In simple terms, risk is the possibility of something bad happening.
Risk involves
uncertainty
Uncertainty refers to epistemic situations involving imperfect or unknown information. It applies to predictions of future events, to physical measurements that are already made, or to the unknown. Uncertainty arises in partially observable ...
about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.
Many different definitions have been proposed. The international standard definition of risk for common understanding in different applications is “effect of uncertainty on objectives”.
The understanding of risk, the methods of assessment and management, the descriptions of risk and even the definitions of risk differ in different practice areas (
business,
economics
Economics () is the social science that studies the production, distribution, and consumption of goods and services.
Economics focuses on the behaviour and interactions of economic agents and how economies work. Microeconomics analyzes ...
,
environment
Environment most often refers to:
__NOTOC__
* Natural environment, all living and non-living things occurring naturally
* Biophysical environment, the physical and biological factors along with their chemical interactions that affect an organism or ...
,
finance,
information technology
Information technology (IT) is the use of computers to create, process, store, retrieve, and exchange all kinds of Data (computing), data . and information. IT forms part of information and communications technology (ICT). An information te ...
,
health
Health, according to the World Health Organization, is "a state of complete physical, mental and social well-being and not merely the absence of disease and infirmity".World Health Organization. (2006)''Constitution of the World Health Organiza ...
,
insurance
Insurance is a means of protection from financial loss in which, in exchange for a fee, a party agrees to compensate another party in the event of a certain loss, damage, or injury. It is a form of risk management, primarily used to hedge ...
,
safety
Safety is the state of being "safe", the condition of being protected from harm or other danger. Safety can also refer to the control of recognized hazards in order to achieve an acceptable level of risk.
Meanings
There are two slightly dif ...
,
security" \n\n\nsecurity.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called \"security.txt\" in the well known locat ...
etc). This article provides links to more detailed articles on these areas. The international standard for risk management,
ISO 31000
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines on managing risks that could be negative faced by organizatio ...
, provides principles and generic guidelines on managing risks faced by organizations.
Definitions of risk
Oxford English Dictionary
The
Oxford English Dictionary
The ''Oxford English Dictionary'' (''OED'') is the first and foundational historical dictionary of the English language, published by Oxford University Press (OUP). It traces the historical development of the English language, providing a co ...
(OED) cites the earliest use of the word in English (in the spelling of ''risque'' from its French original, 'risque') as of 1621, and the spelling as ''risk'' from 1655. While including several other definitions, the OED 3rd edition defines ''risk'' as:
(Exposure to) the possibility of loss, injury, or other adverse or
welcome circumstance; a chance or situation involving such a possibility.
The
Cambridge Advanced Learner's Dictionary
The ''Cambridge Advanced Learner's Dictionary'' (abbreviated ''CALD'') was first published in 1995 under the name ''Cambridge International Dictionary of English'', by the Cambridge University Press
Cambridge University Press is the ...
gives a simple summary, defining risk as “the possibility of something bad happening”.
International Organization for Standardization
The
International Organization for Standardization
The International Organization for Standardization (ISO ) is an international standard development organization composed of representatives from the national standards organizations of member countries. Membership requirements are given in Art ...
(ISO) Guide 73 provides basic vocabulary to develop common understanding on risk management concepts and terms across different applications. ISO Guide 73:2009 defines risk as:
effect of uncertainty on objectives
Note 1: An effect is a deviation from the expected – positive or negative.
Note 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
Note 3: Risk is often characterized by reference to potential events and consequences or a combination of these.
Note 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
This definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts. It was first adopted in 2002. Its complexity reflects the difficulty of satisfying fields that use the term risk in different ways. Some restrict the term to negative impacts (“downside risks”), while others include positive impacts (“upside risks”).
ISO 31000
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines on managing risks that could be negative faced by organizatio ...
:2018 “Risk management — Guidelines” uses the same definition with a simpler set of notes.
Other
Many other definitions of risk have been influential:
:“Source of harm”. The earliest use of the word “risk” was as a synonym for the much older word “
hazard”, meaning a potential source of harm. This definition comes from Blount’s “Glossographia” (1661) and was the main definition in the OED 1st (1914) and 2nd (1989) editions. Modern equivalents refer to “unwanted events”
[Hansson, Sven Ove]
"Risk"
''The Stanford Encyclopedia of Philosophy (Fall 2018 Edition)'', Edward N. Zalta (ed.) or “something bad that might happen”.
:“Chance of harm”. This definition comes from Johnson’s “Dictionary of the English Language” (1755), and has been widely paraphrased, including “possibility of loss”
or “probability of unwanted events”.
:“Uncertainty about loss”. This definition comes from Willett’s “Economic Theory of Risk and Insurance” (1901). This links “risk” to “
uncertainty
Uncertainty refers to epistemic situations involving imperfect or unknown information. It applies to predictions of future events, to physical measurements that are already made, or to the unknown. Uncertainty arises in partially observable ...
”, which is a broader term than chance or probability.
:“Measurable uncertainty”. This definition comes from Knight’s “Risk, Uncertainty and Profit” (1921). It allows “risk” to be used equally for positive and negative outcomes. In insurance, risk involves situations with unknown outcomes but known probability distributions.
:“Volatility of return”. Equivalence between risk and variance of return was first identified in Markovitz’s “Portfolio Selection” (1952). In finance, volatility of return is often equated to risk.
:“Statistically expected loss”. The
expected value of loss was used to define risk by Wald (1939) in what is now known as
decision theory
Decision theory (or the theory of choice; not to be confused with choice theory) is a branch of applied probability theory concerned with the theory of making decisions based on assigning probabilities to various factors and assigning numerical ...
. The probability of an event multiplied by its magnitude was proposed as a definition of risk for the planning of the
Delta Works
The Delta Works ( nl, Deltawerken) is a series of construction projects in the southwest of the Netherlands to protect a large area of land around the Rhine–Meuse–Scheldt delta from the sea. Constructed between 1954 and 1997, the works con ...
in 1953, a flood protection program in the
Netherlands
)
, anthem = ( en, "William of Nassau")
, image_map =
, map_caption =
, subdivision_type = Sovereign state
, subdivision_name = Kingdom of the Netherlands
, established_title = Before independence
, established_date = Spanish Netherl ...
. It was adopted by the US Nuclear Regulatory Commission (1975), and remains widely used.
:“Likelihood and severity of events”. The “triplet” definition of risk as “scenarios, probabilities and consequences” was proposed by Kaplan & Garrick (1981).
Many definitions refer to the likelihood/probability of events/effects/losses of different severity/consequence, e.g. ISO Guide 73 Note 4.
:“Consequences and associated uncertainty”. This was proposed by Kaplan & Garrick (1981).
This definition is preferred in
Bayesian analysis
Bayesian inference is a method of statistical inference in which Bayes' theorem is used to update the probability for a hypothesis as more evidence or information becomes available. Bayesian inference is an important technique in statistics, and e ...
, which sees risk as the combination of events and uncertainties about them.
:“Uncertain events affecting objectives”. This definition was adopted by the Association for Project Management (1997). With slight rewording it became the definition in ISO Guide 73.
:“Uncertainty of outcome”. This definition was adopted by the UK Cabinet Office (2002) to encourage innovation to improve public services. It allowed “risk” to describe either “positive opportunity or negative threat of actions and events”.
:“Asset, threat and vulnerability”. This definition comes from the Threat Analysis Group (2010) in the context of computer security.
:“Human interaction with uncertainty”. This definition comes from Cline (2015) in the context of adventure education.
Some resolve these differences by arguing that the definition of risk is subjective. For example:
No definition is advanced as the correct one, because there is no one definition that is suitable for all problems. Rather, the choice of definition is a political one, expressing someone’s views regarding the importance of different adverse effects in a particular situation.
The
Society for Risk Analysis
The Society for Risk Analysis (SRA) is a learned society providing an open forum for anyone interested in risk analysis. SRA seeks to:
* Bring together individuals from diverse disciplines and from different countries and provide them opportuni ...
concludes that “experience has shown that to agree on one unified set of definitions is not realistic”. The solution is “to allow for different perspectives on fundamental concepts and make a distinction between overall qualitative definitions and their associated measurements.”
