*William Storage – Oct 29, 2016*

*VP, LiveSky, Inc., Visiting Scholar, UC Berkeley History of Science*

Wikipedia describes risk-neutrality in these terms: “A risk neutral party’s decisions are not affected by the degree of uncertainty in a set of outcomes, so a risk-neutral party is indifferent between choices with equal expected payoffs even if one choice is riskier”

While a useful definition, this statement is still problematic, since we don’t all agree on what “riskier” means. We can compare both the likelihoods and the costs of different risks, but comparing their *riskiness* using a one-dimensional range (i.e., higher vs. lower) requires a scalar calculus of risk. If risk is a combination of probability and severity of an unwanted outcome, *riskier* might equate to a larger value of the arithmetic product of the relevant probability and severity. But defining risk as such a scalar (area under the curve, therefore one dimensional) value is a big step, one which analysis of human behavior suggests is not at all an accurate representation of how we perceive risk. It implies risk-neutrality.

Most people agree, as Wikipedia states, that a risk-neutral party’s decisions are not affected by the degree of uncertainty in a set of outcomes. On that view, a risk-neutral party is indifferent between all choices having equal expected payoffs.

Under this definition, if risk-neutral, you would have no basis for preferring any of the following four choices over another:

1) a 50% chance of winning $100.00

2) An unconditional award of $50.

3) A 0.01% chance of winning $500,000.00

4) A 90% chance of winning $55.56.

If risk-averse, you’d prefer choices 2 or 4. If risk-seeking, you’d prefer 1 or 3.

Now let’s imagine, instead of potential winnings, an assortment of possible unwanted events, which we can call *hazards*, for which we know, or believe we know, probability values. One example would be to simply turn the above gains into losses:

1) a 50% chance of losing $100.00

2) An unconditional payment of $50.

3) A 0.01% chance of losing $500,000.00

4) A 90% chance of losing $55.56.

In this example, there are four different hazards. To be accurate, we observe that loss of money is not a useful statement of a hazard. Loss of a *specific amount* of money is. The idea that rational analysis of risk entails quantification of hazards (independent of whether probabilities are quantified) is missed by many risk management efforts, and is something I discuss here often. For now, note that this example uses four separate hazards, each having different probabilities, resulting in four risks, all having the same $50 expected value, labeled 1 through 4. Whether those four risks can be considered *equal* depends on whether you are risk-neutral.

If forced to accept one of the four risks, a risk-neutral person would be indifferent to the choice; a risk seeker might choose risk 3, etc. Banks are often found to be risk-averse. That is, they will pay more to prevent risk 3 than to prevent risk 4, even though they have the same expected value. Viewed differently, banks often pay much more to prevent one occurrence of hazard 3 than to prevent 9000 occurrences of hazard 4, i.e., $500,000 worth of them. Note the use of the terms “hazard 3” and “risk 3” in the preceding two sentences; *hazard* and *risk* have very different meanings here.

If we use the popular heat-map approach (sometimes called risk registers) to visualizing risks by plotting the four probability-cost vector values (coordinates) on a graph, they will fall on the same line of constant risk. Lines of constant risk, as risk is envisioned in popular risk frameworks, take the form of y = 1/x. To be precise, they take the form of y = a/x where * a *represents a constant number of dollars called the expected value (or mathematical expectation or

*first moment*) depending on area of study. For those using the heap-map concept, this number is exactly equal to the “risk” being modeled. In other words, in their model, risk equals probability times cost of the hazard: R = p * c. So if we graph probability on the x-axis and cost on the y-axis, we are graphing c = R/p, which is analogous to the y=a/x curve mentioned above. A sample curve of this form, representing a line of constant risk appears below on the left.

In my example above, the four points (50% chance of losing $100, etc.) have a large range of probabilities. Plotting these actual values on a simple grid isn’t very informative because the data points are far from the part of the plotted curve where the bend is visible (plot below on the right).

Good students of high-school algebra know a fix for the problem of graphing data of this sort (monomials): use log paper. By plotting equations of the form described above using logarithmic scales for both axes, we get a straight line, having data points that are visually compressed, thereby taming the large range of the data, as below.

