What is a risk? It’s not what you think it is

If there is one thing I learned as a CRO, it is crucial to understand the nature of each and every risk we have to work with. I will no doubt write a separate article about the mistake of aggregating various risks into a risk register or attempting to use the same methodology to quantify different risks, but that will come later. This article is about understanding the nature of the risk. Not the risk definition in ISO31000 because that has hardly any practical use, but understanding the true nature of each risk, from first principles.

To make this article easier to digest, there at least three forms a risk can take. Possibly more, write in the comments if you can think of others.

Uncertain event with uncertain effect

This is probably the most known way to describe risk. Risk is represented as an uncertain event within a given timeframe that if it happens will have an effect on objectives, decisions or some other important aspect of the business.

Make no mistake, I am not talking about qualitative nonsense you would see in a heatmap. Risks don’t have a single consequence, it is always a range. Smaller consequences usually have higher probability and catastrophic consequences usually have lower probability. Consequences of any given risk are a probability distribution. Understanding the nature of that distribution is crucial for risk mitigation, whether it is lognormal, metalog or something more exotic. In the next article I will go into more detail why risk consequences are not actually just a distribution but actually a product of distributions derived through a stochastic decision tree.

What about frequency or probability? First basic math, risk doesn’t happen on average (unless we are dealing with some portfolio risk analysis), it either happens or it doesn’t. That’s why probability is also a distribution, like Bernoulli for example. But wait, many risks may happen more than once per period. That’s why it’s actually often useful to replace probability with frequency which is also a distribution, like Poisson.

So, how do we multiply 2 probability distributions to get the risk value? We simulate it, Monte-Carlo in a free excel add-on SIPmath or ModelRisk.

Do this basic test, take a risk register and compare what will happen if you just multiple probability x impact and if you simulate probabilities as Bernoulli. The mean of the simulation would be very similar to the sum of risks derived by simple multiplication, but the volatility around the mean would be huge. p95% is almost double the sum of risks derived by simple multiplication. Scary how many risks managers underestimate the risk by using the wrong math.

And that’s not it, the examples above assume that risks are totally independent, which is rarely if ever true. So we need to add correlations to our calculations at least. By the way that will likely reduce the combined range of risk consequences.

But the biggest irony is that this form of risk is the most common in RM1 and probably the least used in RM2.

Uncertainty between limited choices

The second form of risk is when we have a discrete set of possible outcomes but the actual outcome is uncertain. For example a company applies to various taxation discount schemes but is uncertain which one it will get. That’s why some risks are better represented by a discrete distribution, where there a number of scenarios each with it’s own probability of occurring.

Volatility of assumptions

Finally the most common form of risk is the volatility around a base case for an assumption. All of the assumptions made in business plans, project schedules, budgets, investment valuations and decision models are uncertain. They are all distributions. Some ranges are wider (where there is a lot of uncertainty), some ranges are smaller, but they are distributions nevertheless. Understanding the nature of these distributions is absolutely critical for decision making and risk analysis.


This was just a short intro into what is risk and what it is not. Risk is not likelihood x consequences in a risk matrix, that’s for sure. In the next part I will talk about why dumbing down different risks to a risk register is a horrible idea and how different and unique each risks are and how stochastic decision trees can help.

RISK-ACADEMY offers online courses

+ Buy now

Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!

+ Buy now

ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.

+ Buy now

Управление рисками

В этом коротком и очень увлекательном курсе, Алексей Сидоренко расскажет о причинах внедрения риск менеджмента, об особенностях принятия управленческих решений в ситуации неопределенности и изменениях в новом стандарте ИСО 31000:2018.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.