Risk

For other uses, see Risk (disambiguation).

Risk is the possibility of something bad happening,^[1] comprising a level of uncertainty about the effects and implications of an activity, particularly negative and undesirable consequences.^[2][3]

Harbor sign warning visitors that use of the walkway is "at your own risk"

Firefighters are exposed to risks of fire and building collapse during their work.

Risk theory, assessment, and management are applied but substantially differ in different practice areas, such as business, economics, environment, finance, information technology, health, insurance, safety, security, and privacy. The international standard for risk management, ISO 31000, provides principles and general guidelines on managing risks faced by organizations.^[4]

Artist's impression of a major asteroid impact, an example of a global catastrophic risk.

Definition

The Oxford English Dictionary (OED) cites the earliest use of the word in English (in the spelling of risque from its French original, 'risque') as of 1621, and the spelling as risk from 1655. While including several other definitions, the OED 3rd edition defines risk as "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility".^[5] The Cambridge Advanced Learner's Dictionary defines risk as "the possibility of something bad happening".^[1] Some have argued that the definition of risk is subjective and context-specific.^[2][6] The International Organization for Standardization (ISO) 31073 defines risk as:^[7][8]

effect of uncertainty^[9] on objectives^[10]

Note 1: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.^[11]

Note 2: Objectives can have different aspects and categories, and can be applied at different levels.

Note 3: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

Other general definitions include:

• "Source of harm". The earliest use of the word "risk" was as a synonym for the much older word "hazard", meaning a potential source of harm. This definition comes from Blount's "Glossographia" (1661)^[12] and was the main definition in the OED 1st (1914) and 2nd (1989) editions. Modern equivalents refer to "unwanted events"^[13] or "something bad that might happen".^[1]
• "Chance of harm". This definition comes from Johnson's "Dictionary of the English Language" (1755), and has been widely paraphrased, including "possibility of loss"^[5] or "probability of unwanted events".^[13]
• "Uncertain events affecting objectives". This definition was adopted by the Association for Project Management (1997).^[14][15] With slight rewording it became the definition in ISO Guide 73.^[3]
• "Uncertainty of outcome". This definition was adopted by the UK Cabinet Office (2002)^[16] to encourage innovation to improve public services. It allowed "risk" to describe either "positive opportunity or negative threat of actions and events".
• "Potential returns from an event ['a thing that happens or takes place'], where the returns are any changes, effects, consequences, and so on, of the event". This definition from Newsome (2014) expands the neutrality of 'risk' akin to the UK Cabinet Office (2002) and Knight (1921).^[17]
• "Human interaction with uncertainty". This definition comes from Cline (2015) in the context of adventure education.^[18]

Versus uncertainty

In his seminal 1921 work Risk, Uncertainty, and Profit, Frank Knight established the distinction between risk and uncertainty.

... Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been properly separated. The term "risk," as loosely used in everyday speech and in economic discussion, really covers two things which, functionally at least, in their causal relations to the phenomena of economic organization, are categorically different. ... The essential fact is that "risk" means in some cases a quantity susceptible of measurement, while at other times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of the phenomenon depending on which of the two is really present and operating. ... It will appear that a measurable uncertainty, or "risk" proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at all. We ... accordingly restrict the term "uncertainty" to cases of the non-quantitive type.^[19]

Thus, Knightian uncertainty is immeasurable, not possible to calculate, while in the Knightian sense risk is measurable.