Practice areas
The understanding of risk, the common methods of management, the measurements of risk and even the definition of risk differ in different practice areas. This section provides links to more detailed articles on these areas.
Business risk
Business risks arise from uncertainty about the profit of a commercial business due to unwanted events such as changes in tastes, changing preferences of consumers, strikes, increased competition, changes in government policy, obsolescence etc.
Business risks are controlled using techniques of
risk management. In many cases they may be managed by intuitive steps to prevent or mitigate risks, by following regulations or standards of good practice, or by
insurance
Insurance is a means of protection from financial loss in which, in exchange for a fee, a party agrees to compensate another party in the event of a certain loss, damage, or injury. It is a form of risk management, primarily used to hedge ...
.
Enterprise risk management Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typi ...
includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives;
see also .
Economic risk
Economics
Economics () is the social science that studies the production, distribution, and consumption of goods and services.
Economics focuses on the behaviour and interactions of economic agents and how economies work. Microeconomics analyzes ...
is concerned with the production, distribution and consumption of goods and services. Economic risk arises from uncertainty about economic outcomes. For example, economic risk may be the chance that macroeconomic conditions like exchange rates, government regulation, or political stability will affect an investment or a company’s prospects.
In economics, as in finance, risk is often defined as quantifiable uncertainty about gains and losses.
Environmental risk
Environmental risk arises from
environmental hazards
An environmental hazard is a substance, state or event which has the potential to threaten the surrounding natural environment or adversely affect people's health, including pollution and natural disasters such as storms and earthquakes. It can i ...
or
environmental issues
Environmental issues are effects of human activity on the biophysical environment, most often of which are harmful effects that cause environmental degradation. Environmental protection is the practice of protecting the natural environment on t ...
.
In the environmental context, risk is defined as “The chance of harmful effects to human health or to ecological systems”.
Environmental risk assessment aims to assess the effects of stressors, often chemicals, on the local environment.
Financial risk
Finance is concerned with money management and acquiring funds.
Financial risk arises from uncertainty about financial returns. It includes
market risk
Market risk is the risk of losses in positions arising from movements in market variables like prices and volatility.
There is no unique classification as each classification may refer to different aspects of market risk. Nevertheless, the most ...
,
credit risk
A credit risk is risk of default on a debt that may arise from a borrower failing to make required payments. In the first resort, the risk is that of the lender and includes lost principal and interest, disruption to cash flows, and increased ...
,
liquidity risk and
operational risk.
In finance, risk is the possibility that the actual return on an investment will be different from its expected return. This includes not only "
downside risk
Downside risk is the financial risk associated with losses. That is, it is the risk of the actual return being below the expected return, or the uncertainty about the magnitude of that difference.
Risk measures typically quantify the downside risk ...
" (returns below expectations, including the possibility of losing some or all of the original investment) but also "upside risk" (returns that exceed expectations). In Knight’s definition, risk is often defined as quantifiable uncertainty about gains and losses. This contrasts with
Knightian uncertainty
In economics, Knightian uncertainty is a lack of any quantifiable knowledge about some possible occurrence, as opposed to the presence of quantifiable risk (e.g., that in statistical noise or a parameter's confidence interval). The concept acknow ...
, which cannot be quantified.
Financial risk modeling Financial risk modeling is the use of formal mathematical and econometric techniques to measure, monitor and control the market risk, credit risk, and operational risk on a firm's balance sheet, on a bank's trading book, or re a fund manager ...
determines the aggregate risk in a financial portfolio.
Modern portfolio theory
Modern portfolio theory (MPT), or mean-variance analysis, is a mathematical framework for assembling a portfolio of assets such that the expected return is maximized for a given level of risk. It is a formalization and extension of diversificati ...
measures risk using the
variance
In probability theory and statistics, variance is the expectation of the squared deviation of a random variable from its population mean or sample mean. Variance is a measure of dispersion, meaning it is a measure of how far a set of numbe ...
(or standard deviation) of asset prices. More recent risk measures include
value at risk
Value at risk (VaR) is a measure of the risk of loss for investments. It estimates how much a set of investments might lose (with a given probability), given normal market conditions, in a set time period such as a day. VaR is typically used by ...
.
Because investors are generally
risk averse, investments with greater inherent risk must promise higher expected returns.
Financial risk management uses
financial instruments
Financial instruments are monetary contracts between parties. They can be created, traded, modified and settled. They can be cash (currency), evidence of an ownership interest in an entity or a contractual right to receive or deliver in the form ...
to manage exposure to risk. It includes the use of a
hedge
A hedge or hedgerow is a line of closely spaced shrubs and sometimes trees, planted and trained to form a barrier or to mark the boundary of an area, such as between neighbouring properties. Hedges that are used to separate a road from adjoin ...
to offset risks by adopting a position in an opposing market or investment.
In financial
audit,
audit risk
Audit risk (also referred to as residual risk) as per ISA 200 refers to the risk that the auditor expresses an inappropriate opinion when the financial statements are materiality misstated. This risk is composed of:
* Inherent risk (IR), the ri ...
refers to the potential that an audit report may fail to detect material misstatement either due to error or fraud.
Health risk
Health risks arise from
disease
A disease is a particular abnormal condition that negatively affects the structure or function of all or part of an organism, and that is not immediately due to any external injury. Diseases are often known to be medical conditions that a ...
and other
biological hazards
A biological hazard, or biohazard, is a biological substance that poses a threat to the health of living organisms, primarily humans. This could include a sample of a microorganism, virus or toxin that can adversely affect human health. A bio ...
.
Epidemiology
Epidemiology is the study and analysis of the distribution (who, when, and where), patterns and determinants of health and disease conditions in a defined population.
It is a cornerstone of public health, and shapes policy decisions and evide ...
is the study and analysis of the distribution, patterns and determinants of health and disease. It is a cornerstone of
public health
Public health is "the science and art of preventing disease, prolonging life and promoting health through the organized efforts and informed choices of society, organizations, public and private, communities and individuals". Analyzing the det ...
, and shapes policy decisions by identifying risk factors for disease and targets for
preventive healthcare
Preventive healthcare, or prophylaxis, consists of measures taken for the purposes of disease prevention.Hugh R. Leavell and E. Gurney Clark as "the science and art of preventing disease, prolonging life, and promoting physical and mental hea ...
.
In the context of
public health
Public health is "the science and art of preventing disease, prolonging life and promoting health through the organized efforts and informed choices of society, organizations, public and private, communities and individuals". Analyzing the det ...
,
risk assessment
Broadly speaking, a risk assessment is the combined effort of:
# identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and
# making judgments "on the ...
is the process of characterizing the nature and likelihood of a harmful effect to individuals or populations from certain human activities. Health risk assessment can be mostly qualitative or can include statistical estimates of probabilities for specific populations.
A
health risk assessment
A health risk assessment (also referred to as a health risk appraisal and health & well-being assessment) is a questionnaire about a person's medical history, demographic characteristics and lifestyle. It is one of the most widely used screening t ...
(also referred to as a health risk appraisal and health & well-being assessment) is a questionnaire screening tool, used to provide individuals with an evaluation of their health risks and quality of life
Health, safety, and environment risks
Health, safety, and environment (HSE) are separate practice areas; however, they are often linked. The reason is typically to do with organizational management structures; however, there are strong links among these disciplines. One of the strongest links is that a single risk event may have impacts in all three areas, albeit over differing timescales. For example, the uncontrolled release of radiation or a toxic chemical may have immediate short-term safety consequences, more protracted health impacts, and much longer-term
environmental impact
Environmental issues are effects of human activity on the biophysical environment, most often of which are harmful effects that cause environmental degradation. Environmental protection is the practice of protecting the natural environment on t ...
s. Events such as
Chernobyl
Chernobyl ( , ; russian: Чернобыль, ) or Chornobyl ( uk, Чорнобиль, ) is a partially abandoned city in the Chernobyl Exclusion Zone, situated in the Vyshhorod Raion of northern Kyiv Oblast, Ukraine. Chernobyl is about no ...
, for example, caused immediate deaths, and in the longer term, deaths from cancers, and left a lasting environmental impact leading to
birth defect
A birth defect, also known as a congenital disorder, is an abnormal condition that is present at birth regardless of its cause. Birth defects may result in disabilities that may be physical, intellectual, or developmental. The disabilities ca ...
s, impacts on wildlife, etc.
