Risk

From Wikipedia, the free encyclopedia

Jump to: navigation, search

Risk is a concept that denotes the precise probability of specific eventualities. Technically, the notion of risk is independent from the notion of value and, as such, eventualities may have both beneficial and adverse consequences. However, in general usage the convention is to focus only on potential negative impact to some characteristic of value that may arise from a future event.

Contents

[edit] Historical background

The term risk only emerged in the modernity. "In the Middle Ages the term riscium was used in highly specific contexts, above all sea trade and its ensuing legal problems of loss and damage."[1] In the vernacular languages of the 16th century the words rischio and riezgo were used,[1] both terms derived from the Arabic word "رزق", "rizk", meaning 'to seek prosperity'. This was introduced to continental Europe, through interaction with Middle Eastern and North African Arab traders. In the English language the term risk appeared only in the 17th century, and "seems to be imported from continental Europe."[1] When the terminology of risk took ground, it replaced the older notion that thought "in terms of good and bad fortune."[1] Niklas Luhmann (1996) seeks to explain this transition: "Perhaps, this was simply a loss of plausibility of the old rhetorics of Fortuna as an allegorical figure of religious content and of prudentia as a (noble) virtue in the emerging commercial society."[2]

Scenario analysis matured during Cold War confrontations between major powers, notably the U.S. and the USSR. It became widespread in insurance circles in the 1970s when major oil tanker disasters forced a more comprehensive foresight.[citation needed] The scientific approach to risk entered finance in the 1980s when financial derivatives proliferated. It reached general professions in the 1990s when the power of personal computing allowed for widespread data collection and numbers crunching.

Governments are using it, for example, to set standards for environmental regulation, e.g. "pathway analysis" as practiced by the United States Environmental Protection Agency.

[edit] Definitions of risk

There are many definitions of risk that vary by specific application and situational context. One is that risk is an issue, which can be avoided or mitigated (wherein an issue is a potential problem that has to be fixed now.) Risk is described both qualitatively and quantitatively. In some texts risk is described as a situation which would lead to negative consequences.

Qualitatively, risk is proportional to both the expected losses which may be caused by an event and to the probability of this event. Greater loss and greater event likelihood result in a greater overall risk.

Frequently in the subject matter literature, risk is defined in pseudo-formal forms where the components of the definition are vague and ill-defined, for example, risk is considered as an indicator of threat, or depends on threats, vulnerability, impact and uncertainty.[citation needed]

In engineering, the definition risk often simply is:

 \text{Risk} = (\text{probability of an accident}) \times  (\text{losses per accident}).\,

Or in more general terms:

 \text{Risk} = (\text{probability of event occurring}) \times  (\text{impact of event occuring}).\,

One of the first major uses of this concept was at the planning of the Delta Works in 1953, a flood protection program in the Netherlands, with the aid of the mathematician David van Dantzig.[3] The kind of risk analysis pioneered here has become common today in fields like nuclear power, aerospace and chemical industry.

There are more sophisticated definitions, however. Measuring engineering risk is often difficult, especially in potentially dangerous industries such as nuclear energy. Often, the probability of a negative event is estimated by using the frequency of past similar events or by event-tree methods, but probabilities for rare failures may be difficult to estimate if an event tree cannot be formulated. Methods to calculate the cost of the loss of human life vary depending on the purpose of the calculation. Specific methods include what people are willing to pay to insure against death,[4] and radiological release (e.g., GBq of radio-iodine).[citation needed] There are many formal methods used to assess or to "measure" risk, considered as one of the critical indicators important for human decision making.

Financial risk is often defined as the unexpected variability or volatility of returns and thus includes both potential worse-than-expected as well as better-than-expected returns. References to negative risk below should be read as applying to positive impacts or opportunity (e.g., for "loss" read "loss or gain") unless the context precludes.

In statistics, risk is often mapped to the probability of some event which is seen as undesirable. Usually, the probability of that event and some assessment of its expected harm must be combined into a believable scenario (an outcome), which combines the set of risk, regret and reward probabilities into an expected value for that outcome. (See also Expected utility.)

Thus, in statistical decision theory, the risk function of an estimator δ(x) for a parameter θ, calculated from some observables x, is defined as the expectation value of the loss function L,

 R(\theta,\delta(x)) = \int L(\theta,\delta(x)) f(x|\theta)\,dx

In information security[citation needed], a risk is written as an asset, the threats to the asset and the vulnerability that can be exploited by the threats to impact the asset - an example being: Our desktop computers (asset) can be compromised by malware (threat) entering the environment as an email attachment (vulnerability).

