Working In Uncertainty

Defining ‘risk’

by Matthew Leitch, 29 July 2009 (extended 25 March 2010 and 6 August 2010).

Contents


The basic problem with defining ‘risk’ is that we use it to mean several different things. Some of those uses are very hard to pin down and lead to considerable confusion.

Official guides and standards, such as ISO's Guide 73 glossary of risk management terms, naturally want every term to have just one meaning, so this multiplicity is a big problem for them. The usual response is to ignore alternative meanings or write a definition that deliberately preserves the ambiguity. It would be better to understand the main meanings of ‘risk’, define separate terms for each one, and use them – at least when writing technical documents.

This article begins by reviewing a variety of interpretations of the word ‘risk’. It then offers a simple framework for understandng that variety, before suggesting what standard writers could do. If you apply this framework it is possible to unpick many common misconceptions about risk.

How many meanings does ‘risk’ have?

The word ‘risk’, like many other words that refer to mental things, such as ‘idea’, ‘concept’, ‘attitude’, and ‘culture’, is frustratingly slippery. Even in the comparatively narrow field of risk management we use it in more than one sense, often without noticing. To add to the variety that has arisen naturally through laziness, extensions, and misunderstandings there are experts who have promoted definitions they have invented.

‘The new Oxford dictionary of English’ gives definitions for ‘risk’ as both a noun and a verb. For the noun it offers two main senses and six sub-senses, with varied examples. For the verb it offers one main sense and two sub-senses. The dictionary also has explanations for seven phrases in which ‘risk’ appears with yet more meanings.

(‘Risk’ is also the name of a game, a software tool, a magazine, a song, and goodness knows how many other things!)

A survey of senses

Google for ‘risk’ and you will get plenty of hits (an estimated 242,000,000 when I tried it on 25 March 2010 on Google UK). What interpretations of ‘risk’ can be found in this sample?

1. ‘Risk’ as a modifier

The first use of ‘risk’ that came up on Google was in phrases like:

  • risk management

  • risk analysis

Here ‘risk’ is being used as what dictionaries call a ‘modifier’. It's a bit like an adjective, turning ‘management’ and ‘analysis’ into specific types of management and analysis, without really giving us any sense of what risk is thought to be.

2. ‘Risk’ as a concept

The next interpretation I found is exemplified by these phrases:

  • ...why risk has come to such prominence...

  • ...the field of risk studies...

Here ‘risk’ is being used to mean an abstract concept, topic, or perhaps all risk (whatever that is).

3. ‘Risks’ as countable things

The next use comes from a website about health and safety and is exemplified by phrases like these:

  • ...the risks that arise in the workplace...

  • ...how to assess the risks in your...

  • ...evaluate the risks...

  • ...a security risk...

Here ‘risks’ are things you can list and count, like sheep or buses. Documents describing risk management processes use this sense a lot because many of them involve making lists of risks and making a series of decisions concerning each of them.

By looking in detail at hundreds of risks on risk registers I have come to realise that even within the countable sense of ‘risk’ there are some variations in interpretation.

Occasionally, the things on the list are scales of measure, perhaps variables within a model, whose actual value is uncertain.

However, the vast majority of risks on risk registers describe a set of potential outcomes (usually vaguely) so in that way they represent sets of outcomes. In the modern mathematical theory of probability such sets of outcomes are called ‘events’. Risk analysis based on this notion of risk can be called ‘event based’ risk analysis.

Furthermore, if you look at the words more closely you can almost always see that what people have in mind is one or more scales of measure, and regions on those scales that define the events in question. Here are some simple examples:

E.g.Risk descriptionScaleRange included in the risk
1‘Inadequate human resources.’Quantity of human resources.Any human resource quantity below the level of ‘adequate’.
2‘Budget over-run.’Actual expenditure.Any expenditure above the budget.
3‘Complete systems failure.’Performance of systems.Only where performance is zero.
4‘Fire and flood.’Damage/loss from fire or from flood.Any level above zero.
5‘Customer demand is above or below expectation.’Level of customer demand.Any level not equal to the expected level.

These examples illustrate the main variations in thinking about what a risk is.

Examples 1, 2 and 3 concern scales for things that are not inherently bad or associated with external forces largely outside our control. If human resources are anywhere in the wide range of ‘adequate’ we will be happy enough. If expenditure is anywhere within budget there will be no recriminations. If systems are still working a bit the risk will not have happened.

These risks focus on the possiblity of outcomes in an undesirable range. They are often a focus for senior business managers.

In contrast, example 4 focuses on fire and flood, which are classic examples of effects that are bad if they occur to any extent at all, and that are strongly associated with external forces largely outside our control.

Other examples are fraud, theft, accidents, mistakes, severe weather, litigation, and illnesses. These are often given to a specialist manager whose job is to control major expenditures on countermeasures and encourage other control efforts.

