Active and passive risk
Attitudes towards risk are something that I've been meaning to write about for some time now. To me, there're basically two types of risk - active and passive (I'm no risk expert in the "risk analyst"/academic sense, so ignore all of this if it's obvious)...
- Active risk is that which is deliberately taken on - for instance the choice to develop a new product that may (in theory) fail in the market. Or the rewrite of a piece of software due to burgeoning support costs.
- Passive risk is that which is inherent in inaction - for instance, the choice not to update an existing product to compete with others in the marketplace. Or the decision not to rewrite a piece of software, despite burgeoning support costs.
Both these types of risk can be measured in the same way - the cost, and the potential return/loss. Yet people seem to have very different attitudes towards them. Passive risk is seen as a necessary evil that's often ignored. Whereas active risk is seen as something to be avoided, regardless of the potential payback (and likelihood thereof).
I think, in corporate life, the problem lies in what people are measured/judged on - the decisions that they DO make (active risk), rather than the ones they DON'T make (passive risk). It's easier to blame indecision on someone else than it is a choice you made yourself. Unfortunately, I've seen many cases where the passive risk is huge; easily enough to cause a company to go under sometimes (and actually causing it to, in at least one company I've worked with).
In theory, this all comes down to a corporate risk register, and ensuring that it's both complete, and has well-defined accountabilities for each item. Unfortunately, I've rarely seen this really working, with numerous passive risk items dropping out of sight due to an unwillingness to take on responsibility.