The risk is then assessed as a function of three variables:

  1. the probability that there is a threat
  2. the probability that there are any vulnerabilities
  3. the potential impact to the business.

The two probabilities are sometimes combined and are also known as likelihood. If any of these variables approaches zero, the overall risk approaches zero.

The management of actuarial risk is called risk management.

[edit] Risk versus uncertainty

In his seminal work Risk, Uncertainty, and Profit, Frank Knight (1921) established the distinction between risk and uncertainty.

... Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been properly separated. The term "risk," as loosely used in everyday speech and in economic discussion, really covers two things which, functionally at least, in their causal relations to the phenomena of economic organization, are categorically different. ... The essential fact is that "risk" means in some cases a quantity susceptible of measurement, while at other times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of the phenomenon depending on which of the two is really present and operating. ... It will appear that a measurable uncertainty, or "risk" proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at all. We ... accordingly restrict the term "uncertainty" to cases of the non-quantitive type.

A solution to this ambiguity is proposed in "How to Measure Anything: Finding the Value of Intangibles in Business" by Doug Hubbard:[5]

Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility. The "true" outcome/state/result/value is not known.
Measurement of uncertainty: A set of probabilities assigned to a set of possibilities. Example: "There is a 60% chance this market will double in five years"
Risk: A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.
Measurement of risk: A set of possibilities each with quantified probabilities and quantified losses. Example: "There is a 40% chance the proposed oil well will be dry with a loss of $12 million in exploratory drilling costs".

In this sense, Hubbard uses the terms so that one may have uncertainty without risk but not risk without uncertainty. We can be uncertain about the winner of a contest, but unless we have some personal stake in it, we have no risk. If we bet money on the outcome of the contest, then we have a risk. In both cases there are more than one outcome. The measure of uncertainty refers only to the probabilities assigned to outcomes, while the measure of risk requires both probabilities for outcomes and losses quantified for outcomes.

[edit] Insurance and health risk

Insurance is a risk-reducing investment in which the buyer pays a small fixed amount to be protected from a potential large loss. Gambling is a risk-increasing investment, wherein money on hand is risked for a possible large return, but with the possibility of losing it all. Purchasing a lottery ticket is a very risky investment with a high chance of no return and a small chance of a very high return. In contrast, putting money in a bank at a defined rate of interest is a risk-averse action that gives a guaranteed return of a small gain and precludes other investments with possibly higher gain.

Risks in personal health may be reduced by primary prevention actions that decrease early causes of illness or by secondary prevention actions after a person has clearly measured clinical signs or symptoms recognized as risk factors. Tertiary prevention (medical) reduces the negative impact of an already established disease by restoring function and reducing disease-related complications. Ethical medical practice requires careful discussion of risk factors with individual patients to obtain informed consent for secondary and tertiary prevention efforts, whereas public health efforts in primary prevention require education of the entire population at risk. In each case, careful communication about risk factors, likely outcomes and certainty must distinguish between causal events that must be decreased and associated events that may be merely consequences rather than causes.

[edit] Economic risk

[edit] Insight

The central insight in the methodology for incorporating economic risks arise from the realization of the fact that however manifold and diverse might be the causes, or factors, of risks around a specific project or business (for instance, the hike in the price for raw materials, the lapsing of deadlines for construction of a new operating facility, disruptions in a production process, emergence of a serious competitor on the market, the loss of key personnel, the change of a political regime, natural contingencies, etc.), all of these are ultimately manifested under only two guises. According to CCF Conception the economic risk consists in that: "Actual positive conventional cash flows (income, inflows) turn out to be less than expected AND / OR Actual negative conventional cash flows (expenditures, outflows) turn out to be larger than expected (in absolute terms)".

Such lucid and unambiguous conceptual treatment of such a complex and multi-faceted notion as the economic risk emphasizes the very core of the question. The "economic risk is not an abstract ‘uncertainty’ or ‘possibility of failure’ or changeableness (variability) of the outcome... The economic risk – is a monetary amount which might be under-collected and/or over-paid." Just as in music, one must use musical notes and staves—not alphabet letters or colors—to render a melody, in describing economic risk, we must ultimately operate with monetary units and not with the percentages of discount rates, magnitudes of volatility or anything else. (See [1].)

[edit] In business

Means of assessing risk vary widely between professions. Indeed, they may define these professions; for example, a doctor manages medical risk, while a civil engineer manages risk of structural failure. A professional code of ethics is usually focused on risk assessment and mitigation (by the professional on behalf of client, public, society or life in general).

