Risk
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed). Potential losses themselves may also be called "risks". Almost any human endeavor carries some risk, but some are much riskier than others.
Historical background
The Oxford English Dictionary cites the earliest use of the word in English (in the spelling risque) as from 1621, and the spelling risk from 1655. It defines risk as:
"(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."
For the sociologist Niklas Luhmann the term "risk" is a neologism that appeared with the transition from traditional to modern society. "In the Middle Ages the term risicum was used in highly specific contexts, above all sea trade and its ensuing legal problems of loss and damage." In the vernacular languages of the 16th century the words rischio and riezgo were used, having been introduced to continental Europe through interaction with Middle Eastern and North African Arab traders. In the English language the term risk appeared only in the 17th century, and "seems to be imported from continental Europe." When the terminology of risk took hold, it replaced the older notion that thought "in terms of good and bad fortune." Luhmann (1996) seeks to explain this transition: "Perhaps, this was simply a loss of plausibility of the old rhetorics of Fortuna as an allegorical figure of religious content and of prudentia as a (noble) virtue in the emerging commercial society."
Scenario analysis matured during Cold War confrontations between the major powers, notably the United States and the Soviet Union. It became widespread in insurance circles in the 1970s, when major oil tanker disasters forced more comprehensive foresight. The scientific approach to risk entered finance in the 1960s with the advent of the capital asset pricing model and became increasingly important in the 1980s, when financial derivatives proliferated. It reached the general professions in the 1990s, when the power of personal computing allowed widespread data collection and number crunching.
Governments also use it, for example to set standards for environmental regulation, such as the "pathway analysis" practised by the United States Environmental Protection Agency.
Practice areas
Risk is ubiquitous in all areas of life, and risk management is something we all must do, whether we are managing a major organization or simply crossing the road. When describing risk, however, it is convenient to consider that risk practitioners operate in some specific practice areas.
Economic risk
Economic risks can be manifested as lower incomes or higher expenditures than expected. The causes can be many, for instance a hike in the price of raw materials, the lapsing of deadlines for the construction of a new operating facility, disruptions in a production process, the emergence of a serious competitor on the market, the loss of key personnel, a change of political regime, or natural disasters. Reference class forecasting was developed to eliminate or reduce economic risk.
Health
with individual patients to obtain informed consent for secondary and tertiary prevention efforts, whereas public health efforts in primary prevention require education of the entire population at risk. In each case, careful communication about risk factors, likely outcomes and certainty must distinguish between causal events that must be decreased and associated events that may be merely consequences rather than causes.
In epidemiology, the lifetime risk of an effect is the cumulative incidence, also called the incidence proportion, over an entire lifetime.
Information technology
The term IT risk is relatively new; it reflects an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real-world processes it supports.
The increasing dependence of modern society on information and computer networks (in both the private and public sectors, including the military) has led to new terms such as IT risk and cyberwarfare.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It grew out of the practices and procedures of computer security.
Information security has grown into information assurance (IA), the practice of managing risks related to the use, processing, storage and transmission of information or data, and the systems and processes used for those purposes. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form.
Information assurance is interdisciplinary and draws from multiple fields, including accounting, fraud examination, forensic science, management science, systems engineering, security engineering and criminology, in addition to computer science.
So IT risk is narrowly focused on computer security, while information security extends to risks related to other forms of information (paper, microfilm). Information assurance risks include those related to the consistency of the business information stored in IT systems with that stored by other means, and the relevant business consequences.
Insurance
Insurance is a risk treatment option which involves risk sharing. It can be considered a form of contingent capital and is akin to purchasing an option, in which the buyer pays a small premium to be protected from a potential large loss.
Business
A professional code of ethics is usually focused on risk assessment and mitigation (by the professional on behalf of client, public, society or life in general).
In the workplace, incidental and inherent risks exist. Incidental risks are those that occur naturally in the business but are not part of its core; inherent risks are those that have a negative effect on the operating profit of the business.
High reliability organizations
A high reliability organization (HRO) is an organization that has succeeded in avoiding catastrophes in an environment where normal accidents can be expected owing to risk factors and complexity. Most studies of HROs involve areas such as nuclear aircraft carriers, air traffic control, aerospace and nuclear power stations. Such organizations share the ability to operate safely and consistently in complex, interconnected environments where a single failure in one component could lead to catastrophe. Essentially, they are organizations which appear to operate "in spite" of an enormous range of risks.
Some of these industries manage risk in a highly quantified and enumerated way. These include the nuclear power and aircraft industries, where the possible failure of a complex series of engineered systems could result in highly undesirable outcomes. The usual measure of risk for a class of events is then
R = P × C,
where P is the probability of the event and C its consequence. The total risk is the sum of the individual class risks (not their product; see the statistical treatment below).
In the nuclear industry, consequence is often measured in terms of off-site radiological release, and this is often banded into five or six decade-wide bands.
The risks are evaluated using fault tree/event tree techniques (see safety engineering). Where these risks are low, they are normally considered "Broadly Acceptable". A higher level of risk (typically up to 10 to 100 times what is considered Broadly Acceptable) has to be justified against the costs of reducing it further and the possible benefits that make it tolerable; these risks are described as "Tolerable if ALARP" (as low as reasonably practicable). Risks beyond this level are classified as "Intolerable".
The level of risk deemed Broadly Acceptable has been considered by regulatory bodies in various countries. An early attempt by the UK government regulator and academic F. R. Farmer used the example of hill-walking and similar activities, which have definable risks that people appear to find acceptable. This resulted in the so-called Farmer Curve of acceptable probability of an event versus its consequence.
The technique as a whole is usually referred to as Probabilistic Risk Assessment (PRA) or Probabilistic Safety Assessment (PSA). See WASH-1400 for an example of this approach.
Finance
In finance, risk is the probability that an investment's actual return will differ from the expected return. This includes the possibility of losing some or all of the original investment. In a view advocated by Damodaran, risk includes not only "downside risk" but also "upside risk" (returns that exceed expectations). Some regard the standard deviation of the historical or average returns of a specific investment as providing a historical measure of risk; see modern portfolio theory. Financial risk may be market-dependent, determined by numerous market factors, or operational, resulting from fraudulent behavior (e.g. Bernard Madoff). Recent studies suggest that testosterone level plays a major role in risk taking during financial decisions.
Risk in finance has no single definition, but some theorists, notably Ron Dembo, have defined quite general methods to assess risk as an expected after-the-fact level of regret. Such methods have been uniquely successful in limiting interest rate risk in financial markets. Financial markets are considered a proving ground for general methods of risk assessment.
However, these methods are also hard to understand. The mathematical difficulties interfere with other social goods such as disclosure, valuation and transparency. In particular, it is not always obvious whether such financial instruments are "hedging" (purchasing or selling a financial instrument specifically to reduce or cancel out the risk in another investment) or "speculation" (increasing measurable risk and exposing the investor to catastrophic loss in pursuit of very high windfalls that increase expected value).
As regret measures rarely reflect actual human risk aversion, it is difficult to determine whether the outcomes of such transactions will be satisfactory. Risk seeking describes an individual whose utility function has a positive second derivative. Such an individual would willingly (indeed, would pay a premium to) assume all the risk in the economy and is hence unlikely to exist.
In financial markets, one may need to measure credit risk, information timing and source risk, probability model risk, and legal risk if regulatory or civil actions are taken as a result of some "investor's regret". Knowing one's risk appetite in conjunction with one's financial well-being is crucial.
A fundamental idea in finance is the relationship between risk and return (see modern portfolio theory). The greater the potential return one seeks, the greater the risk one generally assumes. A free market reflects this principle in the pricing of an instrument: strong demand for a safer instrument drives its price higher (and its return proportionately lower), while weak demand for a riskier instrument drives its price lower (and its potential return thereby higher).
"For example, a US Treasury bond is considered to be one of the safest investments and, when compared to a corporate bond, provides a lower rate of return. The reason for this is that a corporation is much more likely to go bankrupt than the U.S. government. Because the risk of investing in a corporate bond is higher, investors are offered a higher rate of return."
The most popular, and lately also the most vilified, risk measure is Value-at-Risk (VaR). There are different types of VaR: long-term VaR, marginal VaR, factor VaR and shock VaR; the last is used to measure risk under extreme market stress conditions.
Security
Security risk management involves the protection of assets from harm caused by deliberate acts. A more detailed definition is: "A security risk is any event that could result in the compromise of organizational assets. The unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities constitutes a compromise of the asset, and includes the risk of harm to people. Compromise of organizational assets may adversely affect the enterprise, its business units and their clients. As such, consideration of security risk is a vital component of risk management."
Public works
Actual costs of projects were typically higher than estimated costs; cost overruns of 50% were common, and overruns above 100% not uncommon. Actual demand was often lower than estimated; demand shortfalls of 25% were common, and shortfalls of 50% not uncommon.
Due to such cost and demand risks, cost-benefit analyses of public works projects have proved to be highly uncertain.
The main causes of cost and demand risks were found to be optimism bias and strategic misrepresentation. Measures identified to mitigate this type of risk are better governance through incentive alignment and the use of reference class forecasting.
Human factors
where behavioral and organizational psychology underpin our understanding of risk-based decision making. This field considers questions such as "how do we make risk-based decisions?" and "why are we irrationally more scared of sharks and terrorists than we are of motor vehicles and medications?"
In decision theory, regret (and anticipation of regret) can play a significant part in decision-making, distinct from risk aversion (preferring the status quo in case one becomes worse off).
Framing is a fundamental problem with all forms of risk assessment. In particular, because of bounded rationality (our brains get overloaded, so we take mental shortcuts), the risk of extreme events is discounted because the probability is too low to evaluate intuitively. As an example, one of the leading causes of death is road accidents caused by drunk driving, partly because any given driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident.
For instance, an extremely disturbing event (an attack by hijacking, or moral hazards) may be ignored in analysis despite the fact that it has occurred and has a nonzero probability. Or an event that everyone agrees is inevitable may be ruled out of analysis due to greed or an unwillingness to admit that it is believed to be inevitable. These human tendencies for error and wishful thinking often affect even the most rigorous applications of the scientific method and are a major concern of the philosophy of science.
All decision-making under uncertainty must consider cognitive bias, cultural bias and notational bias. No group of people assessing risk is immune to "groupthink": acceptance of obviously wrong answers simply because it is socially painful to disagree, particularly where there are conflicts of interest. One effective way to address framing problems in risk assessment or measurement (although some argue that risk cannot be measured, only assessed) is to raise others' fears or personal ideals by way of completeness.
Framing involves other information that affects the outcome of a risky decision. The right prefrontal cortex has been shown to take a more global perspective, while greater left prefrontal activity relates to local or focal processing. From the theory of leaky modules, McElroy and Seta proposed that they could predictably alter the framing effect by the selective manipulation of regional prefrontal activity with finger tapping or monaural listening. The result was as expected: rightward tapping or listening had the effect of narrowing attention such that the frame was ignored. This is a practical way of manipulating regional cortical activation to affect risky decisions, especially because directed tapping or listening is easily done.
Risk assessment and management
and risk management for such actions are crucial to making them successful.
Since risk assessment and management are essential to security management, the two are tightly related. Security assessment methodologies like CRAMM contain risk assessment modules as an important part of the first steps of the methodology. On the other hand, risk assessment methodologies like Mehari evolved to become security assessment methodologies.
An ISO standard on risk management (Principles and guidelines on implementation) was published under the code ISO 31000 on 13 November 2009.
Quantitative analysis
Even when statistical estimates are available, in many cases risk is associated with rare failures of some kind, and data may be sparse. Often the probability of a negative event is estimated from the frequency of past similar events or by event tree methods, but probabilities for rare failures may be difficult to estimate if an event tree cannot be formulated. This makes risk assessment difficult in hazardous industries (for example nuclear energy) where failures are rare and the harmful consequences of failure are very high.
Statistical methods may also require the use of a cost function, which in turn often requires calculating the cost of the loss of human life, a difficult problem. One approach is to ask what people are willing to pay to insure against death or radiological release (e.g. a GBq of radio-iodine), but as the answers depend very strongly on the circumstances it is not clear that this approach is effective.
Risk in statistics
In statistics, the notion of risk is often modelled as the expected value of some outcome seen as undesirable. This combines the probabilities of various possible events and some assessment of the corresponding harms into a single value. (See also expected utility.) In the simple case of a binary possibility (accident or no accident), risk is then
R = (probability of the accident occurring) × (expected loss in case of the accident).
For example, if activity X may suffer an accident of type A with probability 0.01 and a loss of 1000, the total risk is a loss of 10, the product of 0.01 and 1000.
Where several different accidents are possible, risk is the sum of the risks for the different accidents, provided that the outcomes are comparable:
R = Σ over accidents i of (probability of accident i) × (expected loss from accident i).
For example, if activity X may suffer an accident of type A with probability 0.01 and a loss of 1000, and an accident of type B with probability 0.000001 and a loss of 2,000,000, the total risk is a loss of 12: 10 from accidents of type A and 2 from accidents of type B.
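The two calculations above, together with the P × C measure and its Broadly Acceptable / Tolerable if ALARP / Intolerable bands from the high reliability organizations section, worked as an added example (this is not code from the original article): each class of accident is a (probability, loss) pair, class risks are summed, not multiplied, and consequences are banded into decades. The absolute threshold values BROADLY_ACCEPTABLE and ALARP_FACTOR are assumptions for illustration, not figures from the article or from any regulator.

```python
import math
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class AccidentClass:
    name: str
    probability: float  # probability of the event over the assessment period
    loss: float         # consequence C, in the same units for every class

    def risk(self) -> float:
        # R = P x C for one class of event
        return self.probability * self.loss


def total_risk(classes: Iterable[AccidentClass]) -> float:
    # The total is the SUM of the class risks (not the product), and is only
    # meaningful when every loss is expressed in the same units.
    return sum(c.risk() for c in classes)


def consequence_band(loss: float) -> int:
    # Decade-wide banding: band n covers losses in [10**n, 10**(n+1)).
    if loss <= 0:
        raise ValueError("loss must be positive to be banded")
    return int(math.floor(math.log10(loss)))


# Assumed tolerability thresholds, for illustration only.
BROADLY_ACCEPTABLE = 1.0   # risk at or below this needs no further justification
ALARP_FACTOR = 100.0       # up to this multiple must be shown to be ALARP


def classify(risk: float,
             broadly_acceptable: float = BROADLY_ACCEPTABLE,
             alarp_factor: float = ALARP_FACTOR) -> str:
    if risk <= broadly_acceptable:
        return "Broadly Acceptable"
    if risk <= broadly_acceptable * alarp_factor:
        return "Tolerable if ALARP"
    return "Intolerable"


# The article's own figures: A is frequent and cheap, B is rare and expensive.
ARTICLE_CLASSES = (
    AccidentClass("A", 0.01, 1_000.0),
    AccidentClass("B", 0.000_001, 2_000_000.0),
)


def assess(classes: Iterable[AccidentClass] = ARTICLE_CLASSES) -> dict:
    classes = tuple(classes)
    total = total_risk(classes)
    return {
        "rows": [(c.name, c.risk(), consequence_band(c.loss), classify(c.risk()))
                 for c in classes],
        "total": total,
        "verdict": classify(total),
    }


if __name__ == "__main__":
    result = assess()
    for name, r, band, verdict in result["rows"]:
        print(f"class {name}: R = {r:g}, consequence in band 10^{band}, {verdict}")
    print(f"total R = {result['total']:g} -> {result['verdict']}")
```

Note that the rare, expensive class B sits three consequence bands above class A yet contributes only 2 of the 12 units of total risk; the banding is what keeps that tail visible once the expected values have been summed.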
One of the first major uses of this concept was in the planning of the Delta Works in 1953, a flood protection program in the Netherlands, with the aid of the mathematician David van Dantzig. The kind of risk analysis pioneered there has become common today in fields like nuclear power, aerospace and the chemical industry.
In statistical decision theory, the risk function is defined as the expected value of a given loss function as a function of the decision rule used to make decisions in the face of uncertainty.
Fear as intuitive risk assessment
In The Gift of Fear, Gavin de Becker argues that "True fear is a gift. It is a survival signal that sounds only in the presence of danger. Yet unwarranted fear has assumed a power over us that it holds over no other creature on Earth. It need not be this way."
Risk could be said to be the way we collectively measure and share this "true fear": a fusion of rational doubt, irrational fear, and a set of unquantified biases from our own experience.
The field of behavioral finance focuses on human risk aversion, asymmetric regret, and other ways in which human financial behavior varies from what analysts call "rational". Risk in that case is the degree of uncertainty associated with a return on an asset.
Recognizing and respecting the irrational influences on human decision making may do much to reduce disasters caused by naive risk assessments that pretend to rationality but in fact merely fuse many shared biases together.
Risk in auditing
Audit risk expresses the risk of an auditor providing an inappropriate opinion on a commercial entity's financial statements. It can be expressed analytically as
AR = IR × CR × DR,
where AR is audit risk, IR is inherent risk, CR is control risk and DR is detection risk.
Risk versus uncertainty
Frank Knight (1921) established the distinction between risk and uncertainty.
Thus, Knightian uncertainty is immeasurable, not possible to calculate, while in the Knightian sense risk is measurable.
Another distinction between risk and uncertainty is proposed by Doug Hubbard in How to Measure Anything: Finding the Value of Intangibles in Business and The Failure of Risk Management: Why It's Broken and How to Fix It. In this sense, Hubbard uses the terms so that one may have uncertainty without risk but not risk without uncertainty. We can be uncertain about the winner of a contest, but unless we have some personal stake in it, we have no risk. If we bet money on the outcome of the contest, then we have a risk. In both cases there is more than one outcome. The measure of uncertainty refers only to the probabilities assigned to outcomes, while the measure of risk requires both probabilities for outcomes and losses quantified for outcomes.
Gambling is a risk-increasing investment, wherein money on hand is risked for a possible large return, but with the possibility of losing it all. Purchasing a lottery ticket is a very risky investment with a high chance of no return and a small chance of a very high return. In contrast, putting money in a bank at a defined rate of interest is a risk-averse action that gives a guaranteed small gain and precludes other investments with possibly higher gain.
Only for a risk-neutral person is the "certain monetary equivalent" exactly equal to the probability of the loss times the amount of the loss. For example, a risk-neutral person would consider a 20% chance of winning $1 million exactly equal to $200,000 (or a 20% chance of losing $1 million exactly equal to losing $200,000). However, most decision makers are not actually risk neutral and would not consider these choices equivalent. This gave rise to prospect theory and cumulative prospect theory. Hubbard proposes instead that risk is a kind of "vector quantity" that does not collapse the probability and magnitude of a risk by presuming anything about the risk tolerance of the decision maker. Risks are simply described as a set or function of possible loss amounts, each associated with a specific probability. Collapsing this array into a single value cannot be done until the risk tolerance of the decision maker is quantified.
Risk can be both negative and positive, but people tend to focus on the negative side, because some risks are dangerous, such as putting one's own or someone else's life at risk, and people worry that risks will have a negative effect on their future.
(with Nils Bruzelius and Werner Rothengatter) demonstrates that big ventures (big construction projects, big capital investments, etc.) are highly risky. For instance, such ventures typically have high cost overruns, benefit shortfalls and schedule delays, plus negative and unanticipated social and environmental impacts.
ISO31000:2009 Risk Management Standard
- The ISO 31000ISO 31000ISO 31000 is intended to be a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management...
(2009) /ISO Guide 73 definition of risk is the 'effect of uncertainty on objectives'. In this definition, uncertainties include events (which may or not happen) and uncertainties caused by a lack of information or ambiguity. It also includes both negative and positive impacts on objectives. Many definitions of risk exist in common usage, however this definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts.
Other definitions of risk
The many inconsistent and ambiguous meanings attached to "risk" lead to widespread confusion and also mean that very different approaches to risk management are taken in different fields. For example:- Risk can be seen as relating to the ProbabilityProbabilityProbability is ordinarily used to describe an attitude of mind towards some proposition of whose truth we arenot certain. The proposition of interest is usually of the form "Will a specific event occur?" The attitude of mind is of the form "How certain are we that the event will occur?" The...
of uncertain future events.. For example, according to Factor Analysis of Information RiskFactor Analysis of Information RiskFactor analysis of information risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events...
, risk is: the probable frequency and probable magnitude of future loss. In computer science this definition is used by The Open GroupThe Open GroupThe Open Group is a vendor and technology-neutral industry consortium, currently with over three hundred member organizations. It was formed in 1996 when X/Open merged with the Open Software Foundation...
.
- OHSAS (Occupational Health & Safety Advisory Services) defines risk as the product of the probability of a hazard resulting in an adverse event, times the severity of the event.
- In information securityInformation securityInformation security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
risk is defined as "the potential that a given threatThreat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
will exploit vulnerabilitiesVulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
of an assetAssetIn financial accounting, assets are economic resources. Anything tangible or intangible that is capable of being owned or controlled to produce value and that is held to have positive economic value is considered an asset...
or group of assets and thereby cause harm to the organization",
- Financial risk is often defined as the unexpected variability or volatility of returns and thus includes both potential worse-than-expected as well as better-than-expected returns. References to negative risk below should be read as applying to positive impacts or opportunity (e.g., for "loss" read "loss or gain") unless the context precludes this interpretation.
- The related terms "threat" and "hazard" are often used to mean something that could cause harm.
Practice Areas
Risk is ubiquitous in all areas of life and risk management is something that we all must do, whether we are managing a major organization or simply crossing the road. When describing risk, however, it is convenient to consider that risk practitioners operate in some specific practice areas.
Economic risk
Economic risks can be manifested in lower incomes or higher expenditures than expected. The causes can be many, for instance, a hike in the price of raw materials, the lapsing of deadlines for construction of a new operating facility, disruptions in a production process, emergence of a serious competitor on the market, the loss of key personnel, the change of a political regime, or natural disasters. Reference class forecasting was developed to eliminate or reduce economic risk.
Health
Risks in personal health may be reduced by primary prevention actions that decrease early causes of illness or by secondary prevention actions after a person has clearly measured clinical signs or symptoms recognized as risk factors. Tertiary prevention reduces the negative impact of an already established disease by restoring function and reducing disease-related complications. Ethical medical practice requires careful discussion of risk factors with individual patients to obtain informed consent for secondary and tertiary prevention efforts, whereas public health efforts in primary prevention require education of the entire population at risk. In each case, careful communication about risk factors, likely outcomes and certainty must distinguish between causal events that must be decreased and associated events that may be merely consequences rather than causes.
In epidemiology, the lifetime risk of an effect is the cumulative incidence, also called incidence proportion, over an entire lifetime.
Health, Safety and Environment
Health, Safety and Environment (HSE) are separate practice areas; however, they are often linked. The separation is typically a matter of organizational management structure, while the disciplines themselves are strongly connected. One of the strongest links between them is that a single risk event may have impacts in all three areas, albeit over differing timescales. For example, the uncontrolled release of radiation or a toxic chemical may have immediate short-term safety consequences, more protracted health impacts and much longer-term environmental impacts. Events such as Chernobyl, for example, caused immediate deaths, longer-term deaths from cancers, and left a lasting environmental impact leading to birth defects, impacts on wildlife, etc.
Information Technology and Information Security
Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term is due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real-world processes it supports.
The increasing dependence of modern society on information and computer networks (both in private and public sectors, including military) has led to new terms like IT risk and cyberwarfare.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security grew out of the practices and procedures of computer security.
Information security has grown into information assurance (IA), i.e. the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.
While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical forms.
Information assurance is interdisciplinary and draws from multiple fields, including accounting, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science.
So, IT risk is narrowly focused on computer security, while information security extends to risks related to other forms of information (paper, microfilm). Information assurance risks include those related to the consistency of the business information stored in IT systems with that stored on other media, and the relevant business consequences.
Insurance
Insurance is a risk treatment option which involves risk sharing. It can be considered as a form of contingent capital and is akin to purchasing an option, in which the buyer pays a small premium to be protected from a potential large loss.
Business and Management
Means of assessing risk vary widely between professions. Indeed, they may define these professions; for example, a doctor manages medical risk, while a civil engineer manages risk of structural failure. A professional code of ethics is usually focused on risk assessment and mitigation (by the professional on behalf of client, public, society or life in general).
In the workplace, incidental and inherent risks exist. Incidental risks are those that occur naturally in the business but are not part of the core of the business. Inherent risks have a negative effect on the operating profit of the business.
High Reliability Organizations (HROs)
A High Reliability Organization (HRO) is an organization that has succeeded in avoiding catastrophes in an environment where normal accidents can be expected due to risk factors and complexity. Most studies of HROs involve areas such as nuclear aircraft carriers, air traffic control, aerospace and nuclear power stations. Organizations such as these share in common the ability to consistently operate safely in complex, interconnected environments where a single failure in one component could lead to catastrophe. Essentially, they are organizations which appear to operate 'in spite' of an enormous range of risks.
Some of these industries manage risk in a highly quantified and enumerated way. These include the nuclear power and aircraft industries, where the possible failure of a complex series of engineered systems could result in highly undesirable outcomes. The usual measure of risk for a class of events is then: R = probability of the event × C, where C is the consequence.
The total risk is then the product of the individual class-risks.
In the nuclear industry, consequence is often measured in terms of off-site radiological release, and this is often banded into five or six decade-wide bands.
The risks are evaluated using fault tree/event tree techniques (see safety engineering). Where these risks are low, they are normally considered to be "Broadly Acceptable". A higher level of risk (typically up to 10 to 100 times what is considered Broadly Acceptable) has to be justified against the costs of reducing it further and the possible benefits that make it tolerable; these risks are described as "Tolerable if ALARP" (as low as reasonably practicable). Risks beyond this level are classified as "Intolerable".
The level of risk deemed Broadly Acceptable has been considered by regulatory bodies in various countries; an early attempt by UK government regulator and academic F. R. Farmer used the example of hill-walking and similar activities, which have definable risks that people appear to find acceptable. This resulted in the so-called Farmer Curve of acceptable probability of an event versus its consequence.
The technique as a whole is usually referred to as Probabilistic Risk Assessment (PRA) (or Probabilistic Safety Assessment, PSA). See WASH-1400 for an example of this approach.
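The per-class measure R = probability × consequence, the decade-wide consequence bands and the three-region Broadly Acceptable / Tolerable if ALARP / Intolerable classification described above, worked through as an added example (this is not code from the original page or from any PRA tool). The event classes, their probabilities and consequence values, the Broadly Acceptable threshold and the ALARP multiplier are all constructed assumptions.

```python
"""Per-class risk (R = probability x consequence) with ALARP banding.

Added example, not from the original page: a small probabilistic risk
assessment (PRA) helper. The event classes, their probabilities and
consequence values, the Broadly Acceptable threshold and the ALARP
multiplier are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EventClass:
    name: str
    probability: float  # annual probability of the event (constructed value)
    consequence: float  # consequence C, e.g. off-site release in arbitrary units


# Constructed thresholds: a class-risk at or below BROADLY_ACCEPTABLE needs
# no further justification; up to ALARP_MULTIPLIER times that value it is
# "Tolerable if ALARP" (the text gives 10 to 100 as the typical range);
# anything above that ceiling is "Intolerable".
BROADLY_ACCEPTABLE = 1e-4
ALARP_MULTIPLIER = 100


def class_risk(event: EventClass) -> float:
    """R = probability of the event x C, with input validation."""
    if not 0.0 <= event.probability <= 1.0:
        raise ValueError(f"{event.name}: probability must be in [0, 1]")
    if event.consequence < 0.0:
        raise ValueError(f"{event.name}: consequence must be non-negative")
    return event.probability * event.consequence


def consequence_band(consequence: float) -> int:
    """Decade-wide consequence band: 0 for C < 10, 1 for 10 <= C < 100, ...

    Integer powers of ten are compared directly rather than via log10 so
    that exact decade boundaries land in the expected band.
    """
    band = 0
    while consequence >= 10 ** (band + 1):
        band += 1
    return band


def classify(risk: float,
             broadly_acceptable: float = BROADLY_ACCEPTABLE,
             alarp_multiplier: float = ALARP_MULTIPLIER) -> str:
    """Place a class-risk into one of the three regions used in the text."""
    if risk <= broadly_acceptable:
        return "Broadly Acceptable"
    if risk <= broadly_acceptable * alarp_multiplier:
        return "Tolerable if ALARP"
    return "Intolerable"


def reduction_needed(risk: float,
                     broadly_acceptable: float = BROADLY_ACCEPTABLE,
                     alarp_multiplier: float = ALARP_MULTIPLIER) -> float:
    """Factor by which R must fall to leave the Intolerable region.

    Returns 1.0 when the risk is already tolerable. Because C is usually
    fixed by the physics of the event, this is in practice the factor by
    which the event probability has to be reduced.
    """
    ceiling = broadly_acceptable * alarp_multiplier
    return max(1.0, risk / ceiling)


def assess(classes):
    """Evaluate every event class and return one record per class."""
    records = []
    for event in classes:
        risk = class_risk(event)
        records.append({
            "name": event.name,
            "risk": risk,
            "band": consequence_band(event.consequence),
            "classification": classify(risk),
            "reduction_needed": reduction_needed(risk),
        })
    return records


# Constructed sample: three event classes for a hypothetical facility.
SAMPLE_CLASSES = [
    EventClass("minor leak", probability=1e-5, consequence=1.0),
    EventClass("cooling failure", probability=1e-4, consequence=50.0),
    EventClass("containment breach", probability=1e-6, consequence=20000.0),
]

if __name__ == "__main__":
    for rec in assess(SAMPLE_CLASSES):
        print(f"{rec['name']:<20} R={rec['risk']:.2e} band={rec['band']} "
              f"{rec['classification']} (reduce by {rec['reduction_needed']:.1f}x)")
```

Note that the low-probability, high-consequence "containment breach" class lands in the Intolerable region even though its probability is the smallest of the three, which is exactly the kind of result the fault tree/event tree evaluation is meant to surface.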
Finance
In finance, risk is the probability that an investment's actual return will be different than expected. This includes the possibility of losing some or all of the original investment. In a view advocated by Damodaran, risk includes not only "downside risk" but also "upside risk" (returns that exceed expectations). Some regard a calculation of the standard deviation of the historical returns or average returns of a specific investment as providing some historical measure of risk; see modern portfolio theory. Financial risk may be market-dependent, determined by numerous market factors, or operational, resulting from fraudulent behavior (e.g. Bernard Madoff). Recent studies suggest that testosterone level plays a major role in risk taking during financial decisions.
In finance, risk has no one definition, but some theorists, notably Ron Dembo, have defined quite general methods to assess risk as an expected after-the-fact level of regret. Such methods have been uniquely successful in limiting interest rate risk in financial markets. Financial markets are considered to be a proving ground for general methods of risk assessment.
However, these methods are also hard to understand. The mathematical difficulties interfere with other social goods such as disclosure, valuation and transparency. In particular, it is not always obvious if such financial instruments are "hedging" (purchasing/selling a financial instrument specifically to reduce or cancel out the risk in another investment) or "speculation" (increasing measurable risk and exposing the investor to catastrophic loss in pursuit of very high windfalls that increase expected value).
As regret measures rarely reflect actual human risk-aversion, it is difficult to determine if the outcomes of such transactions will be satisfactory. Risk seeking describes an individual whose utility function's second derivative is positive. Such an individual would willingly (actually pay a premium to) assume all risk in the economy and is hence not likely to exist.
In financial markets, one may need to measure credit risk, information timing and source risk, probability model risk, and legal risk if there are regulatory or civil actions taken as a result of some "investor's regret". Knowing one's risk appetite in conjunction with one's financial well-being is most crucial.
A fundamental idea in finance is the relationship between risk and return (see modern portfolio theory). The greater the potential return one might seek, the greater the risk that one generally assumes. A free market reflects this principle in the pricing of an instrument: strong demand for a safer instrument drives its price higher (and its return proportionately lower), while weak demand for a riskier instrument drives its price lower (and its potential return thereby higher).
"For example, a US Treasury bond is considered to be one of the safest investments and, when compared to a corporate bond, provides a lower rate of return. The reason for this is that a corporation is much more likely to go bankrupt than the U.S. government. Because the risk of investing in a corporate bond is higher, investors are offered a higher rate of return."
The most popular, and lately also the most vilified, risk measurement is Value-at-Risk (VaR). There are different types of VaR: Long Term VaR, Marginal VaR, Factor VaR and Shock VaR. The latter is used in measuring risk during extreme market stress conditions.
Security
Security risk management involves protection of assets from harm caused by deliberate acts. A more detailed definition is: "A security risk is any event that could result in the compromise of organizational assets. The unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities constitutes a compromise of the asset, and includes the risk of harm to people. Compromise of organizational assets may adversely affect the enterprise, its business units and their clients. As such, consideration of security risk is a vital component of risk management."
Societal Risk
In a peer reviewed study of risk in public works projects located in twenty nations on five continents, Flyvbjerg, Holm, and Buhl (2002, 2005) documented high risks for such ventures for both costs and demand. Actual costs of projects were typically higher than estimated costs; cost overruns of 50% were common, overruns above 100% not uncommon. Actual demand was often lower than estimated; demand shortfalls of 25% were common, of 50% not uncommon.
Due to such cost and demand risks, cost-benefit analyses of public works projects have proved to be highly uncertain.
The main causes of cost and demand risks were found to be optimism bias and strategic misrepresentation. Measures identified to mitigate this type of risk are better governance through incentive alignment and the use of reference class forecasting.
Human Factors
One of the growing areas of focus in risk management is the field of human factors, where behavioral and organizational psychology underpin our understanding of risk-based decision making. This field considers questions such as "how do we make risk-based decisions?" and "why are we irrationally more scared of sharks and terrorists than we are of motor vehicles and medications?"
In decision theory, regret (and anticipation of regret) can play a significant part in decision-making, distinct from risk aversion (preferring the status quo in case one becomes worse off).
Framing is a fundamental problem with all forms of risk assessment. In particular, because of bounded rationality (our brains get overloaded, so we take mental shortcuts), the risk of extreme events is discounted because the probability is too low to evaluate intuitively. As an example, one of the leading causes of death is road accidents caused by drunk driving, partly because any given driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident.
For instance, an extremely disturbing event (an attack by hijacking, or moral hazards) may be ignored in analysis despite the fact that it has occurred and has a nonzero probability. Or, an event that everyone agrees is inevitable may be ruled out of analysis due to greed or an unwillingness to admit that it is believed to be inevitable. These human tendencies for error and wishful thinking often affect even the most rigorous applications of the scientific method and are a major concern of the philosophy of science.
All decision-making under uncertainty must consider cognitive bias, cultural bias, and notational bias: no group of people assessing risk is immune to "groupthink", the acceptance of obviously wrong answers simply because it is socially painful to disagree, especially where there are conflicts of interest. One effective way to solve framing problems in risk assessment or measurement (although some argue that risk cannot be measured, only assessed) is to raise others' fears or personal ideals by way of completeness.
Framing involves other information that affects the outcome of a risky decision. The right prefrontal cortex has been shown to take a more global perspective, while greater left prefrontal activity relates to local or focal processing.
Based on the Theory of Leaky Modules, McElroy and Seta proposed that they could predictably alter the framing effect by the selective manipulation of regional prefrontal activity with finger tapping or monaural listening. The result was as expected: rightward tapping or listening had the effect of narrowing attention such that the frame was ignored. This is a practical way of manipulating regional cortical activation to affect risky decisions, especially because directed tapping or listening is easily done.
Risk assessment and analysis
Because planned actions are subject to large cost and benefit risks, proper risk assessment and risk management for such actions are crucial to making them successful.
Since risk assessment and risk management are essential in security management, the two are tightly related. Security assessment methodologies like CRAMM contain risk assessment modules as an important part of the first steps of the methodology. On the other hand, risk assessment methodologies like Mehari evolved to become security assessment methodologies.
An ISO standard on risk management (Principles and guidelines on implementation) was published under code ISO 31000 on 13 November 2009.
Quantitative Analysis
As risk carries so many different meanings, there are many formal methods used to assess or to "measure" risk. Some of the quantitative definitions of risk are well-grounded in statistics theory and lead naturally to statistical estimates, but some are more subjective. For example, in many cases a critical factor is human decision making.
Even when statistical estimates are available, in many cases risk is associated with rare failures of some kind, and data may be sparse. Often, the probability of a negative event is estimated by using the frequency of past similar events or by event tree methods, but probabilities for rare failures may be difficult to estimate if an event tree cannot be formulated. This makes risk assessment difficult in hazardous industries (for example nuclear energy) where failures are rare and the harmful consequences of failure are very high.
Statistical methods may also require the use of a cost function, which in turn often requires the calculation of the cost of the loss of human life, a difficult problem. One approach is to ask what people are willing to pay to insure against death, or against radiological release (e.g., GBq of radio-iodine), but as the answers depend very strongly on the circumstances it is not clear that this approach is effective.
In statistics, the notion of risk is often modelled as the expected value of some outcome seen as undesirable. This combines the probabilities of various possible events and some assessment of the corresponding harms into a single value. (See also Expected utility.) In the simple case of a binary possibility (accident or no accident), risk is then the product of the accident's probability and its loss.
For example: if activity X may suffer an accident of type A at a probability of 0.01 with a loss of 1000, the total risk is a loss of 10, since that is the product of 0.01 and 1 000.
Where several accidents are possible, the risk is the sum of the risks of the individual accidents, provided that the outcomes are comparable.
For example: if activity X may suffer an accident of type A at a probability of 0.01 with a loss of 1000, and an accident of type B at a probability of 0.000 001 with a loss of 2 000 000, the total risk is a loss of 12, that is, 10 from accidents of type A and 2 from accidents of type B.
One of the first major uses of this concept was in the planning of the Delta Works in 1953, a flood protection program in the Netherlands, with the aid of the mathematician David van Dantzig. The kind of risk analysis pioneered here has become common today in fields like nuclear power, aerospace and the chemical industry.
In statistical decision theory, the risk function is defined as the expected value of a given loss function as a function of the decision rule used to make decisions in the face of uncertainty.
Fear as intuitive risk assessment
For the time being, people rely on their fear and hesitation to keep them out of the most profoundly unknown circumstances. In The Gift of Fear, Gavin de Becker argues that "True fear is a gift. It is a survival signal that sounds only in the presence of danger. Yet unwarranted fear has assumed a power over us that it holds over no other creature on Earth. It need not be this way."
Risk could be said to be the way we collectively measure and share this "true fear"—a fusion of rational doubt, irrational fear, and a set of unquantified biases from our own experience.
The field of behavioral finance focuses on human risk-aversion, asymmetric regret, and other ways that human financial behavior varies from what analysts call "rational". Risk in that case is the degree of uncertainty associated with a return on an asset.
Recognizing and respecting the irrational influences on human decision making may do much to reduce disasters caused by naive risk assessments that pretend to rationality but in fact merely fuse many shared biases together.
Risk in auditing
The audit risk model expresses the risk of an auditor providing an inappropriate opinion of a commercial entity's financial statements. It can be analytically expressed as:
- AR = IR x CR x DR
Where AR is audit risk, IR is inherent risk, CR is control risk and DR is detection risk.
In human services
Huge ethical and political issues arise when human beings themselves are seen or treated as 'risks', or when the risk decision making of people who use human services might have an impact on that service. The experience of many people who rely on human services for support is that 'risk' is often used as a reason to prevent them from gaining further independence or fully accessing the community, and that these services are often unnecessarily risk averse.
Other Considerations
- Another consideration in terms of managing risk is that risks are future problems that can be treated, rather than current ones that must be immediately addressed.
Risk versus uncertainty
In his seminal work Risk, Uncertainty, and Profit, Frank Knight (1921) established the distinction between risk and uncertainty.
Thus, Knightian uncertainty is immeasurable, not possible to calculate, while in the Knightian sense risk is measurable.
Another distinction between risk and uncertainty is proposed in How to Measure Anything: Finding the Value of Intangibles in Business and The Failure of Risk Management: Why It's Broken and How to Fix It by Doug Hubbard:
- Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility. The "true" outcome/state/result/value is not known.
- Measurement of uncertainty: A set of probabilities assigned to a set of possibilities. Example: "There is a 60% chance this market will double in five years"
- Risk: A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.
- Measurement of risk: A set of possibilities each with quantified probabilities and quantified losses. Example: "There is a 40% chance the proposed oil well will be dry with a loss of $12 million in exploratory drilling costs".
In this sense, Hubbard uses the terms so that one may have uncertainty without risk but not risk without uncertainty. We can be uncertain about the winner of a contest, but unless we have some personal stake in it, we have no risk. If we bet money on the outcome of the contest, then we have a risk. In both cases there is more than one possible outcome. The measure of uncertainty refers only to the probabilities assigned to outcomes, while the measure of risk requires both probabilities for outcomes and losses quantified for outcomes.
Risk Attitude
The terms attitude, appetite and tolerance are often used similarly to describe an organization's or individual's attitude towards risk taking. Risk averse, risk neutral and risk seeking are examples of the terms that may be used to describe a risk attitude.
Gambling is a risk-increasing investment, wherein money on hand is risked for a possible large return, but with the possibility of losing it all. Purchasing a lottery ticket is a very risky investment with a high chance of no return and a small chance of a very high return. In contrast, putting money in a bank at a defined rate of interest is a risk-averse action that gives a guaranteed return of a small gain and precludes other investments with possibly higher gain.
Risk as a vector quantity
Hubbard also argues that defining risk as the product of impact and probability presumes (probably incorrectly) that the decision makers are risk neutral. Only for a risk neutral person is the "certain monetary equivalent" exactly equal to the probability of the loss times the amount of the loss. For example, a risk neutral person would consider a 20% chance of winning $1 million exactly equal to $200,000 (or a 20% chance of losing $1 million to be exactly equal to losing $200,000). However, most decision makers are not actually risk neutral and would not consider these choices equivalent. This gave rise to prospect theory and cumulative prospect theory. Hubbard proposes instead that risk is a kind of "vector quantity" that does not collapse the probability and magnitude of a risk by presuming anything about the risk tolerance of the decision maker. Risks are simply described as a set or function of possible loss amounts, each associated with a specific probability. This array cannot be collapsed into a single value until the risk tolerance of the decision maker is quantified.
Risk can be both negative and positive, but people tend to focus on the negative side, because some activities are dangerous, such as those that put their own or someone else's life at risk. Risks concern people because they think that they will have a negative effect on their future.
Risk and size
In the book Megaprojects and Risk, Professor Bent Flyvbjerg (with Nils Bruzelius and Werner Rothengatter) demonstrates that big ventures (big construction projects, big capital investments, etc.) are highly risky. For instance, such ventures typically have high cost overruns, benefit shortfalls, and schedule delays, plus negative and unanticipated social and environmental impacts.
Referred literature
- Bent Flyvbjerg, 2006: From Nobel Prize to Project Management: Getting Risks Right. Project Management Journal, vol. 37, no. 3, August, pp. 5–15. Available at homepage of author.
- James Franklin, 2001: The Science of Conjecture: Evidence and Probability Before Pascal, Baltimore: Johns Hopkins University Press.
- Niklas Luhmann, 1996: Modern Society Shocked by its Risks (= University of Hong Kong, Department of Sociology Occasional Papers 17), Hong Kong, available via HKU Scholars HUB.
Books
- Historian David A. Moss's book When All Else Fails explains the U.S. government's historical role as risk manager of last resort.
- Peter L. Bernstein. Against the Gods ISBN 0-471-29563-9. Risk explained and its appreciation by man traced from earliest times through all the major figures of their ages in mathematical circles.
- Flyvbjerg, Bent, Nils Bruzelius, and Werner Rothengatter, 2003. Megaprojects and Risk: An Anatomy of Ambition (Cambridge: Cambridge University Press).
- Gardner, Dan, Risk: The Science and Politics of Fear, Random House, Inc., 2008. ISBN 0771032994.
Articles and papers
- Clark, L., Manes, F., Antoun, N., Sahakian, B. J., & Robbins, T. W. (2003). "The contributions of lesion laterality and lesion volume to decision-making impairment following frontal lobe damage." Neuropsychologia, 41, 1474-1483.
- Drake, R. A. (1985). "Decision making and risk taking: Neurological manipulation with a proposed consistency mediation." Contemporary Social Psychology, 11, 149-152.
- Drake, R. A. (1985). "Lateral asymmetry of risky recommendations." Personality and Social Psychology Bulletin, 11, 409-417.
- Gregory, Kent J., Bibbo, Giovanni and Pattison, John E. (2005), "A Standard Approach to Measurement Uncertainties for Scientists and Engineers in Medicine", Australasian Physical and Engineering Sciences in Medicine 28(2):131-139.
- Hansson, Sven Ove. (2007). "Risk", The Stanford Encyclopedia of Philosophy (Summer 2007 Edition), Edward N. Zalta (ed.), forthcoming http://plato.stanford.edu/archives/sum2007/entries/risk/.
- Holton, Glyn A. (2004). "Defining Risk", Financial Analysts Journal, 60 (6), 19–25. A paper exploring the foundations of risk. (PDF file).
- Knight, F. H. (1921) Risk, Uncertainty and Profit, Chicago: Houghton Mifflin Company. (Cited at: http://www.econlib.org/library/Knight/knRUP1.html, § I.I.26.).
- Kruger, Daniel J., Wang, X.T., & Wilke, Andreas (2007) "Towards the development of an evolutionarily valid domain-specific risk-taking scale" Evolutionary Psychology (PDF file).
- Metzner-Szigeth, A. (2009). "Contradictory Approaches? – On Realism and Constructivism in the Social Sciences Research on Risk, Technology and the Environment." Futures, Vol. 41, No. 2, March 2009, pp. 156–170 (fulltext journal: http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V65-4TGS7JY-1&_user=10&_coverDate=04%2F30%2F2009&_rdoc=1&_fmt=high&_orig=search&_sort=d&_docanchor=&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=054fec1f03e9ec784596add85197d2a8) (free preprint: http://egora.uni-muenster.de/ifs/personen/bindata/metznerszigeth_contradictory_approaches_preprint.PDF).
- Miller, L. (1985). "Cognitive risk taking after frontal or temporal lobectomy I. The synthesis of fragmented visual information." Neuropsychologia, 23, 359–369.
- Miller, L., & Milner, B. (1985). "Cognitive risk taking after frontal or temporal lobectomy II. The synthesis of phonemic and semantic information." Neuropsychologia, 23, 371–379.
- Neill, M. Allen, J. Woodhead, N. Reid, S. Irwin, L. Sanderson, H. 2008 "A Positive Approach to Risk Requires Person Centred Thinking" London, CSIP Personalisation Network, Department of Health. Available from: http://networks.csip.org.uk/Personalisation/Topics/Browse/Risk/ [Accessed 21 July 2008].
External links
- Risk - The entry of the Stanford Encyclopedia of Philosophy
- Risk Management magazine, a publication of the Risk and Insurance Management Society
- The Institute of Risk Management (IRM) is risk management's leading international professional education and training body
- Risk and Insurance
- StrategicRISK, a risk management journal
- "Risk preference and religiosity" article from the Institute for the Biocultural Study of Religion