Defining Risk

February 11, 2011

There are about as many definitions of risk as people you can ask, and I’ve spent far too much energy pursuing this elusive definition, but I think I can say I’ve reached a good place.  After all my reading, pontifications and discussions, I feel that I am ready to answer the deceptively simple question “how do you define risk?” with this very simple answer:

I don’t know.

Oh, I can toss things out there like “the probable frequency and probable magnitude of future loss” from the FAIR methodology.  I could also wax philosophical about how I *mostly* agree with Douglas Hubbard’s well-developed definition of “A state of uncertainty where some of the possibilities involve a loss” (note: I *mostly* agree just to pretend that I know something Mr. Hubbard doesn’t).

But if I don’t know, how can I say that I’ve reached a good place pursuing a risk definition?  Because I have accepted the ambiguity, and I’ve realized that terminology and definitions exist simply to help communicate concepts or ideas.  That’s where we should be spending our efforts: behind the definitions. In that light, I have come to believe that definitions don’t have to be 100% right; they simply have to be helpful.  Take the definition of risk from ISO 31000: “the effect of uncertainty on objectives”.  That sounds cool, even after thinking about it for a while, but when it comes to being helpful?  Nope, not even close.  I may have an objective of defining risk, and I’m immersed in uncertainty, but I wouldn’t call the effect of that uncertainty “risk”.  If anything, that definition leaves me more confused than when I started.

There’s some good news though: problems in defining central terms aren’t unique to risk.  Take this from Melanie Mitchell:

In 2004 I organized a panel discussion on complexity at the Santa Fe Institute’s annual Complex Systems Summer School.  It was a special year: 2004 marked the twentieth anniversary of the founding of the institute.  The panel consisted of some of the most prominent members of the SFI faculty…all well-known scientists in fields such as physics, computer science, biology, economics and decision theory.  The students at the school…were given the opportunity to ask any question of the panel.  The first question was, “How do you define complexity?”  Everyone on the panel laughed, because the question was at once so straightforward, so expected, and yet so difficult to answer.

She goes on in her book to say “Isaac Newton did not have a good definition of force” and “geneticists still do not agree on precisely what the term gene refers to at the molecular level.” 

I take comfort in these stories: we are not unique, we are not alone.

As we move forward in the pursuit of information risk, let’s stay focused on where the real work should be done: measuring and communicating risk.  Let’s put a little less effort into defining it just yet.  Don’t get me wrong, definitions are helpful, but let’s not get all wrapped up in the precision of words when we’re still struggling with the concepts they are describing.

  1. Jack
    February 11, 2011 at 8:59 am

    Good point. For the practical purposes of what I do as a living, the FAIR definition seems to fit the bill. That said, in conversations with management I’m using the term “Loss Exposure” more and more frequently because there seems to be less room for interpretation and misunderstanding.

  2. February 11, 2011 at 5:57 pm

    Uncertainty has no place in any definition of risk. The ISO definition is ludicrously off base.

    And of course the word risk by itself is meaningless without a qualifier.

    Marty Whitman in “Distress Investing” [1]: ‘Risk is not a meaningful concept unless modified by an adjective. There exist market risk, investment risk, Chapter 11 reorganization risk, credit risk, failure to match maturities risk, hurricane risk, terrorism risk, and so forth; but it is not really useful to look at general risk. When risk is discussed in conventional academic finance, the subject is almost always market risk (i.e. fluctuations in market prices). Beta, alpha, and the capital asset pricing model (CAPM) are based on market prices. We ignore market risk and focus on investment risk, especially in distress investing (i.e. the probabilities of something going wrong with the company and/or the securities issued by the company).

    For us there is no risk-reward ratio. A risk-reward ratio exists where price is in equilibrium. In that instance, risk and reward for securities are measured by two variables:

    1. Quality of the issuer.
    2. Terms of the issue.

    The higher the quality and the more senior the terms, the less the risk and the smaller the potential for gain. Introducing price turns the risk-reward ratio on its head. The lower the price, the less the risk of loss and the greater the prospect for gain.’

    1. http://books.google.com/books?id=dKv2Vov54PMC&pg=PT58&lpg=PT58&dq=whitman+risk+adjective&source=bl&ots=w-14X8OIRT&sig=twbL1np9naJNWAh3xxGH9Y9q4YM&hl=en&ei=br4qS6OgA5LUMsTKufcI&sa=X&oi=book_result&ct=result&resnum=3&ved=0CAwQ6AEwAg#v=onepage&q=whitman%20risk%20adjective&f=false

  3. February 15, 2011 at 8:32 am

    A few years ago someone on the Security Metrics list stated that the word ‘risk’ should never be used by itself – but only in conjunction with another word; I tend to agree with this statement (maybe it was Gunnar). There are far too many disciplines that deal with the concept of ‘risk’ and tend to think of it within that context. I am less concerned with a single definition than with ensuring that the concept of risk being discussed includes both frequency of loss and severity of loss at some level of abstraction. If those components exist – then we should be able to have a meaningful discussion. We also need to be mindful that not all IT risk is pure risk – there are some IT loss exposures where there is speculative risk; there could be positive outcomes.

