Some say that ignored risks as part of an organization's behavior are much worse than accepted risks.

I would like to test that axiom (in the eyes of some).

When I am handling a risk and I choose to accept it, it means that I have done risk analysis and risk control, and have chosen to accept this risk and to live with it. When I am doing the same thing, only this time I choose to ignore that risk, am I not doing the same thing? I am living with that risk as part of my operational plan as an organization.

Some would say that it is foolish to ignore risks. However, I am seeing it this way - the only difference between an accepted risk and an ignored risk is the mere fact that when I am accepting a risk, I am keeping myself and my organization self-aware of that risk. And if a risk is ignored, then I probably ignored it because it is a lightweight risk, the chance of it being leveraged is minimal, and the costs of the vulnerability associated with it being exploited are zero to none.

So, is the difference so big?

Franko

3 Answers

Despite the gigabytes written on risk management, I don't think there is a consistent, coherent terminology for risk management. So the answer to your question is local; unless you define "ignore" differently from "accept" within your risk management program, there is no difference.

That said, I would suggest that if I were one of the decision makers, I would treat the two differently. Even if I were to accept a risk, I would continue to monitor that risk, periodically re-assess that risk, and consider assigning risk triggers and risk metrics. I'm accepting that risk today because of my evaluation of the risk likelihood and impact, the cost and efficacy of my potential responses, and my priorities. Next month those factors may change. In my mind "accepted" risks are still managed, but "ignored" risks are not.

MCW
In the context you have described, there is no such thing as an ignored risk. What you have outlined is risk acceptance.

If you weigh up the risk and decide not to do anything, you are accepting that risk, not ignoring it.

Rory Alsop
  • How would you describe an ignored threat? Perhaps I am presenting the context in a wrong way. – Franko Jan 06 '13 at 20:11
I accept the risk that I may die in a car accident.

The convenience of the car is great enough that I continue to drive it.

The risk of death is low enough that I have decided the existing measures (air bags, seat-belts) are good and no other measures (jump jets) are worth the cost they require. I will periodically check to see if any new measures are introduced.

I would not describe this attitude as foolish because a reasonable evaluation of vulnerability was done. Mitigation costs and benefits were considered and rejected. And a commitment to periodic re-evaluation was made.

I do not know about the asteroid that will impact and destroy my car.

Have I made enough inquiries into threats and vulnerabilities and failed to detect the asteroid threat?

Or was my research insufficient to uncover threats and vulnerabilities for which reasonable mitigations exist?

I think the last question can help you decide if you are truly ignoring risk.

this.josh