Information technology risk
Information technology
Information technology (IT) is the use of computers to create, process, store, retrieve, and exchange all kinds of Data (computing), data . and information. IT forms part of information and communications technology (ICT). An information te ...
(IT) is the use of computers to store, retrieve, transmit, and manipulate data.
IT risk
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Re ...
(or cyber risk) arises from the potential that a
threat
A threat is a communication of intent to inflict harm or loss on another person. Intimidation is a tactic used between conflicting parties to make the other timid or psychologically insecure for coercion or control. The act of intimidation for co ...
may exploit a
vulnerability
Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally."
A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...
to breach security and cause harm.
IT risk management
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
:''The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an ...
applies risk management methods to IT to manage IT risks.
Computer security
Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...
is the protection of IT systems by managing IT risks.
Information security
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
is the practice of protecting information by mitigating information risks. While IT risk is narrowly focused on computer security, information risks extend to other forms of information (paper, microfilm).
Insurance risk
Insurance
Insurance is a means of protection from financial loss in which, in exchange for a fee, a party agrees to compensate another party in the event of a certain loss, damage, or injury. It is a form of risk management, primarily used to hedge ...
is a risk treatment option which involves risk sharing. It can be considered as a form of contingent capital and is akin to purchasing an
option in which the buyer pays a small premium to be protected from a potential large loss.
Insurance risk is often taken by insurance companies, who then bear a pool of risks including market risk, credit risk, operational risk, interest rate risk, mortality risk, longevity risks, etc.
The term “risk” has a long history in insurance and has acquired several specialised definitions, including “the subject-matter of an insurance contract”, “an insured peril” as well as the more common “possibility of an event occurring which causes injury or loss”.
Occupational risk
Occupational health and safety
Occupational safety and health (OSH), also commonly referred to as occupational health and safety (OHS), occupational health, or occupational safety, is a multidisciplinary field concerned with the safety, health, and welfare of people at wor ...
is concerned with
occupational hazard
An occupational hazard is a hazard experienced in the workplace. This encompasses many types of hazards, including chemical hazards, biological hazards (biohazards), psychosocial hazards, and physical hazards. In the United States, the Nation ...
s experienced in the workplace.
The Occupational Health and Safety Assessment Series (OHSAS) standard OHSAS 18001 in 1999 defined risk as the “combination of the likelihood and consequence(s) of a specified hazardous event occurring”. In 2018 this was replaced by ISO 45001 “Occupational health and safety management systems”, which use the ISO Guide 73 definition.
Project risk
A
project is an individual or collaborative undertaking planned to achieve a specific aim. Project risk is defined as, "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives”.
Project risk management Within project management, risk management refers to activities for minimizing project risks, and thereby ensuring that a project is completed within time and budget, as well as fulfilling its goals.
Definition of risk and risk management
Risk ma ...
aims to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events in the project.
Safety risk
Safety
Safety is the state of being "safe", the condition of being protected from harm or other danger. Safety can also refer to the control of recognized hazards in order to achieve an acceptable level of risk.
Meanings
There are two slightly dif ...
is concerned with a variety of
hazards
A hazard is a potential source of harm. Substances, events, or circumstances can constitute hazards when their nature would allow them, even just theoretically, to cause damage to health, life, property, or any other interest of value. The probabi ...
that may result in
accidents
An accident is an unintended, normally unwanted event that was not directly caused by humans. The term ''accident'' implies that nobody should be blamed, but the event may have been caused by unrecognized or unaddressed risks. Most researche ...
causing harm to people, property and the environment. In the safety field, risk is typically defined as the “likelihood and severity of hazardous events”. Safety risks are controlled using techniques of
risk management.
A
high reliability organisation (HRO) involves complex operations in environments where catastrophic accidents could occur. Examples include aircraft carriers, air traffic control, aerospace and nuclear power stations. Some HROs manage risk in a highly quantified way. The technique is usually referred to as
Probabilistic Risk Assessment (PRA). See
WASH-1400
WASH-1400, 'The Reactor Safety Study', was a report produced in 1975 for the Nuclear Regulatory Commission by a committee of specialists under Professor Norman Rasmussen. It "generated a storm of criticism in the years following its release". In th ...
for an example of this approach. The incidence rate can also be reduced due to the provision of better occupational health and safety programmes
Security risk
Security" \n\n\nsecurity.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called \"security.txt\" in the well known locat ...
is freedom from, or resilience against, potential harm caused by others.
A security risk is "any event that could result in the compromise of organizational assets i.e. the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities."
Security risk management involves protection of assets from harm caused by deliberate acts.
Assessment and management of risk
Risk management
Risk is ubiquitous in all areas of life and we all manage these risks, consciously or intuitively, whether we are managing a large organization or simply crossing the road. Intuitive risk management is addressed under the
psychology of risk below.
Risk management refers to a systematic approach to managing risks, and sometimes to the profession that does this. A general definition is that risk management consists of “coordinated activities to direct and control an organization with regard to risk".
ISO 31000
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines on managing risks that could be negative faced by organizatio ...
, the international standard for risk management,
describes a risk management process that consists of the following elements:
:Communicating and consulting
:Establishing the scope, context and criteria
:
Risk assessment
Broadly speaking, a risk assessment is the combined effort of:
# identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and
# making judgments "on the ...
- recognising and characterising risks, and evaluating their significance to support decision-making. This includes
risk identification,
risk analysis and
risk evaluation.
:Risk treatment - selecting and implementing options for addressing risk.
:Monitoring and reviewing
:Recording and reporting
In general, the aim of risk management is to assist organizations in “setting strategy, achieving objectives and making informed decisions”.
The outcomes should be “scientifically sound, cost-effective, integrated actions that
reatrisks while taking into account social, cultural, ethical, political, and legal considerations”.
In contexts where risks are always harmful, risk management aims to “reduce or prevent risks”.
In the safety field it aims “to protect employees, the general public, the environment, and company assets, while avoiding business interruptions”.
For organizations whose definition of risk includes “upside” as well as “downside” risks, risk management is “as much about identifying opportunities as avoiding or mitigating losses”. It then involves “getting the right balance between innovation and change on the one hand, and avoidance of shocks and crises on the other”.
Risk assessment
Risk assessment is a systematic approach to recognising and characterising risks, and evaluating their significance, in order to support decisions about how to manage them.
ISO 31000
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines on managing risks that could be negative faced by organizatio ...
defines it in terms of its components as “the overall process of risk identification, risk analysis and risk evaluation”.
Risk assessment can be qualitative, semi-quantitative or quantitative:
:Qualitative approaches are based on qualitative descriptions of risks and rely on judgement to evaluate their significance.
:Semi-quantitative approaches use numerical rating scales to group the consequences and probabilities of events into bands such as “high”, “medium” and “low”. They may use a
risk matrix A risk matrix is a matrix that is used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity. This is a simple mechanism to increase visibility of ri ...
to evaluate the significance of particular combinations of probability and consequence.
:Quantitative approaches, including Quantitative risk assessment (QRA) and
probabilistic risk assessment
Probabilistic risk assessment (PRA) is a systematic and comprehensive methodology to evaluate risks associated with a complex engineered technological entity (such as an airliner or a nuclear power plant) or the effects of stressors on the environm ...
(PRA), estimate probabilities and consequences in appropriate units, combine them into risk metrics, and evaluate them using numerical risk criteria.
The specific steps vary widely in different
practice areas.
Risk identification
Risk identification is “the process of finding, recognizing and recording risks”. It “involves the identification of risk sources, events, their causes and their potential consequences.”
ISO 31000
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines on managing risks that could be negative faced by organizatio ...
describes it as the first step in a risk assessment process, preceding risk analysis and risk evaluation.
In safety contexts, where risk sources are known as hazards, this step is known as “hazard identification”.
There are many different methods for identifying risks, including:
:Checklists or taxonomies based on past data or theoretical models.
:Evidence-based methods, such as literature reviews and analysis of historical data.
:Team-based methods that systematically consider possible deviations from normal operations, e.g.
