WiRM 1: Risks
What do we mean by 'risk'?
There is a great deal of ambiguity around the terms we use in our discussion of Risk Management (capitalised to represent the philosophy and practice). I will address these semantic issues up front to mitigate the risk of confusion later on.
The reason for this unfortunate circumstance is that, I would guess, while risks have been managed throughout history across all domains of human activity, it was always done independently. That is, the risks were specific to the activity, so the terminology around their management remained local too. We are only beginning to study risk as a single, generalisable topic, so the terms aren’t yet standardised.
The Semantics of Risk
Economists use the words ‘risk’ to describe a situation where the probability of the event is known and ‘uncertainty’ when the probability is unknown or unknowable. To them, the toss of a fair coin would be a risk scenario because all events and probabilities are known, whereas the result of a war would be uncertain because we wouldn’t be able to agree on a complete list of all potential outcomes nor estimate a probability for each.
This nomenclature is growing in popularity outside of economics, however the terms are by no means universal or settled. It is important that we can recognise the difference between calculable and incalculable risks (e.g. Taleb’s ‘Mediocristan’ vs ‘Extremistan’) because our decision-making will differ greatly from one environment to the other. Naturally, we need different words to describe these different environments, but it would be wrong to assume that everyone follows the economist’s convention.
To some non-economists, the word ‘uncertainty’ simply refers to any fact which is not known for sure. If there is any doubt, then there is uncertainty, whether probabilities are supplied or not. It is difficult to fault this more literal interpretation of the word, or to argue that an alternative interpretation is clearly preferable. However, those who use uncertainty in this context must still be able to distinguish between threats which can be identified and estimated, and those which cannot.
Another example would be the use of the word ‘hazard’ to refer to the bad event, and ‘risk’ to encapsulate the consequences of it. This term tends to be used by the insurance industry and those who work on catastrophe risk and other natural disasters. For example, the hazard could be a hurricane, and then the risk would be the potential $ costs if it made landfall. I think this is a useful distinction because it helps us to distinguish the specific event from its consequences and costs.
The key point here, and the motivation for this preamble, is to emphasize that there are no universal definitions for these words, so don’t let them confuse you and don’t lose your time to semantic arguments. What really matters is that we understand the underlying concepts and that we can communicate them to each other – whatever labels we chose to use.
If you would like a more comprehensive discussion of risk terminology, I suggest this Glossary from the Society for Risk Analysis. Otherwise, let’s begin our discussion of risk.
What Is a Risk?
A risk is a bad thing which could happen to you in the future. It could be a known, predictable threat (hurricane season) or it could be an unforeseeable event, the result of pure dumb luck (the tree falls on your car, not your neighbour’s). What matters is that it is any future outcome which would cost you time, money, health, or any other valuable resource were it to occur.
If you were a manufacturer of jeans, for example, then there would be a risk of your factory flooding, bad weather increasing inputs costs, your accountant embezzling funds, or your designs going out of fashion. Each of these events would increase your costs, lower your revenues, damage your capital, destroy your stock, and / or take up management’s decision-making time, so each would be considered a risk.
So some risks are obvious because they are intrinsically harmful, like those listed above. There are no benefits to flooding, for example. Every business, home, or any kind of building would be negatively impacted by a flood, so everyone would consider flooding a risk. Other risks are specific to the domain.
Risk Depends on Context
What an individual considers to be ‘risky’ will primarily be determined by their goals. Rain would be a risk if you were organising a summer garden party, but maybe not if you were working on a farm two miles down the road. Higher interest rates are a risk for borrowers, but a reward for lenders and savers. It is entirely possible (and indeed, quite common) for the same factor to present different risk profiles to different people.
It is also possible for a factor to be a risk one day, but not the next. Risk environments are dynamic and the pattern of risk is constantly evolving. From the farmer’s perspective, both too much rain and too little could be risks – it all depends on what his crops need. If it has been a particularly wet summer already, he might prefer blue skies and sunshine. The ‘path’ matters when managing risk.
This leads us to an idea which I believe to be one of the fundamental laws of Risk Management: one cannot have risks without goals.
Risks are inseparable from goals because it is the statement of the goal that engenders the risks. By establishing a goal, we define a future outcome we would like to achieve. In doing so, we simultaneously establish the factors that could stop us from realising that goal i.e. the risks.
If we don’t have goals then we can’t have risks because, to invert Seneca, if a man knows not to which port he sails, then no wind is unfavourable either. Right? If any outcome is acceptable then it can’t go wrong, which means there is no risk in the outcome and therefore no risk to manage.
There Are Risks Everywhere
Risk is inescapable, and not because the world is inherently dangerous, but because we have so many goals: eating, sleeping, getting to work on time, being promoted, saving for retirement, winning a Nobel, not getting divorced, etc. They are all outcomes we would like to achieve, so they all contain risks.