By field

Definitions of risk

Field	Definition	Sources	Related concepts
Economics	Uncertainty about loss	Willett's "Economic Theory of Risk and Insurance" (1901).[20]
Insurance	Measurable uncertainty	Knight's "Risk, Uncertainty and Profit" (1921).[21][22][23]	Knightian uncertainty, mortality risk, longevity risk, interest rate risk
	Possibility of an event occurring which causes injury or loss	Lloyd's.[24]
Finance	Volatility of return	Markovitz's "Portfolio Selection" (1952).[25][26]	Financial risk management, Risk aversion
			Components: Downside risk, Upside risk, Inherent risk, Benefit risk
			Business risks: Enterprise risk management, Audit risk, Process risk, Legal risk, Reputational risk, Peren–Clement index
			Investments: Modern portfolio theory, Value at risk, Hedge
			Types of financial risks: Market risk, Credit risk, Liquidity risk, Operational risk
Decision theory	Statistically expected loss	Wald (1939).[27] Used in planning of Delta Works in 1953.[28] Adopted by the US Nuclear Regulatory Commission in 1975.[29] Remains widely used.[13]
Bayesian analysis[30]	Scenarios, probabilities and consequences: Consequences and associated uncertainty; likelihood and severity of events	Kaplan & Garrick (1981).[31] Found in ISO Guide 73 Note 4.[3]
Occupational health and safety	Combination of the likelihood and consequence(s) of a specified hazardous event occurring	Occupational Health and Safety Assessment Series (OHSAS) standard OHSAS 18001, 1999.	Occupational hazard, High reliability organisation, Probabilistic risk assessment, WASH-1400[32]
Cybersecurity	Asset, threat and vulnerability	Threat Analysis Group (2010).[33]	Information security, IT risk management, IT risk
Environment	Chance of harmful effects to human health or to ecological systems	United States Environmental Protection Agency.[34]	Environmental hazards, Environmental issues[35]
Health	Possibility that something will cause harm	Centres for Disease Control and Prevention.[36]	Epidemiology, Risk factors, Health risk assessment, Relative risk, Mortality rate, Loss of life expectancy
Project management	An uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives	Project Management Institute.[37][38]	Project risk management
Security	Any event that could result in the compromise of organizational assets i.e. the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities	[39]	Security management

Mathematical

Triplets

Risk is often considered to be a set of triplets^[31][26]

${\displaystyle {\text{R}}=(s_{i},p_{i},x_{i})}$ for i = 1,2,....,N

where:

${\displaystyle s_{i}}$ is a scenario describing a possible event

${\displaystyle p_{i}}$ is the probability of the scenario

${\displaystyle x_{i}}$ is the consequence of the scenario

${\displaystyle N}$ is the number of scenarios chosen to describe the risk

Risks expressed in this way can be shown in a risk register or a risk matrix. They may be quantitative or qualitative, and can include positive as well as negative consequences.^[40]

An updated version recommends the following general description of risk:^[30]

${\displaystyle R=({A,C,U,P,K})}$

where:

${\displaystyle A}$ is an event that might occur

${\displaystyle C}$ is the consequences of the event

${\displaystyle U}$ is an assessment of uncertainties

${\displaystyle P}$ is a knowledge-based probability of the event

${\displaystyle K}$ is the background knowledge that U and P are based on

Probability distributions

If all the consequences are expressed in the same units (or can be converted into a consistent loss function), the risk can be expressed as a probability density function describing the uncertainty about outcome:

${\displaystyle R=p(x)}$

This can also be expressed as a cumulative distribution function (CDF) (or S curve).^[40] One way of highlighting the tail of this distribution is by showing the probability of exceeding given losses, known as a complementary cumulative distribution function, plotted on logarithmic scales. For example, frequency-number diagrams show the annual frequency of exceeding given numbers of fatalities.^[40] Another way of summarizing the size of the distribution's tail is the loss with a certain probability of exceedance, that is, the value at risk.

Expected values

Risk is often measured as the expected value of the loss. This combines the probabilities and consequences into a single value. See also expected utility. The simplest case is a binary possibility of Accident or No accident. The associated formula for calculating risk is then:

${\displaystyle R=({\text{probability of the accident occurring}})\times ({\text{expected loss in case of the accident}})}$

In a situation with several possible accident scenarios, total risk is the sum of the risks for each scenario, provided that the outcomes are comparable:

${\displaystyle R=\sum _{i=1}^{N}p_{i}x_{i}}$

In statistical decision theory, the risk function is defined as the expected value of a given loss function as a function of the decision rule used to make decisions in the face of uncertainty.

