10.1: What is Risk?

Intuitively, risk is the possibility that we will not get what we expect. To quantify risk, a good starting point would be to define the term more precisely. However, here, we stumble on a roadblock — even though we all have an intuitive understanding of risk, there is no single, universally accepted definition.

Definitions of risk are applied in different disciplines, such as economics and mathematics; however, the definitions used vary across and even within those disciplines. To complicate matters further, the definition could be context-specific. For example, the Risk and Insurance Management Society (RIMS), a global organization dedicated to risk management, defines risk as “uncertain future outcome(s) that can either improve or worsen one’s position.” In investments, risk can be defined as the likelihood that an investment’s actual return will differ from the one expected. In the context of insurance, risk can be defined as the possibility of loss or injury.

For our purposes, we will use risk and uncertainty interchangeably. However, in his 1921 book Risk, Uncertainty and Profit, Professor Frank Knight distinguishes between risk and uncertainty depending on whether the objective probabilities are known. According to him, risk applies to situations where objective probabilities are known, while uncertainty applies to situations where the objective probabilities are unknown. Because, in the words of Prof. Knight, “true uncertainty is not susceptible to measurement,” it is not easy to analyze uncertain situations when the objective probabilities are not known. Consequently, we focus here on objective risk, i.e., quantifying risk using objective probabilities.

Eminent mathematicians such as Laplace, Jacob Bernoulli and Poincaré believed that we live in a deterministic world where there are definite causes for each effect; everything happens for a reason, and there is no such thing as luck. In such a cause-and-effect world, there is no place for games of chance as we would know exactly what outcome will occur when we throw a die or spin the wheel of a roulette. Knowing the causes, it is a simple matter of mathematical calculations to predict the future stock price or the value of life insurance. However, as we do not always know the underlying laws of nature, we tend to attribute outcomes to chance. In our world of limited knowledge of natural laws, Poincaré notes, “Chance is only the measure of our ignorance.” (Poincaré in Bernstein, 1996, p. 200.)

Games of chance have existed since the dawn of civilization. The interest in gambling led to the probability theory’s origin in 17th-century Renaissance Europe. A branch of mathematics, probability theory is a powerful tool for modelling risk and making predictions and decisions. We begin our study of risk by reviewing major concepts from probability theory that will enable us to define several measures of risk.

Measuring Risk

There are two different approaches to measuring risk:

1. Analytical or theoretical
2. Empirical or experimental

The theoretical approach is based on probability theory and formal mathematical reasoning. On the other hand, the empirical approach uses data from controlled or uncontrolled experiments. While for clarity, we discuss these two approaches separately, we are going to see that, ultimately, these two different approaches are mathematically equivalent. Empirical observations inform theoretical reasoning, and the empirical approach is based on theory.

Risk and Return

Although the standard deviation is a conventional measure of risk, it considers both positive and negative deviations from the mean. Would you be concerned about getting returns that are higher than expected? Probably not — your reward for taking a risk is the opportunity to get a return much higher than expected. Our concern is obtaining returns on investment that are lower than expected, so what we intuitively mean by risk is downside risk, the possibility that our return will turn out well below what we expect.

Quantifying Downside Risk

Standard deviation is an adequate measure of risk if the underlying distribution is normal; because the normal distribution is symmetric, the probability of observing a positive deviation from the mean is exactly equal to the probability of observing a negative deviation equal to 0.5. In other words, half of the time, we would observe negative deviations and half of the time, we would observe positive deviations from the mean. If you want a measure of the negative deviations from the mean for a normal distribution, you can simply divide the standard deviation by 2.

However, the standard deviation is not an adequate measure of risk if the underlying distribution is not normal. In such cases, other measures of the shape of a distribution, such as skewness and kurtosis, will be informative in assessing risk.

Subjective Probability

Economic models often assume that we know the objective probability of an uncertain event and risk can be defined through numerical probabilities. In reality, we rarely know the underlying, true distribution of uncertain events, and even then, we typically do not engage in data collection to estimate objective probabilities. In some cases, there is simply no data to estimate empirical probabilities, especially in the case of rare events such as natural disasters. In dealing with risk in our daily lives, we rely on our subjective judgments and beliefs about how likely an uncertain event is, and our beliefs are not necessarily expressible in numerical terms. Subjective probability refers to the likelihood an individual attributes to an event based on the individual’s own experience or personal judgement. It differs from person to person.

The human tendency to overestimate our actual ability to perform a task successfully is termed overconfidence by cognitive psychologists. Studies show that people tend to be unrealistically optimistic about their health, believing themselves to be at a significantly lower risk for a wide range of physical diseases and health outcomes (e.g., cancer or heart disease) relative to their peers. Students, employers, and CEOs have been shown to routinely overestimate their performance. Generally, psychologists find a low correlation between our subjective beliefs about abilities and actual or objective performance.

Many factors affect subjective probability, such as age, gender, experience, and education. Often, we make decisions based on our subjective beliefs rather than objective probabilities, which has real economic consequences for us and society as a whole.

Risk and Insurance

How can we reduce or eliminate risk ex-ante? Financial markets offer different mechanisms that enable us to choose how much risk we want to bear and transfer the rest to an external party. Insurance is one such mechanism whereby the buyer of an insurance policy transfers some or all the risk to an insurer in exchange for regular payments commensurate with the risk involved and the insured loss.

Suppose, for example, that your house can be burglarized with some positive probability. You can transfer that risk to an insurance company by buying home insurance. The insurer bears the risk in exchange for regular payments called premiums. The premium that you pay on your insurance contract is the price of insurance. It is commensurate with the likelihood of your home being burglarized and the size of the loss. Notice that a risk transfer does not eradicate the risk. Your home can still get burglarized even if you have insurance. However, in that case, your insurance company will indemnify or compensate you depending on your loss and the contract agreement.

Risk transfer is one of the four major risk management strategies. The remaining three strategies are risk reduction, risk avoidance and risk acceptance. You can take an action to reduce a risk. For example, you can install a home security system to prevent your home from being burglarized. Sometimes, risk can be eliminated by choosing an appropriate course of action. For example, investing in the stock market is risky. You can eradicate this risk by choosing not to invest. If you do not take any action to mitigate risk, you accept it and will have to deal with its consequences when the risk occurs. Your best course of action will depend on the context, the potential loss, and your preferences.

The Risk Management Framework

Organizations use risk management frameworks (RMFs) to identify, assess, and manage risks. A risk management framework provides guidance and strategic decision-making in any management of risk.

The COSO Enterprise Risk Management Framework aims to help organizations understand risks and create a link between risk, strategy, and how a business performs.

ISO 31000 is an international standard that provides principles and guidelines for risk management. It outlines a comprehensive approach to identifying, analyzing, evaluating, treating, monitoring and communicating risks across an organization.

While organizations can use both frameworks, the ISO model contains a generic framework that many feel is easier to implement.  The ISO 31000 RMF has three main elements:

• The principles guiding the risk management activities.
• The risk management framework — the operation of risk management across the organization.
• The risk management process — how are risks identified, analyzed and treated?

With a defined risk identification process, understanding the sources and causes of identified risk helps determine the level of risk and magnitude of risk treatment.

Attributions

“10.1 What is Risk?” is an adaptation of Chapters 1 to 6 of Module 1: What Is Risk?, copyright © by Tsvetanka Karagyozova, licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.

The multiple choice questions in the Checkpoint boxes were created using the output from the Arizona State University Question Generator tool and are shared under the Creative Commons – CC0 1.0 Universal License.