HAZOP A hazard and operability study (HAZOP) is a structured and systematic examination of a complex plan or operation in order to identify and evaluate problems that may represent risks to personnel or equipment. The intention of performing a HAZOP is to ...
,
FMEA and
SWIFT
Swift or SWIFT most commonly refers to:
* SWIFT, an international organization facilitating transactions between banks
** SWIFT code
* Swift (programming language)
* Swift (bird), a family of birds
It may also refer to:
Organizations
* SWIFT, ...
.
:Empirical methods, such as testing and modelling to identify what might happen under particular circumstances.
:Techniques encouraging imaginative thinking about possibilities of the future, such as
scenario analysis
Scenario planning, scenario thinking, scenario analysis, scenario prediction and the scenario method all describe a strategic planning method that some organizations use to make flexible long-term plans. It is in large part an adaptation and gener ...
.
:Expert-elicitation methods such as
brainstorming
Brainstorming is a group creativity technique by which efforts are made to find a conclusion for a specific problem by gathering a list of ideas spontaneously contributed by its members.
In other words, brainstorming is a situation where a grou ...
, interviews and
audits.
Sometimes, risk identification methods are limited to finding and documenting risks that are to be analysed and evaluated elsewhere. However, many risk identification methods also consider whether control measures are sufficient and recommend improvements. Hence they function as stand-alone qualitative risk assessment techniques.
Risk analysis
Risk analysis is about developing an understanding of the risk. ISO defines it as “the process to comprehend the nature of risk and to determine the level of risk”.
In the ISO 31000 risk assessment process, risk analysis follows risk identification and precedes risk evaluation. However, these distinctions are not always followed.
Risk analysis may include:
:Determining the sources, causes and drivers of risk
:Investigating the effectiveness of existing controls
:Analysing possible consequences and their likelihood
:Understanding interactions and dependencies between risks
:Determining measures of risk
:Verifying and validating results
:Uncertainty and sensitivity analysis
Risk analysis often uses data on the probabilities and consequences of previous events. Where there have been few such events, or in the context of systems that are not yet operational and therefore have no previous experience, various analytical methods may be used to estimate the probabilities and consequences:
:Proxy or analogue data from other contexts, presumed to be similar in some aspects of risk.
:Theoretical models, such as
Monte Carlo simulation and
Quantitative risk assessment software Quantitative risk assessment (QRA) software and methodologies give quantitative estimates of risks, given the parameters defining them. They are used in the financial sector, the chemical process industry, and other areas.
In financial terms, quant ...
.
:Logical models, such as
Bayesian networks
A Bayesian network (also known as a Bayes network, Bayes net, belief network, or decision network) is a probabilistic graphical model that represents a set of variables and their conditional dependencies via a directed acyclic graph (DAG). Bay ...
,
fault tree analysis
Fault tree analysis (FTA) is a type of failure analysis in which an undesired state of a system is examined. This analysis method is mainly used in safety engineering and reliability engineering to understand how systems can fail, to identify ...
and
event tree analysis Event tree analysis (ETA) is a forward, top-down, logical modeling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system anal ...
:Expert judgement, such as
absolute probability judgement
Absolute probability judgement is a technique used in the field of human reliability assessment (HRA), for the purposes of evaluating the probability of a human error occurring throughout the completion of a specific task. From such analyses measur ...
or the
Delphi method }
The Delphi method or Delphi technique ( ; also known as Estimate-Talk-Estimate or ETE) is a structured communication technique or method, originally developed as a systematic, interactive forecasting method which relies on a panel of experts. The ...
.
Risk evaluation and risk criteria
Risk evaluation involves comparing estimated levels of risk against risk criteria to determine the significance of the risk and make decisions about risk treatment actions.
In most activities, risks can be reduced by adding further controls or other treatment options, but typically this increases cost or inconvenience. It is rarely possible to eliminate risks altogether without discontinuing the activity. Sometimes it is desirable to increase risks to secure valued benefits. Risk criteria are intended to guide decisions on these issues.
Types of criteria include:
:Criteria that define the level of risk that can be accepted in pursuit of objectives, sometimes known as
risk appetite
Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats, ...
, and evaluated by risk/reward analysis.
:Criteria that determine whether further controls are needed, such as
benefit-cost ratio.
:Criteria that decide between different risk management options, such as
multiple-criteria decision analysis
Multiple-criteria decision-making (MCDM) or multiple-criteria decision analysis (MCDA) is a sub-discipline of operations research that explicitly evaluates multiple conflicting criteria in decision making (both in daily life and in settings ...
.
The simplest framework for risk criteria is a single level which divides acceptable risks from those that need treatment. This gives attractively simple results but does not reflect the uncertainties involved both in estimating risks and in defining the criteria.
The tolerability of risk framework, developed by the UK
Health and Safety Executive, divides risks into three bands:
:Unacceptable risks – only permitted in exceptional circumstances.
:Tolerable risks – to be kept as low as reasonably practicable (
ALARP
ALARP ("as low as reasonably practicable"), or ALARA ("as low as reasonably achievable"), is a principle in the regulation and management of safety-critical and safety-involved systems. The principle is that the residual risk shall be reduced as f ...
), taking into account the costs and benefits of further risk reduction.
:Broadly acceptable risks – not normally requiring further reduction.
Descriptions of risk
There are many different
risk metric
In the context of risk measurement, a risk metric is the concept quantified by a risk measure. When choosing a risk metric, an agent is picking an aspect of perceived risk to investigate, such as volatility or probability of default.
Risk measu ...
s that can be used to describe or “measure” risk.
Triplets
Risk is often considered to be a set of triplets
(also described as a vector
):
:
for i = 1,2,....,N
where:
:
is a scenario describing a possible event
:
is the probability of the scenario
:
is the consequence of the scenario
:
is the number of scenarios chosen to describe the risk
These are the answers to the three fundamental questions asked by a risk analysis:
:What can happen?
:How likely is it to happen?
:If it does happen, what would the consequences be?
Risks expressed in this way can be shown in a table or
risk register
A risk register (PRINCE2) is a document used as a risk management tool and to fulfill regulatory compliance acting as a repository for all risks identified and includes additional information about each risk, e.g., nature of the risk, reference an ...
. They may be quantitative or qualitative, and can include positive as well as negative consequences.
The scenarios can be plotted in a consequence/likelihood matrix (or
risk matrix A risk matrix is a matrix that is used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity. This is a simple mechanism to increase visibility of ri ...
). These typically divide consequences and likelihoods into 3 to 5 bands. Different scales can be used for different types of consequences (e.g. finance, safety, environment etc.), and can include positive as well as negative consequences.
An updated version
recommends the following general description of risk:
:
where:
:
is an event that might occur
:
is the consequences of the event
:
is an assessment of uncertainties
:
is a knowledge-based probability of the event
:
is the background knowledge that U and P are based on
Probability distributions
If all the consequences are expressed in the same units (or can be converted into a consistent
loss function), the risk can be expressed as a
probability density function
In probability theory, a probability density function (PDF), or density of a continuous random variable, is a function whose value at any given sample (or point) in the sample space (the set of possible values taken by the random variable) ca ...
describing the “uncertainty about outcome”:
:
This can also be expressed as a
cumulative distribution function (CDF) (or S curve
).
One way of highlighting the tail of this distribution is by showing the probability of exceeding given losses, known as a
complementary cumulative distribution function, plotted on logarithmic scales. Examples include frequency-number (FN) diagrams, showing the annual frequency of exceeding given numbers of fatalities.
A simple way of summarising the size of the distribution’s tail is the loss with a certain probability of exceedance, such as the
Value at Risk
Value at risk (VaR) is a measure of the risk of loss for investments. It estimates how much a set of investments might lose (with a given probability), given normal market conditions, in a set time period such as a day. VaR is typically used by ...
.
Expected values
Risk is often measured as the
expected value of the loss. This combines the probabilities and consequences into a single value. See also
Expected utility The expected utility hypothesis is a popular concept in economics that serves as a reference guide for decisions when the payoff is uncertain. The theory recommends which option rational individuals should choose in a complex situation, based on the ...
. The simplest case is a binary possibility of ''Accident'' or ''No accident''. The associated formula for calculating risk is then:
:
For example, if there is a probability of 0.01 of suffering an accident with a loss of $1000, then total risk is a loss of $10, the product of 0.01 and $1000.
