What is risk? It is such a simple question. It is a question that anyone over the age of three can answer. The answer, however, is also the basis of most of the current problems and inefficiencies in risk management today. Humor me for a second and take a moment to say out loud what your definition of risk is. (Okay, if you are too risk-adverse to chance being heard talking to yourself, you can simply think it out loud in your head.)
When doing risk workshops, it is always quite telling how people will squirm and fidget in their seat as I ask them what their definition of risk is. Workshop participants then go to great lengths to avoid eye contact, so that they will not be selected to give their definition of risk. Again, this is a definition that almost every three-year old can articulate. It then starts to get really interesting as workshop participants strive to demonstrate their risk prowess by seeing who can come up with the most precise, and consequently, the most academic definition. Inevitably, the answers start to get more quantitatively oriented, or more regulatory and legalistic in nature. Carry the conversation on long enough and you will need a doctorate in math and or laws in order to make sense of it.
You might think that it is absolutely bizarre, or at least a waste of space by spending a chapter talking about the definition of risk. However, I believe that having a clear and consistently understood definition of risk throughout an organization is one of the easiest, yet one of the most beneficial steps that a company can take in improving their risk management activities. Conversely, not having the right definition of risk, and not having a clear and consistently understood definition is the root cause of many of the problems in risk management.
If you ask the average person on the street what their definition of risk is, they will likely respond that risk is a chance that something bad will happen. Indeed, if you look up risk in the dictionary, you will get, “the possibility that something bad or unpleasant (such as an injury or a loss) will happen.”1 This definition is fine and good, but it leaves a lot to be desired for risk management purposes.
Firstly, the definition of “possibility of something bad happening” is not consistent with the mathematics of the most common ways to measure risk. Secondly, it is an extremely limiting definition that forces most of the potential value of a risk management function wasting away. Thirdly, and perhaps most importantly, it is a very negative definition, which, in turn, imparts a negative pall over all of risk management. Finally, this common (mistaken) definition of risk is one of the reasons I decided that this book needed to be written.
Rethinking the Definition of Risk
The Chinese symbol for risk is often cited as being composed of danger and opportunity. This is a much more enlightened definition, as well as a much more useful and productive definition for risk management purposes. Another way to state this is to define risk as the possibility that bad or good things may happen.
You might be thinking that defining risk as “the possibility that bad or good things may happen” is a convenient butchering of the English language. While it is true that the editor of this book will find many instances of my butchering of the English language, the definition of risk as given is perfectly legitimate and valid in the context of organizations and in the context of risk management. Indeed, as will be argued, it is, by far, the preferred definition. It is also the de facto mathematical definition of most risk management measurements—whether you realize it or not.2
The Committee of Sponsoring Organizations of the Treadway Commission, more commonly known as COSO, is a joint initiative of a variety of organizations with a common interest in developing standards and frameworks for effective risk management. The COSO framework for enterprise risk management is considered by many to be the definitive framework for risk management. Their definition for risk is:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.3
A moment’s reflection will show that it is consistent with the proposed definition of risk, while albeit being a bit more sophisticated in its wording.
There are three elements to my proposed definition of risk; firstly, there is an element of uncertainty, secondly there is an element of the future, and thirdly, and perhaps most significantly (and unconventionally), there is an element that risk has both upside and downside components.
The first element of the definition involves uncertainty. In simple terms, with risk, there is an element of not knowing what will happen. Frequently, risk and uncertainty are used as synonyms for each other. When we state that a situation is uncertain, we may as well say that it is a risky situation and viceversa.
In the technical mathematical literature, as well as in the academic risk community, risk and uncertainty have close, but different meanings. With risk, you have a range of possible outcomes, but the mathematical distribution is known. For instance, we can state what the average daily returns of the S&P 500 index were, as well as what the standard deviation for the index was, for any given year for which we have the data.4 However, what will be the most popular genre of music among high school students 10 years hence is, however, unknown, and at the present time, unknowable. It is quite possible that the most popular genre of music 10 years hence has not yet been conceived of. This is uncertainty. Given the pace of technological change in the music industry, it is also hard to envision how that music will be distributed and consumed as well. Thus, we see that stock returns can be labeled as risky, while future popular music genres are uncertain.
This parsing of the difference between risk and uncertainty is, for the most part, academic and does not really need to concern us. There is, however, one catch: risk management as a profession is becoming enthralled with what can be quantified, and thus, there is an inherent biases toward elements that can be measured with precision, which includes events for which a known mathematical distribution such as the normal distribution or a Poisson distribution (or perhaps even something sexier sounding such as a Gaussian distribution) can be applied to. Experienced organizational professionals will immediately see a problem with this, as many key risks cannot be so easily distilled to such a known distribution. As management guru Peter Drucker famously stated, “what gets measured gets managed.” However, that does not mean that all that needs to be managed gets measured, or conversely, that everything that can be measured needs to be managed. It might be argued that the most important risks are precisely those that cannot be measured—a theme that we will return to later.
