In a recent post I I argued that risk frameworks’ models of an entity’s risk appetite contain implicit risk-neutrality. Some readers understood me to say that the frameworks promote indifference toward taking or not taking a well-motivated business risk. That wasn’t my intent; I don’t think risk frameworks have that particular problem.
Risk registers often model risk as the arithmetic product of likelihood (probability) and the cost of an unwanted event. By doing this, risk frameworks assume an enterprise is indifferent to two risks having the same numerical value of that product, where one risk has high probability and low cost and another has high cost and low probability.
Frameworks further mischaracterize an enterprise resulting in poor risk guidance and crypto-normativity, i.e., implicit bias, telling the enterprise what its values should be rather than supporting a decision process consistent with its values. Assuming that users of frameworks compensate for implicit risk-neutrality, they must then deal with the presumption of constancy of risk-adversity or risk-seekingness across costs or opportunities. This is a highly inaccurate model of how humans and enterprises address risk.
The example in my risk-neutrality post was equivalent to a single horse race with high and low odds options. That is, in a race, one horse has high odds (low probability – high winnings) while another has low odds (high probability – low winnings).
It might be more useful to view business decisions as a day at the races rather than a single race. Not all races at Churchill Downs, on any given day, may have an extreme low-probability bet, so a risk seeker would likely skip betting on that race. In addition to picking horses we must pick the races in which we place bets and decide how much to bet.
How enterprises behave in an equivalent business scenario depends on their values, their distributed knowledge of the domain, and some irrational beliefs. I’m not concerned here with the latter, and risk frameworks do little to dispel such beliefs. I’ll assume, for sake of argument, that an enterprise’s picks of races and bet amounts are justified.
With that assumption, evidence still suggests the complexity of judgment in picking races and the amount to wager (risk preferences) is high, and that risk frameworks cannot accommodate it.
Continuing with the horse race analogy, work of several researchers has shown that the risk appetite of real horse-race gamblers can be modeled with a utility function that, in addition to the mean value and expected value of returns, considers skewness.
At low odds (high probability – low winnings) the gamblers are risk averse, but for high odds (low probability – high winnings) they are risk seeking.
Assume, for sake of argument, that all available bets at the track have roughly the same expected value, i.e., the track or bookie’s income is from margin, not speculation. This is usually true, although bookmakers sometimes adjust odds and point spreads to increase the number of of bettors against a horse perceived as being on a winning streak (thereby making the wager literally unfair).
But all races may not have a high-odds (low probability – high winnings) option. For such races, the gambler might still bet, but be risk-averse, yet be risk-seeking for races having a high-odds option. Golec and Tamarkin cover this in Bettors love skewness, not risk, at the horse track. Garrett and Sobel found the same for state lotteries, giving an explanation for why otherwise risk-averse people pay a dollar for lottery tickets with an expected value of fifty cents.
The economic utility function of a risk-averse entity is convex (blue below) and concave for risk seekers (red). Golec and Tamarkin modeled the utility function of many gamblers as a curve of order 3 (cubic), as seen in green below.
The preferences of organizations, whether reasonable or unreasonable in the view of any particular observer, may be beyond the scope of risk management. If risk frameworks care to judge the justification of preferences, they should do so explicitly, rather than embedding implicit neutrality (or any other utility function) into the frameworks. In addition to the insufficiency of risk registers as a basis for enterprise decision-making, we must accept that risk registers aren’t merely insufficient, they are outright wrong, or worse.
– – –
In the San Francisco Bay area?
If so, consider joining us in a newly formed Risk Management meetup group.
Risk assessment, risk analysis, and risk management have evolved nearly independently in a number of industries. This group aims to cross-pollinate, compare and contrast the methods and concepts of diverse areas of risk including enterprise risk (ERM), project risk, safety, product reliability, aerospace and nuclear, financial and credit risk, market, data and reputation risk, etc.
This meetup will build community among risk professionals – internal auditors and practitioners, external consultants, job seekers, and students – by providing forums and events that showcase leading-edge trends, case studies, and best practices in our profession, with a focus on practical application and advancing the state of the art.
If you are in the bay area, please join us, and let us know your preferences for meeting times.