On Acceptance of Risk
There are four or five responses to risk, depending on who you ask: mitigate, accept, transfer, reduce and, sometimes, ignore. Ignoring a risk is just a lame way of burying your head in the sand and pretending it doesn’t exist. Let’s just say there are four legitimate responses to risk.
What we usually hope for is mitigation and reduction. These responses deal with the risk directly and, more importantly, they show the greatest amount of responsibility in dealing with the problem.
Transferring risk can be a legitimate response, or it can be a way of ignoring the risk under another name. It is legitimate when there is a thoughtful decision to transfer the risk to another party and that party knowingly accepts it; an insurance policy is the obvious example. Even then the transfer is partial: the insurer covers some of the financial loss, not the outage, the disclosure, or the organization’s own obligations to the people affected. It is illegitimate when handing the risk to another party is just another way of saying, “it’s not my problem.”
That leaves acceptance. Acceptance means, “I know that this might happen, and if it does, I am prepared to accept the consequences of my decision.” The problem with acceptance is that it is rarely tied to consequences.
I see this problem in the real world all the time. Security professionals present risks to senior management, and management simply does not respond. They don’t respond unless there is an incentive to do so, and agreeing to put themselves on the line for little or no positive return doesn’t win many fans. If the senior executive fails to respond and the risk is realized, they can just say, “I never saw the risk analysis,” or worse, “they failed to communicate the risk to me effectively.”
We need two things to make risk acceptance work. One, the risk acceptor cannot be in a position of authority over the risk advisor; otherwise the advisor may water down the risk out of fear for his own job. Two, there have to be consequences that tie directly to the risk being realized and to the choice not to mitigate, transfer or reduce it. Essentially, this means that ignoring the risk becomes acceptance by default, with a particular consequence attached. In practice, that requires the acceptance to be written down: who accepted which risk, on what date, with what assessed impact, and when the decision will be revisited, so that “I never saw the risk analysis” is no longer available as a defense. In both cases, the consequences of acceptance, whether by default or explicit, need to be commensurate with the risk.
Consequences tend to motivate people. Risk acceptance without consequences is not risk acceptance at all.