
Risk - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Risk

Risk
From Wikipedia, the free encyclopedia.

This article is about the concept of risk. There is also a popular board game named Risk, and an album by
Megadeth named Risk.

Risk is the potential harm that may arise from some present process or from some future event. In everyday usage, "risk"
is often used synonymously with "probability", but in professional risk assessments, risk combines the probability of a
negative event occurring with how harmful that event would be.

Contents
1 Definitions
1.1 Examples
1.2 Background
2 Risk in business
2.1 Risk-sensitive industries
2.2 Risk in finance
3 Psychology of risk
3.1 Regret
3.2 Framing
3.3 Fear as intuitive risk assessment?
4 References
4.1 Papers
4.2 Books
4.3 Magazines
5 See also
6 Topics

Definitions
Risk is often mapped to the probability of some event which is seen as undesirable. Usually the probability of that event
and some assessment of its expected harm must be combined into a believable scenario (an outcome) which combines the
set of risk, regret and reward probabilities into an expected value for that outcome. There are many informal methods
which are used to assess (or to "measure" although it is not usually possible to directly measure) risk, and (for some
applications) formal methods such as value at risk.

In scenario analysis "risk" is distinct from "threat." A threat is a very low-probability but serious event to which some
analysts may be unable to assign a probability in a risk assessment because it has never occurred, and for which no
effective preventive measure (a step taken to reduce the probability or impact of a possible future event) is available. The
difference is most clearly illustrated by the precautionary principle, which seeks to reduce threat by requiring it to be
reduced to a set of well-defined risks before an action, project, innovation or experiment is allowed to proceed.

In information security a "risk" is defined as a function of three variables: the probability that there's a threat, the
probability that there are any vulnerabilities, and the potential impact. If any of these variables approaches zero, the
overall risk approaches zero. For example, human beings are completely vulnerable to the threat of mind control by aliens,
which would have a fairly serious impact. But as we haven't yet met aliens, we can assume that they don't pose much of a
threat, and the overall risk is almost zero.

1 of 5 9/1/2005 2:26 PM

Examples

An example of the distinction between threat and risk is the preparedness of the United States of America prior to the
devastating attack on September 11th, 2001. Although the Central Intelligence Agency had often warned of a "clear and
present danger" of using planes as weapons, this was considered a threat, not a risk. Accordingly, no comprehensive
scenarios of probabilities and counter-measures were ever prepared for the type of attack that occurred. Taking a
frequentist probability approach, a threat cannot be characterized as a risk without at least one specific incident wherein
the threat can be said to have "realized". From that point, there is at least some basis to characterize a probability, e.g. "in
the entire history of air travel, X flights have led to 1 incident of..." By contrast Bayesian probability methods would
allow threats to be assigned a degree of belief, even if they had never happened before, and this could then be treated as a
probability.

Threats in an information security context include deliberate/directed acts (e.g. by crackers) and
undirected/random/unpredictable events (such as a lightning strike). Vulnerabilities are generally caused by weaknesses
in the system of preventive controls, including missing or ineffective procedural or technical controls, unpatched bugs in
systems etc. Impacts are adverse effects on organizations, individuals or indeed society at large, such as loss of life, direct
financial loss, or reputational damage. A vulnerability is not an issue per se unless a threat exploits it and causes an
impact. Risk management therefore involves any or all of the following activities: removing threats, minimizing the
probabilities, addressing vulnerabilities, and mitigating impacts.

Background

Scenario analysis matured during Cold War confrontations between major powers, notably the USA and USSR, but was
not widespread in insurance circles until the 1970s, when major oil tanker disasters forced more comprehensive
foresight. It did not enter finance until the 1980s, when financial derivatives proliferated, and did not reach most
professions in general until the 1990s, when personal computers proliferated.

Governments are apparently only now learning to use sophisticated risk methods, most obviously to set standards for
environmental regulation, e.g. "pathway analysis" as practiced by the US EPA.

Risk in business
See also insurance industry

Means of measuring and assessing risk vary widely across different professions; indeed, means of doing so may define
different professions, e.g. a doctor manages medical risk, a civil engineer manages risk of structural failure, etc. A
professional code of ethics is usually focused on risk assessment and mitigation (by the professional on behalf of client,
public, society or life in general).

Risk-sensitive industries

Some industries manage risk in a highly-quantified and numerate way. These include the nuclear power and aircraft
industries, where the possible failure of a complex series of engineered systems could result in highly undesirable
outcomes. The usual measure of risk for a class of events is then

Risk = Probability (of the Event) times Consequence.

(The total risk is then the sum of the individual class-risks)

The risks are evaluated using Fault Tree/Event Tree techniques (see safety engineering). Where these risks are low they
are normally considered to be 'Broadly Acceptable'. A higher level of risk (typically up to 10 to 100 times BA) has to be
justified against the costs of reducing it further and the possible benefits that make it tolerable - these risks are described
as 'Tolerable if ALARP'. Risks beyond this level are of course 'Intolerable'.
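As an added illustration (not part of the Wikipedia article), the Probability times Consequence rule, the summing of class-risks and the Broadly Acceptable / Tolerable if ALARP / Intolerable banding can be worked through on a small event tree; the same evaluator also covers the information-security threat, vulnerability and impact model from the Definitions section, since that model is a one-branch event tree. The BA threshold, the ALARP factor of 100, and every probability and consequence below are constructed values, not figures from the article.

```python
from dataclasses import dataclass
from typing import Union


@dataclass
class Leaf:
    """End state of an event tree; consequence is in whatever harm unit the class uses."""
    consequence: float


@dataclass
class Branch:
    """A yes/no split in the tree (safeguard fails? vulnerability exists?) with P(yes)."""
    p_yes: float
    yes: Union["Branch", Leaf]
    no: Union["Branch", Leaf]


def expected_harm(node, path_p=1.0):
    """Walk every path of the tree and sum probability x consequence over its end states."""
    if isinstance(node, Leaf):
        return path_p * node.consequence
    return (expected_harm(node.yes, path_p * node.p_yes)
            + expected_harm(node.no, path_p * (1.0 - node.p_yes)))


def class_risk(initiating_p, tree):
    """Risk = Probability (of the initiating event) times Consequence, summed over the tree."""
    return initiating_p * expected_harm(tree)


def total_risk(classes):
    """Total risk is the sum of the individual class-risks."""
    return sum(class_risk(p, tree) for p, tree in classes)


def infosec_risk(p_threat, p_vuln, impact):
    """Three-variable model: a threat that meets no vulnerability causes no impact."""
    return class_risk(p_threat, Branch(p_vuln, yes=Leaf(impact), no=Leaf(0.0)))


def band(risk, broadly_acceptable, alarp_factor=100):
    """Classify against a BA threshold; the ALARP region spans up to alarp_factor times BA."""
    if risk <= broadly_acceptable:
        return "Broadly Acceptable"
    if risk <= broadly_acceptable * alarp_factor:
        return "Tolerable if ALARP"
    return "Intolerable"


# Constructed tree: initiating event 1e-3 per year; first safeguard fails with p=0.1 and,
# if it does, the second fails with p=0.05 (consequences in arbitrary harm units).
PLANT_TREE = Branch(0.1, yes=Branch(0.05, yes=Leaf(1000.0), no=Leaf(10.0)), no=Leaf(0.0))

if __name__ == "__main__":
    r = class_risk(1e-3, PLANT_TREE)
    print(r, band(r, broadly_acceptable=1e-3))
    print(infosec_risk(0.0, 1.0, 1000.0))  # the "mind control by aliens" case: no threat, no risk
```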


The level of risk deemed 'Broadly Acceptable' has been considered by regulatory bodies in various countries - an early
attempt by UK government regulator and academic F. R. Farmer used the example of hill-walking and similar activities
which have definable risks that people appear to find acceptable.

The technique as a whole is usually referred to as Probabilistic Risk Assessment (PRA) (or Probabilistic Safety
Assessment, PSA). See WASH-1400 for an example of this approach.

Risk in finance

Risk in finance has no one definition, but some theorists, notably Ron Dembo, have defined quite general methods to
assess risk as an expected after-the-fact level of regret. Such methods have been uniquely successful in limiting interest
rate risk in financial markets. Financial markets are considered to be a proving ground for general methods of risk
assessment.

However, these methods are also hard to understand. The mathematical difficulties interfere with other social goods such
as disclosure, valuation and transparency.

In particular, it is often difficult to tell if such financial instruments are "hedging" (decreasing measurable risk by giving
up certain windfall gains) or "gambling" (increasing measurable risk and exposing the investor to catastrophic loss in
pursuit of very high windfalls that increase expected value).

As regret measures rarely reflect actual human risk-aversion, it is difficult to determine if the outcomes of such
transactions will be satisfactory. Risk seeking describes an individual who cares more about the potential gains than about
the expected gains from an investment. For example, an individual who invests in a small stock, knowing there is a large
chance of losing some money, but a small chance of making a great deal of money could be described as a risk seeker.

In financial markets one may need to measure credit risk, information timing and source risk, probability model risk, and
legal risk if there are regulatory or civil actions taken as a result of some "investor's regret".

In futures contracts trading, risk is a loss of trading capital.

Psychology of risk
Main articles: decision theory, prospect theory

Regret

Main article: regret theory

In decision theory, regret (and anticipation of regret) can play a significant part in decision-making, distinct from risk
aversion (preferring the status quo in case one gets worse off).

Framing

Framing is a fundamental problem with all forms of risk assessment. In particular, because of bounded rationality (our
brains get overloaded, so we take mental shortcuts) the risk of extreme events is discounted because the probability is too
low to evaluate intuitively. As an example, one of the leading causes of death is road accidents caused by speeding - partly
because any given driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident.

The above examples: body, threat, price of life, professional ethics and regret show that the risk adjustor or assessor often
faces serious conflict of interest. The assessor also faces cognitive bias and cultural bias, and cannot always be trusted to
avoid all moral hazards. This represents a risk in itself, which grows as the assessor is less like the client.

For instance, an extremely disturbing event that all participants wish not to happen again may be ignored in analysis
despite the fact it has occurred and has a nonzero probability. Or, an event that everyone agrees is inevitable may be ruled
out of analysis due to greed or an unwillingness to admit that it is believed to be inevitable. These human tendencies to
error and wishful thinking often affect even the most rigorous applications of the scientific method and are a major
concern of the philosophy of science. But all decision-making under uncertainty must consider cognitive bias, cultural
bias, and notational bias: No group of people assessing risk is immune to "groupthink": acceptance of obviously-wrong
answers simply because it is socially painful to disagree.

One effective way to solve framing problems in risk assessment or measurement (although some argue that risk cannot be
measured, only assessed) is to ensure that scenarios, as a strict rule, must include unpopular and perhaps unbelievable (to
the group) high-impact low-probability "threat" and/or "vision" events. This permits participants in risk assessment to
raise others' fears or personal ideals by way of completeness, without others concluding that they have done so for any
reason other than satisfying this formal requirement.

For example, an intelligence analyst with a scenario for an attack by hijacking might have been able to insert mitigation
for this threat into the U.S. budget. It would be admitted as a formal risk with a nominal low probability. This would
permit coping with threats even though the threats were dismissed by the analyst's superiors. Even small investments in
diligence on this matter might have disrupted or prevented the attack, or at least "hedged" against the risk that an
Administration might be mistaken.

Fear as intuitive risk assessment?

For the time being, we must rely on our own fear and hesitation to keep us out of the most profoundly unknown
circumstances.

In "The Gift of Fear", Gavin de Becker argues that "True fear is a gift." (from book jacket) "It is a survival signal that
sounds only in the presence of danger. Yet unwarranted fear has assumed a power over us that it holds over no other
creature on Earth. It need not be this way."

Risk could be said to be the way we collectively measure and share this "true fear" - a fusion of rational doubt, irrational
fear, and a set of unquantified biases from our own experience.

The field of behavioral finance focuses on human risk-aversion, asymmetric regret, and other ways that human financial
behavior varies from what analysts call "rational". Risk in that case is the degree of uncertainty associated with a return on
an asset.

A recognition of, and respect for, the irrational influences on our decisions, may go far in itself to reduce disasters due to
naive risk assessments that pretend to rationality but in fact merely fuse many shared biases together.

References
Papers

Holton, Glyn A. (2004). Defining Risk (http://www.riskexpertise.com/papers/risk.pdf), Financial Analysts
Journal, 60 (6), 19–25. A paper exploring the foundations of risk. (PDF file)

Books

A good example of a risk-controlling, yet utopian civilisation was written by Iain M. Banks in his science fiction Culture
novels.

Magazines

Risk and Insurance : Home (http://www.riskandinsurance.com/)
Actuary .NET Actuarial News and Risk Management Info: Home (http://www.actuary.net/)
Actuarial News And Risk Management Resource : Home (http://www.actuarialnews.org/)


See also
safety engineering
civil defense
International Risk Governance Council.

Topics
Credit risk
Interest rate risk
Legal risk
Liquidity risk
Market risk
Operational risk
Systemic risk
Value at risk
Volatility risk
Risk aversion
Glossary (http://www.risk-glossary.com/)
Whitehead quotations (http://www-groups.dcs.st-and.ac.uk/~history/Quotations/Whitehead.html)
Certainty equivalents applet (http://www.gametheory.net/Mike/applets/Risk/)

Retrieved from "http://en.wikipedia.org/wiki/Risk"

Categories: Core issues in ethics | Risk

This page was last modified 00:57, 1 September 2005.


All text is available under the terms of the GNU Free Documentation License (see Copyrights for
details).
