Risk Assessments – what are we assessing?

In recent posts, I wrote about the difference between “Risk” (uncertainty) and “risks” (events that could cause harm). Now let’s think about the implication of this distinction when it comes to performing a risk assessment.

ISO 31000 says that a risk assessment is the overall process of risk identification, risk analysis, and risk evaluation.

COSO’s ERM Framework indicates that risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives.

When actually performing an assessment, ISO 31000 says that it is expressed in terms of the combination of consequences and their likelihood. COSO says that management assesses events from two perspectives – likelihood and impact. Both stick with the idea of the two axes – i) how impactful is the risk? and ii) how likely is it to occur? This approach tends to focus on assessing “risks” — the events that could occur and cause harm. However, in an earlier post I wrote about the problem that exists if you take this approach.

Should we be assessing “risks” (events) or should we be assessing “Risk” (uncertainty)? Let’s look at an example to help us think this through.

I’m a little concerned about my 10-year-old car. It is presenting me with some transportation uncertainty. Here’s an immediate clue — the word ‘uncertainty’ popped up. What I’m really looking for is an answer to “Is the car sufficiently reliable, or do I need to do something?” I’m not really looking for a prioritized list of every component, its potential impact, and the likelihood that the component will fail.

Said another way,

  • my Goal is Reliable Transportation
  • my current Strategy is to Retain my Current Car As-Is
  • the Risk Assessment needs to tell me “Is this a good Strategy?”

The Risk Assessment needs to tell me if the level of uncertainty (“Risk”) is appropriate given this Goal and Strategy. The technique for actually accomplishing this is to identify potential events (“risks”), along with their likelihood and impact, in order to make the final evaluation of whether the current Strategy is acceptable.

The technique for performing the risk assessment is to look at individual “risks”, but the reason that we’re performing the risk assessment is to evaluate the level of “Risk” within the strategy and determine whether the uncertainty is appropriate given the overriding goal.

“Risk” vs “a risk” (part 2)

In my last post, I talked about the semantic difference (in my view) between “Risk” and “a risk”. In this post, I want to talk about the implications of this distinction.

As you may recall, I said that “Risk” is a concept that relates to general uncertainty about whether or not you can actually accomplish a goal. “A risk”, on the other hand, usually refers to a specific event — something specific that could happen and cause us problems.

When management asks the broad question “Do we have too much risk in the organization?” what do they mean? Are they asking if there are too many discrete events that could cause problems? Or are they asking if there is too much uncertainty?

Generally speaking, executive leadership would love to have assurance that their strategies will actually achieve their goals. That helps them keep their jobs. They would love to have certainty about every strategy. The opposite side of this coin, obviously, is uncertainty. If certainty is what they want, then uncertainty is often what they want to avoid. Uncertainty causes sleepless nights.

Since “Risk” (or “uncertainty”) is not terribly concrete, it’s very hard to measure. So, we devise a stand-in, or proxy, for this concept. We say that “Risk” exists in a strategy because there are certain discrete events that could occur and cause that strategy to fail. Examples of “a risk” might be “consumers won’t like the new product” or “production costs will push the retail price too high”. These are individual risks — discrete events that could occur. If we have too many of these, and if they have a real likelihood of occurring, then the strategy might be thought of as having too much “Risk”. This means that there is little assurance that the strategy will actually achieve the goal.

So, if there are a lot of “risks” (potential bad events), then there might be too much “Risk” (uncertainty). Right?

The most important point, of course, is to recognize the semantic use of the word “r-i-s-k” to mean two different, albeit related things. When you’re discussing “r-i-s-k” with someone you can help assure a fruitful conversation by recognizing that you may not be coming from the same point of reference. One of you may be talking about “Risk” while the other is talking about “a risk”. Once you recognize this difference and put yourselves on the same page, your conversation will proceed much more smoothly.

What do you think?

“Risk” vs “a risk” (part 1)

There is an important semantic distinction that is often missed when discussing risk management. When you say “risk”, are you talking about “Risk”? or are you talking about “a risk”? Let me explain.

“Risk”

I am capitalizing this word just so I can keep myself on point. “Risk” is an idea – a concept. The adjective is “risky”. This relates to the potential of something bad happening. When you drive a car with your eyes closed, you are experiencing “Risk”.

ISO 31000 defines “Risk” as the effect of uncertainty on objectives.

COSO’s ERM Framework defines “Risk” as the possibility that an event will occur and adversely affect the achievement of objectives.

“a risk”

On the other hand, when people talk about “a risk” they are commonly thinking about a specific event or occurrence. It is one of the specific bad things that could happen. When you drive a car with your eyes closed, you experience many risks — you could hit a tree, you could drive into a ditch, etc.

ISO 31000 says that risk is often characterized by reference to potential events and consequences, or a combination of these.

COSO’s ERM Framework takes a different approach. They focus on ‘events’ as a major specific topic and say that an event is an incident or occurrence from internal or external sources that affects achievement of objectives. The implication is that an event with a negative impact is a risk, while an event with a positive impact is an opportunity.

So what does this mean?

This means that you need to be careful when talking about risk. Sometimes you may be talking about the general uncertainty of a strategy relative to its ability to actually achieve its goal — “this is a risky strategy”. Other times you’re talking about specific events. “What’s our biggest risk?” Unfortunately, we’re saddled with the same word being used in different, although obviously related, ways.

