Areas of risk include:
- Financing and credit
- Life and limb (safety)
- Natural hazard
- Human capital
Prelude to the question: “What is risk?” –
If the borrower fails to repay the loan, how do we describe the associated risk? What are the parameters of that risk?
The meaning of “risk,” according to different sources:
- Uncertainty – Association for Project Management, Frank Knight, PRAM
- Volatility – in finance
- Probability of a threat or opportunity – BS6079-1, Project Management Institute, COSO
- Effect of uncertainty on objectives (positive or negative) – ISO 31000
- Something bad might happen – pragmatist
- Arithmetic product of probability * quantified severity of unwanted event – many engineers
- A combination of probability and severity of an unwanted event – FAA, FDA
Taken literally, the definition of risk used in most project-management and enterprise-risk frameworks, you are required to say that there is risk in a coin flip on which you have wagered nothing but that there is not uncertainty in the outcome of that flip.
Incoherent conceptions of probability, uncertainty, “strict uncertainty” and risk undermine many if not most of the frameworks, commercial tools, standards, training and certification in the fields of risk.
Nearly all risk organizations and standards bodies regularly cite commercial aviation as a precedent for their frameworks. There is good reason for such citation. In no other area has an activity so inherently dangerous been made quantifiably safe – one of the safest activities on earth, in fact. But the conceptions of risk and the implementation of risk management outside of engineering, actuarial science (where both risk and the effectiveness of risk management are measured) and a few other exemplars are often feeble and insincere, and are completely at odds with aviation’s conception of risk.
Having worked in enterprise and project risk management for a decade and in aerospace, nuclear, and chemical processing frisk management for three decades, I feel that enterprise risk management has a very long way to go to fulfill its promise; and I’m here to take part in its development. This will take some work. There’s a lot to learn, and a lot to unlearn.
On the question at the top of this page about loan default, most rational people judge the risk to have something to do with the likelihood (i.e., probability) of the default and its dollar value. That is, they judge risk to be the possibility of an unwanted loss of some magnitude. The risk of default on a single $1 loan is low regardless of probability. Riskiness involves two quantities: the probability and the cost of the loss. The risk of the loss is not merely the probability of the loss, as it is defined to be in most enterprise risk frameworks. Further, a lender might have sound reasons for judging ten $1 losses to be more undesirable than one $10 loss. Thus, it is erroneous to embed risk-neutrality into risk analysis (i.e., risk must be modeled as a vector quantity). Finally, while something good might follow from default on a loan, no lender views default itself as having positive value. Yet most risk frameworks violate all of the rational judgments above, because they adhere to definitions and risk models developed by those with no background in risk analysis.
Risk is neither abstract nor intangible. Advancing risk management will require replacing some of the long-held (starting with Frank Knight’s 1921 Risk, Uncertainty, and Profit) but confused and problematic concepts of risk (adopted by PMI, COSO, PRAM, APM, and even NIST) with ideas more consistent with established science and mathematics. For example:
- Risk is always bad, never good. Taking risk is necessary to get rewards and benefits, but if we could get the rewards without the risk we would do so. (It is incoherent to say risk is the chance of positive or negative unexpected turns while also talking of risk abatement and risk mitigation.)
- Risk is not uncertainty. Uncertainty is uncertainty. Uncertainty has a specific meaning in math and science, which is very useful in risk management.
- Risk involves a combination of probability and severity of a loss, whether the loss is expressed in dollars, reputation, or lives. (1 in 1 billion chance of fatal crash, e.g.)
- Risk is a vector quantity, not a scalar.
- Uncertainty is not the inability to quantify probabilities of various outcomes ( per Knight, as adopted by PMI, etc.). Nor is it ambiguity or vagueness.
- Uncertainty can always be quantified, either by measurement or by rational estimation (Bayesian networks, e.g.)
- Uncertainty can be expressed as a probability. Ignorance cannot.
- Risk culture is important but useless without accompanying risk science.
- Risk management must extend beyond Management and management initiatives.
- There is more to risk management than risk transfer.
- Risk management is about what might happen tomorrow, not yesterday’s news.
- Risk management is not regulatory compliance.
- Risk assessment is part of decision analysis, not the other way around.
If item 13 strikes you as an odd claim, consider the following statement from the risk practice of one of the Big 4 consultancies:
“It is the added insight of the risk factors driving uncertainty that makes causal models a step up from simply extrapolating past relationships in a pro forma approach.”
Risk factors don’t drive uncertainty. Uncertainty is a component of risk.
Another of the Big 4’s risk practices tells us that “senior executives determine levels of risk” by using “the company risk insight” to “embed risk management principles” into business decisions. These are nice words, but risk insights didn’t make flying safe. Sound risk analysis did. Risk is neither abstract nor intangible.
To move beyond platitudes into a realm where we are actually managing risks, we still need Management, changes in corporate culture, regulatory compliance and part of the core of popular risk frameworks. But there’s a much greater need for the relevant, established tools of science, engineering, and behavioral economics that have made flying the safest way to travel.