Risk Management These Days

It seems like companies and governments can’t effectively manage risk. From a nuclear disaster apparently made out of a radioactive Pinocchio’s nose (it keeps growing every time the management lies), to badly bungled warzones, to banks that can’t pay for their mistakes, to the spill in the Gulf of Mexico…it’s like a thousand points of light, each representing some mismanaged risk that’s turned into a fire leaving people worse off than before.

Often it is the government that first requires an industry to manage its risk, then decides to help by assuming the risk (and in some cases even paying for the privilege). But you and I help, too.

In every contract of adhesion with major businesses, the language is replete with the customer holding the risk. And if that risk materializes, you can challenge in binding arbitration.

Systemic risk mismanagement is what we see, from Congress failing to do its job, to businesses going scot-free (or maybe paying a modest tribute to the gods the judge favors) no matter how egregious their crimes.

But combating the problem seems difficult. For one, the governments that are supposed to enforce risk management seem ill-equipped and reluctant. For another, while much of the internet passes around image memes of one sort, the corporations pass around their own image memes detailing how to deflect, understate, or otherwise mismanage their risk. [Use your imagination, “destroy all the things,” or “why don’t we take our risk, and move it to the children of the earth,” etc.]

Lots of solutions come to mind, but most of them rely on functional government. And unless we solve the problem of functional government soon, that’s just not a viable option to force the proper management of risk.

Why do companies insist on being risk-addled so-and-sos? The naive belief that not paying for risk will make them more money? Their corporate brothers bragging up how they just built a new virulence research facility on the roof of a preschool? Do regulations contribute to a false sense that risk is overmanaged? Is it overmanaged in some places which gives the illusion of safety?

These questions, and this post, tend to overstate the problem. There are problematic industries, yes. But in all likelihood many industries are doing a great job of managing their risks. Statistically we’re pretty safe these days. It’s easy to overstate some risks because of their visibility, magnitude, and impact.

Yes, government is currently mismanaging some risks through its inaction. The banking industry has it as an endemic problem (and even seems somewhat proud of the fact). And a few other bad industries can be lumped in with these.

But most business doesn’t seem to like the risk. We should expect them to tire of helping prop up or cover the risk loving industries. That leverage they hold should be key, if they ever wake up to what the bad bets and deflected risks are costing them. Indeed, in many cases they may be required to take action, as they are otherwise not maximizing their shareholders’ value.


Ownership and Inertia in an Open World

One problem that crops up in open source is ownership. If the user has a bug, and it’s not clear where that bug lives (i.e., in the actual application or in one of its libraries), it can be difficult to get traction toward a fix. This is true even if the user/bug advocate is somewhat knowledgeable about the environment.

The bug advocate goes to the developer community of the application that exhibits the problem, explains the details they uncovered, only to be met with a kind of skepticism or hunch on the part of the developers that it’s Not Our Bug.

The bug advocate goes to the developers of the library that may have the problem, and it’s the same thing: downstream is Doing It Wrong.

Neither set of developers really wants to step on the territory of the other more than they have to.

It can get worse. If downstream commits to an idea and tries to convince upstream, only to fail to walk away with a good outcome, they may fork or at least extend the upstream. And the next time, even if it’s a different upstream, they may be faster to fork/extend than to try to engage.

And that leads to the other problem of inertia.

A hardened outlook by downstream or upstream against third-party interactions can be a sort of inertia. Oftentimes there are perceived allies, enemies (though probably not so harsh; they are simply seen as uncooperative), and neutral (or maybe nearly-abandoned) projects.

But there are other inertiæ as well. User inertia can thwart advancements in a project, as can the inertia borne out of developer visions. Often these can be overcome through more liberal forking policies.

Liberal forking policies are great and the best way to see projects advance, but they are hard to justify when the projects in question are very monolithic and complex. Forking the Linux kernel, for example, is not something anyone would do lightly. Small software is more liberal about forks, where the amount of code in question, and its complexity, is low.

Take Conky configurations and scripts, for example. There are thousands floating around, and it’s relatively simple to take one up and modify it to taste. As none have very widespread adoption, there will be little friction or burden in a fork.

But if you want to make fundamental changes to Cairo, so much code depends on it that changing anything more than a few minor patches is a major undertaking.

Reddit is open-source, but it doesn’t see much third-party adoption because there are few projects that benefit from reuse of its code that aren’t full implementations of its services. If it is possible that some of the code from Reddit can be less-integrated, it would likely see more reuse and therefore more participation by third parties.

The bottom line is that while open source does have many benefits, it can have more benefits if we can come to terms with how to best dispose a project to participation and can work out some of the ownership issues that do thwart greater participation.