If there is one thing I learned as a CRO, it is crucial to understand the nature of each and every risk we have to work with. I will no doubt write a separate article about the mistake of aggregating various risks into a risk register or attempting to use the same methodology to quantify different risks, but that will come later. This article is about understanding the nature of the risk. Not the risk definition in ISO31000 because that has hardly any practical use, but understanding the true nature of each risk, from first principles.
To make this article easier to digest, there at least three forms a risk can take. Possibly more, write in the comments if you can think of others.
Uncertain event with uncertain effect
This is probably the most known way to describe risk. Risk is represented as an uncertain event within a given timeframe that if it happens will have an effect on objectives, decisions or some other important aspect of the business.
Make no mistake, I am not talking about qualitative nonsense you would see in a heatmap. Risks don’t have a single consequence, it is always a range. Smaller consequences usually have higher probability and catastrophic consequences usually have lower probability. Consequences of any given risk are a probability distribution. Understanding the nature of that distribution is crucial for risk mitigation, whether it is lognormal, metalog or something more exotic. In the next article I will go into more detail why risk consequences are not actually just a distribution but actually a product of distributions derived through a stochastic decision tree.
What about frequency or probability? First basic math, risk doesn’t happen on average (unless we are dealing with some portfolio risk analysis), it either happens or it doesn’t. That’s why probability is also a distribution, like Bernoulli for example. But wait, many risks may happen more than once per period. That’s why it’s actually often useful to replace probability with frequency which is also a distribution, like Poisson.
So, how do we multiply 2 probability distributions to get the risk value? We simulate it, Monte-Carlo in a free excel add-on SIPmath or ModelRisk.
Do this basic test, take a risk register and compare what will happen if you just multiple probability x impact and if you simulate probabilities as Bernoulli. The mean of the simulation would be very similar to the sum of risks derived by simple multiplication, but the volatility around the mean would be huge. p95% is almost double the sum of risks derived by simple multiplication. Scary how many risks managers underestimate the risk by using the wrong math.
And that’s not it, the examples above assume that risks are totally independent, which is rarely if ever true. So we need to add correlations to our calculations at least. By the way that will likely reduce the combined range of risk consequences.
Uncertainty between limited choices
The second form of risk is when we have a discrete set of possible outcomes but the actual outcome is uncertain. For example a company applies to various taxation discount schemes but is uncertain which one it will get. That’s why some risks are better represented by a discrete distribution, where there a number of scenarios each with it’s own probability of occurring.
Volatility of assumptions
Finally the most common form of risk is the volatility around a base case for an assumption. All of the assumptions made in business plans, project schedules, budgets, investment valuations and decision models are uncertain. They are all distributions. Some ranges are wider (where there is a lot of uncertainty), some ranges are smaller, but they are distributions nevertheless. Understanding the nature of these distributions is absolutely critical for decision making and risk analysis.
I added this final section a year after writing the original post because so many questions, so many risk managers missing the plot completely on risk. Erosion of goodwill, reputation, cash flow, NPV are NOT RISKS. They are what Taleb calls function of risk or F(X). Goodwill, reputation, cash flow, NPV are all very important business metrics and we of course can measure the EFFECT risks may have on these metrics by simulation various risk scenarios and how they will collectively affect the desired metric. NPV@risk or CF@risk are common risk management practices. I have an article here on the topic and detailed steps. Same can be done for goodwill, reputation, government funding or literally any other metric, financial or otherwise.
This was just a short intro into what is risk and what it is not. Risk is not likelihood x consequences in a risk matrix, that’s for sure. In the next part I will talk about why dumbing down different risks to a risk register is a horrible idea and how different and unique each risks are and how stochastic decision trees can help.