A disadvantage of defining risk as the product of impact and probability is that it presumes, unrealistically, that decision-makers are risk-neutral. A risk-neutral person's utility is proportional to the expected value of the payoff. For example, a risk-neutral person would consider 20% chance of winning $1 million exactly as desirable as getting a certain $200,000. However, most decision-makers are not actually risk-neutral and would not consider these equivalent choices.^[26] Pascal's mugging is a philosophical thought experiment that demonstrates issues in assessing risk solely by the expected value of loss or return.

Outcome frequencies

Risks of discrete events such as accidents are often measured as outcome frequencies, or expected rates of specific loss events per unit time. When small, frequencies are numerically similar to probabilities, but have dimensions of ⁠1/t⁠ and can sum to more than 1. Typical outcomes expressed this way include:^[41]

• Individual risk - the frequency of a given level of harm to an individual.^[42] It often refers to the expected annual probability of death, and is then comparable to the mortality rate.
• Group (or societal risk) – the relationship between the frequency and the number of people suffering harm.^[42]
• Frequencies of property damage or total loss.
• Frequencies of environmental damage such as oil spills.

Financial risk

In finance, volatility is the degree of variation of a trading price over time, usually measured by the standard deviation of logarithmic returns. Modern portfolio theory measures risk using the variance (or standard deviation) of asset prices. The risk is then:

${\displaystyle R=\sigma }$

The beta coefficient measures the volatility of an individual asset to overall market changes. This is the asset's contribution to systematic risk, which cannot be eliminated by portfolio diversification. It is the covariance between the asset's return r_i and the market return r_m, expressed as a fraction of the market variance:^[43]

${\displaystyle \beta _{i}={\frac {\sigma _{im}}{\sigma _{m}^{2}}}={\frac {\mathrm {Cov} (r_{i},r_{m})}{\mathrm {Var} (r_{m})}}}$

Risk-neutral measure

In mathematical finance, a risk-neutral measure is a probability measure such that each share price is exactly equal to the discounted expectation of the share price under the measure. This is heavily used in the pricing of financial derivatives due to the fundamental theorem of asset pricing.

Let ${\displaystyle S}$ be a d-dimensional market representing the price processes of the risky assets, ${\displaystyle B}$ the risk-free bond and ${\displaystyle (\Omega ,{\mathcal {F}},P)}$the underlying probability space. Then a measure ${\displaystyle Q}$ is a risk-neutral measure if

1. ${\displaystyle Q\approx P}$, i.e., ${\displaystyle Q}$ is equivalent to ${\displaystyle P}$,
2. the processes ${\displaystyle \left({\frac {S_{t}^{i}}{B_{t}}}\right)_{t}}$ are (local) martingales w.r.t. ${\displaystyle Q}$ ${\displaystyle \forall \,i=1,\dots ,d}$.^[44]

Mandelbrot's mild and wild theory

Benoit Mandelbrot distinguished between "mild" and "wild" risk and argued that risk assessment and analysis must be fundamentally different for the two types of risk.^[45] Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. A common error in risk assessment and analysis is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and analysis are to be valid and reliable, according to Mandelbrot.

Estimation

• Proxy or analogue data from other contexts, presumed to be similar in some aspects of risk.
• Theoretical models, such as Monte Carlo simulation and Quantitative risk assessment software.
• Logical models, such as Bayesian networks, fault tree analysis and event tree analysis
• Expert judgement, such as absolute probability judgement or the Delphi method.

Management

A general definition is that risk management consists of "coordinated activities to direct and control an organization with regard to risk".^[3] In general, the aim of risk management is to assist organizations in "setting strategy, achieving objectives and making informed decisions".^[4] The outcomes should be "scientifically sound, cost-effective, integrated actions that [treat] risks while taking into account social, cultural, ethical, political, and legal considerations".^[46] In contexts where risks are always harmful, risk management aims to "reduce or prevent risks".^[46] In the safety field it aims "to protect employees, the general public, the environment, and company assets, while avoiding business interruptions".^[47] For organizations whose definition of risk includes upside as well as downside risks, risk management is "as much about identifying opportunities as avoiding or mitigating losses".^[48] It then involves "getting the right balance between innovation and change on the one hand, and avoidance of shocks and crises on the other".^[49]