In a situation with several possible accident scenarios, total risk is the sum of the risks for each scenario, provided that the outcomes are comparable:
:
(terms defined above)
In statistical decision theory, the
risk function is defined as the expected value of a given
loss function as a function of the
decision rule
In decision theory, a decision rule is a function which maps an observation to an appropriate action. Decision rules play an important role in the theory of statistics and economics, and are closely related to the concept of a strategy in game t ...
used to make decisions in the face of uncertainty.
A disadvantage of defining risk as the product of impact and probability is that it presumes, unrealistically, that decision-makers are
risk-neutral
In economics and finance, risk neutral preferences are preferences that are neither risk averse nor risk seeking. A risk neutral party's decisions are not affected by the degree of uncertainty in a set of outcomes, so a risk neutral party is indif ...
. A risk-neutral person's utility is proportional to the
expected value of the payoff. For example, a risk-neutral person would consider 20% chance of winning $1 million exactly as desirable as getting a certain $200,000. However, most decision-makers are not actually risk-neutral and would not consider these equivalent choices.
Volatility
In
finance,
volatility is the degree of variation of a trading price over time, usually measured by the standard deviation of logarithmic returns.
Modern portfolio theory
Modern portfolio theory (MPT), or mean-variance analysis, is a mathematical framework for assembling a portfolio of assets such that the expected return is maximized for a given level of risk. It is a formalization and extension of diversificati ...
measures risk using the
variance
In probability theory and statistics, variance is the expectation of the squared deviation of a random variable from its population mean or sample mean. Variance is a measure of dispersion, meaning it is a measure of how far a set of numbe ...
(or standard deviation) of asset prices. The risk is then:
:
The
beta coefficient
In finance, the beta (β or market beta or beta coefficient) is a measure of how an individual asset moves (on average) when the overall stock market increases or decreases. Thus, beta is a useful measure of the contribution of an individual a ...
measures the volatility of an individual asset to overall market changes. This is the asset’s contribution to
systematic risk
In finance and economics, systematic risk (in economics often called aggregate risk or undiversifiable risk) is vulnerability to events which affect aggregate outcomes such as broad market returns, total economy-wide resource holdings, or aggreg ...
, which cannot be eliminated by portfolio diversification. It is the
covariance
In probability theory and statistics, covariance is a measure of the joint variability of two random variables. If the greater values of one variable mainly correspond with the greater values of the other variable, and the same holds for the ...
between the asset’s return r
i and the market return r
m, expressed as a fraction of the market variance:
:
Outcome frequencies
Risks of discrete events such as accidents are often measured as outcome
frequencies, or expected rates of specific loss events per unit time. When small, frequencies are numerically similar to probabilities, but have dimensions of
/timeand can sum to more than 1. Typical outcomes expressed this way include:
:Individual risk - the frequency of a given level of harm to an individual.
It often refers to the expected annual probability of death. Where
risk criteria refer to the individual risk, the risk assessment must use this metric.
:Group (or societal risk) – the relationship between the frequency and the number of people suffering harm.
:Frequencies of property damage or total loss.
:Frequencies of environmental damage such as oil spills.
Relative risk
In health, the
relative risk is the ratio of the probability of an outcome in an exposed group to the probability of an outcome in an unexposed group.
Psychology of risk
Risk perception
Intuitive risk assessment
An understanding that future events are uncertain and a particular concern about harmful ones may arise in anyone living in a community, experiencing seasons, hunting animals or growing crops. Most adults therefore have an intuitive understanding of risk. This may not be exclusive to humans.
In ancient times, the dominant belief was in divinely determined fates, and attempts to influence the gods may be seen as early forms of risk management. Early uses of the word ‘risk’ coincided with an erosion of belief in divinely ordained fate.
Risk perception
Risk perception is the subjective judgement that people make about the characteristics and severity of a risk. Risk perceptions are different for the real risks since they are affected by a wide range of affective (emotions, feelings, moods, etc.) ...
is the subjective judgement that people make about the characteristics and severity of a risk. At its most basic, the perception of risk is an intuitive form of risk analysis.
Heuristics and biases
Intuitive understanding of risk differs in systematic ways from accident statistics. When making judgements about uncertain events, people rely on a few
heuristic
A heuristic (; ), or heuristic technique, is any approach to problem solving or self-discovery that employs a practical method that is not guaranteed to be optimal, perfect, or rational, but is nevertheless sufficient for reaching an immediate ...
principles, which convert the task of estimating probabilities to simpler judgements. These heuristics are useful but suffer from systematic biases.
The “
availability heuristic
The availability heuristic, also known as availability bias, is a mental shortcut that relies on immediate examples that come to a given person's mind when evaluating a specific topic, concept, method, or decision. This heuristic, operating on the ...
” is the process of judging the probability of an event by the ease with which instances come to mind. In general, rare but dramatic causes of death are over-estimated while common unspectacular causes are under-estimated.
An “
availability cascade An availability cascade is a self-reinforcing cycle that explains the development of certain kinds of collective beliefs. A novel idea or insight, usually one that seems to explain a complex process in a simple or straightforward manner, gains rapid ...
” is a self-reinforcing cycle in which public concern about relatively minor events is amplified by media coverage until the issue becomes politically important.
Despite the difficulty of thinking statistically, people are typically over-confident in their judgements. They over-estimate their understanding of the world and under-estimate the role of chance. Even experts are over-confident in their judgements.
Psychometric paradigm
The “
psychometric
Psychometrics is a field of study within psychology concerned with the theory and technique of measurement. Psychometrics generally refers to specialized fields within psychology and education devoted to testing, measurement, assessment, and ...
paradigm” assumes that risk is subjectively defined by individuals, influenced by factors that can be elicited by surveys. People’s perception of the risk from different hazards depends on three groups of factors:
*Dread – the degree to which the hazard is feared or might be fatal, catastrophic, uncontrollable, inequitable, involuntary, increasing or difficult to reduce.
*Unknown - the degree to which the hazard is unknown to those exposed, unobservable, delayed, novel or unknown to science.
*Number of people exposed.
Hazards with high perceived risk are in general seen as less acceptable and more in need of reduction.
Cultural theory of risk
Cultural Theory
Cultural studies is an interdisciplinary field that examines the political dynamics of contemporary culture (including popular culture) and its historical foundations. Cultural studies researchers generally investigate how cultural practices r ...
views risk perception as a collective phenomenon by which different cultures select some risks for attention and ignore others, with the aim of maintaining their particular way of life. Hence risk perception varies according to the preoccupations of the culture. The theory distinguishes variations known as “group” (the degree of binding to social groups) and “grid” (the degree of social regulation), leading to four world-views:
*Hierarchists (high group /high grid), who tend to approve of technology providing its risks are evaluated as acceptable by experts.
*Egalitarians (high group/low grid), who tend to object to technology because it perpetuates inequalities that harm society and the environment.
*Individualists (low group/low grid), who tend to approve of technology and see risks as opportunities.
*Fatalists (low group/high grid), who do not knowingly take risks but tend to accept risks that are imposed on them
Cultural Theory helps explain why it can be difficult for people with different world-views to agree about whether a hazard is acceptable, and why risk assessments may be more persuasive for some people (e.g. hierarchists) than others. However, there is little quantitative evidence that shows cultural biases are strongly predictive of risk perception.
Risk and emotion
The importance of emotion in risk
While risk assessment is often described as a logical, cognitive process, emotion also has a significant role in determining how people react to risks and make decisions about them. Some argue that intuitive emotional reactions are the predominant method by which humans evaluate risk. A purely statistical approach to disasters lacks emotion and thus fails to convey the true meaning of disasters and fails to motivate proper action to prevent them. This is consistent with psychometric research showing the importance of “dread” (an emotion) alongside more logical factors such as the number of people exposed.
The field of
behavioural economics
Behavioral economics studies the effects of psychological, cognitive, emotional, cultural and social factors on the decisions of individuals or institutions, such as how those decisions vary from those implied by classical economic theory.
...
studies human risk-aversion, asymmetric regret, and other ways that human financial behaviour varies from what analysts call "rational". Recognizing and respecting the irrational influences on human decision making may improve naive risk assessments that presume rationality but in fact merely fuse many shared biases.