In the workplace, incidental and inherent risks exist. Incidental risks are those which occur naturally in the business but are not part of the core of the business. Inherent risks have a negative effect on the operating profit of the business.

[edit] Criticism

Criticism has been leveled at the amoral ("rational") application of quantitative risk assessment.[citation needed]

[edit] Risk-sensitive industries

Some industries manage risk in a highly quantified and numerate way. These include the nuclear power and aircraft industries, where the possible failure of a complex series of engineered systems could result in highly undesirable outcomes. The usual measure of risk for a class of events is then:

R = probability of the event × C

The total risk is then the sum of the individual class-risks.

In the nuclear industry, consequence is often measured in terms of off-site radiological release, and this is often banded into five or six decade-wide bands.

The risks are evaluated using fault tree/event tree techniques (see safety engineering). Where these risks are low, they are normally considered to be "Broadly Acceptable". A higher level of risk (typically up to 10 to 100 times what is considered Broadly Acceptable) has to be justified against the costs of reducing it further and the possible benefits that make it tolerable—these risks are described as "Tolerable if ALARP". Risks beyond this level are classified as "Intolerable".

The level of risk deemed Broadly Acceptable has been considered by regulatory bodies in various countries—an early attempt by UK government regulator and academic F. R. Farmer used the example of hill-walking and similar activities which have definable risks that people appear to find acceptable. This resulted in the so-called Farmer Curve of acceptable probability of an event versus its consequence.

The technique as a whole is usually referred to as Probabilistic Risk Assessment (PRA) (or Probabilistic Safety Assessment, PSA). See WASH-1400 for an example of this approach.

[edit] In finance

In finance, risk is the probability that an investment's actual return will be different than expected. This includes the possibility of losing some or all of the original investment. Some regard a calculation of the standard deviation of the historical returns or average returns of a specific investment as providing some historical measure of risk.[citation needed] Financial risk may market-dependent, determined by numerous market factors, or operational, resulting from fraudulent behavior (e.g. Bernard Madoff).

In finance, risk has no one definition, but some theorists, notably Ron Dembo, have defined quite general methods to assess risk as an expected after-the-fact level of regret. Such methods have been uniquely successful in limiting interest rate risk in financial markets. Financial markets are considered to be a proving ground for general methods of risk assessment. However, these methods are also hard to understand. The mathematical difficulties interfere with other social goods such as disclosure, valuation and transparency. In particular, it is not always obvious if such financial instruments are "hedging" (purchasing/selling a financial instrument specifically to reduce or cancel out the risk in another investment) or "speculation" (increasing measurable risk and exposing the investor to catastrophic loss in pursuit of very high windfalls that increase expected value).

As regret measures rarely reflect actual human risk-aversion, it is difficult to determine if the outcomes of such transactions will be satisfactory. Risk seeking describes an individual whose utility function's second derivative is positive. Such an individual would willingly (actually pay a premium to) assume all risk in the economy and is hence not likely to exist.

In financial markets, one may need to measure credit risk, information timing and source risk, probability model risk, and legal risk if there are regulatory or civil actions taken as a result of some "investor's regret".

A fundamental idea in finance is the relationship between risk and return. The greater the potential return one might seek, the greater the risk that one generally assumes. A free market reflects this principle in the pricing of an instrument: strong demand for a safer instrument drives its price higher (and its return proportionately lower), while weak demand for a riskier instrument drives its price lower (and its potential return thereby higher).

"For example, a US Treasury bond is considered to be one of the safest investments and, when compared to a corporate bond, provides a lower rate of return. The reason for this is that a corporation is much more likely to go bankrupt than the U.S. government. Because the risk of investing in a corporate bond is higher, investors are offered a higher rate of return."

The most popular, and also the most vilified lately risk measurement is Value-at-Risk (VaR). There are different types of VaR - Long Term VaR, Marginal VaR, Factor VaR and Shock VaR [6] The latter is used in measuring risk during the extreme market stress conditions.

[edit] In public works

In a peer reviewed study of risk in public works projects located in twenty nations on five continents, Flyvbjerg, Holm, and Buhl (2002, 2005) documented high risks for such ventures for both costs[7] and demand.[8] Actual costs of projects were typically higher than estimated costs; cost overruns of 50% were common, overruns above 100% not uncommon. Actual demand was often lower than estimated; demand shortfalls of 25% were common, of 50% not uncommon.