Assuming we have made it successfully to adulthood, most of our goals are by now mundane, quotidian responsibilities which we take for granted, like some of those listed in the previous paragraph. Others are more personal, ambitious, or demanding, but at the end of the day, they are all goals to be achieved and they all come with risks to be managed.
Anything could be a risk, in theory. Any object, idea, organism, person, construction – literally any ‘thing’ – could pose a threat to someone, somewhere, at some point in time. Again, it all depends on the context.
The fountain pen on your desk could be a risk, were it to be wielded by one of your mortal enemies. It would also be a risk just sitting there, as it could leak, sending you to the dry cleaners.
The chair you are sitting on could splinter and collapse, leaving you shocked, possibly embarrassed, and with an aching backside. The roof could fall in. The floor could give way. None of this is likely of course, but if it could happen, then it is a risk.
If you think I’m being facetious, consider how risky it is just to walk to the bus stop. You could step on fresh chewing gum (or worse), a passing car could speed through a puddle, a bird could relieve itself at your expense, or a kid on an e-scooter could whizz by nearly knocking you over. And what if you are late for your appointment – dare you run for the bus?
You could slip, fall, twist an ankle, break a heel, or pull a muscle. You probably won’t, but you might still miss the bus. Or worse: you get to the bus stop in time, but the bus is already full, leaving you hot and sweaty and still late for your appointment. And now likely frustrated too that you had wasted the effort. (Risk Managers always leave early: a healthy margin of safety is an excellent preventative and a cheap luxury.)
It is by no means trivial to say that there are risks all around us, and that we are managing them all the time. Fortunately, there is Risk Management all around us too, which is why we can safely make it through the day without losing our minds.
Commentators throughout the ages have lamented that humans are so blind to the risks which threaten us every day. I would counter that we are similarly blind to the Risk Management which quietly but effectively keeps them at bay. Perhaps if we could unblind ourselves to the Risk Management that surrounds us, we might also develop a greater consciousness of the risks which motivated it in the first place?
Risks, Probabilities, Contingencies
One of the key characteristics of a risk problem is its contingent nature. The risk event might happen or it might not, but you have no way of knowing either way. It probably won’t happen, but if it does, it will be very painful. However if you batten down the hatches and / or the storm passes you by, then you might end up feeling like a fool.
So what’s a policy-maker to do? Should they prepare for something that probably won’t happen based on the tiny fear that it might, or would their resources be more productively deployed elsewhere? Why spend money trying to solve a problem that might not even exist – especially with an election around the corner?
Risks would be a lot easier to manage if you knew for sure where and when the bad news would arrive – or better yet, that it would not arrive at all – but then it wouldn’t be a risk problem, would it? The contingency is inescapable because it’s innate to the problem.
All risk management (the work and the practice, not the whole body of thought) is contingency planning of some sort or other. You’re always asking yourself ‘what if?’, and then planning for those scenarios.
Risks aren’t like bills or invoices. They aren’t fixed costs coming through the letter box with regularity and predictability. Risks are more like bills that arrive at random, for unknown amounts, and you have to pay them immediately, or face worse consequences. (So yes, that policy-maker should prepare for the risk, even if the event is unlikely to happen.)
The ‘risk’ in this context is not just the bad event itself (the threat or hazard), it also includes the doubt about whether the event will happen. So the risks we manage are composed of two parts: the probability of the bad event occurring (within a given period of time1), and the cost to us if it does.
The probability is always above 0 and always less than 1. In statistics, probabilities lie between 0 (impossible) and 1 (certain) inclusive, but in Risk Management we drop the ‘inclusive’ as the impossible does not require management and the certain is not a risk. In our practice, the threat is always possible, never guaranteed, but we must be prepared regardless.
The second part of the risk equation – the estimated cost of the bad event – will be specific to the context: the individual, the game they’re playing, their goals, the environment, their current position, etc. The estimation of potential costs is clearly an important part of effective risk management, but it is too specific to be relevant to this discussion so we won’t discuss it here.
Risk and Return
Finally, risk is conventionally thought of as something inherently bad and always to be avoided (e.g. house-fires, flooding, heart disease, physical violence), and that is the context in which risk is discussed in this Substack. However, we should also note that some risks are two-sided: they offer the potential of positive outcomes as well as negative.
Gambling, for example, is a game of risk which can either make you or break you (or make you then break you). Similarly, financial investors will talk of currency risk, liquidity risk, or credit risk, but these are not threats: they are exposures for which the investors expect to be compensated. You’ll often hear them talk of a ‘risk premium’, and this is the higher return they need to justify taking on that extra risk.
None of that applies to pandemic prevention, however. Pandemics are one-way risks which can only ever break us, and the only way we can ‘win’ is by ensuring they never get the chance.
The proviso “within a given period of time” is necessary because on a long enough time frame, all probabilities go to 1. Another fundamental law (selon moi) of Risk Management is that if it can happen, it will happen – eventually. If time is infinite, then all risks are guaranteed. Time limits are needed to make risk problems finite and tractable.