The affect heuristic
The “
affect heuristic
The affect heuristic is a heuristic, a mental shortcut that allows people to make decisions and solve problems quickly and efficiently, in which current emotion—fear, pleasure, surprise, etc.—influences decisions. In other words, it is a typ ...
” proposes that judgements and decision-making about risks are guided, either consciously or unconsciously, by the positive and negative feelings associated with them. This can explain why judgements about risks are often inversely correlated with judgements about benefits. Logically, risk and benefit are distinct entities, but it seems that both are linked to an individual’s feeling about a hazard.
Fear, anxiety and risk
Worry
Worry refers to the thoughts, images, emotions, and actions of a negative nature in a repetitive, uncontrollable manner that results from a proactive cognitive risk analysis made to avoid or solve anticipated potential threats and their poten ...
or
anxiety
Anxiety is an emotion which is characterized by an unpleasant state of inner turmoil and includes feelings of dread over anticipated events. Anxiety is different than fear in that the former is defined as the anticipation of a future threat wh ...
is an emotional state that is stimulated by anticipation of a future negative outcome, or by uncertainty about future outcomes. It is therefore an obvious accompaniment to risk, and is initiated by many hazards and linked to increases in perceived risk. It may be a natural incentive for risk reduction. However, worry sometimes triggers behaviour that is irrelevant or even increases objective measurements of risk.
Fear
Fear is an intensely unpleasant emotion in response to perceiving or recognizing a danger or threat. Fear causes physiological changes that may produce behavioral reactions such as mounting an aggressive response or fleeing the threat. Fear ...
is a more intense emotional response to danger, which increases the perceived risk. Unlike anxiety, it appears to dampen efforts at risk minimisation, possibly because it provokes a feeling of helplessness.
Dread risk
It is common for people to dread some risks but not others: They tend to be very afraid of epidemic diseases, nuclear power plant failures, and plane accidents but are relatively unconcerned about some highly frequent and deadly events, such as traffic crashes, household accidents, and medical errors. One key distinction of dreadful risks seems to be their potential for catastrophic consequences,
threatening to kill a large number of people within a short period of time. For example, immediately after the
11 September attacks
The September 11 attacks, commonly known as 9/11, were four coordinated suicide terrorist attacks carried out by al-Qaeda against the United States on Tuesday, September 11, 2001. That morning, nineteen terrorists hijacked four commerci ...
, many Americans were afraid to fly and took their car instead, a decision that led to a significant increase in the number of fatal crashes in the time period following the 9/11 event compared with the same time period before the attacks.
Different hypotheses have been proposed to explain why people fear dread risks. First, the
psychometric paradigm suggests that high lack of control, high catastrophic potential, and severe consequences account for the increased risk perception and anxiety associated with dread risks. Second, because people estimate the frequency of a risk by recalling instances of its occurrence from their social circle or the media, they may overvalue relatively rare but dramatic risks because of their overpresence and undervalue frequent, less dramatic risks.
Third, according to the preparedness hypothesis, people are prone to fear events that have been particularly threatening to survival in human evolutionary history. Given that in most of human evolutionary history people lived in relatively small groups, rarely exceeding 100 people, a dread risk, which kills many people at once, could potentially wipe out one's whole group. Indeed, research found that people's fear peaks for risks killing around 100 people but does not increase if larger groups are killed. Fourth, fearing dread risks can be an ecologically rational strategy. Besides killing a large number of people at a single point in time, dread risks reduce the number of children and young adults who would have potentially produced offspring. Accordingly, people are more concerned about risks killing younger, and hence more fertile, groups.
Outrage
Outrage
Outrage may refer to:
* Outrage (emotion), an emotion
* Tort of outrage, in law, an alternative term for ''intentional infliction of emotional distress''
Books
* ''Outrage'', a novel by Henry Denker 1982
* ''Outrage'', a play by Itamar Moses 2 ...
is a strong moral emotion, involving anger over an adverse event coupled with an attribution of blame towards someone perceived to have failed to do what they should have done to prevent it. Outrage is the consequence of an event, involving a strong belief that risk management has been inadequate. Looking forward, it may greatly increase the perceived risk from a hazard.
Human factors
One of the growing areas of focus in risk management is the field of
human factors
Human factors and ergonomics (commonly referred to as human factors) is the application of psychological and physiological principles to the engineering and design of products, processes, and systems. Four primary goals of human factors learnin ...
where behavioural and organizational psychology underpin our understanding of risk based decision making. This field considers questions such as "how do we make risk based decisions?", "why are we irrationally more scared of sharks and terrorists than we are of motor vehicles and medications?"
In
decision theory
Decision theory (or the theory of choice; not to be confused with choice theory) is a branch of applied probability theory concerned with the theory of making decisions based on assigning probabilities to various factors and assigning numerical ...
, regret (and anticipation of regret) can play a significant part in decision-making, distinct from
risk aversion
In economics and finance, risk aversion is the tendency of people to prefer outcomes with low uncertainty to those outcomes with high uncertainty, even if the average outcome of the latter is equal to or higher in monetary value than the more c ...
(preferring the status quo in case one becomes worse off).
Framing is a fundamental problem with all forms of risk assessment. In particular, because of
bounded rationality (our brains get overloaded, so we take mental shortcuts), the risk of extreme events is discounted because the probability is too low to evaluate intuitively. As an example, one of the leading causes of death is
road accidents caused by
drunk driving – partly because any given driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident.
For instance, an extremely disturbing event (an attack by hijacking, or
moral hazard
In economics, a moral hazard is a situation where an economic actor has an incentive to increase its exposure to risk because it does not bear the full costs of that risk. For example, when a corporation is insured, it may take on higher risk ...
s) may be ignored in analysis despite the fact it has occurred and has a nonzero probability. Or, an event that everyone agrees is inevitable may be ruled out of analysis due to greed or an unwillingness to admit that it is believed to be inevitable. These human tendencies for error and
wishful thinking
Wishful thinking is the formation of beliefs based on what might be pleasing to imagine, rather than on evidence, rationality, or reality. It is a product of resolving conflicts between belief and desire.
Methodologies to examine wishful thin ...
often affect even the most rigorous applications of the
scientific method
The scientific method is an empirical method for acquiring knowledge that has characterized the development of science since at least the 17th century (with notable practitioners in previous centuries; see the article history of scientific ...
and are a major concern of the
philosophy of science
Philosophy of science is a branch of philosophy concerned with the foundations, methods, and implications of science. The central questions of this study concern what qualifies as science, the reliability of scientific theories, and the ult ...
.
All
decision-making under uncertainty must consider
cognitive bias,
cultural bias, and notational bias: No group of people assessing risk is immune to "
groupthink
Groupthink is a psychological phenomenon that occurs within a group of people in which the desire for harmony or conformity in the group results in an irrational or dysfunctional decision-making outcome. Cohesiveness, or the desire for cohesiveness ...
": acceptance of obviously wrong answers simply because it is socially painful to disagree, where there are
conflicts of interest
A conflict of interest (COI) is a situation in which a person or organization is involved in multiple wikt:interest#Noun, interests, finance, financial or otherwise, and serving one interest could involve working against another. Typically, t ...
.
Framing involves other information that affects the outcome of a risky decision. The right prefrontal cortex has been shown to take a more global perspective while greater left prefrontal activity relates to local or focal processing.
From the Theory of Leaky Modules McElroy and Seta proposed that they could predictably alter the framing effect by the selective manipulation of regional prefrontal activity with finger tapping or monaural listening. The result was as expected. Rightward tapping or listening had the effect of narrowing attention such that the frame was ignored. This is a practical way of manipulating regional cortical activation to affect risky decisions, especially because directed tapping or listening is easily done.
Psychology of risk taking
A growing area of research has been to examine various psychological aspects of risk taking. Researchers typically run randomised experiments with a treatment and control group to ascertain the effect of different psychological factors that may be associated with risk taking. Thus, positive and negative feedback about past risk taking can affect future risk taking. In an experiment, people who were led to believe they are very competent at decision making saw more opportunities in a risky choice and took more risks, while those led to believe they were not very competent saw more threats and took fewer risks.
