The art of doing nothing: risk acceptance should be your most considered risk-avoidance strategy

By: Thom Langford | In: Information Risk | On: Oct 14, 2014

The very term “risk” can make people feel uncomfortable, with its connotations of bad things happening and the threat that if risk is not minimized or removed then life (or business) may well just become too dangerous to carry on.

Crossing the road is risky, especially if you live in a busy city. Yet people, young and old, do it every day. In fact, it’s riskier than flying, but I would argue that far more people are afraid of flying than of crossing the road. Hugh Thompson of RSA put it very well in his presentation at the 2011 RSA Conference Europe, in which he raised the issue of “Sharkmageddon”: more people are killed every year sitting on the beach by falling coconuts than are killed by sharks. There is an almost universal fear of sharks. So much so that even when armed with the facts, most of us would still consider swimming in the surf of a sun-soaked holiday beach a far greater risk than taking shade under a coconut tree.

Risk is an inherent part of our lives, and if we let the realities of risk take control of our business decisions we can fast become the corporate version of an agoraphobic, sat tight in the safe confines of the environment we know rather than venturing out to experience life in the outside world. With such an approach we would ultimately wither, failing to find success as an individual or indeed as a business.

In my experience, one of the most misunderstood approaches to treating risk is to either accept or manage it. Most people are comfortable with mitigating, transferring or avoiding a risk through simple acts with which we are all familiar. We fix a problem, for example, or give it to someone else to deal with, or stop doing the thing that caused us the problem in the first place.

However, no one feels quite so comfortable simply accepting a risk and, in essence, doing nothing. Although this may not strictly be the case, it is essentially how we feel we are dealing with the risk. In fact, we are accepting that there is either nothing we can do, or nothing we are willing to do, to reduce the risk. Either way, we are not blindly accepting it at face value. Rather, we remain aware of the risk as we continue our operational activities; we know it is there as we carry on the day job. Those activities, and the very environment in which we are operating, can change without notice, and soon turn the decision to accept the risk into the wrong course of action.

For instance, it may now be cheaper to address the risk than it would have cost you to do so originally. Or perhaps the highly lucrative contract that made the risk acceptable is over, and there is now a greater risk of a financial loss that would cost more than the revenue you are currently bringing in. The reasons for change are often financial, but not always. Your appetite for risk may also have changed, or your industry may have become more regulated; all of these examples mean the decision to accept the risk needs to be reconsidered.

All risk decisions need to be reviewed regularly, for exactly the reasons given above, but in my opinion it is risk acceptance decisions that should be reviewed most often: they are the ones made as a result of more transient and changing factors, and they are the ones that could harm the organisation most.

About the author

Thom Langford

Thom is a highly qualified information security specialist with a proven track record of leading globally diverse teams and successfully implementing information security programmes, IT services, infrastructure, procedures and projects across multiple geographies and cultures. Currently, Thom is the Director of Security Risk Management in Sapient’s Global Security Office, responsible for highlighting and advising on delivery, compliance and industry security risks across North America, Europe and India. Thom speaks frequently at conferences and is a regular blogger. He won the award for Best Personal Security Blog at the 2013 European Security Bloggers Awards. As well as information security, Thom’s specialities include compliance; risk management; IT governance; incident management; IT service & support; global operations; international team building; help desk support management; facilities management; and office design, build & relocation. Thom can be found at and on Twitter @thomlangford.