A survey of existing definitions of risk:
When looking up the meaning of Risk we are confronted with a surprising situation. There is no satisfying and authoritative general purpose one-line definition that we can adopt without second thoughts. Let us start with the standard dictionary definitions:
- The online Merriam Webster Dictionary defines risk as the possibility of loss or injury
- The online Cambridge Dictionary opines that risk means the possibility of something bad happening
- The Oxford English (Concise, Hardcover!) suggests: a chance or possibility of danger, loss, injury or other adverse consequences
If we look up the Wikipedia entry, its first sentence offers the following wording: Risk is the potential for uncontrolled loss of something of value. Immediately afterwards there is an entire section of various incompatible and confusing definitions:
- Risk is an influence affecting strategy caused by an incentive or condition that inhibits transformation to quality excellence(!)
- Risk is an uncertain event or condition that, if it occurs, has an effect on at least one objective
- The probability of something happening multiplied by the resulting cost or benefit if it does
- The probability or threat of quantifiable damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action
- The possibility that an actual return on an investment will be lower than the expected return
- A situation where the probability of a variable (such as burning down of a building) is known but when a mode of occurrence or the actual value of the occurrence (whether the fire will occur at a particular property) is not. A risk is not an uncertainty (where neither the probability nor the mode of occurrence is known), a peril (cause of loss), or a hazard (something that makes the occurrence of a peril more likely or more severe).
Finally, the definition adopted by professional risk managers is the somewhat controversial ISO 31000:2009 definition that states: Risk is the effect of uncertainty on objectives
When reviewing the above multitude of approaches to defining Risk, it is hard to conclude that we don’t have a definitional problem:
- Significant and subtle concepts such as probability, possibility, uncertainty and chance are used as alternatives although their meaning can be dramatically different depending on the context
- Concepts that are only applicable to risk quantification are mixed with the definition of the risk concept itself
- It is unclear whether risk is always a negative scenario, and how risk relates to positive scenarios
- It is frequently unclear who or what is at risk
Is the multitude of definitions actually an issue?
For a concept such as Risk that is of major importance to practically everybody, a definition that is decidedly ambiguous and uncertain can negatively influence the quality of practical risk management efforts in all domains.
While we are all equipped to understand risk at an intuitive level, formal risk management involves analytic thinking. One of the important first steps in such an analytic framework is risk identification. It stands to reason that it is easier to identify risks if we have a clear idea what we want to identify!
Furthermore, the quality and effectiveness of risk management efforts depend (in general) on coordinated collective behaviors. Thus, developing consensus may be easier if there is conceptual agreement as to what is being managed.
Can we distill a better definition of risk?
To clear the ground for a better definition, there are i) some mistakes we might want to avoid and ii) some neglected aspects we might want to emphasize:
- We want to avoid the narrow definition of risk as quantifiable uncertainty. There are very few real world instances (if any) where risk is 100% quantifiable. The degree to which material, non-quantifiable, uncertainties creep into our risk views is variable, but it is best to admit that an element of model risk is always there.
- Even worse, we want to avoid the specific definition of risk as some combination of likelihood and severity. Not only are such combinations wrong and/or meaningless, the implied separation only applies to certain risk types (where risk materializes as a discrete, identifiable event).
- We emphasize uncertainty over divergence from expectation. A certain bad outcome (once it is known) is no longer a risk.
- We want to avoid a symmetric definition of risk that also includes upside potential. While it is true that “positive risk” is of the same nature as negative risk, in most cases it is not operationally opportune to mix the two directions. It is of course entirely legitimate to reuse the thought processes, tools and procedures to systematically explore opportunities in studying uncertain (risky) upside.
- Emphasize the subjectivity of risk perception. Even the most natural of risks (say, hurricanes or earthquakes) have no intrinsic existence as risks unless and until there is a human agent involved. A risk literally comes into existence once a human agent declares it to be a risk.
- Avoid the ambiguity of leaving undefined the subject perceiving or facing a risk. One person’s risk is another person’s opportunity. For large organizations with multiple stakeholders, identifying who is actually bearing the risk can be quite tricky, and it is possible that different subsets experience the same risk in different ways.
- Emphasize the complexity and ever-changing reality of the future states of the world that are relevant to people and the varying granularity and accuracy by which different people may be imagining those future states of the world
- Decouple the notion of risk mitigation from the risk itself. Risk mitigation requires further actions - assuming they are at all feasible.
Is a better definition even possible?
A simple definition that avoids many of the mistakes identified above could be along the lines of:
Risk is an uncertain future outcome that is unfavorable for a person or a collection of persons
Hence, under this definition Risk is simply a subjective label that a specific entity puts on a subset of possible futures (states of the world).