Risk concerns the expected value of one or more results of one or
more future events. Technically, the value of those results may be
positive or negative. However, general usage tends to focus only on
potential harm that may arise from a future event, which may accrue
either from incurring a cost ("downside risk") or by failing to
attain some benefit ("upside risk").
Historical background
The term risk may be traced back to classical Greek rizikon (Greek
ριζα, riza), meaning root, later used in Latin for cliff. The term
is used in Homer’s Rhapsody M of the Odyssey, "Sirens, Scylla,
Charybdee and the bulls of Helios (Sun)": Odysseus tried to save
himself from Charybdee at the cliffs of Scylla, where his ship was
destroyed by heavy seas generated by Zeus as a punishment for his
crew's earlier killing of the bulls of Helios (the god of the sun),
by grasping the roots of a wild fig tree.
For the sociologist
Niklas Luhmann
the term 'risk' is a neologism which appeared with the transition
from traditional to modern society. "In the
Middle Ages the term
riscium was used
in highly specific contexts, above all sea trade and its ensuing
legal problems of loss and damage." In the
vernacular languages of the 16th century the
words
rischio and
riezgo were used, both terms
derived from the Arabic word "رزق", "rizk", meaning 'to seek
prosperity'. This was introduced to continental Europe, through
interaction with Middle Eastern and North African Arab traders. In
the
English language the term
risk appeared only in the 17th century, and "seems to be
imported from continental Europe." When the terminology of
risk took ground, it replaced the older notion that
thought "in terms of good and bad
fortune."
Niklas Luhmann (1996) seeks to explain this transition: "Perhaps,
this was simply a loss of plausibility of the old rhetorics of
Fortuna as an allegorical figure of
religious content and of
prudentia as a (noble) virtue in
the emerging commercial society."
Scenario analysis matured during Cold War confrontations between major powers,
notably the U.S. and the
USSR. It
became widespread in insurance circles in the 1970s when major
oil tanker disasters forced a more
comprehensive foresight. The scientific approach to risk entered
finance in the 1980s when
financial
derivatives proliferated. It reached general professions in the
1990s when the power of personal computing allowed for widespread
data collection and number crunching.
Governments are using it, for example, to set standards for
environmental regulation, e.g. "pathway analysis" as practiced by
the United States Environmental Protection Agency.
Definitions of risk
There are many definitions of risk that vary by specific
application and situational context. The widely inconsistent and
ambiguous use of the word is one of several current criticisms of
the methods to manage risk.
One set of definitions presents
risks simply as future
issues which can be avoided or mitigated, rather than present
problems that must be immediately addressed. E.g. "Risk is the
unwanted subset of a set of uncertain outcomes." (Cornelius
Keating)
More formally (and quantitatively), risk is proportional to both
the results expected from an event and to the probability of this
event. E.g. "Risk is a combination of the likelihood of an
occurrence of a hazardous event or exposure(s) and the severity of
injury or ill health that can be caused by the event or
exposure(s)" (OHSAS 18001:2007). Mathematically, risk is often
simply defined as
- $\text{Risk} = (\text{probability of an accident}) \times (\text{losses per accident})$
Or more generally,
- $\text{Risk} = (\text{probability of event occurring}) \times (\text{impact of event occurring})$
One of the
first major uses of this concept was at the planning of the
Delta
Works in 1953, a flood protection program in the Netherlands, with the aid of the mathematician David van Dantzig. The kind of risk
analysis pioneered here has become common today in fields like
nuclear power,
aerospace and
chemical industry.
There are more sophisticated definitions, however. Measuring
engineering risk is often difficult, especially in potentially
dangerous industries such as nuclear energy. Often, the
probability of a negative event is estimated by
using the frequency of past similar events or by event-tree
methods, but probabilities for rare failures may be difficult to
estimate if an event tree cannot be formulated. Methods to
calculate the cost of the loss of human life vary depending on the
purpose of the calculation. Specific methods include what people
are willing to pay to insure against death, and radiological
release (e.g., GBq of radio-iodine). There are many formal methods
used to assess or to "measure" risk, considered as one of the
critical indicators important for human
decision making.
Financial risk is often defined as
the unexpected variability or
volatility of returns and thus includes
both potential worse-than-expected as well as better-than-expected
returns. References to negative risk below should be read as
applying to positive impacts or opportunity (e.g., for "loss" read
"loss or gain") unless the context precludes.
In statistics, risk is often mapped to the probability of some
event which is seen as undesirable. Usually, the probability of
that event and some assessment of its expected harm must be
combined into a believable
scenario (an
outcome), which combines the set of risk, regret and reward
probabilities into an
expected value
for that outcome. (See also
Expected
utility.)
Thus, in statistical decision theory, the risk function of an
estimator δ(x) for a parameter θ, calculated from some observables
x, is defined as the expectation value of the loss function L,
- $R(\theta,\delta(x)) = \int L(\theta,\delta(x))\, f(x|\theta)\,dx$
In information security, a risk is written as an asset, the threats
to the asset and the vulnerability that can be exploited by the
threats to impact the asset. An example: our desktop computers
(asset) can be compromised by malware (threat) entering the
environment as an email attachment (vulnerability).
The risk is then assessed as a function of three variables:
- the probability that there is a threat
- the probability that there are any vulnerabilities
- the potential impact to the business.
The two probabilities are sometimes combined and are also known as
likelihood. If any of these variables approaches zero, the overall
risk approaches zero.
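The three-variable assessment above, applied to a small risk register. This is an added example, not part of the original text: the register entries, probabilities and impact figures are constructed, and the plain product is an assumption (the text only requires that the risk goes to zero when any variable does).

```python
"""Added example: scoring an information-security risk register.

Assumption: risk = P(threat) * P(vulnerability) * impact. The page only says
the risk is a function of these three variables that approaches zero when any
of them does; the plain product is the simplest function with that property.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    p_threat: float         # probability that there is a threat
    p_vulnerability: float  # probability that the vulnerability is present
    impact: float           # potential impact to the business, in dollars

    def __post_init__(self):
        # Reject inputs that are not probabilities before they skew a ranking.
        for name in ("p_threat", "p_vulnerability"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in [0, 1], got {value}")
        if self.impact < 0:
            raise ValueError("impact must be non-negative")

    @property
    def likelihood(self) -> float:
        # The two probabilities combined, as described in the text.
        return self.p_threat * self.p_vulnerability

    @property
    def score(self) -> float:
        return self.likelihood * self.impact


def rank(register):
    """Return the register sorted from highest to lowest risk score."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def mitigate(risk, **changes):
    """Return a re-validated copy of a risk with some variables changed."""
    return replace(risk, **changes)


# Constructed sample register (all figures are illustrative).
REGISTER = [
    Risk("Desktop computers", "malware", "email attachment",
         p_threat=0.9, p_vulnerability=0.3, impact=50_000),
    Risk("Payroll database", "unauthorized access", "shared admin password",
         p_threat=0.2, p_vulnerability=0.5, impact=400_000),
    Risk("Backup server", "disk failure", "single disk, no redundancy",
         p_threat=0.05, p_vulnerability=1.0, impact=120_000),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.asset:18} likelihood={r.likelihood:.3f} score={r.score:>9,.0f}")
    # What-if: attachment filtering cuts the vulnerability probability tenfold.
    filtered = mitigate(REGISTER[0], p_vulnerability=0.03)
    print(f"Desktops after filtering: {filtered.score:,.0f}")
```

The ranking shows why the variables have to be read together: the most likely event (malware on desktops) is not the largest risk once impact is included.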
The management of actuarial risk is called
risk management.
Risk versus uncertainty
Risk: Combination of the likelihood of an occurrence of a hazardous
event or exposure(s) and the severity of injury or ill health that
can be caused by the event or exposure(s).
In his seminal work
Risk, Uncertainty, and Profit,
Frank Knight (1921) established the
distinction between risk and
uncertainty.
A solution to this ambiguity is proposed in
How to Measure
Anything: Finding the Value of Intangibles in Business and
The Failure of Risk Management: Why It's Broken and How to Fix
It by Doug Hubbard:
- Uncertainty: The lack of complete certainty, that is, the
existence of more than one possibility. The "true"
outcome/state/result/value is not known.
- Measurement of uncertainty: A set of probabilities assigned to a
set of possibilities. Example: "There is a 60% chance this market
will double in five years".
- Risk: A state of uncertainty where some of the possibilities
involve a loss, catastrophe, or other undesirable outcome.
- Measurement of risk: A set of possibilities each with quantified
probabilities and quantified losses. Example: "There is a 40%
chance the proposed oil well will be dry with a loss of $12 million
in exploratory drilling costs".
In this sense, Hubbard uses the terms so that one may have
uncertainty without risk but not risk without uncertainty. We can
be uncertain about the winner of a contest, but unless we have some
personal stake in it, we have no risk. If we bet money on the
outcome of the contest, then we have a risk. In both cases there
is more than one outcome. The measure of uncertainty refers only
to the probabilities assigned to outcomes, while the measure of
risk requires both probabilities for outcomes and losses quantified
for outcomes.
Risk as a vector quantity
Hubbard also argues that defining risk as the product of impact and
probability presumes (probably incorrectly) that the decision
makers are risk neutral. Only for a risk neutral person is the
"certain monetary equivalent" exactly equal to the probability of
the loss times the amount of the loss. For example, a risk neutral
person would consider a 20% chance of winning $1 million exactly
equal to $200,000 (or a 20% chance of losing $1 million to be
exactly equal to losing $200,000). However, most decision makers
are not actually risk neutral and would not consider these
equivalent choices. This gave rise to Prospect theory and
Cumulative prospect theory.
Hubbard proposes instead that risk is a kind of "vector quantity"
that does not collapse the probability and magnitude of a risk by
presuming anything about the risk tolerance of the decision maker.
Risks are simply described as a set or function of possible loss
amounts each associated with specific probabilities. This array
cannot be collapsed into a single value until the risk tolerance of
the decision maker is quantified.
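The distinction above, worked through on the $1 million example. This is an added example, not Hubbard's own method: it models risk tolerance with exponential utility and a hypothetical `risk_tolerance` parameter in dollars, which the text does not prescribe.

```python
"""Added example: a risk kept as a vector of (probability, loss) pairs.

Assumption: the decision maker's risk tolerance is modelled with exponential
utility and a hypothetical parameter `risk_tolerance` (in dollars). The page
does not say which utility model to use.
"""
import math


def validate(distribution):
    """Check that the (probability, loss) pairs form a distribution."""
    total = 0.0
    for p, _loss in distribution:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        total += p
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"probabilities sum to {total}, expected 1")


def expected_loss(distribution):
    """Risk-neutral collapse: probability times loss, summed."""
    validate(distribution)
    return sum(p * loss for p, loss in distribution)


def certain_equivalent_loss(distribution, risk_tolerance):
    """Certain loss a risk-averse decision maker finds equally bad.

    For exponential utility: CE = T * ln(E[exp(L / T)]), with T the risk
    tolerance. Computed with a log-sum-exp shift so that large losses
    relative to T do not overflow.
    """
    validate(distribution)
    if risk_tolerance <= 0:
        raise ValueError("risk_tolerance must be positive")
    scaled = [(p, loss / risk_tolerance) for p, loss in distribution if p > 0]
    shift = max(x for _, x in scaled)
    log_mean = shift + math.log(sum(p * math.exp(x - shift) for p, x in scaled))
    return risk_tolerance * log_mean


# Constructed distributions with the same expected loss of $200,000.
GAMBLE = [(0.2, 1_000_000), (0.8, 0)]   # 20% chance of losing $1 million
SURE = [(1.0, 200_000)]                 # certain loss of $200,000

if __name__ == "__main__":
    print(f"expected loss, gamble: {expected_loss(GAMBLE):,.0f}")
    print(f"expected loss, sure:   {expected_loss(SURE):,.0f}")
    for tolerance in (250_000, 1_000_000, 1_000_000_000):
        ce = certain_equivalent_loss(GAMBLE, tolerance)
        print(f"tolerance {tolerance:>13,}: gamble is as bad as losing {ce:,.0f}")
```

Both distributions collapse to the same product, yet only a decision maker with very high risk tolerance treats them as equivalent; the lower the tolerance, the larger the certain loss the gamble is worth.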
Insurance and health risk
Insurance is a risk-reducing
investment in which the buyer pays a small fixed
amount to be protected from a potential large loss.
Gambling is a risk-increasing investment, wherein
money on hand is risked for a possible large return, but with the
possibility of losing it all. Purchasing a lottery ticket is a very
risky investment with a high chance of no return and a small chance
of a very high return. In contrast, putting money in a bank at a
defined rate of interest is a risk-averse action that gives a
guaranteed return of a small gain and precludes other investments
with possibly higher gain.
Risks in personal health may be reduced by
primary prevention actions that decrease
early causes of illness or by
secondary prevention actions after a
person has clearly measured clinical signs or symptoms recognized
as risk factors. Tertiary
prevention reduces the negative impact
of an already established disease by restoring function and
reducing disease-related complications. Ethical medical practice
requires careful discussion of
risk
factors with individual patients to obtain
informed consent for secondary and tertiary
prevention efforts, whereas public health efforts in primary
prevention require education of the entire population at risk. In
each case, careful communication about risk factors, likely
outcomes and
certainty must distinguish
between causal events that must be decreased and associated events
that may be merely consequences rather than causes.
Economic risk
Economic risks can be manifested in lower incomes or higher
expenditures than expected. The causes can be many, for instance,
the hike in the price for
raw
materials, the lapsing of deadlines for construction of a new
operating facility, disruptions in a production process, emergence
of a serious competitor on the market, the loss of key personnel,
the change of a political regime, or natural disasters.
In business
Means of assessing risk vary widely between professions. Indeed,
they may define these professions; for example, a doctor manages
medical risk, while a civil engineer manages risk of structural
failure. A
professional code of ethics is usually focused on risk
assessment and mitigation (by the professional on behalf of client,
public, society or life in general).
In the workplace, incidental and inherent risks exist. Incidental
risks are those which occur naturally in the business but are not
part of the core of the business. Inherent risks have a negative
effect on the operating profit of the business.
Risk-sensitive industries
Some industries manage risk in a highly quantified and numerate
way. These include the
nuclear power
and
aircraft industries,
where the possible failure of a complex series of engineered
systems could result in highly undesirable outcomes. The usual
measure of risk for a class of events is then:
- R = (probability of the event) × C, where C is the consequence of the event
The total risk is then the sum of the individual class-risks.
In the nuclear industry, consequence is often measured in terms of
off-site radiological release, and this is often banded into five
or six decade-wide bands.
The risks are evaluated using fault tree/event tree techniques (see
safety engineering). Where these
risks are low, they are normally considered to be "Broadly
Acceptable". A higher level of risk (typically up to 10 to 100
times what is considered Broadly Acceptable) has to be justified
against the costs of reducing it further and the possible benefits
that make it tolerable—these risks are described as "Tolerable if
ALARP". Risks beyond this level are classified
as "Intolerable".
The level of risk deemed Broadly Acceptable has been considered by
regulatory bodies in various countries—an early attempt by UK
government regulator and academic
F.
R. Farmer
used the example of hill-walking and similar activities which have
definable risks that people appear to find acceptable. This
resulted in the so-called Farmer Curve of acceptable probability of
an event versus its consequence.
The technique as a whole is usually referred to as Probabilistic
Risk Assessment (PRA) (or Probabilistic Safety Assessment, PSA).
See
WASH-1400 for an example of this
approach.
In finance
In finance, risk is the probability that an investment's actual
return will be different than expected. This includes the
possibility of losing some or all of the original investment. Some
regard a calculation of the standard deviation of the historical
returns or average returns of a specific investment as providing
some historical measure of risk. Financial risk may be
market-dependent, determined by numerous market factors, or
operational, resulting from fraudulent behavior (e.g.
Bernard Madoff).
In
finance,
risk has no one
definition, but some theorists, notably
Ron
Dembo, have defined quite general methods to assess risk as an
expected after-the-fact level of regret. Such methods have been
uniquely successful in limiting interest
rate
risk in
financial markets.
Financial markets are considered to be a proving ground for general
methods of risk assessment. However, these methods are also hard to
understand. The mathematical difficulties interfere with other
social goods such as disclosure, valuation and transparency. In
particular, it is not always obvious if such financial instruments
are "hedging" (purchasing/selling a financial instrument
specifically to reduce or cancel out the risk in another
investment) or "speculation" (increasing measurable risk and
exposing the investor to catastrophic loss in pursuit of very high
windfalls that increase expected value).
As
regret measures rarely reflect actual
human risk-aversion, it is difficult to determine if the outcomes
of such transactions will be satisfactory. Risk seeking describes
an individual whose utility function's second derivative is
positive. Such an individual would willingly (actually pay a
premium to) assume all risk in the economy and is hence not likely
to exist.
In financial markets, one may need to measure credit risk,
information timing and source risk, probability model risk, and
legal risk if there are regulatory or civil actions taken as a
result of some "investor's regret". Knowing one's risk appetite in
conjunction with one's financial well-being is most crucial.
A fundamental idea in finance is the relationship between risk and
return. The greater the potential return one might seek, the
greater the risk that one generally assumes. A free market reflects
this principle in the pricing of an instrument: strong demand for a
safer instrument drives its price higher (and its return
proportionately lower), while weak demand for a riskier instrument
drives its price lower (and its potential return thereby
higher).
"For example, a US Treasury bond is considered to be one of the
safest investments and, when compared to a corporate bond, provides
a lower rate of return. The reason for this is that a corporation
is much more likely to go bankrupt than the U.S. government.
Because the risk of investing in a corporate bond is higher,
investors are offered a higher rate of return."
The most popular, and lately also the most vilified, risk
measurement is Value-at-Risk (VaR). There are different types of
VaR: Long Term VaR, Marginal VaR, Factor VaR and Shock VaR. The
latter is used in measuring risk during extreme market stress
conditions.
In public works
In a peer reviewed study of risk in public works projects located
in twenty nations on five continents, Flyvbjerg, Holm, and Buhl
(2002, 2005) documented high risks for such ventures for both costs
and demand. Actual
costs of projects were
typically higher than estimated costs;
cost overruns of 50% were common, overruns
above 100% not uncommon. Actual
demand was
often lower than estimated;
demand
shortfalls of 25% were common, of 50% not uncommon.
Due to such cost and demand risks,
cost-benefit analyses of public works
projects have proved to be highly uncertain.
The main causes of cost and demand risks were found to be
optimism bias and
strategic misrepresentation.
Measures identified to mitigate this type of risk are better
governance through incentive alignment
and the use of
reference
class forecasting.
In human services
Huge ethical and political issues arise when human beings
themselves are seen or treated as 'risks', or when the risk
decision making of people who use human services might have an
impact on that service. The experience of many people who rely on
human services for support is that 'risk' is often used as a reason
to prevent them from gaining further independence or fully
accessing the community, and that these services are often
unnecessarily risk averse.
Risk in psychology
Regret
In
decision theory, regret (and
anticipation of regret) can play a significant part in
decision-making, distinct from
risk
aversion (preferring the status quo in case one becomes worse
off).
Framing
Framing is a fundamental problem with all
forms of risk assessment. In particular, because of
bounded rationality (our brains get
overloaded, so we take mental shortcuts), the risk of extreme
events is discounted because the probability is too low to evaluate
intuitively. As an example, one of the leading causes of death is
road accidents caused by
drunk driving—partly because any
given driver frames the problem by largely or totally ignoring the
risk of a serious or fatal accident.
For instance, an extremely disturbing event (an attack by
hijacking, or
moral hazards) may be
ignored in analysis despite the fact it has occurred and has a
nonzero probability. Or, an event that everyone agrees is
inevitable may be ruled out of analysis due to greed or an
unwillingness to admit that it is believed to be inevitable. These
human tendencies for error and
wishful
thinking often affect even the most rigorous applications of
the
scientific method and are a
major concern of the
philosophy of
science.
All
decision-making under
uncertainty must consider
cognitive
bias,
cultural bias, and
notational bias: No group of people assessing risk is immune to
"groupthink": acceptance of obviously wrong answers simply because
it is socially painful to disagree, where there are conflicts of
interest. One effective
way to solve framing problems in risk assessment or measurement
(although some argue that risk cannot be measured, only assessed)
is to raise others' fears or personal ideals by way of
completeness.
Neurobiology of Framing
Framing involves other information that affects the outcome of a
risky decision. The right prefrontal cortex has been shown to take
a more global perspective while greater left prefrontal activity
relates to local or focal processing.
From the Theory of Leaky Modules, McElroy and Seta proposed that
they could predictably alter the framing effect by the selective
manipulation of regional prefrontal activity with finger tapping or
monaural listening. The result was as expected. Rightward tapping
or listening had the effect of narrowing attention such that the
frame was ignored. This is a practical way of manipulating regional
cortical activation to affect risky decisions, especially because
directed tapping or listening is easily done.
Fear as intuitive risk assessment
For the time being, people rely on their fear and hesitation to
keep them out of the most profoundly unknown circumstances.
In
The Gift of Fear,
Gavin de Becker argues that "True
fear is a gift. It is a survival signal that sounds only in the
presence of danger. Yet unwarranted fear has assumed a power over
us that it holds over no other creature on Earth. It need not be
this way."
Risk could be said to be the way we collectively measure and share
this "true fear"—a fusion of rational doubt, irrational fear, and a
set of unquantified biases from our own experience.
The field of
behavioral finance
focuses on human risk-aversion, asymmetric regret, and other ways
that human financial behavior varies from what analysts call
"rational". Risk in that case is the degree of
uncertainty associated with a
return on an
asset.
Recognizing and respecting the irrational influences on human
decision making may do much to reduce disasters caused by naive
risk assessments that pretend to rationality but in fact merely
fuse many shared biases together.
Risk assessment and management
Because planned actions are subject to large cost and benefit
risks, proper
risk assessment and
risk management for such actions are
crucial to making them successful.
Since risk assessment and management are essential in security
management, the two are tightly related. Security assessment
methodologies like CRAMM contain risk assessment modules as an
important part of the first steps of the methodology. On the other
hand, risk assessment methodologies, like Mehari, evolved to become
security assessment methodologies. An ISO standard on risk
management (Principles and guidelines on implementation) is
currently being drafted under code ISO 31000. Target publication
date: 30 May 2009.
Risk in auditing
The
audit risk model expresses the risk
of an
auditor providing an inappropriate
opinion of a commercial entity's financial statements. It can be
analytically expressed as:
- AR = IR × CR × DR
Where AR is
audit risk, IR is
inherent risk, CR
is
control risk and DR is
detection risk.
Bibliography
Referred literature
- Bent Flyvbjerg, 2006: From
Nobel Prize to Project Management: Getting Risks Right.
Project Management Journal, vol. 37, no. 3, August, pp. 5-15.
Available at homepage of author
- Niklas Luhmann, 1996: Modern
Society Shocked by its Risks (= University of Hongkong,
Department of Sociology Occasional Papers 17), Hongkong, available
via HKU Scholars HUB
Books
- Historian David A. Moss's book When All Else Fails explains the U.S. government's historical role as risk
manager of last resort.
- Peter L. Bernstein. Against the Gods ISBN
0-471-29563-9. Risk explained and its appreciation by man traced
from earliest times through all the major figures of their ages in
mathematical circles.
- Gardner, Dan, Risk: The Science and Politics of
Fear, Random House, Inc., 2008. ISBN 0771032994
Articles and papers
- Clark, L., Manes, F., Antoun, N., Sahakian, B. J., &
Robbins, T. W. (2003). "The contributions of lesion laterality and
lesion volume to decision-making impairment following frontal lobe
damage." Neuropsychologia, 41, 1474-1483.
- Drake, R. A. (1985). "Decision making and risk taking:
Neurological manipulation with a proposed consistency mediation."
Contemporary Social Psychology, 11, 149-152.
- Drake, R. A. (1985). "Lateral asymmetry of risky
recommendations." Personality and Social Psychology
Bulletin, 11, 409-417.
- Hansson, Sven Ove. (2007). "Risk", The Stanford Encyclopedia of
Philosophy (Summer 2007 Edition), Edward N. Zalta (ed.),
forthcoming.
- Holton, Glyn A. (2004). "Defining Risk", Financial Analysts Journal,
60 (6), 19–25. A paper exploring the foundations of risk. (PDF
file)
- Knight, F. H. (1921) Risk, Uncertainty and Profit,
Chicago: Houghton Mifflin Company. (Cited at: [842287], § I.I.26.)
- Kruger, Daniel J., Wang, X.T., & Wilke, Andreas (2007)
"Towards the development of an evolutionarily valid
domain-specific risk-taking scale" Evolutionary
Psychology (PDF file)
- Miller, L. (1985). "Cognitive risk taking after frontal or
temporal lobectomy I. The synthesis of fragmented visual
information." Neuropsychologia, 23, 359-369.
- Miller, L., & Milner, B. (1985). "Cognitive risk taking
after frontal or temporal lobectomy II. The synthesis of phonemic
and semantic information." Neuropsychologia, 23, 371-379.
- Neill, M. Allen, J. Woodhead, N. Reid, S. Irwin, L. Sanderson,
H. 2008 "A Positive Approach to Risk Requires Person Centred
Thinking" London, CSIP Personalisation Network, Department of
Health. Available from:
http://networks.csip.org.uk/Personalisation/Topics/Browse/Risk/
[Accessed 21 July 2008]