What is Risk?
Risk. A term which we use on a daily basis, although naively. From the time we get up we worry about the risk of being late for school; while driving, the risk of getting stuck in a traffic jam; in the office, the risk of a bad review; while working late, the risk of health problems; the risk of losing money, and so on. But have you ever wondered what Risk actually is? Think about it for a second.
Risk is a very common and popular term in the world of consulting as well. I was hit by it during my early days of consulting. In fact most consulting firms have a Risk Management department or a Risk Advisory Service in operation today. However, there is no clear answer to the question: what is Risk?
I read through a number of books and online articles, but most answers are very specific to domains like managing risk in finance or managing risk in information security. Risk seemed to have different answers in different domains, but there was no single definition. For newbies it is very difficult to put the word Risk into perspective. One of my managers gave a very simple example to explain Risk which I have carried with me since, and I want to share it in this article. The following article explains the word Risk and the various terms associated with it, like assets, vulnerability, control, impact etc.
History of Risk
The word Risk has its origins in the Greek word rhizikon, which sailors used as a metaphor for “difficulty to avoid in the sea”. Ancient mariners travelling the Mediterranean used this term to refer to ships hitting rocks in shallow waters. Sailors spoke of it this way because they assumed that the uncertainty of survival at sea was caused by the will of the gods.
The word Risk started being used in business terminology in upper Germany around the 16th century, referring to daring or venturing into the unknown for economic success. After the Renaissance, around the 17th century, mathematicians started work on the logic of quantifying the value of risk. Modern-day Risk Management theories and practices started evolving after World War II. Today risk management is used in all sorts of places: the financial world, security, health, disaster recovery, logistics, energy etc.
What is Risk?
In simple terms, Risk is the chance that something bad may happen. I like to think of it as the “Art of dealing with the unknown”. A more comprehensive definition from modern theorists is: “Risk is the probability of a threat causing harm by exploiting a vulnerability in the absence of a control, which impacts negatively on assets like individuals or an organization”. There are many definitions of Risk, as it has evolved over time from the days of the Greek sailors. However, the base premise is the same: the uncertainty of something negative happening.
Any action or endeavor taken by humans carries an element of risk, some more than others. Whether you are driving a car, flying a plane, investing money, building a house, growing old or going to space, there is risk in any human endeavor. Having said this, almost all risks can be managed, which reduces the chance of injury or hurt.
Risk Example 1: Walking to a shop
Let’s understand the word Risk with an easy example. Say you need to walk across the street to go to a shop. Imagine there are clouds in the area. The cloud in this example is a threat which could burst at any time and give rain. If it rains, you have a chance of getting wet. Getting wet is the Risk to you, the asset. The point at which you get wet is the impact point.
Now you can manage this risk by applying controls, or treating the risk. For example, if you have an umbrella or a raincoat you will not get wet. Hence having an umbrella is a control which you may carry with you to reduce your chance of getting wet, reducing the overall impact of the risk. In the absence of an umbrella, i.e. the control, you become vulnerable to the risk. The absence of controls is referred to as vulnerability.
Risk Example 2: Driving a Car
In the early days of car travel, though it was quite an invention to make wheels move forward, it was another invention that could get a car to stop: the brake. Let’s assume you are on the highway, driving a car. The car, being the asset, has a chance of getting into an accident with another vehicle like a truck; this is the Risk. Without a control available to stop your car, you are likely to have an accident. Having brakes in the car is a control which enables you not only to avoid accidents, but also gives you the confidence to go faster.
Another thing to notice about driving cars is that today a whole host of features are presented to you which can reduce the chance of an accident: for example headlights for driving in the dark, seat belts for protection during an accident, air bags for protection from head injury, and proximity sensors which automatically detect a car's speed with respect to incoming objects and decrease the car's speed. There is also insurance, which protects you from the financial liability of medical bills in case an accident does happen. Thus you see, there are a host of controls which can be applied to any risky situation in order to reduce the harmful impact in case the risk comes true.
Sample Risk List
Risks can be found in any human or natural endeavor, and each one comes with a unique set of threats and controls. Below is a SAMPLE list of assets, threats, controls / vulnerabilities and associated risks which we deal with in our daily lives. There are risks which we face as individuals, as organizations, as part of nations or simply as a part of nature. It is important to understand these risks so as to prioritize and work towards reducing their impact.
Why Treat Risk?
Not treating a risk correctly can lead to an extremely disastrous situation like loss of life. Many people live in denial of risks. The first step in managing risks is acknowledging them. Treating risks may not reduce the chance of the risk, but it can definitely reduce its impact. For example, if there are clouds we may not be able to reduce the probability of rain, but carrying an umbrella will definitely reduce the risk of you getting wet.
The Titanic was a British passenger liner that sank in the Atlantic Ocean in the early morning of 15 April 1912 after colliding with an iceberg during her maiden voyage. The sinking resulted in the loss of more than 1,500 passengers and crew, making it one of the deadliest commercial peacetime maritime disasters in modern history. The disaster was greeted with worldwide shock and outrage at the huge loss of life and the regulatory and operational failures that had led to it. Public inquiries in Britain and the United States led to major improvements in maritime safety and the ability of ships to survive in unpredictable seas & oceans. One of their most important legacies was the establishment in 1914 of the International Convention for the Safety of Life at Sea (SOLAS), which still governs maritime safety today. These safety standards are an example of Risk Treatment.
Treatment of Risk – RAAT Principle
Now that we have understood Risk and the various components associated with it, let’s look at how we can treat risk. There are many theories around ways to treat risk, especially when it comes to domain-specific risks; however, generally there are 4 ways of treating a risk. I like to call this the RAAT principle (it’s easy to remember this way), which stands for Reducing Risk, Avoiding Risk, Accepting Risk and Transferring Risk. Let’s look at these concepts closely.
- Reducing Risk: This typically means implementing controls to reduce the impact or chance of the risk. For example, you use an umbrella to reduce the impact of getting wet, or brakes to stop your vehicle. It refers to the use of controls to reduce the risk in hand.
- Avoiding Risk: Avoiding risk stands for situations when you decide to avoid the risk altogether. For example, you decide not to go to the shop now, or decide not to drive at all. Avoiding risk is not always possible; however, depending on circumstances, avoiding certain risks is a good option.
- Accepting Risk: One can accept the risk and continue on the course of action irrespective of the risk. This largely depends on the nature of the risk and the risk-taking ability of the individual or organization. In our example you may decide to cross the street even though you may get wet; however, if you decide to drive your car without brakes then the risk is quite high, as it may injure not only you but also others.
- Transferring Risk: Transferring risk refers to moving the risk to someone or something else. For example, you may ask a friend to cross the street to go to the shop, or you may decide not to drive but to take a bus, thus transferring the risk to someone else. Insurance is a great example of risk transfer, where your risks are insured by another organization for a premium. Thus, depending on the nature of the risks and their controls, one can choose the appropriate risk transfer mechanism.
Most risks in the world have a number of treatment options, where either one or a combination of the RAAT components may come together to reduce the chance of the risk or its impact. It is up to individuals and organizations to take the appropriate treatment action based on the nature of the risk.
Being Risk Averse: Avoiding Risk
One may argue that avoiding risk is always the best course of action; however, no human achievement has been possible by avoiding risk. Some risks need to be taken to overcome situations or to test the heights of human endeavor. Like they say: there is no gain without pain. Hence avoiding risk is itself at times an impediment to achieving goals. No successful business has started by avoiding all risks.
If Edmund Hillary and Tenzing Norgay had been risk averse, they would never have been able to climb Mount Everest. High altitude climbing has a lot of risks associated with it, most of which lead to death. However, undeterred, both of them did finally climb Mount Everest. I am all too well aware of high altitude sickness, having contracted HAPO at 17,000+ feet myself and spending 2 nights in the ICU. I truly respect those who have been able to climb Mount Everest, standing at over 29,000 feet.
Risk Management
Risk Management is concerned with the identification, estimation, treatment and acceptance of risks. Typically each domain, like finance, security or health, has very specific ways of doing the above; however, I would like to explain risk management in a general sense and how things can be evaluated for daily life. The phrase risk management as a whole refers to the overall supervision of risks and how they are treated.
For effective risk management one must select appropriate controls or countermeasures to measure and treat each risk. Risk mitigation needs to be approved by the appropriate level of management based on financial, effort and time requirements. For instance, a risk concerning the image of the organization needs to be a top management decision, whereas IT management would have the authority to decide on computer virus risks (partly that’s also because management may not understand virus-related risks).
Given below is an example of risk management options selected and implemented for the risk of a landslide.
Risk Identification
The Risk Identification process starts with listing assets and putting a value on each based on its importance. You can list assets based on the context of what one needs to evaluate. For example, given below is an example of 2 assets: your home and yourself. You can associate values with each asset based on their importance. Either a 3, 4 or 5 point scale is generally enough. You could also use subjective terms like High, Medium and Low.
If technical resources are not present, then personal judgment can be used to set a value for an asset. The higher the value, the more important the asset. The second step is to list the known or identified threats against the assets and their likelihood of occurrence. One can also use technology to identify threats, like vulnerability scanning in computer science.
Next comes the impact calculation, which can be done based on the perceived impact of each threat if it comes true. For easier calculation, a number may be assigned to each impact to show its significance, similar to the way you set the value of an asset.
The last step in Risk Identification is to calculate the Threat Value, which can be done by simply multiplying the threat's likelihood value by its Impact Value.
Risk Estimation
In the Risk Estimation step the objective is to quantify each risk item. There are 3 components to calculate this: 1) the Asset Value, 2) the Threat Value and 3) the Vulnerability Value. Vulnerability can be calculated by evaluating the controls in place against each risk item. In case controls are not present, the vulnerability can be rated as high; similarly, if controls are present and strong, it could be rated as low. Again, in the absence of any particular standard or technology tool, best judgment can be used to evaluate the vulnerability.
This process is particularly useful as it prioritizes risks and identifies which controls need to be implemented first, since the financial, people and time resources required for risk mitigation are typically limited for an individual or organization. This approach can help you identify where resources should be used in order to have an overall lower risk profile. For example, if you already have an umbrella then buying a raincoat may not be as pressing.
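To make the identification and estimation steps above concrete, here is an added Python example (not part of the original article) that builds a small risk register from the article's own examples: yourself facing a rain cloud with an umbrella in hand, and a home facing a landslide and a fire. It uses the 5-point scales the article suggests. The rule that vulnerability falls as the strongest control in place gets stronger, and the thresholds that place each likelihood × impact cell on a heat-map band, are assumptions made for this example; the asset and threat names, likelihoods, impacts and control strengths are constructed.

```python
from dataclasses import dataclass

# All scales are the 5-point scales the article suggests: 1 = lowest, 5 = highest.
SCALE_MAX = 5

@dataclass(frozen=True)
class Control:
    name: str
    strength: int  # how strong the control is, 1 (weak) .. 4 (strong); assumed scale

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # chance the threat comes true, 1..5
    impact: int            # harm if it does, 1..5
    controls: tuple = ()   # controls in place against this threat

@dataclass(frozen=True)
class Asset:
    name: str
    value: int             # importance of the asset, 1..5
    threats: tuple = ()

def threat_value(t: Threat) -> int:
    """Risk Identification: Threat Value = likelihood x impact."""
    return t.likelihood * t.impact

def vulnerability_value(controls) -> int:
    """Risk Estimation: no control means vulnerability is high (5); the stronger
    the best control in place, the lower it gets. The 'SCALE_MAX minus strongest
    control' rule is an assumption for this example, not the article's."""
    if not controls:
        return SCALE_MAX
    return max(1, SCALE_MAX - max(c.strength for c in controls))

def risk_score(asset: Asset, threat: Threat) -> int:
    """Measure of risk = Asset Value x Threat Value x Vulnerability Value."""
    return asset.value * threat_value(threat) * vulnerability_value(threat.controls)

def heat_band(threat: Threat) -> str:
    """Heat-map band for the likelihood x impact cell (thresholds assumed)."""
    cell = threat_value(threat)
    if cell >= 16:
        return "Critical"
    if cell >= 10:
        return "High"
    if cell >= 5:
        return "Medium"
    return "Low"

def risk_register(assets):
    """(asset, threat, score, band) rows, highest risk first, i.e. treatment order."""
    rows = [(a.name, t.name, risk_score(a, t), heat_band(t))
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample register built from the article's own examples.
SAMPLE_ASSETS = (
    Asset("Yourself", value=5, threats=(
        Threat("Rain cloud", likelihood=4, impact=2, controls=(Control("Umbrella", 4),)),
    )),
    Asset("Home", value=4, threats=(
        Threat("Landslide", likelihood=2, impact=5),                                   # no control in place
        Threat("Fire", likelihood=2, impact=4, controls=(Control("Sprinkler", 3),)),
    )),
)

if __name__ == "__main__":
    for asset, threat, score, band in risk_register(SAMPLE_ASSETS):
        print(f"{asset:<9} {threat:<11} score={score:>4}  heat={band}")
```

Running it lists the landslide first (no control in place, so its vulnerability is 5 and its score 200) and the rain cloud last (score 40): rain is the most likely threat in the register, but the umbrella drives its vulnerability down to 1, which is exactly why a raincoat is not as pressing once you already own an umbrella.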
Risk Treatment
There are 4 types of treatment plans for a risk, following the RAAT principle. Risk treatment options should be chosen based on the results of the risk assessment, the cost of implementation and the expected benefits of each option.
Risk treatment involves reducing the severity of the loss or the likelihood of the loss occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage to electronics and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but their high cost may be prohibitive.
When risk reductions can be obtained at relatively low cost and can be justified by an acceptable return on investment, these options should be implemented preferentially. Many risk treatment options are limited by the organization's or individual's risk appetite.
A heat map diagram like the one below illustrates how one can map the measure of risk, including asset values, threats and vulnerabilities, on a visualization tool and make decisions on which risks to treat first and how many resources to utilize.
Risk Acceptance
Residual risk is the risk that remains after the identified risks have been treated, that is, the risk that remains after the implementation of controls. Residual risks need to be accepted by management or the individual as a cost of doing business, or simply of living.
Residual risk = inherent risk – treated risk by controls
Risk acceptance is viable for small risks, where the cost of insuring against the risk or implementing a control would be greater over time than the total losses sustained. However, it’s important to understand which risks have been knowingly accepted so that it does not come as a surprise if and when they materialize.
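As an added example (not from the article), the following Python models the residual-risk formula above together with the acceptance test this section describes: whether a control is worth adding once the loss it avoids over a period is weighed against its cost, and whether what remains sits within a stated risk appetite. Risk is expressed as an expected annual loss, each control is assumed to treat a fixed fraction of whatever risk the controls before it left untreated, and the umbrella and raincoat figures and the appetite value are constructed for the article's rain example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of the remaining risk this control treats (0..1); assumed model
    annual_cost: float    # what it costs to have the control each year; constructed figures

def residual_risk(inherent: float, controls) -> float:
    """Residual risk = inherent risk - risk treated by controls (the article's formula).
    Risk is an expected annual loss; each control is assumed to treat a fixed
    fraction of whatever risk the controls before it left untreated."""
    treated = 0.0
    for c in controls:
        treated += (inherent - treated) * c.effectiveness
    return inherent - treated

def worth_adding(inherent: float, existing, candidate: Control, years: int) -> bool:
    """Reducing Risk pays only if the loss the new control avoids over the
    period exceeds what the control costs over the same period."""
    before = residual_risk(inherent, existing)
    after = residual_risk(inherent, tuple(existing) + (candidate,))
    avoided_loss = (before - after) * years
    return avoided_loss > candidate.annual_cost * years

def acceptance_decision(inherent: float, controls, appetite: float) -> str:
    """Accepting Risk: the residual may be accepted only when it is within the
    risk appetite; otherwise it goes back for further treatment (or transfer)."""
    return "accept" if residual_risk(inherent, controls) <= appetite else "treat further"

# Constructed figures for the article's rain example: expected annual loss from
# getting wet (ruined clothes, missed appointments) before any control is applied.
INHERENT_WET = 100.0
UMBRELLA = Control("Umbrella", effectiveness=0.8, annual_cost=5.0)
RAINCOAT = Control("Raincoat", effectiveness=0.8, annual_cost=30.0)
APPETITE_WET = 25.0  # constructed: the loss per year the individual is willing to live with

if __name__ == "__main__":
    print("residual with umbrella:", residual_risk(INHERENT_WET, (UMBRELLA,)))
    print("raincoat worth adding with no control?", worth_adding(INHERENT_WET, (), RAINCOAT, years=5))
    print("raincoat worth adding once you own an umbrella?",
          worth_adding(INHERENT_WET, (UMBRELLA,), RAINCOAT, years=5))
    print("decision with umbrella:", acceptance_decision(INHERENT_WET, (UMBRELLA,), APPETITE_WET))
```

With no control the raincoat pays for itself many times over, but once the umbrella has brought the residual down to 20 per year the raincoat would avoid only 16 per year against a cost of 30, so it is not worth adding; the 20 that remains is within the constructed appetite of 25, and so is knowingly accepted rather than treated further.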
Thank You !!!
Principal Engineer @ Emerson | Cybersecurity | Network | CISSP | GSEC | CCNP | CCNA | CEH | ISA62443 (7 years ago): ...all of ??? from my mind & my ideas about to write in risk were all here... GREAT JOB!!!
Eurokids Preschool - Khanamet Kothaguda (8 years ago): Very nice and informative article. Next month we are planning to conduct training on risk management for employees. This content is very useful for me to prepare content for the training; if you don't mind, could I use this material?
Independent consultant (8 years ago): Excellent posting Arjun Das. Covers the complete risk concepts end to end in an easy-to-follow way.
AMFI Registered Mutual Fund Distributor, Personal Finance Educator (8 years ago): Dummy's guide to risk, it can't get simpler than this. Thanks Arjun for the lucid explanation!
Director at MM Consultants OPC Pvt Ltd (8 years ago): Excellent. It will help people who believe they understand risk.