Life has always been a risky business. The fear and concern generated by Covid-19 has served to surface the fact that there are widely varying understandings of risk across our community. There are equally broad views as to how serious risk can and should be managed or, to use the technical term, mitigated. Cost is always an issue in dealing with risk. Even as I write the debate is growing about cost and impact of managing the current pandemic. That is, how much should we spend for how long to protect how many people from catching the disease - and what impacts are we prepared to accept on our personal freedoms, livelihoods, and the broader economy. These questions are not recent: they have been raised across millennia. Talk of risk raises emotional issues, a point I will return to.
So, what is risk? Some definitions are broad and others quite narrow. One states that risk is the potential for the uncontrolled loss of something of value. Another that risk is the chance of something happening that will have a negative effect. A narrower, more business focussed understanding sees risk as an ongoing or upcoming concern that has a significant probability of adversely affecting the success of major milestones.
Most risk definitions encompass two aspects: 1. Uncertainty as to whether or not a particular event will happen; and: 2. Loss, the notion that an event or occurrence will have unwanted consequences or result in loss of some kind. Embedded in the twin ideas of uncertainty and loss are the very reasons why it is not easy to get people to agree on what is, and is not, a risk. Firstly, individuals may have widely different views as to how likely it is that an event will happen, and secondly, they disagree on whether or not a particular consequence is acceptable. For example, a 30% risk of losing $1000 on an investment may mean little to a multi-millionaire but much more to a pensioner. A sixteen year old spending the day on the beach with friends is likely to have a different view of the risk of skin cancer than their parents or, indeed, to a dermatologist whose waiting room is filled with adults wishing they had ‘slip, slop, slap-ed’ when they were young!
The role of values and emotions
Values, emotions, and beliefs impact how we understand, perceive, and react to, risk. It is human for individuals to see ourselves as rational beings whose views are objective and thus correct. In fact, all of us interpret life through our personal values and observe events with our unique set of emotional lenses.
In regard to the pandemic, for example, a values dichotomy has emerged which is expressed as the risk of death from the disease versus the risk to the economy from a shut down. Some would have governments focus their strategies on absolutely minimising the pandemic’s health impact on people. They argue that each and every human life is of value. Others claim that it is no good saving human lives if the economy is in ruins and thus unable to fund health and education services when the pandemic is over. The question is, how much are we willing to invest in minimising the health risk to individuals and at what risk to the economy? Or to be blunt, how many lives should be saved and at what cost?
An even more acute frame than people versus the economy is the relative value of younger versus older citizens. In this rationale, it is correctly argued that the risk of dying from Covid-19 is disproportionately higher for the those over 70 years of age and otherwise frail. Given that the elderly and chronically ill have little economic value and have lived the greater part of their lives already, proponents argue, they should either accept the greater risk of death or be prepared to isolate themselves. The economy must go on. Some commentators and politicians have even said that it is selfish for the elderly not to accept that they are going to die in disproportionate numbers!
Values and emotions have a deep impact on how we understand and act in regard to risk.
Risk concepts
Leaving aside the pandemic, there are several concepts that can assist in better understanding, discussing, and dealing with risk and, in the process, help answer the age-old question, ‘what’s the risk?’
Risk likelihood and impact
Project managers and board directors will be familiar with this 2x2 matrix that is often used in risk discussions. All organisations can use a framework such as this to generate insightful conversations about the 8-10 key risks the organisation faces and how they might be categorised or segregated. Risk segregation is an important concept as it introduces the notion that not all risk is the same. It is generally accepted that the most attention should be given to managing those risks that are likely to happen, and will have a high impact, followed by those that are less likely to happen but will have a significant negative impact if they do. As with all 2x2 matrices, this one has its strengths and downsides. It is helpful, however, in commencing the risk journey.
Risk mitigation
Once key risks have been segregated or categorised another set of conversations can commence around mitigation. That is, what can be done to lessen the likelihood and/or impact of an unwanted occurrence. Put another way, how might uncertainty and loss be minimised? There are at least four types of risk mitigation strategies. These include:
• risk avoidance
• risk acceptance
• risk transference; and:
• risk limitation
In a stock market listed company, insolvency is a risk executives and boards wish to avoid. As a result, strong risk avoidance controls are put place. This may be less so in an entrepreneurial start-up venture where the owner accepts a higher risk of insolvency.
The concept of risk acceptance acknowledges the fact that there are risks that individuals and organisations choose to accept. Walking down a street has its risks but unless the street is a known crime haunt, we accept those risks as minor. Risk acceptance is not the same as risk ignorance. Risk acceptance should be a chosen rather than accidental strategy.
Risk transference may be as simple as contracting an insurance company to take over all or some aspect of risk via an insurance policy. Insurers then bundle up their many policies and offload their aggregated risk through buying reinsurance. Modern insurance policies allow consumers to set their own level of risk. For example, a car owner agreeing to pay the first $500 of any claim. Outsourcing offers another strategy whereby enterprises can transfer risk. For example, choosing to outsource security services, payroll of even manufacturing.
Risk limitation is a common form of mitigation. To limit the risk of hacking, a company may have a policy of setting complex passwords. To minimise the impact of a computer systems failure, organisations implement off-site back-up processes. Similarly, wearing an approved face mask lowers the chance of infection during an epidemic.
Differential risk
Differential risk refers to the fact that there are known links between one factor and another. For example, a person who is older has a statistically greater chance of being diagnosed with dementia. As a corollary, young persons have a lower risk profile for dementia-related illnesses. A town built on a fault line is very likely to have a differentially higher risk of being destroyed by an earthquake than a similar village elsewhere. Insurers use differential risk frameworks to price insurance policies in areas prone to bushfire or cyclones. A homeowner can limit the possibility of their house being damaged by a cyclone, and potentially pay lower insurance premiums, by building to accepted cyclone standards.
Timing
As comedians say, timing is everything. It is often forgotten that risk can increase and decrease over time with or without intervention. The philosopher G.K. Chesterton observed:
‘If you leave a thing alone you leave it to a torrent of change. If you leave a white post alone it will soon be a black post.’
A small pothole in a road potentially becomes a dangerous crevasse if left to its own devices for long enough. Not visiting the doctor about chest pain could lead to a heart attack. Choosing not to pay for regular small upgrades of a key software program may result in having to invest a substantial sum to purchase a major new version.
Perception and understanding of risk changes over time. Forty years ago, virtually no school did a risk assessment before taking a group of children camping in the bush. In 2020, whole manuals are written on the topic!
Risk is not static. Risk can and does change over time. Leaving a known risk alone rarely makes it go away.
Summary
Business and corporate governance circles often express a concern that too much attention is now paid to risk and risk management. This may well be the case, but then along comes the GFC or a massive bushfire season and society appears woefully unprepared. Equally, the possibility of pandemic is a low likelihood, high impact event – and Australia’s last major epidemic was the Spanish flu 100 years ago. In general, I believe a deeper and broader understanding of risk and risk management is a positive at an international, national, institutional and community level. A little knowledge of risk might be a dangerous thing, but zero understanding leads to disaster.
Philip Pogson FAICD