When risk is consciously accepted
Within the same organization, I've seen a different pattern repeat over time. We make deliberate decisions to live with risk.
An older system still works. It isn't ideal, but it's stable enough. Investment in it competes with new initiatives, and the decision is made to leave it as is. That decision is usually explicit: risks are identified, security concerns are documented, limitations are acknowledged, and there is a shared understanding that the system will not evolve for now.
In that moment, the risk is owned. Engineering helps frame it. Leadership agrees to live with it. The tradeoff is visible and understood.
When the risk returns
For a while, this works. The system continues operating, features are delivered elsewhere, and the accepted risk remains accepted as long as nothing forces it back into focus.
Eventually, something does. A vulnerability is reported. A dependency becomes unsupported. A system behaves unpredictably. Engineering is brought back into the conversation with a familiar question: what are we going to do about it?
What's often missing in that moment is memory of the earlier decision, the known risk, and the tradeoff that was consciously made. Under pressure, the situation feels new. Expectations shift, and the system is treated as if it should have been resilient all along.
The response is pragmatic: patch, stabilize, reduce immediate exposure. That's usually the right short-term move. But it also reaffirms the original boundary. The system still isn't worth reinvesting in, only fixing enough to move forward.
How debt compounds quietly
This is one way technical debt compounds quietly. Not through negligence, but through repeated confirmation of the same decision.
Over time, something else changes. Risk conversations become more careful, more documented, and sometimes more defensive. If raising a concern eventually leads to being treated as responsible for its outcome, incentives shift.
Strategy discussions lose continuity. Each incident is handled in isolation, and the connection to prior tradeoffs fades. The cost isn't only technical. It's organizational memory.
Strategy as stewardship
After reading Crafting Engineering Strategy by Will Larson, I started to see this less as a delivery problem and more as a stewardship problem.
Strategy isn't only about deciding where to invest. It's also about maintaining ownership of the decisions not to invest. Accepting risk is a strategic act. Continuing to own that risk when it materializes is also a strategic act.
When that ownership fades, engineering ends up responding to symptoms while the underlying tradeoff remains untouched. Over time, that creates a familiar loop: incidents are managed, pressure is reduced, and the deeper decision stays in place.
Breaking that loop doesn't require eliminating risk. It requires revisiting the tradeoff deliberately, with the same clarity that existed when it was first accepted. Without that continuity, the pattern repeats.
I used to treat these incidents as isolated operational failures. Over time, I started seeing them as continuity failures in how we carry decisions forward.
- Patrick