The Semantics of Risk
There is a great deal of ambiguity around the terms we will use in our discussion of Risk Management (capitalised to represent the whole body of thought). The reason for this unfortunate circumstance, I would guess, is that risks have been managed in many different domains of human activity, but always independently. The risks were specific to the activity, so the terminology around their management was too. We are only beginning to study risk as a single, general topic, so perhaps it’s no surprise that the terms haven’t yet been standardised. In any case, I will address these semantic issues up front to mitigate the risk of confusion later on.
Economists use the words ‘risk’ to describe a situation where the probability of the event is known, and ‘uncertainty’ when the probability is unknown or unknowable. To them, the toss of a fair coin would be a risk scenario because all events and probabilities are known, whereas the result of the Ukraine war would be uncertain because we wouldn’t be able to agree on a complete list of all potential outcomes. But even if we did, we couldn’t calculate a probability for each. Anything is possible in an uncertain environment.
This nomenclature is growing in popularity outside of economics, however the terms are by no means universal or settled. It is important that we can recognise the difference between calculable and incalculable risks (‘Mediocristan’ vs ‘Extremistan’) because our decision-making will differ greatly from one environment to the other. Naturally, we need different words to describe these different environments. However, it would be wrong to assume that everyone follows this convention.
To some non-economists, the word ‘uncertainty’ simply refers to any fact which is not known for sure. If there is any doubt, then there is uncertainty, whether probabilities are supplied or not. It is difficult to fault this more literal interpretation of the word, or to argue that an alternative interpretation is clearly preferable – as long as those who use it can still distinguish between the threats which can and cannot be estimated.
The word ‘risk’ might be the most troublesome of all. It could refer to the outcome to be avoided, the possibility of it occurring (estimatable or not), or the combination of both. Some argue that an event can only be a risk if there is something at stake. From that perspective, it would be uncertain whether the coin will land heads or tails, but if no one is betting on it, then there is no risk either way.
If you think it’s a bit weird that we are discussing a subject which has no formal definition, fair enough! It is a bit odd. How can we study ‘risk’ when we can’t even agree on what it is we are discussing? Well, we can and we do. Such is the nature of our work: the risks must be managed regardless.
A final example would be the use of the word ‘hazard’ to refer to the bad event, and ‘risk’ to encapsulate the consequences of it. This term tends to be used by the insurance industry and those who work on natural disasters. For example, the hazard could be a hurricane and the risk would be the potential $ costs if it made landfall. I think it is helpful to have a word to distinguish the specific event from its costs or consequences. I normally use the word ‘threat’ for this job, but I might also use ‘hazard’ in future.
The key point here is that there are no universal definitions for these words, so don’t let them confuse you and don’t lose your time to semantic arguments. What really matters is that we understand the underlying concepts and that we can communicate them to each other. If you would like a more comprehensive discussion of risk terminology, I suggest this Glossary from the Society for Risk Analysis.
With that out of the way, let’s begin our discussion of risk.
What Is a Risk?
A risk is a bad thing which could happen to you in the future. It could be a known, predictable threat (hurricane season) or it could be an unforeseeable event, the result of pure dumb luck (a tree falls on your car, not your neighbour’s). What matters is that it is any future outcome which would cost you time, money, health, or any other valuable resource were it to occur.
If you manufactured jeans for example, then there would be a risk of your factory flooding, bad weather increasing inputs costs, your accountant embezzling funds, or your designs going out of fashion. Each of these events would increase your costs, lower your revenues, damage your capital, destroy your stock, and / or take up management’s decision-making time, so each would be considered a risk.
Risk Depends on Context
Some risks are obvious because they are intrinsically harmful, like those listed above. There are no benefits to flooding, for example. Every business, home, or any kind of building would be negatively impacted by a flood, so everyone would consider flooding a risk. Most risks, however, depend on context.
What an individual considers to be ‘risky’ will be determined by their goals. Rain would be a risk if you were organising a summer garden party, but maybe not if you were working on a farm two miles down the road. Higher interest rates are a risk for borrowers, but a reward for lenders and savers. It is entirely possible (and indeed, quite common) for the same factor to present different risk profiles to different people.
It is also possible for a factor to be a risk one day, but not the next. Risk environments are dynamic and the pattern of risk is constantly evolving. From the farmer’s perspective, both too much rain and too little could be risks – it all depends on what his crops need. If it has been a particularly wet summer already, he might prefer blue skies and sunshine. The ‘path’ matters when managing risk.
This leads us to an idea which I believe to be one of the fundamental laws of Risk Management (if you’ll allow me): one cannot have risks without goals.
To invert Seneca: if a man knows not to which port he sails, then no wind is unfavourable either, right?
If you don’t have a goal – a state of the world which you would like to achieve or maintain – then any outcome is acceptable. It can’t go right and it can’t go wrong. But if there’s no risk of it going wrong, then there are no risks to manage. There has to be a goal before there can be risks.
This is not a theoretical or academic point. It is both, actually, but it is also a message of immense practical importance, as it contains a salutary warning to all risk managers: be clear about your goals and keep your progress front of mind. Otherwise, you might end up managing the wrong risks, and that can be just as disastrous as managing none at all.
