If there is one thing I learned as a CRO, it is that it is crucial to understand the nature of each and every risk we have to work with. I will no doubt write a separate article about the mistake of aggregating various risks into a risk register or attempting to use the same methodology to quantify different risks, but that will come later. This article is about understanding the nature of the risk. Not the risk definition in ISO31000, because that has hardly any practical use, but understanding the true nature of each risk, from first principles.

To make this article easier to digest, there are at least three forms a risk can take. Possibly more; write in the comments if you can think of others.

## Uncertain event with uncertain effect

This is probably the most known way to describe risk. **Risk is represented as an uncertain event within a given timeframe that if it happens will have an effect on objectives, decisions or some other important aspect of the business.**

Make no mistake, I am not talking about the qualitative nonsense you would see in a heatmap. Risks don’t have a single consequence; it is always a range. Smaller consequences usually have higher probability and catastrophic consequences usually have lower probability. The consequences of any given risk are a probability distribution. Understanding the nature of that distribution, whether it is lognormal, metalog or something more exotic, is crucial for risk mitigation. In the next article I will go into more detail about why risk consequences are not actually just a distribution but a product of distributions derived through a stochastic decision tree.

What about frequency or probability? First, basic math: risk doesn’t happen on average (unless we are dealing with some portfolio risk analysis); it either happens or it doesn’t. That’s why probability is also a distribution, Bernoulli for example. But wait, many risks may happen more than once per period. That’s why it’s actually often useful to replace probability with frequency, which is also a distribution, like Poisson.

So, how do we multiply two probability distributions to get the risk value? We simulate it with Monte Carlo, for example in SIPmath (a free Excel add-in) or ModelRisk.

Do this basic test: take a risk register and compare what happens if you just multiply probability x impact with what happens if you simulate the probabilities as Bernoulli. The mean of the simulation will be very similar to the sum of risks derived by simple multiplication, but the volatility around the mean will be huge. The P95 is almost double the sum of risks derived by simple multiplication. It is scary how many risk managers underestimate the risk by using the wrong math.

And that’s not all: the examples above assume that risks are totally independent, which is rarely if ever true. So we need to add correlations to our calculations at least. By the way, that will likely change the combined range of risk consequences.
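As an added example (not from the article), here is the basic test described above in Python on a constructed four-risk register: each trial draws a Bernoulli occurrence per risk and a lognormal loss if it occurs, and the simulated mean, median and P95 are set beside the simple sum of probability x expected impact. The register values are illustrative, and the risks are treated as independent, which is the first-pass assumption the article warns about.

```python
import math
import random

# Constructed risk register (illustrative values, not from the article):
# (name, annual probability, lognormal mu, lognormal sigma) for the loss given occurrence.
RISKS = [
    ("data breach",        0.10, math.log(400_000),   0.8),
    ("ransomware outage",  0.05, math.log(1_200_000), 1.0),
    ("key supplier fails", 0.20, math.log(150_000),   0.6),
    ("regulatory fine",    0.15, math.log(250_000),   0.5),
]

def expected_loss(risks=RISKS):
    """The 'probability x impact' shortcut: sum of p * E[loss],
    using E[lognormal] = exp(mu + sigma^2 / 2)."""
    return sum(p * math.exp(mu + s * s / 2) for _, p, mu, s in risks)

def simulate(risks=RISKS, n=20_000, seed=1):
    """Monte Carlo over the register: per trial, each risk either occurs
    (Bernoulli(p)) or not, and an occurring risk draws a lognormal loss.
    Returns the sorted list of total annual losses over all trials."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n):
        total = 0.0
        for _, p, mu, s in risks:
            if rng.random() < p:              # the risk happens or it doesn't
                total += rng.lognormvariate(mu, s)
        totals.append(total)
    totals.sort()
    return totals

def percentile(sorted_values, q):
    """Empirical percentile of an already sorted list."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]

def compare(risks=RISKS, n=20_000, seed=1):
    """Simple multiplication versus simulation: mean, median and P95."""
    totals = simulate(risks, n, seed)
    return {"expected": expected_loss(risks),
            "sim_mean": sum(totals) / len(totals),
            "p50": percentile(totals, 0.50),
            "p95": percentile(totals, 0.95)}

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>9}: {value:>12,.0f}")
```

With these inputs the median year has no loss at all while the P95 is several times the probability x impact sum; swapping the Bernoulli draw for a Poisson count would let a risk occur more than once per period.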

But the biggest irony is that this form of risk is the most common in RM1 and probably the least used in RM2.

## Uncertainty between limited choices

**The second form of risk is when we have a discrete set of possible outcomes but the actual outcome is uncertain.** For example, a company applies to various taxation discount schemes but is uncertain which one it will get. That’s why some risks are better represented by a discrete distribution, where there are a number of scenarios, each with its own probability of occurring.

## Volatility of assumptions

Finally, the **most common form of risk is the volatility around a base case for an assumption**. All of the assumptions made in business plans, project schedules, budgets, investment valuations and decision models are uncertain. They are all distributions. Some ranges are wider (where there is a lot of uncertainty), some ranges are narrower, but they are distributions nevertheless. Understanding the nature of these distributions is absolutely critical for decision making and risk analysis.

This was just a short intro into what risk is and what it is not. Risk is not likelihood x consequence in a risk matrix, that’s for sure. Dumbing down different risks to a risk register is a horrible idea.


See more posts from Alex Sidorenko at RISK-ACADEMY Blog.

This is interesting, but does not make much sense to me yet – I have forgotten Bernoulli and Poisson. But, I have successfully (questionable, OK, accepted) been managing risks (my companies, my clients) in the traditional way, i.e. likelihood and impact to give risk value and then creating a heat map etc. Also, I have come across some large corporates even today not having a risk department/function – and they have also been successful. Then, is it worth taking this much/new pain?

How do you know you have successfully been managing risk? Have you back tested it against the baseline? Was the company successful despite flawed methods you used? With so much compelling scientific and verifiable evidence that heatmaps are worse than useless the real question is – are you delusional or just lucky? 🙂

Thanks Alex – sounding a little rude when you say ‘flawed methods that I used’. 100% known to me (yes, I do not know all) are using the same traditional method described by me. Their balance sheets talk of the success. Happy to be lucky!

I will be happy to know how many (professionals/ organisations) have understood your method and are using it successfully.

Daman, that’s how science works. Once someone proved horoscopes or star signs are useless or “worse than useless” (quoting one scientific paper), continuing to use them for any decisions of value is professional negligence. Heatmaps are no better than horoscopes. And it doesn’t matter how many people understand that; that’s a typical ad populum fallacy.