ritual instead of a decision system? Forty years after the Reactor 4 disaster, those questions are still alive.