Example 5 illustrates a modern idea about risks, which is that they can be nice surprises as well as nasty ones. This particular example considers any outcome other than the expected level to be included in the risk.

The reason that risk management guide writers have largely gone down this route is that managing nice and nasty surprises with one process makes good practical sense, and sometimes it is impossible to tell if an outcome would be nice or nasty, so splitting them isn't feasible. The problem with this is that ‘risk’ is generally thought of as bad and probably always will be. It might have worked better to jettison the word ‘risk’ and write about ‘uncertainty’ management systems instead, but that hasn't happened (yet).

4. ‘Risk’ as divisible, uncountable stuff

In contrast the next batch of examples talk of ‘risk’ as something that cannot be counted, though you might have various different quantities of it. Like water or beer it is infinitely divisible. Examples include:

  • ...taking some risk...

  • ...representing risk...

  • ...operational risk...

  • ...measuring financial risk...

  • ...cardiovascular risk score...

Exactly what this stuff is remains a puzzle. I think for most people it means some exposure to danger, or possibility of loss, or possibly just the potential effects on our position or welfare of factors that are uncertain.

The strong connection with danger is understandable. The word ‘risk’ has its origins in the 17th century, perhaps drawn from Spanish or Portugese, or from French and Italian words meaning danger. Going back to ancient Greece, the ancient word referred to stones or cliffs, and later became associated with the danger to ships posed by rocks. Risk became associated with voyages of exploration.

5. ‘Risk’ as an amount

The use of ‘risk’ to mean an infinitely divisible stuff of some kind often looks identical to ‘risk’ taken to be an amount. The writer may know what they had in mind but the reader can only guess from the context. Here are some examples:

  • long term impact risk

  • ...cancer risk assessment tool...

  • ...reduce the risk of heart disease.

In these examples the context tells me that the writer probably had in mind an amount, such as a number representing the risk of getting or having cancer, or the risk of an impact on the surface of the earth by something currently flying through space towards us.

It may be that when we use ‘risk’ in this sense we are often being a bit lazy and not mentioning explicitly that size is what we are really talking about. Consider this progression.

Full version‘The size of the risk of default on this loan has increased.’
Lazy version‘The risk of default on this loan has increased’
Very lazy version‘The risk on this loan has increased’
Fully abbreviated‘The risk has increased.’

In the last few decades there have been some interesting but unsatisfactory attempts to define ‘risk’ (or perhaps we should say the size of risk) using mathematical formulae applied to probability distributions. The probability distributions are usually for variables representing value, such as the market value of a portfolio, or the profits from a business. Leading examples reflect different interests. Some focus on the uncertainty involved and quantify in some way the spread of the distribution (e.g. variance, standard deviation). Others focus on the importance of undesirable outcomes and quantify something about the downside of the distribution (e.g. semivariance, lower partial moment, value at risk).

When people say ‘risk’ in this sense the measure of risk they have in mind may be even less satisfactory. For example, it may refer to only the probability of something happening, or only the maximum damage it could do.

6. Risks as members of a particular subset of business drivers

One of the most influential senses in which we use the word ‘risk’ is to refer to members of a particular collection of drivers of organizational results. In this usage the idea of uncertainty plays no role.

The results an organization achieves are affected by many different drivers, some of which tend to be called ‘risks’ even though virtually all drivers are to some extent uncertain. For example, the value of sales is driven by factors like the effectiveness of advertising and the prices offered and achieved. From this sales figure must be deducted the cost of goods sold, the debts not paid, the cost of fraud and theft, and many other things. Unpaid debts, fraud, and theft happen to be regarded as ‘risks’, even though the uncertainty around, say, advertising effectiveness is usually more important and in need of management.

Drivers not usually considered ‘risks’Drivers considered ‘risks’
SalesBad debts
Advertising effectivenessFraud
Discounts achieved in purchasingFailures of computer equipment

Organizations appoint people to manage drivers. People who manage drivers such as bad debt, fraud, and theft are often regarded as ‘risk managers’ but those who manage advertising and sales are not, even though the level of uncertainty they deal with, and its importance, is often much greater than that dealt with by the ‘risk managers’.

Why some drivers are said to be ‘risks’ and others are not is unclear. It may be a fuzzy concept. It may be that in our minds these drivers are linked to events that have qualities such as being dramatic, upsetting, unplanned, insurable, accidental, and not directly the result of trading activities. None of these qualities alone seems to work as a definition.

Another possibility is that this usage is the result of a historical progression. Perhaps it began narrowly and has gradually grown to include more and more drivers.

Yet another possibility is that this is purely a matter of language. The names of the drivers we consider ‘risks’ refer to purely negative outcomes, whereas other driver names do not. Perhaps if there was a well known name for advertising that backfires, causing sales to drop, then it might seem more natural to call ‘advertising backfires’ a risk and appoint someone to manage them.

