A survey of existing definitions
When looking up the meaning of risk we are immediately confronted with a surprising situation. There is no satisfying and authoritative general purpose one-liner that we can adopt without second thoughts.
Let us start with the standard dictionary definitions:
- The online Merriam Webster Dictionary defines risk as the possibility of loss or injury
- The online Cambridge Dictionary opines that risk means the possibility of something bad happening
- The Oxford English (Concise, Hardcover!) suggests: a chance or possibility of danger, loss, injury or other adverse consequences
Further, if we look up the Wikipedia entry, the first sentence offers the following wording: Risk is the potential for uncontrolled loss of something of value. Immediately afterwards there is an entire section of various definitions:
- Risk is an influence affecting strategy caused by an incentive or condition that inhibits transformation to quality excellence(!)
- Risk is an uncertain event or condition that, if it occurs, has an effect on at least one objective
- The probability of something happening multiplied by the resulting cost or benefit if it does
- The probability or threat of quantifiable damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action
- The possibility that an actual return on an investment will be lower than the expected return.
- A situation where the probability of a variable (such as burning down of a building) is known but when a mode of occurrence or the actual value of the occurrence (whether the fire will occur at a particular property) is not. A risk is not an uncertainty (where neither the probability nor the mode of occurrence is known), a peril (cause of loss), or a hazard (something that makes the occurrence of a peril more likely or more severe).
If we turn, finally, towards the definition adopted by professional risk managers we get the somewhat controversial ISO 31000:2009 definition that states: Risk is the effect of uncertainty on objectives
When reviewing the above it is hard to conclude we don’t have a definitional problem:
- Significant and subtle concepts such as probability, possibility, uncertainty and chance are used as alternatives although their meaning can be dramatically different depending on the context
- Concepts that are only applicable to risk quantification are mixed with the definition of the risk concept itself
- It is unclear whether risk is always a negative scenario or whether there is also positive risk
- It is unclear who or what is at risk
Yes, but is this situation actually an issue?
For a concept that is of such major importance to everybody, a definition that is decidedly ambiguous and uncertain can negatively influence the quality of practical risk management efforts in all domains.
We are all equipped to understand risk at an intuitive level, but much of ex-ante (that is, prior to a risk event) formal risk management involves analytic thinking. One of the important first steps in such a framework is risk identification. It stands to reason that it is easier to identify risks if we have a clear idea of what we want to identify!
Furthermore, the quality and effectiveness of risk management efforts may depend on coordinated collective behaviors, and developing consensus may be easier if there is conceptual agreement as to what is being managed.
Can we distill a better definition of risk?
To clean up the ground towards a better definition there are some mistakes we might want to avoid and some neglected aspects we might want to emphasize:
- Avoid the narrow definition of risk as quantifiable uncertainty. There are very few real-world instances (if any) where risk is 100% quantifiable. The degree to which material, non-quantifiable uncertainties creep into our risk views is variable, but it is best to admit that an element of model risk is always there.
- Even worse, avoid the specific definition of risk as some combination of likelihood and severity. Not only are some such combinations wrong and/or meaningless, the implied separation only applies to certain risk types (where risk materializes as a discrete, identifiable event)
- Emphasize uncertainty over divergence from expectation. A certain bad outcome (once it is known) is no longer a risk.
- Avoid a symmetric definition of risk that also includes upside potential. While it is true that positive risk is of the same nature as negative risk, in most cases it is not opportune operationally to mix the two. It is of course entirely legitimate to reuse the thought processes, tools and procedures to systematically explore opportunities
- Emphasize the subjectivity of risk perception. Even the most natural of risks (say, hurricanes or earthquakes) have no intrinsic existence as risks unless and until there is a human agent involved. A risk literally comes into existence once a human agent declares it so.
- Avoid the ambiguity of leaving undefined the subject perceiving a risk. One person’s risk is another person’s opportunity. For large organizations with multiple stakeholders, identifying who is actually bearing the risk can be quite tricky, and it is possible that different subsets experience the same risk in different ways.
- Emphasize the complexity and ever-changing reality of the future states of the world that are relevant to people, and the varying granularity and accuracy with which different people may be imagining those future states of the world
- Decouple the notion of risk mitigation (which requires further actions - assuming they are at all possible)
Is a better definition even possible?
A definition that avoids many of the mistakes identified above could be along the lines of:
Risk is an uncertain future outcome that is unfavorable for a person or a collection of persons
Hence, under this definition Risk is but a subjective label that a specific entity puts on a subset of possible futures (states of the world).