There Are Risks Everywhere
Risk is inescapable, and not because the world is inherently dangerous, but because we have so many goals.
Eating, sleeping, getting to work on time, being promoted, saving for retirement, winning a Nobel, not getting divorced, etc. Most of our goals are, by now, mundane, quotidienne responsibilities which we take for granted. Others are more personal, ambitious, or demanding, but at the end of the day, they are all goals to be achieved and they all come with risks to be managed.
Anything could be a risk, in theory. Any object, idea, organism, person, construction – literally any ‘thing’ – could pose a threat to someone, somewhere, at some point in time. Again, it all depends on the context.
The fountain pen on your desk could be a risk, were it to be wielded by one of your mortal enemies. It would also be a risk just sitting there, as it could leak, sending you to the dry cleaners.
The chair you are sitting on could splinter and collapse, leaving you shocked, possibly embarrassed, and with an aching backside. The roof could fall in. The floor could give way. None of this is likely of course, but if it could happen, then it is a risk.
If you think I’m being facetious, consider how risky it is just to walk to the bus stop. You could step on fresh chewing gum (or worse), a passing car could speed through a puddle, a bird could relieve itself at your expense, or a kid on an e-scooter could whizz by nearly knocking you over. And what if you are late for your appointment – dare you run for the bus?
You could slip, fall, twist an ankle, break a heel, or pull a muscle. You probably won’t, but you might still miss the bus. Or worse: you get to the bus stop in time, but the bus is already full, leaving you hot and sweaty and still late for your appointment. And now likely frustrated too that you had wasted the effort. (Risk managers always leave early: a healthy margin of safety is an excellent preventative and a cheap luxury.)
It is by no means trivial to say that there are risks all around us, and that we are managing them all the time. Anything could go wrong at any given moment and each one of those ‘things’ is a risk we run every second of every day. Fortunately, there is Risk Management all around us too, which is why we can get through the day without losing our minds.
Commentators throughout the ages have lamented that humans are so blind to the risks which threaten us every day. I would counter that we are similarly blind to the Risk Management which quietly but effectively protects us from them. Perhaps if we could unblind ourselves to the Risk Management, we might also develop a greater consciousness of the risks which motivated it in the first place?
Risks, Probabilities, Contingencies
One of the key characteristics of a risk problem is its contingent nature. The risk event might happen or it might not, but you have no way of knowing either way. It probably won’t happen, but if it does, it will be very painful. However, if you batten down the hatches too soon and / or the storm passes you by, you might be left looking like a fool.
So what’s a policy-maker to do? Should they prepare for something that probably won’t happen based on the tiny fear that it might, or would their resources be more productively deployed elsewhere? Why spend money trying to solve a problem that might not even exist – especially with an election around the corner?
Risks would be a lot easier to manage if you knew for sure where and when the bad news would arrive – or better yet, that it would not arrive at all – but then it wouldn’t be a risk problem, would it? The contingency is inescapable because it’s innate to the problem.
I will make two points here.
The first is that all risk management (the work and the practice, not the whole body of thought) is contingency planning of some sort or other. You’re always asking yourself ‘what if?’, and then planning for those scenarios. Risks aren’t like bills or invoices. They aren’t fixed costs coming through the letter box with regularity and predictability. Risks are bills that arrive at random, for unknown amounts, and you have to pay them immediately, or face worse consequences. (So yes, that policy-maker should prepare for the risk, even if the event is unlikely to happen.)
The second point is that the ‘risk’ in this context is not just the bad event itself (the threat or hazard), it also includes the doubt about whether the event will happen. So the risks we manage are composed of two parts: the probability of the bad event occurring (within a given period of time1), and the cost to us if it does.
The probability is always above 0 and always less than 1. In statistics, probabilities lie between 0 (impossible) and 1 (certain) inclusive, but in Risk Management we drop the ‘inclusive’ as the impossible does not require management and the certain is not a risk. In our practice, the threat is always possible, never guaranteed, but we must be prepared regardless.
The second part of the risk equation – the estimated cost of the bad event – will be specific to the context: the individual, the game they’re playing, their goals, the environment, their current position, etc. The estimation of potential costs is clearly an important part of effective risk management, but it is too specific to be relevant to this discussion.
Risk and Return
Finally, risk is conventionally thought of as something inherently bad and always to be avoided (eg house-fires, flooding, heart disease, physical violence), and that is the context in which it is discussed in this Substack. However, we should also note that some risks are two-sided: they offer the potential of positive outcomes as well as negative.
Gambling, for example, is a game of risk which can either make you or break you (or make you then break you). Similarly, financial investors will talk of currency risk, liquidity risk, or credit risk, but these are not just threats: they are exposures for which the investors expect to be compensated. You’ll often hear them talk of a ‘risk premium’, and this is the higher return they need to justify taking on that extra risk.
None of that applies to pandemic prevention, however. Pandemics are one-way risks which can only ever break us, and the only way we can ‘win’ is by ensuring they never get the chance.
The proviso “within a given period of time” is necessary because on a long enough time frame, all probabilities go to 1. Another fundamental law (selon moi) of Risk Management is that if it can happen, it will happen – eventually. If time is infinite, then all risks are guaranteed. Time limits are needed to make risk problems finite and tractable.