Assessment

Risk assessment is a systematic approach to recognising and characterising risks, and evaluating their significance, in order to support decisions about how to manage them. ISO 31000 defines it in terms of its components as "the overall process of risk identification, risk analysis and risk evaluation":^[4]

• Risk identification is "the process of finding, recognizing and recording risks". It "involves the identification of risk sources, events, their causes and their potential consequences."^[3] ISO 31000 describes it as the first step in a risk assessment process, preceding risk analysis and risk evaluation.^[4] In safety contexts, where risk sources are known as hazards, this step is known as "hazard identification".^[50]
• The ISO defines risk analysis as "the process to comprehend the nature of risk and to determine the level of risk".^[3] In the ISO 31000 risk assessment process, risk analysis follows risk identification and precedes risk evaluation.^[40] Risk analysis often uses data on the probabilities and consequences of previous events.
• Risk evaluation involves comparing estimated levels of risk against risk criteria to determine the significance of the risk and make decisions about risk treatment actions.^[40] In most activities, risks can be reduced by adding further controls or other treatment options, but typically this increases cost or inconvenience. It is rarely possible to eliminate risks altogether without discontinuing the activity. Sometimes it is desirable to increase risks to secure valued benefits. Risk criteria are intended to guide decisions on these issues.^[51]

For example, the tolerability of risk framework, developed by the UK Health and Safety Executive, divides risks into three bands:^[52]

• Unacceptable risks – only permitted in exceptional circumstances.
• Tolerable risks – to be kept as low as reasonably practicable (ALARP), taking into account the costs and benefits of further risk reduction.
• Broadly acceptable risks – not normally requiring further reduction.

Transformation

Risk transformation describes the process of not only mitigating risks but also employing risk factors into advantages.^[53]

Governance, risk, and compliance

Governance, risk, and compliance is an overarching approach covering risk management in addition to governance and compliance.

Attitude, appetite and tolerance

The terms risk appetite, attitude, and tolerance are often used similarly to describe an organisation's or individual's attitude towards risk-taking. One's attitude may be described as risk-averse, risk-neutral, or risk-seeking.^[54]

Psychology of risk

Risk perception

Risk perception is the subjective judgement that people make about the characteristics and severity of a risk. At its most basic, the perception of risk is an intuitive form of risk analysis.^[55]

Adults have an intuitive understanding of risk, which may not be exclusive to humans.^[56] Many ancient societies believed in divinely determined fates, and attempts to influence the gods can be seen as early forms of risk management. Early uses of the word 'risk' coincided with an erosion of belief in divinely ordained fate.^[57] Notwithstanding, intuitive perceptions of risk are often inaccurate owing to reliance on psychological heuristics, which are subject to systematic cognitive biases.^[58] In particular, the accuracy of risk perception can be adversely affected by the affect heuristic, which relies on emotion to make decisions.^[59][60]

The availability heuristic is the process of judging the probability of an event by the ease with which instances come to mind. In general, rare but dramatic causes of death are over-estimated while common unspectacular causes are under-estimated;^[61] an "availability cascade" is a self-reinforcing cycle in which public concern about relatively minor events is amplified by media coverage until the issue becomes politically important.^[62] Despite the difficulty of thinking statistically, people are typically subject to the overconfidence effect in their judgements, tending to overestimate their understanding of the world and underestimate the role of chance,^[63] with even experts subject to this effect.^[64] Other biases that affect the perception of risk include ambiguity aversion.

