in

ASP.NET Weblogs

Extreme JS

JS Greenwood's WebLog on architecture, .NET, processes, and life...

Active and passive risk

Attitudes towards risk are something that I've been meaning to write about for some time now.  To me, there're basically two types of risk - active and passive (I'm no risk expert in the "risk analyst"/academic sense, so ignore all of this if it's obvious)...

  • Active risk is that which is deliberately taken on - for instance the choice to develop a new product that may (in theory) fail in the market.  Or the rewrite of a piece of software due to burgeoning support costs.
  • Passive risk is that which is inherent in inaction - for instance, the choice not to update an existing product to compete with others in the marketplace.  Or the decision not to rewrite a piece of software, despite burgeoning support costs.

Both these types of risk can be measured in the same way - the cost, and the potential return/loss.  Yet people seem to have very different attitudes towards them.  Passive risk is seen as a necessary evil that's often ignored.  Whereas active risk is seen as something to be avoided, regardless of the potential payback (and likelihood thereof).

I think, in corporate life, the problem lies in what people are measured/judged on - the decisions that they DO make (active risk), rather than the ones they DON'T make (passive risk).  It's easier to blame indecision on someone else than it is a choice you made yourself.  Unfortunately, I've seen many cases where the passive risk is huge; easily enough to cause a company to go under sometimes (and actually causing it to, in at least one company I've worked with).

In theory, this all comes down to a corporate risk register, and ensuring that it's both complete, and has well-defined accountabilities for each item.  Unfortunately, I've rarely seen this really working, with numerous passive risk items dropping out of sight due to an unwillingness to take on responsibility.

Published Jan 08 2005, 07:05 PM by jsgreenwood
Filed under:

Comments

 

Gary Walvin said:

Slightly off the original point, but I've often seen a lack of knowledge by senior management cause something to be mistakenly classed as a risk. You know the scenario: "I don't understand it, therefore it must be high risk". This seems to be irrelevant of the fact that the people actually doing the work know perfectly well how to do it and the risk is minimal.

The main area that risk registers seem to fail in is where something lands on the border between department responsibilities and communication leaves a lot to be desired.
Guess that just furthers my belief that if we'd all just talk a little more, we'd achieve a hell of a lot more (quick, get the joss sticks, flowers and pretend we're at Woodstock...)

Passive risks can be changed (with a bit of rewording) to encourage action and have a much greater impact, e.g. "if we don't change this we'll lose money" changed to "if we carry on doing this we'll lose money". To me, this slight change encourages the recipient to look at what they ARE doing. Refering to things being done works much better than something not being done, e.g. "Smoking gives you lung cancer" works much better than "Not smoking prevents lung cancer".
January 10, 2005 11:24 AM
 

TrackBack said:

^_^,Pretty Good!
April 9, 2005 11:59 PM

Leave a Comment

(required)  
(optional)
(required)  
Add
Terms of Use