Institutions that manage the risk of action systematically under-manage the risk of inaction, which is often larger and always less visible.
The Asymmetric Accountability of Action and Inaction
Institutional risk management processes are designed to manage the risk of doing things. They evaluate proposals, assess their risks, require mitigation plans, and create accountability structures for the outcomes of the actions taken. They are not designed to manage the risk of not doing things — of deferring decisions, declining opportunities, maintaining existing approaches in the face of changing conditions, or failing to act in response to emerging threats.
This asymmetry reflects the accountability structures that institutions operate within. Actions have visible authors who can be held responsible for their consequences. Inactions do not — the decision not to act is distributed across the actors who chose not to prioritise the issue, declined to escalate it, or lacked the authority to force action on it. The result is that action risk is systematically over-managed and inaction risk is systematically under-managed, producing institutions that are cautious about what they do and careless about what they fail to do.
Where Inaction Risk Is Largest
The risk of inaction is largest in three categories of institutional decision. The first is the response to emerging threats — the slow-developing risk that has not yet produced a crisis but is on a trajectory that will. The institution that identifies this threat and fails to act absorbs the full cost of waiting; the institution that acts early absorbs only the cost of the action. The second is the response to competitive or environmental change — the institutional adaptation that could have been initiated early and at low cost but was deferred until change was forced by external pressure and the adaptation window had significantly narrowed. The third is talent and capability investment — the development of the people and systems that the institution will need in the future but which are not yet urgently needed in the present.
In each category, inaction defers cost from the present into the future while compounding it — the threat grows, the adaptation window narrows, the capability deficit deepens. The inaction risk is the expected cost of this compounding, discounted by the probability that the threatening condition materialises before action is taken.
The risk of doing nothing is almost never zero and is often larger than the risk of doing something. The institution that manages only the risk of action is managing half the risk landscape and systematically choosing the half that is easier to account for rather than the half that is more consequential to address.
Discussion