The risk in eliminating risk

— Update: July 2013 —

Earlier this month there was a news article covering the deaths of two teenagers in a car accident. The cause? It is believed that they were driving dangerously fast in order to get home before a curfew. Missing the deadline would have led to a £100 fine. A lot of money for most students. The car had been fitted (optionally) with a tracking device intended to encourage safer driving. An ill-conceived idea leading to tragic unintended consequences: Insurance curfew blamed for fatal teenage car crash.

Whilst the theory was sound, life can be messy. Would anybody prefer a teenage driver to risk speeding to beat a curfew or risk staying put in a vulnerable location to avoid a fine or driving ban? Legislation to eliminate one risk created another, possibly worse, in its place.

— Original post: September 2010 —

Heard on the radio this morning and currently one of the headlines on the BBC News web site: New driver restrictions would save lives:

Newly qualified young drivers should be banned from night-time motoring and carrying passengers of a similar age, Cardiff University researchers say… “graduated driver licensing” for those aged 17-24 could save more than 200 lives and result in 1,700 fewer serious injuries each year.

The research in question is road accident data from 2000 to 2007 that suggests one in five new drivers crashes within the first six months. So the plan is to try and eliminate the range of conditions that led to the accidents? That’s just delaying taking responsibility for your actions.

Rather than attempting to ban youngsters from certain driving conditions, which would be both expensive and impossible to police, I’ve a better suggestion – advise parents to not pay for driving lessons or buy cars for their children. From my own informal observations, people who have to earn and save money to pay for their own driving lessons and to buy their own car (and then save for another six months to afford the insurance) will treat it with a lot more respect and will therefore be less likely to crash (the insurance premium alone will be a sufficient deterrent for most).

Trying to eliminate risk through legislation is, at best, an inefficient approach. And at worst, can make matters worse – the law of unintended consequences is particularly active in systems involving people. Cue link to information systems 🙂

When deploying intranets and collaborative web sites, the issue of security and permissions is always a challenge. Many organisations want to lock down access to everything, i.e. you can only access documents you have explicit permission to use. It’s a risk avoidance strategy. Research could probably justify it by showing you that one in five new employees leak data during their first six months… The more effective solution for that scenario would be to improve your recruitment process.

Whilst some information does need to be tightly controlled – particularly anything of a legal and/or sensitive nature involving personal information – it is usually a small percentage of an information system. Manage that percentage as an exception rather than the rule and don’t apply rigid security by default. In attempting to eliminate the risk of someone seeing something they shouldn’t you risk making it difficult for everyone to see everything they need. That is not a good outcome for a system that is supposed to improve productivity and collaboration.