As I have said in a previous article, risk is something we are all familiar with in a common sense kind of way. But if risk is to be properly dealt with – for example by a business – then common sense needs to be translated into some kind of structure for dealing with any issues. This article gives one such translation. It also tackles the interesting question of the difference between risk and uncertainty.
Let’s start with risk.
Risk is traditionally represented as a simple two dimensional equation of the form:
Risk = Likelihood (probability) x magnitude of consequences
This is particularly the way in which risk is presented in most organisational risk analyses, and that is probably a contributing factor to the failure of many of those analyses to enable major risks to be well managed.
The problem is two-fold:
The first is that risk is not two dimensional – it is at least 3 dimensional if not more. This can be seen most clearly in the field of earthquake science, where it is usual to express risk as the frequency with which a certain magnitude of event will occur, e.g. there may be a magnitude 8 movement of the Wellington fault every 300 years on average. In practice of course quakes occur much more frequently than that – it is just that the magnitude of more frequent quakes is lower. So if you want a true picture you need at least a 3 dimensional diagram.
The two dimensional approach can be very misleading to people trying to use the information. It is for example quite common for engineers to use the two dimensional approach in setting design standards because it is hard to do it any other way without getting very complicated. So river works may be constructed on the basis of being able to withstand a 100 year flood event. If such an event does occur there is an instinctive assessment that it won’t occur again for a long time – maybe not 100 years but a long time. But of course that is not the way that nature works. Having a 100 year event last year does nothing to change the probability of having another similar event or even say a 200 year event the following year. But people feel badly let down if that is what happens. The trouble is that if you designed to cover say a 500 year event the costs could well be astronomical – it makes more sense to build at lower cost and accept a higher but still low risk.
Similarly, in doing business analyses there is an understandable tendency to look at event magnitudes that have a finite probability of occurring. This may completely miss events that are catastrophic but appear to have a very low probability – the appearance itself can be misleading as there is an instinct to discount things that are too horrific to contemplate until it is too late. The financial crisis of a few years back is a classic example of that.
This leads to the second problem, which is that the risk equation is not linear. In particular, as the magnitude of the consequences rises there is an increasing degree of conservatism evident, i.e. a much lower preparedness to accept the risk. This is evident in everyday life. One way of representing this is to allow the magnitude of the consequences to have a non-linear influence on the calculation of the risk. So the risk equation becomes of the form:
Risk = Likelihood x f(magnitude of consequences).
I am not sure what form the function should have but it could well be exponential.
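A sketch of how the choice of f changes which events dominate, added here as an example and not the author's own calculation. The exponential form of f, its `tolerance` scale, the screening cut-off and the event profile are all assumptions constructed for illustration.

```python
import math

# Constructed frequency-magnitude profile: (event, annual likelihood, loss in $M).
PROFILE = [
    ("minor outage", 0.50, 0.1),
    ("serious incident", 0.05, 2.0),
    ("major loss", 0.01, 8.0),
    ("business failure", 0.0005, 60.0),
]


def linear_risk(likelihood, magnitude):
    """Risk = Likelihood x magnitude of consequences."""
    return likelihood * magnitude


def averse_risk(likelihood, magnitude, tolerance=10.0):
    """Risk = Likelihood x f(magnitude), with an assumed exponential f.

    f(m) = tolerance * (exp(m / tolerance) - 1) is close to m for losses well
    below `tolerance` and grows exponentially for losses beyond it.
    """
    return likelihood * tolerance * math.expm1(magnitude / tolerance)


def rank(profile, score):
    """Event names ordered from highest to lowest risk score."""
    scored = [(name, score(p, m)) for name, p, m in profile]
    return [name for name, _ in sorted(scored, key=lambda x: x[1], reverse=True)]


def screen(profile, min_likelihood):
    """Drop events below a likelihood cut-off, as many analyses implicitly do."""
    return [row for row in profile if row[1] >= min_likelihood]


if __name__ == "__main__":
    print("linear:  ", rank(PROFILE, linear_risk))
    print("averse:  ", rank(PROFILE, averse_risk))
    print("screened:", [name for name, _, _ in screen(PROFILE, 0.001)])
```

Under the linear equation the business failure ranks last; under the assumed f it ranks first, and a likelihood cut-off removes it from the analysis altogether.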
As indicated above, there is a converse form of behaviour which is to simply ignore consequences with very large magnitudes. A business example could be complete failure of a business, e.g. becoming bankrupt. I wonder how many Boards seriously contemplate that magnitude of consequence. In the field of environmental risk management a similar example is that of not considering that all of the controls applied by the regulators to an experiment or the use of a material may be ignored or completely misapplied by the applicant.
So there is more to characterising risk than meets the eye. But characterising risk is the first step toward properly managing risk.
Risk and Uncertainty
There is much confusion about the differences (and similarities) between risk and uncertainty and there is a temptation to treat them as the same thing. They are not the same thing but are closely related – accordingly they often get managed (or “treated” more correctly) in the same way.
Here are some key points of difference:
- Risk is about events that might or will occur in the future; uncertainty is not time bound – you can be uncertain about historical or current events, as well as future events.
- Risk and uncertainty are measured/expressed in quite different ways. Risk is represented by ideally a “map” of the likelihood of occurrence and the magnitude of the consequences. Uncertainty is most commonly expressed through uncertainty limits with specific levels of confidence, e.g. there is a 90% level of confidence that the real value lies between this low and this high value. Using techniques such as Monte Carlo analysis it is possible to go one step further and create a probability curve.
- It is fair to say that uncertainty is a universal concept – risk is a very specific technical concept.
Language certainly gets in the way of all of this. It is common to hear people say there is “a risk of this event happening”. What they really mean is that there is a chance of the event happening. If they are prepared to put a quantity rider on this, e.g. there is a high chance, then it begins to look like a risk statement. An important risk question is then whether it is a well-defined event with a fixed impact (magnitude) or whether there is a range of likely impacts and, if so, whether they are linked at all to likelihood. Answer that and, hey presto, we have what looks like a risk analysis.
Uncertainty language is more appropriate if it is a single defined event and it will either happen or not, i.e. there is no likelihood profile, e.g. I am not certain whether Fred is coming to this meeting or not.
Uncertainty and risk can and should go together, although it gets complicated if uncertainty is attached to both the likelihood and the magnitude of consequences. A legitimate statement for example is that there is high confidence in our estimate that a particular level of consequence (magnitude) has a 64% (say) chance of occurring. If the confidence of the likelihood estimate is low then arguably it is better not to make an estimate but to simply say “there is a chance of this level of event happening but we are not able to estimate the likelihood of occurrence with any confidence.”
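The Monte Carlo approach mentioned in the list above, applied to the case described here where uncertainty is attached to both the likelihood and the magnitude. This is an added example, not the author's, and every input range and distribution in it is constructed for illustration.

```python
import random


def simulate_risk(n=20000, seed=1):
    """Sorted samples of likelihood x magnitude, with both inputs uncertain."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    samples = []
    for _ in range(n):
        # Assumed: annual likelihood between 1% and 5%, most likely 2%.
        likelihood = rng.triangular(0.01, 0.05, 0.02)
        # Assumed: right-skewed loss in $M, median 1.0, long upper tail.
        magnitude = rng.lognormvariate(0.0, 0.8)
        samples.append(likelihood * magnitude)
    samples.sort()
    return samples


def percentile(sorted_samples, p):
    """Value below which a fraction p of the samples fall."""
    idx = min(len(sorted_samples) - 1, int(p * len(sorted_samples)))
    return sorted_samples[idx]


def confidence_limits(sorted_samples, level=0.90):
    """Low and high uncertainty limits at the given level of confidence."""
    tail = (1 - level) / 2
    return percentile(sorted_samples, tail), percentile(sorted_samples, 1 - tail)


def exceedance_curve(sorted_samples, thresholds):
    """The probability curve: P(risk > t) for each threshold t."""
    n = len(sorted_samples)
    return [(t, sum(1 for s in sorted_samples if s > t) / n) for t in thresholds]


if __name__ == "__main__":
    risk = simulate_risk()
    low, high = confidence_limits(risk)
    print(f"90% confidence: annualised risk between {low:.4f} and {high:.4f} $M")
    for t, p in exceedance_curve(risk, [0.01, 0.05, 0.10]):
        print(f"P(risk > {t:.2f} $M) = {p:.3f}")
```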
Although they are different, uncertainty and risk tend to be “managed” in similar ways. Common techniques include:
- Avoidance strategies, i.e. do something else which is less risky/less uncertain
- Mitigation strategies – we will minimise the adverse effects or the chance of it happening by doing ………
- Contingency plans – if we can’t do what we planned to do or if what actually happens exceeds the uncertainty limits, be prepared to do something else.