Due to such cost and demand risks, cost-benefit analyses of public works projects have proved to be highly uncertain.

The main causes of cost and demand risks were found to be optimism bias and strategic misrepresentation. Measures identified to mitigate this type of risk are better governance through incentive alignment and the use of reference class forecasting.[9]

[edit] In human services

Huge ethical and political issues arise when human beings themselves are seen or treated as 'risks', or when the risk decision making of people who use human services might have an impact on that service. The experience of many people who rely on human services for support is that 'risk' is often used as a reason to prevent them from gaining further independence or fully accessing the community, and that these services are often unnecessarily risk averse.[10]

[edit] Risk in psychology

[edit] Regret

In decision theory, regret (and anticipation of regret) can play a significant part in decision-making, distinct from risk aversion (preferring the status quo in case one becomes worse off).

[edit] Framing

Framing[11] is a fundamental problem with all forms of risk assessment. In particular, because of bounded rationality (our brains get overloaded, so we take mental shortcuts), the risk of extreme events is discounted because the probability is too low to evaluate intuitively. As an example, one of the leading causes of death is road accidents caused by drunk driving—partly because any given driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident.

For instance, an extremely disturbing event (an attack by hijacking, or moral hazards) may be ignored in analysis despite the fact it has occurred and has a nonzero probability. Or, an event that everyone agrees is inevitable may be ruled out of analysis due to greed or an unwillingness to admit that it is believed to be inevitable. These human tendencies to error and wishful thinking often affect even the most rigorous applications of the scientific method and are a major concern of the philosophy of science.

All decision-making under uncertainty must consider cognitive bias, cultural bias, and notational bias: No group of people assessing risk is immune to "groupthink": acceptance of obviously wrong answers simply because it is socially painful to disagree, where there are conflicts of interest. One effective way to solve framing problems in risk assessment or measurement (although some argue that risk cannot be measured, only assessed) is to raise others' fears or personal ideals by way of completeness.

[edit] Fear as intuitive risk assessment

For the time being, people rely on their fear and hesitation to keep them out of the most profoundly unknown circumstances.

In The Gift of Fear, Gavin de Becker argues that "True fear is a gift. It is a survival signal that sounds only in the presence of danger. Yet unwarranted fear has assumed a power over us that it holds over no other creature on Earth. It need not be this way."

Risk could be said to be the way we collectively measure and share this "true fear"—a fusion of rational doubt, irrational fear, and a set of unquantified biases from our own experience.

The field of behavioral finance focuses on human risk-aversion, asymmetric regret, and other ways that human financial behavior varies from what analysts call "rational". Risk in that case is the degree of uncertainty associated with a return on an asset.

Recognizing and respecting the irrational influences on human decision making may do much to reduce disasters caused by naive risk assessments that pretend to rationality but in fact merely fuse many shared biases together.

[edit] Root causes of risk

Optimism bias and strategic misrepresentation have been found to be root causes of risk.[citation needed][12]

[edit] Risk assessment and management

Because planned actions are subject to large cost and benefit risks, proper risk assessment and risk management for such actions are crucial to making them successful.[13]

Since Risk assessment and management is essential in security management, both are tightly related. Security assessment methodologies like BEATO or CRAMM contain risk assessment modules as an important part of the first steps of the methodology. On the other hand, Risk Assessment methodologies, like Mehari evolved to become Security Assessment methodologies. A ISO standard on risk management (Principles and guidelines on implementation) is currently being draft under code ISO/DIS 31000. Target publication date 30 May 2009.

[edit] Risk in auditing

The audit risk model expresses the risk of an auditor providing an inappropriate opinion of a commercial entity's financial statements. It can be analytically expressed as:

AR = IR x CR x DR

Where AR is audit risk, IR is inherent risk, CR is control risk and DR is detection risk.