In my next post I’ll talk about this a little more.

Your thoughts?

Risk Assessments – strengthen your foundation

I have never been completely satisfied that professional literature has correctly addressed the concept of Risk Assessments. COSO’s Enterprise Risk Management – Integrated Framework says that the uncertainty of potential events is evaluated from two perspectives – likelihood and impact. This seems so logical that it should defy critical examination. You take each identified risk (assuming that you’ve been able to pull together a reasonable list) and knock them off one by one focusing on likelihood and impact. This process is either explicitly stated or implicitly obvious in just about every piece of “risk management” literature.

Unfortunately, these two concepts – likelihood and impact – tend to be an ineffective way to measure risk in the real world.

The Problem

Although it seems like you should be able to look at a particular risk and make these two evaluations – “what is its potential impact?” and “what is its likelihood?” – you immediately run into problems. Here’s an example. You’ve identified the risk of ‘Inaccurate data stored in our customer files.’ You’re starting to assess its likelihood and impact and the following incongruity pops up. It’s very reasonable for both of these statements to be true:

  1. It’s very unlikely that we’ll have wide-spread data errors.
  2. It’s very likely that we’ll have isolated data errors.

Said another way, there’s a low likelihood of a high impact, but there’s also a high likelihood of a low impact. Your answer to one question depends upon which view you’ve taken of the other. Which is the right answer to capture in the risk assessment process? If both are true then you are almost assured of getting some combination of both responses from different evaluators or even the same evaluator across different risks. My experience has been that this problem pops up almost every time. You can’t avoid it because the underlying assumption that you can make independent unqualified evaluations of likelihood and impact is FALSE.

Fixing the Problem

The problem results from the interdependence of the two concepts. So, let’s work to eliminate this interdependence by coming up with a less ambiguous and more practical approach to evaluate risks.

What are we actually trying to accomplish with this risk assessment process? Which of these two questions is your executive leadership more likely to ask?

  1. Which risks require our vigilance because they will occur on a regular basis?
  2. Which risks require our vigilance because they could cause us some real hardships?

Both questions are valid but I think that in most organizations question #2 has more practical value, especially at the executive level. So, let’s move forward by first focusing on ‘impact’.

To avoid the problem we just identified, is there a way to identify the level of potential ‘impact’ while initially ignoring the concept of ‘likelihood’? An easy way to accomplish this is to examine the specific objective(s) that this risk relates to. For instance, if management has indicated that an email marketing objective is highly critical to the organization’s success, then the risk of incorrect data in the customer files has high potential impact to the organization. In fact, every risk that you associate with this goal has high potential impact. This ‘high’ impact does not result from an independent evaluation of the risk itself, but rather from its association with a high impact goal.

Next, we look at likelihood. Let’s address this at a very practical level. We will ignore the possibility that the risk could occur at some minimal level. The very fact that we have identified the risk in the first place tells us that. Instead, ask the evaluators to consider the likelihood that this risk will actually prevent the success of this goal. This lets us look at the likelihood of the risk using a very clear point of reference. Provide your evaluator(s) with instructions like “Given everything that you know about our operations, personnel, and external factors: how likely is it that this risk will prevent our current strategy from achieving this goal?” This question has some very profound implications that I’ll address in a subsequent post.

To recap – we typically experience a very real problem when we evaluate each risk as a stand-alone exercise. The problem is that the two typical “independent” risk assessment questions are not, in fact, independent. The key to eliminating this problem is to focus on the goal, not the risk. Impact gets a better definition by focusing on the significance of the associated goal (as determined by management separate from any risk assessment activity). Likelihood gets redefined to focus on the real-world potential that this risk will prevent the organization from achieving the goal.

Using this approach, risk assessment activities are less theoretical and far less ambiguous. Because the risk assessment process is now based on the importance of the related goal(s), it operates within the boundaries of what’s important to your organization.

Please share your thoughts.

Getting started

My name is Charles D. Schrock. My friends know me as “Bud”. Everything I say here is strictly my own personal thoughts and opinions. These are not necessarily endorsed by my employer or anyone else.

I have been an internal audit and risk management professional since I left my ‘mandatory’ post-college public accounting stint in 1979. Virtually all of my career has been in the commercial banking sector. I started with a fabulous banking group in suburban Chicago where I worked alongside extremely smart and successful entrepreneurs (our owners and executive leadership team). As Director of Internal Audit I saw that managing risk (not necessarily “ERM”) is something that successful leaders do. Unfortunately, all these years later, risk management is still a poorly understood concept that is much beloved by big consultants looking for ever bigger consulting fees. That doesn’t need to be the case.

I will be writing about risk management, entrepreneurship, internal audit, and management practices. My goal is to help make these concepts accessible to other entrepreneurs.

I’m not sure yet exactly what direction this blog will take. I hope to periodically comment on current events relating to internal audit or risk management. However, knowing myself reasonably well, I often get so immersed in my day job that it may take some weeks before my next blog post. During those weeks something significant may have slipped by me. So, please don’t count on me to summarize the important risk management events of the day.

Thanks. Stay tuned.