The second element of our definition of risk is that it concerns the future. That may be an incredibly obvious statement, but too often we are focused on the past; the past crisis, the past mistake, the past regret, and as a result, spend way too little time creatively thinking about what might be. Risk cannot be managed in the rearview mirror, and while the past might be the best precursor to the future, it is not a very reliable one. The professional risk manager must be knowledgeable and respectful of the past, but with a vision focused on the present and an imagination trained on the future. Again, there seems to be a disconnect as risk measures and risk strategies, as well as tactics are frequently (and correctly) criticized for fighting the last crisis. We cannot change the past. The best we can hope for is to manage the future, but obsessively focusing on the known past is not only too convenient and intellectually lazy, but it takes valuable time and energy away from imagining future scenarios that will need to be managed.
The final element of our definition of risk is that risk involves both the downside as well as the upside. Risk is the possibility of both good things as well as bad things happening. This is the element of the definition that causes pause with the most people. In workshops, it is the element that causes the most push-back, as many risk managers, as well as regulators, believe that the sole function of risk management is preventing the downside. It is certainly how almost all risk management functions in practice. However, an equal focus (if not more than equal to overcome long standing biases) on the upside is what makes all the difference.
Why the Definition Is Important?
So why does the definition matter? It matters because of attitude, execution, and effectiveness.
Let’s start with attitude. My experience has been when talking with frontline professionals that they in some way label the risk management function of their organization as the “Department of No!” Admit it, that is likely how the risk management department in your organization is thought of. Not a very optimistic thought, is it? It is kind of like risk management being the dark cloud; the spoil sport of the group; the “it’s sure to rain” declarer. No one wants to invite the party pooper to the party.
A change in the definition is more than a slogan. To begin with, a change in definition can become an attitude changer. In Chapter 8, some ideas for creating a good risk culture will be discussed. This simple, but profound change in definition is a key element in creating a positive and effective risk culture. Instead of a culture of fear, or blame, or a culture of restraint and being held back, the risk culture becomes focused on the positive, the possibilities, and on how risk adds value and effectiveness to the goals and objectives of the organization. This does not diminish the focus on the downside, but counterintuitively can enhance an appreciation for, and the understanding of managing both the downside and the upside both individually and in tandem.
Secondly, a change in the definition helps risk to become a proactive function, rather than a reactive function. Think for a second about the tasks that bring out the best of your procrastination skills. Do you procrastinate on the positive things, the optimistic things, or do you procrastinate more on the perceived negative or downside events? Do you procrastinate more on making your dental appointment or booking tickets to see your favorite sports team play in the finals of the championship? There are upsides and downsides to both events. My dentist recently told me that my teeth are as solid as rocks, and your dentist as well may give your mouth a clean bill of health, but instead you focus unwarrantedly on the need for a potential root canal. Meanwhile, your team may suffer a blow-out in the playoffs, but instead you focus on the joy and thrill of victory and the experience of celebrating with a group of like-minded fans. You do not allow the thought of your team suffering an embarrassing beat-down to enter into your consciousness. It is easy to see why the dentist has a receptionist phone your office to coerce you into making your semiannual appointment while there will be a queue of people camping out overnight in order to buy playoff tickets.
A large part of risk management is dealing with human nature. Having a definition that incorporates both the positive and negative elements of risk works with human nature to produce a far more proactive attitude toward risk. It is human nature to focus on fear and downside risk, unless a more positive element is also explicitly introduced.
A central theme of this book is that risk management function should be a value-oriented function, rather than a cost center. Have some patience and before you start espousing all those studies about companies losing their figurative shorts by making the risk function a profit center, humor me for a few chapters, so that I can explain and build the argument. I am not advocating that risk managers should start trading derivatives in order to time the markets and make exceptional profits. As someone who is trained as a finance professor, and as someone with professional trading experience, I have a strong belief in the efficient markets hypothesis, which states that it is impossible to make positive abnormal returns from financial trading. The exploits of firms such as Procter and Gamble and Metallgesellschaft5 in the 1990s have unambiguously and definitively shown the folly of corporate entities trying to make money solely through sophisticated financial trading, rather than efficiently making things and selling things. What I am advocating is using intelligent and positively focused risk management to enhance the effectiveness and profitability of making things and selling things and services. More on that later, but the point for now is that risk management should be seen as a value-creation activity. Instead of the “Department of No!,” risk management has the capability to become the “Department of How We Can Do It Better!” Many of the techniques and tactics for managing downside risk can also be, and should be, applied toward enhancing upside risk. The proposed definition of risk goes a long way toward allowing this to happen.