[edit] See also

[edit] References

  1. ^ a b c d Luhmann 1996:3
  2. ^ Luhmann 1996:4
  3. ^ Wired Magazine, Before the leaves brake, page 3
  4. ^ Landsburg, Steven (2003-03-03). "Is your life worth $10 million?". Everyday Economics (Slate). http://www.slate.com/id/2079475/. Retrieved on 2008-03-17. 
  5. ^ Douglas Hubbard "How to Measure Anything: Finding the Value of Intangibles in Business" pg. 46, John Wiley & Sons, 2007
  6. ^ http://en.wikipedia.org/wiki/Value_at_risk
  7. ^ http://flyvbjerg.plan.aau.dk/JAPAASPUBLISHED.pdf
  8. ^ http://flyvbjerg.plan.aau.dk/Traffic91PRINTJAPA.pdf
  9. ^ http://flyvbjerg.plan.aau.dk/0406DfT-UK%20OptBiasASPUBL.pdf
  10. ^ A person centred approach to risk - Risk - Advice on Personalisation - Personalisation - Homepage - CSIP Networks
  11. ^ Amos Tversky / Daniel Kahneman, 1981. "The Framing of Decisions and the Psychology of Choice."[verification needed]
  12. ^ Megaprojects and Risk, an Anatomy of Ambition, Bent Flyvbjerg, ISBN 0521 00946 4
  13. ^ Flyvbjerg 2006

[edit] Bibliography

[edit] Referred literature

  • Bent Flyvbjerg, 2006: From Nobel Prize to Project Management: Getting Risks Right. Project Management Journal, vol. 37, no. 3, August, pp. 5-15. Available at homepage of author
  • Niklas Luhmann, 1996: Modern Society Shocked by its Risks (= University of Hongkong, Department of Sociology Occasional Papers 17), Hongkong, available via HKU Scholars HUB

[edit] Books

  • Historian David A. Moss's book When All Else Fails explains the U.S. government's historical role as risk manager of last resort.
  • Peter L. Bernstien. Against the Gods ISBN 0-471-29563-9. Risk explained and its appreciation by man traced from earliest times through all the major figures of their ages in mathematical circles.
  • Porteous, Bruce T.; Pradip Tapadar (2005). Economic Capital and Financial Risk Management for Financial Services Firms and Conglomerates. Palgrave Macmillan. ISBN 1-4039-3608-0. 
  • Tom Kendrick (2003). Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project. AMACOM/American Management Association. ISBN 978-0814407615. 
  • Lev Virine & Michael Trumper (2007). Project Decisions: The Art and Science. Management Concepts. ISBN 978-1567262179. 
  • David Hillson (2007). Practical Project Risk Management: The Atom Methodology. Management Concepts. ISBN 978-1567262025. 
  • Kim Heldman (2005). Project Manager's Spotlight on Risk Management. Jossey-Bass. ISBN 978-0782144116. 
  • Dirk Proske (2008). Catalogue of risks - Natural, Technical, Social and Health Risks. Springer. ISBN 978-3540795544. 

[edit] Articles and papers

  • Clark, L., Manes, F., Antoun, N., Sahakian, B. J., & Robbins, T. W. (2003). "The contributions of lesion laterality and lesion volume to decision-making impairment following frontal lobe damage." Neuropsychologia, 41, 1474-1483.
  • Drake, R. A. (1985). "Decision making and risk taking: Neurological manipulation with a proposed consistency mediation." Contemporary Social Psychology, 11, 149-152.
  • Drake, R. A. (1985). "Lateral asymmetry of risky recommendations." Personality and Social Psychology Bulletin, 11, 409-417.
  • Hansson, Sven Ove. (2007). "Risk", The Stanford Encyclopedia of Philosophy (Summer 2007 Edition), Edward N. Zalta (ed.), forthcoming [2].
  • Holton, Glyn A. (2004). "Defining Risk", Financial Analysts Journal, 60 (6), 19–25. A paper exploring the foundations of risk. (PDF file)
  • Knight, F. H. (1921) Risk, Uncertainty and Profit, Chicago: Houghton Mifflin Company. (Cited at: [3], § I.I.26.)
  • Kruger, Daniel J., Wang, X.T., & Wilke, Andreas (2007) "Towards the development of an evolutionarily valid domain-specific risk-taking scale" Evolutionary Psychology (PDF file)
  • Miller, L. (1985). "Cognitive risk taking after frontal or temporal lobectomy I. The synthesis of fragmented visual information." Neuropsychologia, 23, 359 369.
  • Miller, L., & Milner, B. (1985). "Cognitive risk taking after frontal or temporal lobectomy II. The synthesis of phonemic and semantic information." Neuropsychologia, 23, 371 379.
  • Neill, M. Allen, J. Woodhead, N. Reid, S. Irwin, L. Sanderson, H. 2008 "A Positive Approach to Risk Requires Person Centred Thinking" London, CSIP Personalisation Network, Department of Health. Available from: http://networks.csip.org.uk/Personalisation/Topics/Browse/Risk/ [Accessed 21 July 2008]

[edit] External links

[edit] Further reading

[edit] Magazines and journals

[edit] Societies

[edit] Wikimedia sister projects

Personal tools