Paul Slovic's "psychometric paradigm" assumes that risk is subjectively defined by individuals, influenced by factors such as lack of control, catastrophic potential, and severity of consequences, such that risk perception can be psychometrically measured by surveys.^[65][66][67] Slovic argues that intuitive emotional reactions are the predominant method by which humans evaluate risk, and that a purely statistical approach to disasters lacks emotion and thus fails to convey the true meaning of disasters and fails to motivate proper action to prevent them.^[68] This theory has received support from retrospective studies and evolutionary psychology.^{[69][70][71][72][73][74]} Hazards with high perceived risk are therefore, in general, seen as less acceptable and more in need of reduction.^[75]

Cultural theory of risk views risk perception as a collective phenomenon by which different cultures select some risks for attention and ignore others, with the aim of maintaining their particular way of life.^[76] Hence risk perception varies according to the preoccupations of the culture. The theory outlines two categories, the degree of binding to social groups, the degree of social regulation.^[77] Cultural theory can be used to explain why it can be difficult for people with different world-views to agree about whether a hazard is acceptable, and why risk assessments may be more persuasive for some people than others. However, there is little quantitative evidence that shows cultural biases are strongly predictive of risk perception.^[78]

Decision theory

Main articles: Decision theory and Prospect theory

In decision theory, regret (and anticipation of regret) can play a significant part in decision-making, distinct from risk aversion.^[79][80] Framing is also a fundamental problem with all forms of risk assessment.^[81] In particular, because of bounded rationality, the risk of extreme events is discounted because the probability is too low to evaluate intuitively. As an example, one of the leading causes of death is road accidents caused by drunk driving – partly because any given driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident. The right prefrontal cortex has been shown to take a more global perspective,^[82] while greater left prefrontal activity relates to local or focal processing.^[83][84][85] Reference class forecasting is a forecasting method by which biases associated with risks can be mitigated.

Risk taking

Psychologists have run randomised experiments with a treatment and control group to ascertain the effect of different psychological factors that may be associated with risk taking,^[86] finding that positive and negative feedback about past risk taking can affect future risk taking. For example, one experiment showed that belief in competence correlated with risk-taking behavior.^[87] Risk compensation is a theory that suggests that people typically adjust their behavior in response to the perceived level of risk, becoming more careful where they sense greater risk and less careful if they feel more protected.^[88] People also show risk aversion, such that they reject fair risky offers because of the perception of loss.^[89][90] Further, intuitive responses have been found to be less risk-averse than subsequent reflective response.^[91]

Sex differences

This section is an excerpt from Sex differences in humans § Financial risk-taking.[edit]

Sex differences in financial decision making are relevant and significant. Numerous studies have found that women tend to be financially more risk-averse than men and hold safer portfolios.^[92][93] Scholarly research has documented systematic differences in financial decisions such as buying investments versus insurance, donating to ingroups versus outgroups (such as terrorism victims in Iraq versus the United States), spending in stores,^[94] and the endowment effect-or asking price for goods people have.^[95]

Society and culture

Risk and autonomy

The experience of many people who rely on human services for support is that 'risk' is often used as a reason to prevent them from gaining further independence or fully accessing the community, and that these services are often unnecessarily risk averse.^[96] "People's autonomy used to be compromised by institution walls, now it's too often our risk management practices", according to John O'Brien.^[97] Michael Fischer and Ewan Ferlie (2013) find that contradictions between formal risk controls and the role of subjective factors in human services (such as the role of emotions and ideology) can undermine service values, so producing tensions and even intractable and 'heated' conflict.^[98]

Risk society

Main article: Risk society

Anthony Giddens and Ulrich Beck argued that whilst humans have always been subjected to a level of risk – such as natural disasters – these have usually been perceived as produced by non-human forces. Modern societies, however, are exposed to risks such as pollution, that are the result of the modernization process itself. Giddens defines these two types of risks as external risks and manufactured risks.^[99] The term Risk society was coined in the 1980s and its popularity during the 1990s was both as a consequence of its links to trends in thinking about wider modernity, and also to its links to popular discourse, in particular the growing environmental concerns during the period.

See also

• Ambiguity aversion
• Benefit shortfall
• Civil defence
• Countermeasure
• Early case assessment
• Event chain methodology
• Fuel price risk management
• Identity resolution
• Information assurance
• ISO/PAS 28000
• Life-critical system
• Preventive maintenance
• Reliability engineering
• Peltzman effect