The final advantage of the proposed definition is that it changes the definition of what the “risk management” function is. Defining risk as the possibility of bad things happening sets up risk management as the function to prevent losses. Setting the definition of risk as the possibility that bad or good things may happen provides the basis for a much more positive and valuable objective for risk management.
The Definition of Risk Management
If risk is the possibility that bad or good things may happen, then risk management becomes managing so as to increase the possibility and magnitude of good risk events happening while simultaneously managing so as to decrease the possibility and severity of bad risk events happening. The change is simple, subtle, but critically important in dramatically increasing the value and effectiveness of the risk management function in any organization.
As an example (albeit a trivial one), consider the last time that you took a trip in your car. It could have been a cross-country trip with your family or it could have been a five-minute drive to the grocery store. Assuming that you are an experienced driver, and a good driver,6 you almost certainly practiced risk management as I have proposed. You drive defensively to prevent an accident, but you also drive so as to achieve your objective, namely arriving at your destination in a time-efficient manner. If you were acting like most risk management departments, you would take far fewer trips to avoid the chance of an accident. No car trip means no car accident, but also no family viewings of the Grand Canyon or no groceries at home.
Often, when I propose this definition of risk, it will be argued that it is axiomatically impossible to simultaneously manage to increase upside probability of good events while decreasing the possibly of downside events. That argument of course is poppycock and a sign of lazy thinking. We are constantly trying to increase our odds of success while simultaneously decreasing our odds of failure. We do this with almost every activity we undertake. In fact, by focusing on increasing success, we automatically are decreasing the possibility of failure. In school, the best way to avoid failing a course is to work to get a great mark in the course. At work, the best way to avoid getting fired (or demoted) is to work so as to get promoted. In sports, it is often stated the best defense is to have a great offense. Winning is not just preventing your opposition from scoring, it also means scoring yourself. However, how focused is your risk management function on scoring?
If you say that scoring (i.e., creating profits) is the function of operations and marketing, then you are missing the point. In saying that organizations are siloing risk management, while probability also spouting a nice platitude about how risk management is everyone’s responsibility. I believe that risk management truly is everyone’s responsibility, but having a risk function that focuses solely on the downside almost always produces the opposite effect. Assuming that risk management will take care of the bad stuff and marketing will produce the profits is not an effective integration of functions. In Chapter 9, we discuss one unintended and counterintuitive consequence of this, which is known as risk homeostasis: namely having a really strong risk function focused on the downside actually increases the probability and severity of something bad happening.
Defining risk management as increasing the probability and magnitude of good risk while decreasing the probability and severity of bad risk implies balance, and risk management is nothing if not an exercise in balance. It is a balance between art and science, process and judgment, knowledge and intuition, people and processes, and the current and the future. It is extremely difficult to have balance when one is so unbalanced by focusing solely on the downside.
With the balance of considering both upside and downside risk, the tactics and techniques of risk management can be applied for the upside as well. To take a simple example, the techniques of risk measurement can be used to measure upside. Take, for example, the often-used measure of value at risk or VAR, which is primary metric used to measure downside risk in financial institutions. An informal survey of institutions shows that almost no one uses VAR to measure the upside potential of proposed transactions or strategies. However, firms have a battalion of quantitative analysts refining downside VAR. A simple and straightforward application of downside VAR to upside VAR can yield surprising and valuable metrics for assessing and implementing proposed strategies. While a few institutional investors look at upside VAR versus downside VAR, the number doing so is few. This is just one of many different risk techniques for which the potential applications and tools of risk management are literally only being half utilized. More examples will be provided later in this book, but the point here is to quickly point out here the folly of focusing solely on the downside.
Finally (for now), rethinking the definition of risk management allows for a more enhanced set of responses to risk. Traditionally, risk management actions are limited to eliminate, avoid, outsource, or mitigate. Rarely is the embracing of risk considered an appropriate response to risk. However, the examples are numerous, where the potential for upside should be embraced.
In his popular and insightful book “Antifragile: Things That Gain From Disorder,”7 author and risk management guru Nassim Taleb points out the need to think about instances where risk should be embraced and not avoided or mitigated. While there are many more ideas in Taleb’s book, the central thesis is that there are many instances in which risk or volatility are good things and that the inherent risk and volatility should be exploited, and not quashed. One example from the world of sports are those athletes and teams who play so as to not lose, versus those that play to win. While both teams face the same amount of risk and uncertainty, it is a common axiom in sports that those who focus on winning and embrace the possibility of winning become more successful than those who focus on losing, and thus play more conservatively. In risk management, as in sports, embracing the upside can trump protecting against the downside.