Other senses

Other senses less relevant to risk management are exemplified by these phrases:

  • heritage at risk

  • ...I wouldn't risk it...

  • ...a bad risk...

  • ...at your own risk...

  • ...the company is on risk...

Putting our definitions in order

Checking dictionaries and looking at actual usage shows that (1) the word ‘risk’ is used in many senses, and (2) although the senses are related the differences are important. How can we make sense of all these interpretations of the word ‘risk’? Here's a suggestion.

The countable things called risks have a relatively simple definition that most English speakers would agree with. They are sets of futures that are (1) possible, (2) not certain, and (3) would be unwelcome if they occurred. For example, losing your home, being injured, and accidentally upsetting a friend are risks in this sense. Each could happen in lots of ways which is why they are sets of futures rather than individual futures.

(I have used the word ‘futures’ but it could have been ‘outcomes’ or ‘states of the world’, though these tend to focus on a particular aspect of the future at a particular time.)

The slippery part of this definition is the bit about the futures being unwelcome. Whether we think an outcome would be good or bad for us involves relativity. It might be relative to what we have now, what we think we are entitled to, what we plan to have, what we expect to have, or even what we would like. Given encouragement to think of ‘risks’ people will sometimes choose very optimistic benchmarks so that a set of outcomes they want to include can be regarded as unwelcome and therefore a ‘risk’.

Some ‘risks’ in this first sense are more important to us than others. The importance also gets called ‘risk’, even when we do not have a way to work it out. (This is the idea of risk as a quantity and probably spills into the indivisible sense of ‘risk’ and its use as an abstract concept.)

This idea also leads on to concepts of risk as a quantity based on the whole probability distribution of some variable, where a risk (as in a set of outcomes) is not specified but some kind of weighting is applied to points on the distribution.

Specifying how this importance is to be worked out is where the main difficulties arise and there have been many different ideas on how to do it. Some methods are calculated from risks while others are based on the whole distribution of some variable. Some methods focus on the value we put on outcomes that are within the risk (e.g. using their expected value, the value at risk, or the chance of a negative impact worse than some specified threshold). Others focus more on the uncertainty involved (e.g. variance).

Different ways to work out importance (a.k.a ‘risk’) lead to different conclusions about the way ‘risk’ should be thought about, and this has become a very confusing area. For example, people are without doubt risk averse if by ‘risk’ we mean a set of unwelcome possible outcomes. If we don't like an outcome then we don't like the possibility of that outcome either (though excitement brought on by the sense of danger may counter this aversion for some people). However, if by ‘risk’ we mean the variance of possible outcomes then it is much less clear when people are risk averse.

Impact for guidance and standards

In most technical guidance on how to manage risk the authors would very much like to offer a singe definition of ‘risk’ rather than an array of possible meanings. For the writers of standards it is a rule that each phrase given a definition should have only one definition.

One way to deal with this is to give ‘risk’ one meaning in the glossary and then just use it in all the usual ways in the main text. Clearly this isn't much of a solution.

Another approach is to define ‘risk’ using a form of words that cleverly preserves the ambiguity we are used to. For example, the definition of ‘risk’ as ‘effect of uncertainty on objectives’ substitutes nicely into phrases were we would say ‘a risk’, ‘some risk’, or ‘the topic of risk’ because the word ‘effect’ has a similar range of uses to ‘risk’.

Unfortunately, preserving the ambiguity still fails to provide a unique definition, even though this failure is disguised. In the text of guidance there may be sentences saying things like ‘The risk should be evaluated...’ where it is unclear whether the thing that should be evaluated is an item on a list of risks, its magnitude, or perhaps the magnitude of a collection of risks.

A solution

The best solution is to define separate terms for each concept we might want to use in a guide or standard. One such set might be:

  • ‘Risk event’: to mean a risk we can list and count, and that is a set of unwelcome outcomes.

  • ‘Risk variable’: to mean a variable whose actual value is uncertain.

  • ‘Risk item’: to mean a risk event or risk variable, usually depending on the style of risk analysis being used.

  • ‘Risk measure’: to mean a defined measure of the amount of risk.

  • ‘Level of risk’: to mean the amount of risk, perhaps according to some risk measure.

  • ‘Topic of risk’: to mean the abstract concept/topic.

Where ‘risk’ is used as a modifier this is usually captured by defining the phrases it is part of e.g. ‘risk management’, ‘risk analysis’.

The sense of risk where it refers to members of a particular subset of business drivers is not usually needed in standards and guides because they are concerned with important uncertainty whatever it is related to, not just where it affects the drivers considered to be ‘risks’ in this sense.

Summary

The word ‘risk’ has many meanings in the English language and guidance on how to manage risk needs to deal with this head on. It is much more important to understand how people actually use the word and work with it sensibly than to invent new meanings.



Words © 2009 Matthew Leitch. First published 29 July 2009.