March 3, 2009 by John Sherwood
(With thanks to Hans Hopman, who started this line of thought for me)
Imagine a life modelled on 'heaven', in which risks do not exist. You wake up in the morning, perfectly safe and secure in the knowledge that there you face no risks. (This itself is a paradox, because why would you have needed to sleep if constant wakefulness posed no risks?). Anyway, you go about your life knowing nothing can go wrong. No deadlines will be missed. No injuries will be sustained, no matter what you do. No one will be offended, no matter what you say or do. You eat as little or as much as you like without any anxiety about the effects. You will never die. Eternity stretches before you unhindered in any way by 'risk'. There will be no failures of any kind. That means also there will be no successes.
So why bother?
Risk drives life. Risk makes you 'feel alive'. It's a good job that the creator (whatever or whoever you believe that to be) incorporated risk into the universe, otherwise it would be eternally boring. Long live Heisenberg and the uncertainty principle, because that's where risk begins!
Real life of any kind is full of risk. From the moment of our conception to the moment of our death, everything has risk in it. However, risk appetite is the key here – how much risk do you want to take? Risk appetite is not infinite, and it varies from person to person, from organisation to organisation, and from society to society. Policies and rules are one of the ways in which we articulate and bound our risk appetite at any level - personal, family, corporate or society as a whole, and compliance with those policies and rules is one of the mechanisms by which we mitigate certain risks and accept others, according to appetite. Thus, to me, the question, as always, is how much appetite for risk do we have? Total risk aversion would be an attempt to zeroise risk appetite, which would stifle creativity and progress, blocking all opportunities for gain, but the opposite would be an attempt to push risk appetite to infinity, which would create only chaos and unsustainable losses. Somewhere in that continuum lies the path to managing risk according to appetite, and the internal debate for any entity should constantly be about what our appetite for risk really is, and how we can manage risk appropriately according to that appetite.
Security, or resilience, or control, are relative terms and never absolute. They relate only to risk appetite and the ability to implement measures that are commensurate with that risk appetite. To the question 'Is it secure?', the answer can only be: 'What do you mean by secure?', in other words: 'What's your risk appetite and are you meeting that?'.