1.1 What is Risk?
Risk is a measure of the probability and consequence of uncertain future events. It is the chance of an undesirable outcome. That outcome could be a loss due to fire, flood, illness, death, financial setback, or any sort of hazard, or a potential gain that is not realized because a new product did not catch on as hoped, your investment did not produce expected benefits, the ecosystem was not restored, or any sort of opportunity is missed. What usually creates the “chance” is a lack of information about events that have not yet occurred. We lack information because there are facts we do not know, because the future is fundamentally uncertain, and because the universe is inherently variable. Let’s call all of this “uncertainty” for the moment.
Given the presence of a hazard or an opportunity, there are two important components to a risk: an undesirable outcome or consequence and the chance or probability it will occur. Risk is often described by the simple equation:
Risk = Consequence × Probability (1.1)
Consider this expression a mental model that helps us think about risk rather than an equation that defines it. What this expression is conveying is not so much that this is the manner in which all risks are calculated (they are not) as much as that both of these elements must be present for there to be a real risk. If an event of any consequence has no probability of occurrence, there is no risk. Likewise, if there is no consequence or undesirable outcome, then there is no risk.
A hazard is the thing that causes the potential for an adverse consequence. An opportunity causes the potential for a positive consequence. If a population, an individual, or some asset of interest to us is not exposed to the hazard or opportunity, then there will be no consequence and no risk. The range of possible consequences (loss of life, property damage, financial loss or gain, improved environmental conditions, product success, and the like) is vast, but even similar types of consequences can vary in frequency, magnitude, severity, and duration.
It is not likely that many risk professionals would agree with such simple definitions. There are any number of alternative definitions in use or found in the literature. Some purists prefer to define risk entirely in terms of adverse consequences, ignoring the chance of gains that may not be realized. These risks of loss are sometimes called pure risks. Some definitions specify the nature of the consequences. The U.S. Environmental Protection Agency (EPA), for example, “considers risk to be the chance of harmful effects to human health or to ecological systems resulting from exposure to an environmental stressor” (EPA 2010).
Storms, hurricanes, floods, forest fires, and earthquakes are examples of natural hazards. When humans and human activity are exposed to these hazards there are risks with consequences that include loss of life, property damage, economic loss, and so on. There are human-made hazards by the scores: tools, weapons, vehicles, chemicals, technology, and activities. They can pose risks to life, property, environment, economies, and the like. Health hazards comprise their own category and include pathogens, disease, and all manner of personal health difficulties and accidents that can arise. These risks of adverse consequences are traditional examples of risk.
Less widely accepted as risks, among the risk analysis community’s members, are potential gains or rewards. Would anyone say they risk a promotion or an inheritance? Probably not, as this is not the traditional use of the word. Nonetheless, when there is some uncertainty that the gain will be realized, it qualifies as a risk under the definition used here. The International Organization for Standardization (ISO 2018) defines risk as the effect of uncertainty on an organization’s objectives. This is clearly broad enough to include uncertain opportunities for gain. Risks of uncertain gain are often called speculative risks.
The language is messy
The language of risk is relatively young and still evolving. The seeds of risk analysis are sown across many disciplines, and each has found it useful to define the terms of risk analysis in a way that best serves the needs of the parent discipline. The EPA, for example, identifies 19 variations on the meaning of risk in their Thesaurus of Terms Used in Microbial Risk Assessment, which eponymously takes a narrow focus on the concept of risk (EPA, 2007).
Frank Knight (1921) is credited with the first modern definition of risk. Kaplan and Garrick (1981) attempted to unify the language with their famous triplet. There is not yet any one universally satisfactory definition of risk nor of many of the other terms used in this book (ISO, 2018). ISO 31000, for example, offers quite a different lexicon than the one used in this book. There is more agreement on the practice of risk analysis than there is on its language.
For those who prefer to think of risks only as adverse consequences, it takes only a small convolution of thought to say that not realizing the gain/promotion/inheritance is the adverse consequence. In any event, loss and uncertain potential gains are considered risks throughout this book. Know that some would prefer to distinguish and separate risks and rewards more carefully.
Thus, we have pure risks, which are losses with no potential gains and no beneficial result, and speculative or opportunity risks, which are generally defined as risks that result in an uncertain degree of gain. They are further distinguished by the fact that pure risk events are beyond the decision maker’s control, the results of uncontrollable circumstances, while speculative risks are the result of conscious choices made in decision making. These two types of risks lead to two distinct risk management strategies: risk avoiding and risk taking. Risk managers select options that will enable them to reduce unacceptable levels of pure risk to acceptable or tolerable levels. Risk managers also choose to take risks when they select an alternative course of action to pursue potential gains. So, risk managers function as risk avoiders when they decide how best to reduce the adverse consequences of risk and as risk takers when they decide how best to realize potential gains in the future. Uncertainty makes all of this necessary; there is no risk without uncertainty.
A few propositions about risk
• Risk is everywhere
• Some risks are more serious than others
• Zero risk is not an option
• Risk is unavoidable
Therefore, we need risk analysis to:
• Describe these risks (risk assessment)
• Talk about them (risk communication)
There is very little we do that is risk free, although risks certainly vary in the magnitudes of their consequences and the frequencies of their occurrences. A leaky ballpoint pen is not in the same class of risks as an asteroid five miles in diameter colliding with Earth.
Risk is sometimes confused with safety. In the past, we have tried to provide safety, and getting to safety has been the goal of many public policies. The problem with a notion like safety is that someone must decide what level of chance or what magnitude of consequence is going to be considered safe. That is a fundamentally subjective decision, and subjective decisions rarely satisfy everyone. Risk, by contrast, can be measurable, objective, and based on fixed criteria.
Safety has been defined in a number of legislative and administrative frameworks as a “reasonable certainty of no harm,” a phrase extended in some contexts to include “when used as in...