What exactly does "risk" mean? It is a question that, in its simplicity, conceals a devilishly complex problem. There is no consensus definition. For reasons not wholly understood, most believe that there must be one. As a result, there is something of a grassroots campaign afoot that aims to create a universal definition.
This campaign has been remarkably successful in terms of the sheer number of attempts it has produced. Almost every book, ERM framework, course and speech about risk management starts with an attempt to define the word "risk" as if there were some unwritten law requiring it. After decades of this, there are hundreds of different definitions floating around.
The problem with defining terms like "risk" and "risk management" is not that the concepts are particularly abstract. The problem is that, depending on their job and educational background, most people have different understandings of "risk."
People outside of the risk management profession tend to think of risk as a negative event such as a car accident. In common parlance, it is also used as a synonym for probability or chance--for example "the risk of heart attack." Even though the laity might not have a crisp, clear concept of exactly what the word means, they understand that it is something to be avoided, minimized or controlled.
Risk is not perceived by all as strictly negative. Mathematicians and those who study probability tend to think of risk as a synonym for uncertainty, which encompasses all of the potential outcomes, both positive and negative. However, financial risk managers and economists who use Frank Knight's version of "uncertainty" understand the term to mean "those events for which a probability cannot be generated."
Similarly, within the risk management profession, there is little agreement as to what risk is. This disagreement arises because there are so many forms of risk management. Credit, market, hedging, investment portfolio, financial, capital, enterprise, insurance, safety and continuity risk management all engage in very different activities on a daily basis. Insurance might be a form of a futures contract, but a risk manager at a Wall Street investment firm, sitting in front of a Bloomberg, is performing a very different type of risk management than his counterpart who manages the insurance program for a school district.
Given the differences in various risk management jobs, it is unlikely that the numerous subcategories within the risk management profession are ever going to agree on a single definition. Some have tried to get around this problem by defining risk in a more generic way. For example, "risk includes those things that might, or might not, happen in the future that are negative, positive or both." This is not helpful.
While it might be of use to describe the context in which one is using the term "risk"--for example, banking versus loss prevention on an oil rig--crafting precise definitions is an activity we could do without. The seemingly endless wordsmithing has, to date, been entirely unsuccessful in creating consensus on just what "risk" is; it has created more dissention and argument than agreement.
Einstein suggested that a good definition of insanity was doing the same thing over and over and expecting different results. Perhaps it is time to try something radically different: Stop creating definitions of "risk." By ceasing this fruitless activity, we will have a lot more free time that we could use to solve more important questions such as: How do we define a risk appetite? Or how can we create coverage for intellectual property? Surely these will produce more useful results.
lives in Colorado and manages risk for Sun Microsystems Inc.
April 1, 2007
Copyright 2007© LRP Publications