Popular risk frameworks use a different approach. Instead of plotting actual probability values and actual costs, they plot scores, say from one ten. Their reason for doing this is more likely to convert an opinion into a numerical value than to cluster data for easy visualization. Nevertheless, plotting scores – on linear, not logarithmic, scales – inadvertently clusters data, though the data might have lost something in the translation to scores in the range of 1 to 10. In heat maps, this compression of data has the undesirable psychological effect of implying much small ranges for the relevant probability values and costs of the risks under study.

A rich example of this effect is seen in the 2002 PmBok (Project Management Body of Knowledge) published by the Project Management Institute. It assigns a score (which it curiously calls a rank) of 10 for probability values in the range of 0.5, a score of 9 for p=0.3, and a score of 8 for p=0.15. It should be obvious to most having a background in quantified risk that differentiating failure probabilities of .5, .3, and .15 is pointless and indicative of bogus precision, whether the probability is drawn from observed frequencies or from subjectivist/Bayesian-belief methods.

The methodological problem described above exists in frameworks that are implicitly risk-neutral (most are, with a few noted exceptions, e.g., commercial aviation, medical devices, and some of NASA). The real problem with the implicit risk-neutrality of risk frameworks is that very few of us – individuals or corporations – are risk-neutral. And no framework has any business telling us that we should be. Saying that it is somehow rational to be risk-neutral pushes the definition of rationality too far. Doing so crosses the line from deductive (or inductive) reasoning to human values. It is convenient, for those seeking the persuasive power of numbers (however arbitrary or error-laden those scores and ranks might be) to model the universe as risk-neutral. But human preferences, values, and ethics need not abide that convenience, a convenience persuasive because of apparent mathematical rigor, but one that makes recommendations inconsistent with our values.

As proud king of a small distant planet of 10 million souls, you face an approaching comet that, on impact, will kill one million in your otherwise peaceful world. Your planet’s scientists and engineers rush to build a comet-killer nuclear rocket. The untested device has a 90% chance of destroying the comet but a 10% chance of exploding on launch thereby killing everyone on your planet. Do you launch the comet-killer, knowing that a possible outcome is total extinction? Or do you sit by and watch one million die from a preventable disaster? Your risk managers see two choices of equal risk: 100% chance of losing one million and a 10% chance of losing 10 million. The expected value is one million lives in both cases. But in that 10% chance of losing 10 million, there is no second chance – an existential risk.

If these two choices seem somehow different, you are not risk-neutral. If you’re tempted to leave problems like this in the capable hands of ethicists, good for you. But unaware boards of directors have left analogous dilemmas in the incapable hands of facile risk frameworks.

The risk-neutrality embedded in risk frameworks is a subtle and pernicious case of Hume’s Guillotine – an inference from “is” to “ought” concealed within a fact-heavy argument. No amount of data, whether measured frequencies or subjective probability estimates, whether historical expenses or projected costs, even if recorded as PmBok’s scores and ranks, can justify risk-neutrality to parties who are not risk-neutral. So why do we embed it in our frameworks?

*“If we take in our hand any volume; of divinity or school metaphysics, for instance; let us ask, Does it contain any abstract reasoning concerning quantity or number? No. Does it contain any experimental reasoning concerning matter of fact and existence? No. Commit it then to the flames: for it can contain nothing but sophistry and illusion.”* – David Hume, *An Enquiry Concerning Human Understanding*

**– – –**

**In the San Francisco Bay area?**

If you are, consider joining us in a newly formed *Risk Management meetup group*.

Risk assessment, risk analysis, and risk management have evolved nearly independently in a number of industries. This group aims to cross-pollinate, compare and contrast the methods and concepts of diverse areas of risk including enterprise risk (ERM), project risk, safety, product reliability, aerospace and nuclear, financial and credit risk, market, data and reputation risk, and so on.

This meetup aims to build community among risk professionals – internal auditors and practitioners, external consultants, job seekers, and students – by providing forums and events that showcase leading-edge trends, case studies, and best practices in our profession, with a focus on practical application and advancing the state of the art.

If you’re in the bay area, please join us, and let us know your preferences for meeting times.

## 2 thoughts on “Risk Neutrality and Risk Frameworks”