Risk management is a way of dispelling the fog of uncertainty in which we live, says H Felix Kloman

Risk management has morphed from its original use as a euphemism for insurance buying into a rainbow of different interpretations and usages. It is now found in public policy pronouncements, financial trading, advice on investments, safety and security, politics, and in almost every aspect of our daily lives. That we have actually made some modest progress in managing life’s uncertain affairs is more the result of some intelligent use of the ideas behind the phrase than of the convoluted semantics and unnecessary complexities offered by so many organisations and observers.

Fifty years after my introduction to the idea of risk management, I think it appropriate to try and whittle away the excess lard that encumbers the idea and suggest a fresh and brief definition of what we are talking about.

First, all of us, individuals and organisations alike, necessarily live in a fog of uncertainty. In Capital Ideas Evolving, Peter Bernstein describes it as ‘the bewildering jumble of facts, rumours, discontinuities, vagueness, and black uncertainty that make up the real world around us.’ Nassim Taleb, in The Black Swan, describes a ‘world that is dominated by the extreme, the unknown, and the very improbable ... and all the while we spend our time engaged in small talk, focusing on the known and the repeated.’

There is no way we can know for certain what the next moment, day, month or year will bring. Candid acknowledgement of uncertainty may be contrary to the desire of the human species, but it is essential for our evolution. Throughout history we have found that subscribing to some artificial explanation for unexpected events delays our ability to collect information and experience so that we can, over time, begin to understand why things have occurred in the past and how we can better prepare ourselves for the uncertain future.

In the past 400 years, for example, we have learned how to collect information and manipulate it so that we can create ‘risk’, a modest measure of future likelihood and consequences, to enable us to make better decisions. Whether qualitative or quantitative, these measures are becoming the bases of how we decide to move ahead.

Even so, we must resist the intoxication of new knowledge. Richard Feynman describes our condition in an essay in The Pleasures of Finding Things Out: ‘People search for certainty. But there is no certainty. You only think you know...’ Any management of risk begins with an acknowledgement that we really don’t know. Instead of trying to avoid surprise we should relish it.

Second, the word risk requires a definition, as it is the linchpin of the idea. Risk is a measure of the probable likelihood, consequences and timing of an event. A critical ingredient is that an outcome may be either favourable or unfavourable, or, in some instances, a combination of both.

Risk is a measure of possibility; it is not an event, situation or physical structure. It is best described as a range of outcomes – likelihoods and consequences – often shown as a mathematical distribution based on prior data. But outliers, extreme events, ‘unknown unknowns’ often bring huge consequences and remain beyond our capacity to measure.

How, then, do we define the idea of trying to manage risk? Risk management is a discipline for dealing with uncertainty. It is a controlled, logical, rational means of understanding the past and projecting possible alternative futures so that we can make better decisions. It is still evolving and may always be evolving. Its proper focus is uncertainty and that includes the acknowledgement that absolutely nothing is certain.

Most definitions of risk management are too long and wrapped in business jargon. As a result, they are difficult to remember. ‘A discipline for dealing with uncertainty’ is brief and memorable.

Third, how do we apply risk management to individual and organisational decision-making? We accumulate knowledge from what we see and hear, from teachings, genetic heritage and shared experience, creating rough heuristics, or rules-of-thumb, to use as guides. More recently we have developed the ideas of probability mathematics and decision theory to improve how we decide. Even as we rely more on numbers we must acknowledge that moral (and qualitative) factors are as important as economic ones. Add the problem of the totally unexpected, the outliers that we cannot even imagine, and we find that this newly-developed ‘process’ is not the final answer.

If the process of managing risk to make better decisions is basically instinctual, how best to describe it for application in organisations? I suggest again a brief approach – the risk management process: risk analysis and risk response. Risk analysis has three logical sub-steps:

Event identification: possible unexpected events, situations, contingencies, and/or sequences of events, whether favourable or unfavourable. Imagining the never experienced outliers remains a real problem.

Risk assessment: qualitative and quantitative estimates of the ranges (distribution) of likelihood, consequences, timing and assessment credibility for events, using multiple perceptions of affected stakeholders. And always consider those nasty outliers!

Evaluation: probable and possible effects on an organisation, its reputation, its economic capital, and, most importantly, its stakeholders.

Risk response also includes three sub-steps:

Control: mechanisms, incentives and penalties to improve the possibility of favourable and reduce the possibility of unfavourable outcomes.

Contingency planning: preparation for the predicted plus the most extreme of outcomes, the ‘tails’ and ‘outliers’ that too many disregard. Consequence always trumps likelihood. Preparation beats prediction.

Communications: creation of an ongoing, two-way dialogue with all stakeholders on key elements of analyses and responses.

Finally, what is the goal of risk management? The goal of risk management is to build and maintain the confidence of stakeholders in the organisation. Trust, the most important asset of any organisation, is difficult to measure. Yet this is and must be the focus of an organisation. Trust and confidence come first. Capital assets, earning power, skills of employees, management, credit lines, and quality of products or services are all secondary.

So, we begin by acknowledging that we exist in a fog of uncertainty. We can translate some of this fog into ‘risk’, enabling us to make more informed decisions about the future. Our approach is to think about risk and then do something about it.