Other considerations
Risk and uncertainty
In his seminal work ''Risk, Uncertainty, and Profit'',
Frank Knight
Frank Hyneman Knight (November 7, 1885 – April 15, 1972) was an American economist who spent most of his career at the University of Chicago, where he became one of the founders of the Chicago School. Nobel laureates Milton Friedman, George ...
(1921) established the distinction between risk and uncertainty.
Thus,
Knightian uncertainty
In economics, Knightian uncertainty is a lack of any quantifiable knowledge about some possible occurrence, as opposed to the presence of quantifiable risk (e.g., that in statistical noise or a parameter's confidence interval). The concept acknow ...
is immeasurable, not possible to calculate, while in the Knightian sense risk is measurable.
Another distinction between risk and uncertainty is proposed by Douglas Hubbard:
[Douglas Hubbard "The Failure of Risk Management: Why It's Broken and How to Fix It, John Wiley & Sons, 2009. Page 22 of https://canvas.uw.edu/courses/1066599/files/37549842/download?verifier=ar2VjVOxCU8sEQr23I5LEBpr89B6fnwmoJgBinqj&wrap=1]
:Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility. The "true" outcome/state/result/value is not known.
:Measurement of uncertainty: A set of probabilities assigned to a set of possibilities. Example: "There is a 60% chance this market will double in five years"
:Risk: A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.
:Measurement of risk: A set of possibilities each with quantified probabilities and quantified losses. Example: "There is a 40% chance the proposed oil well will be dry with a loss of $12 million in exploratory drilling costs".
In this sense, one may have uncertainty without risk but not risk without uncertainty. We can be uncertain about the winner of a contest, but unless we have some personal stake in it, we have no risk. If we bet money on the outcome of the contest, then we have a risk. In both cases there are more than one outcome. The measure of uncertainty refers only to the probabilities assigned to outcomes, while the measure of risk requires both probabilities for outcomes and losses quantified for outcomes.
Mild Versus Wild Risk
Benoit Mandelbrot distinguished between "mild" and "wild" risk and argued that risk assessment and analysis must be fundamentally different for the two types of risk. Mild risk follows
normal Normal(s) or The Normal(s) may refer to:
Film and television
* ''Normal'' (2003 film), starring Jessica Lange and Tom Wilkinson
* ''Normal'' (2007 film), starring Carrie-Anne Moss, Kevin Zegers, Callum Keith Rennie, and Andrew Airlie
* ''Norma ...
or near-normal
probability distributions, is subject to
regression to the mean
In statistics, regression toward the mean (also called reversion to the mean, and reversion to mediocrity) is the fact that if one sample of a random variable is extreme, the next sampling of the same random variable is likely to be closer to it ...
and the
law of large numbers, and is therefore relatively predictable. Wild risk follows
fat-tailed distribution
A fat-tailed distribution is a probability distribution that exhibits a large skewness or kurtosis, relative to that of either a normal distribution or an exponential distribution. In common usage, the terms fat-tailed and heavy-tailed are someti ...
s, e.g.,
Pareto or
power-law distributions
In statistics, a power law is a functional relationship between two quantities, where a relative change in one quantity results in a proportional relative change in the other quantity, independent of the initial size of those quantities: one q ...
, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. A common error in risk assessment and analysis is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and analysis are to be valid and reliable, according to Mandelbrot.
Risk attitude, appetite and tolerance
The terms ''risk attitude'', ''appetite'', and ''tolerance'' are often used similarly to describe an organisation's or individual's attitude towards risk-taking. One's attitude may be described as ''risk-averse'', ''risk-neutral'', or ''risk-seeking''. Risk tolerance looks at acceptable/unacceptable deviations from what is expected. Risk appetite looks at how much risk one is willing to accept. There can still be deviations that are within a risk appetite. For example, recent research finds that insured individuals are significantly likely to divest from risky asset holdings in response to a decline in health, controlling for variables such as income, age, and out-of-pocket medical expenses.
Gambling is a risk-increasing investment, wherein money on hand is risked for a possible large return, but with the possibility of losing it all. Purchasing a lottery ticket is a very risky investment with a high chance of no return and a small chance of a very high return. In contrast, putting money in a bank at a defined rate of interest is a risk-averse action that gives a guaranteed return of a small gain and precludes other investments with possibly higher gain. The possibility of getting no return on an investment is also known as the
rate of ruin
Rate or rates may refer to:
Finance
* Rates (tax), a type of taxation system in the United Kingdom used to fund local government
* Exchange rate, rate at which one currency will be exchanged for another
Mathematics and science
* Rate (mathema ...
.
Risk compensation
Risk compensation is a theory which suggests that people typically adjust their behavior in response to perceived levels of risk, becoming more careful where they sense greater risk and less careful if they feel more protected. Although usually ...
is a
theory
A theory is a rational type of abstract thinking about a phenomenon, or the results of such thinking. The process of contemplative and rational thinking is often associated with such processes as observational study or research. Theories may be ...
which suggests that people typically adjust their
behavior in response to the perceived level of risk, becoming more careful where they sense greater risk and less careful if they feel more protected.
By way of example, it has been observed that motorists drove faster when wearing
seatbelt
A seat belt (also known as a safety belt, or spelled seatbelt) is a vehicle safety device designed to secure the driver or a passenger of a vehicle against harmful movement that may result during a collision or a sudden stop. A seat belt red ...
s and closer to the vehicle in front when the vehicles were fitted with
anti-lock brakes
An anti-lock braking system (ABS) is a automobile safety, safety anti-Skid (automobile), skid Brake, braking system used on aircraft and on land motor vehicle, vehicles, such as cars, motorcycles, trucks, and buses. ABS operates by preventing t ...
.
Risk and autonomy
The experience of many people who rely on human services for support is that 'risk' is often used as a reason to prevent them from gaining further independence or fully accessing the community, and that these services are often unnecessarily risk averse. "People's autonomy used to be compromised by institution walls, now it's too often our risk management practices", according to
John O'Brien. Michael Fischer and Ewan Ferlie (2013) find that contradictions between formal risk controls and the role of subjective factors in human services (such as the role of emotions and ideology) can undermine service values, so producing tensions and even intractable and 'heated' conflict.
Risk society
Anthony Giddens and
Ulrich Beck argued that whilst humans have always been subjected to a level of risk – such as
natural disasters – these have usually been perceived as produced by non-human forces. Modern societies, however, are exposed to risks such as
pollution
Pollution is the introduction of contaminants into the natural environment that cause adverse change. Pollution can take the form of any substance (solid, liquid, or gas) or energy (such as radioactivity, heat, sound, or light). Pollutants, the ...
, that are the result of the
modernization process itself. Giddens defines these two types of risks as
external risk External risks are generally something that is uncontrollable by the first party.
In contract law
In contract law, are risks that are produced by a non-human source and are beyond human control. They are unexpected but happen regularly enough in a ...
s and
manufactured risks Manufactured risks are risks that are produced by the modernization process, particularly by innovative developments in science and technology. They create risk environments that have little historical reference, and are therefore largely unpredicta ...
. The term ''
Risk society
Risk society is the manner in which modern society organizes in response to risk. The term is closely associated with several key writers on modernity, in particular Ulrich Beck and Anthony Giddens. The term was coined in the 1980s and its popula ...
'' was coined in the 1980s and its popularity during the 1990s was both as a consequence of its links to trends in thinking about wider modernity, and also to its links to popular discourse, in particular the growing environmental concerns during the period.
List of related books
This is a list of books about risk issues.
See also
*
Ambiguity aversion
In decision theory and economics, ambiguity aversion (also known as uncertainty aversion) is a preference for known risks over unknown risks. An ambiguity-averse individual would rather choose an alternative where the probability distribution of th ...
*
Audit risk
Audit risk (also referred to as residual risk) as per ISA 200 refers to the risk that the auditor expresses an inappropriate opinion when the financial statements are materiality misstated. This risk is composed of:
* Inherent risk (IR), the ri ...
*
Benefit shortfall
When the actual benefits of a venture are less than the projected or estimated benefits, the result is known as a benefit shortfall.
If, for instance, a company is launching a new product or service and projected sales are 40 million dollars per ...
