Posted by: devinmoore | November 1, 2007

Proactive Technology Risk Management

Managing risk in technology is exactly like taking care of a small dog. There are only two ways to handle a dog’s needs: proactively or reactively. If you assume you can tell when a dog has to go outside, you can try to only take the dog out when you see those signs. However, no matter how attentive you are, you will inevitably miss some sign and the dog may have an accident inside. To combat this, you must take the dog out when the dog isn’t exhibiting any signs of having to go out.

Technology systems are similarly unable to announce every time a vulnerability is being exploited. The best hacks are the ones you can’t see at first glance. Therefore, practicing proactive risk management (PRM) regardless of whether there are signs of problems provides the best safety dragnet for any tech risks. For example, PRM insists that unit testing must be comprehensive and run on a regular basis to be effective. Think of the number of errors that still creep in because someone didn’t write or run a good test on the functionality they added. This testing is a required component of software design when implementing a PRM strategy.

In the extreme, reactive vs. proactive risk management is about gambling. Extremely reactive risk management is gambling that if something bad happens to your business or technology strategy, it will be a minor problem. Extremely proactive risk management is gambling that something bad will happen eventually, and so you should create mitigations for serious problems before they actually happen. Thus, the extremely proactive cannot guarantee they won’t get hit by something bad any more than the extremely reactive can. However, the extremely proactive will have a workable solution when they are hit by a bad risk, whereas the extremely reactive will have to come up with a solution after the problem has hit.

