In the wake of an incident, we can often identify a risky action that was taken by an engineer that contributed to the incident. However, actions that look risky to us in retrospect didn’t necessarily look risky to the engineer who took the action in the moment. In the SINTEF A17034 report on Organizational Accidents and Resilient Organisations: Six Perspectives, the authors draw a distinction between taking a risk and running a risk.
When you take a risk, you are taking an action that you know to be risky. When an engineer says they are YOLO’ing a change, they’re taking a risk.
On the other hand, running a risk refers to taking a course of action that is not believed to be risky. These are the kinds of actions that we only categorize as risky in hindsight, when we have more information than the engineer who took the course of action in the moment.
Sometimes we deliberately take a risk because we believe there is greater risk if we don’t take action. But running a risk is never deliberate, because we didn’t know the risk was there in the first place.