*
Civil defence
Civil defense ( en, region=gb, civil defence) or civil protection is an effort to protect the citizens of a state (generally non-combatants) from man-made and natural disasters. It uses the principles of emergency operations: prevention, mit ...
*
Countermeasure
A countermeasure is a measure or action taken to counter or offset another one. As a general concept, it implies precision and is any technological or tactical solution or system designed to prevent an undesirable outcome in the process. The fi ...
*
Early case assessment
*
External risk External risks are generally something that is uncontrollable by the first party.
In contract law
In contract law, are risks that are produced by a non-human source and are beyond human control. They are unexpected but happen regularly enough in a ...
*
Enterprise risk
*
Event chain methodology
Event chain methodology is a network analysis technique that is focused on identifying and managing events and relationship between them (event chains) that affect project schedules. It is an uncertainty modeling schedule technique. Event chain me ...
*
Financial risk
*
Fuel price risk management Fuel price risk management, a specialization of both financial risk management and oil price analysis and similar to conventional risk management practice, is a continual cyclic process that includes risk assessment, risk decision making and the i ...
*
Global catastrophic risk
A global catastrophic risk or a doomsday scenario is a hypothetical future event that could damage human well-being on a global scale, even endangering or destroying modern civilization. An event that could cause human extinction or permanen ...
*
Hazard (risk)
A hazard is a potential source of harm. Substances, events, or circumstances can constitute hazards when their nature would allow them, even just theoretically, to cause damage to health, life, property, or any other interest of value. The probabi ...
*
Identity resolution
Record linkage (also known as data matching, data linkage, entity resolution, and many other terms) is the task of finding records in a data set that refer to the same entity across different data sources (e.g., data files, books, websites, and da ...
*
Information assurance Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, ...
*
Inherent risk Inherent risk, in risk management, is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amou ...
*
Inherent risk (accounting)
*
International Risk Governance Council
The International Risk Governance Center (IRGC) is a neutral interdisciplinary center based at the École Polytechnique Fédérale de Lausanne (EPFL) in Lausanne, Switzerland. IRGC develops risk governance strategies that focus on involving all k ...
*
ISO/PAS 28000
*
IT risk
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Re ...
*
Legal risk
Basel II classified legal risk as a subset of operational risk in 2003. This conception is based on a business perspective, recognizing that there are threats entailed in the business operating environment. The idea is that businesses do not ...
*
Life-critical system
A safety-critical system (SCS) or life-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:
* death or serious injury to people
* loss or severe damage to equipment/property
* environme ...
*
Liquidity risk
*
Loss aversion
Loss aversion is the tendency to prefer avoiding losses to acquiring equivalent gains. The principle is prominent in the domain of economics. What distinguishes loss aversion from risk aversion is that the utility of a monetary payoff depends o ...
*
Moral hazard
In economics, a moral hazard is a situation where an economic actor has an incentive to increase its exposure to risk because it does not bear the full costs of that risk. For example, when a corporation is insured, it may take on higher risk ...
*
Operational risk
*
Preventive maintenance
The technical meaning of maintenance involves functional checks, servicing, repairing or replacing of necessary devices, equipment, machinery, building infrastructure, and supporting utilities in industrial, business, and residential installa ...
*
Probabilistic risk assessment
Probabilistic risk assessment (PRA) is a systematic and comprehensive methodology to evaluate risks associated with a complex engineered technological entity (such as an airliner or a nuclear power plant) or the effects of stressors on the environm ...
*
Process risk Process Risk is considered to be a sub-component of operational risk. It exists when the process that supports a business activity lacks both efficiency and effectiveness, which may then lead to financial, customer, and reputational loss. This form ...
*
Reputational risk
Reputational damage is the loss to financial capital, social capital and/or market share resulting from damage to a firm's reputation. This is often measured in lost revenue, increased operating, capital or regulatory costs, or destruction of sh ...
*
Reliability engineering
*
Risk analysis
*
Risk assessment
Broadly speaking, a risk assessment is the combined effort of:
# identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and
# making judgments "on the ...
*
Risk compensation
Risk compensation is a theory which suggests that people typically adjust their behavior in response to perceived levels of risk, becoming more careful where they sense greater risk and less careful if they feel more protected. Although usually ...
**
Peltzman effect
*
Risk management
*
Risk-neutral measure
In mathematical finance, a risk-neutral measure (also called an equilibrium measure, or '' equivalent martingale measure'') is a probability measure such that each share price is exactly equal to the discounted expectation of the share price u ...
*
Risk perception
Risk perception is the subjective judgement that people make about the characteristics and severity of a risk. Risk perceptions are different for the real risks since they are affected by a wide range of affective (emotions, feelings, moods, etc.) ...
*
Risk register
A risk register (PRINCE2) is a document used as a risk management tool and to fulfill regulatory compliance acting as a repository for all risks identified and includes additional information about each risk, e.g., nature of the risk, reference an ...
*
Sampling risk
*
Systemic risk
In finance, systemic risk is the risk of collapse of an entire financial system or entire market, as opposed to the risk associated with any one individual entity, group or component of a system, that can be contained therein without harming the ...
*
Systematic risk
In finance and economics, systematic risk (in economics often called aggregate risk or undiversifiable risk) is vulnerability to events which affect aggregate outcomes such as broad market returns, total economy-wide resource holdings, or aggreg ...
*
Uncertainty
Uncertainty refers to epistemic situations involving imperfect or unknown information. It applies to predictions of future events, to physical measurements that are already made, or to the unknown. Uncertainty arises in partially observable ...
*
Vulnerability
Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally."
A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...
References
Bibliography
Referred literature
*
James Franklin, 2001: ''The Science of Conjecture: Evidence and Probability Before Pascal'', Baltimore: Johns Hopkins University Press.
*
*
Niklas Luhmann
Niklas Luhmann (; ; December 8, 1927 – November 6, 1998) was a German sociologist, philosopher of social science, and a prominent thinker in systems theory.
Biography
Luhmann was born in Lüneburg, Free State of Prussia, where his father's fa ...
, 1996: ''Modern Society Shocked by its Risks'' (= University of Hong Kong, Department of Sociology Occasional Papers 17), Hong Kong, available vi
HKU Scholars HUB
Books
* Historian
David A. Moss' book ''When All Else Fails'' explains the
US government
The federal government of the United States (U.S. federal government or U.S. government) is the national government of the United States, a federal republic located primarily in North America, composed of 50 states, a city within a feder ...
's historical role as risk manager of last resort.
* Bernstein P. L. ''Against the Gods'' . Risk explained and its appreciation by man traced from earliest times through all the major figures of their ages in mathematical circles.
*
*
*
*
*
*
* Gardner D. ''Risk: The Science and Politics of Fear'', Random House Inc. (2008) .
* Novak S.Y. Extreme value methods with applications to finance. London: CRC. (2011) .
* Hopkin P. Fundamentals of Risk Management. 2nd Edition. Kogan-Page (2012)
Articles and papers
*
*
*
*
*
*
* Hansson, Sven Ove. (2007). "Risk", ''The Stanford Encyclopedia of Philosophy'' (Summer 2007 Edition), Edward N. Zalta (ed.), forthcomin
* Holton, Glyn A. (2004). "Defining Risk", ''Financial Analysts Journal'', 60 (6), 19–25. A paper exploring the foundations of risk. (PDF file).
* Knight, F. H. (1921) ''Risk, Uncertainty and Profit'', Chicago: Houghton Mifflin Company. (Cited at
§ I.I.26.).
* Kruger, Daniel J., Wang, X.T., & Wilke, Andreas (2007) "Towards the development of an evolutionarily valid domain-specific risk-taking scale" ''Evolutionary Psychology'' (PDF file).
*
*
*
* Neill, M. Allen, J. Woodhead, N. Reid, S. Irwin, L. Sanderson, H. 2008 "A Positive Approach to Risk Requires Person Centred Thinking" London, CSIP Personalisation Network, Department of Health. Available from: https://web.archive.org/web/20090218231745/http://networks.csip.org.uk/Personalisation/Topics/Browse/Risk/
ccessed 21 July 2008
*
External links
Risk– The entry of the Stanford Encyclopedia of Philosophy
{{DEFAULTSORT:Risk
Actuarial science
Environmental social science concepts