The Focus Gets Managed
What you focus on is what you see and what you will manage. I will talk at length later about the focus on measurable risk, but let’s start with a simple experiment. On your way to work today, how many red Volkswagens did you see? You cannot answer the question, can you? Now assume that I rush into your office five minutes before you leave for the day and I shout at the top of my lungs five times the phrase “red Volkswagen.” I bet that you will spot numerous red Volkswagens over the next week. My shouting “red Volkswagen” did not change the number of red Volkswagens on your path, it simply changed your focus. Take another simple example. Think of the last time you bought a new car. You were probably proud of the fact that you were unique, stylish, and one of a very few number of people who had the means and the good taste to buy such a classy car. However, over the next few days after buying your new car, it seems that all you see is cars that are identical to yours. You do not feel so unique and special anymore, do you?
This very simple example shows the power of focus. I used to do the red Volkswagen experiment at workshops until participants started to get annoyed that all they could spot thereafter was red Volkswagens. (I still run into former workshop participants that tell me they can still spot red Volkswagens from a mile away.) However, the point is that if risk management focuses on bad risk, then all it will see is bad risk, while missing the more valuable good risk.
Psychologist Richard Wiseman performed a very interesting series of experiments on luck.8 With a group of research subjects, Dr. Wiseman asked them whether they thought they were generally a lucky person or an unlucky person. You might think that is a very arbitrary, and perhaps irrelevant characterization, but his results are fascinating. Dr. Wiseman put the subjects through a set of exercises. In one exercise, he promised them a monetary reward if they could correctly count the number of times a symbol appeared in a specific section of a newspaper. On the second page of the newspaper section he gave them, he had printed a full page advertisement that told them the number of times the symbol appeared and also promised them double the reward if they stopped counting at that point. A large percentage of the “lucky” people stopped at that point and collected their double reward, while virtually all of the unlucky people continued to examine the rest of the newspaper. A powerful illustration of keeping an open mindset and perhaps an explanation for why so many organizations known for their impressive risk management departments get involved in risk debacles. More on this in Chapter 9, which hopefully incents you to keep reading.
Risk is dynamic, not static; seems obvious, and it should seem obvious. However, constraining risk to the downside takes away the dynamism. With the focus on the downside, there is a focus on preventing recurring events—preventing the downside risk that happened in the past. It is the main reason behind risk managers being criticized for managing the past crisis, not the forthcoming issues.
Concluding Remarks
William James, considered by many to be the founder of the field of psychology, wrote that “pessimism leads to weakness, optimism to power.” Focusing strictly on the downside is limiting, while focusing on both the upside and the downside of risk is empowering. It expands the possibilities for risk management and makes risk management a much more powerful part of an organization’s success.
Admittedly, it is true that often there is more organizational risk on the downside than on the upside. For instance, in credit risk, there is little upside risk; there has never been a case of a bank borrower paying back more than the required principal and interest of their loan. However, whenever and wherever appropriate, risk and risk management should be thought of as two-sided. Redefining risk as the possibility that bad or good things may happen, and redefining risk management as a function to focus on the upside as well as the downside, is a game changer and a necessary paradigm shift for effective risk management.
1 http://www.merriam-webster.com/dictionary/risk.
2 Almost all quantitative risk measures are related to variance or standard deviation of outcomes, which implicitly assumes that outcomes can be positive or negative. Unless your organization (or regulator) uses measures based on semistandard deviation, or semivariance, then you are implicitly measuring risk using the good and bad things may happen definition.
3 http://www.coso.org/documents/coso_erm_executivesummary.pdf.
4 I am playing fast and loose with the facts here. Later, in Chapter 2, it will be discussed that in reality, stock returns are not normally distributed (as is commonly assumed and is implicitly implied by using the standard deviation as a useful parameter), but, in fact, are sneakily leptokurtic, but that is a subject for Chapter 2.
5 Procter and Gamble lost significant sums with an interest rate hedging program that was designed to save them a few basis points on their borrowing costs. Metallgesellschaft likewise lost significant sums with an aggressive strategy of hedging oil.
6 Interestingly, when asked about their driving skills, a large majority of drivers respond that they are well above average when it comes to driving skill and with being a safe driver. Humorist Garrison Keillor called this the Lake Wobegon effect, where school districts report that almost all of their students are above average. Of course, this is a mathematical impossibility, but an important risk management effect caused by overconfidence.
7 Nassim Taleb, “Antifragile: Things That Gain From Disorder,” Random House, 2012.
8 Richard Wiseman, “The Luck Factor: The Scientific Study of the Lucky Mind,” Cornerstone Digital (Kindle Edition), 2011.