A large part of risk management involves trying to reduce or eliminate the negative impact of possible future events. This blog post discusses ways to manage risk under conditions of uncertainty.
In Plato’s socratic dialogue Meno, Socrates sets forth what has become known as Meno’s Paradox. This paradox states that it is not possible for a man to search for either what he knows or what he does not know. This is because a man cannot seek to know what he already knows and he cannot search for what he does not know because he does not know what to look for.
The second part of this paradox – the logical truism that in essence you cannot know what you do not know – in fact presents a very real risk management challenge. If we start with the premise that risk management involves trying to reduce or eliminate the negative impact of future events, and the future cannot be known with certainty, it might be argued that any attempts to manage risk are by definition futile.
Fortunately for people who have to navigate the many uncertainties of the business world, this is not the case. While it is impossible to defend one’s self from every conceivable risk, and indeed the very attempt to do so would create its own set of risks which could be more damaging than the threats one set out to eliminate, it also would not be true to say that companies are utterly powerless to implement risk management strategies that have a significant chance of leaving them in a better position than they would have been had they simply left their future business fate to chance. This is because, to turn Plato’s reasoning around, all uncertainty is not equally uncertain.
Defining the Target Risk Set
The very first step in risk management is to convert the vast universe of potential risks that a business could conceivably face into a concrete set of risks to be managed. This involves turning Risk with a capital R into risk 1, risk 2, risk 3 etc. Given that companies have different business models and face different internal and external conditions, there is no standard risk template: the key risks for one company can be very different from those of another. Further, it is often the case that events that harm some companies help others.
To further narrow down the set of risks to be managed, the second step is to categorize the risks based on how likely it is that the risks will materialize. This categorization, to use a taxi company as an example, could involve risks that are highly likely to materialize (cars running out of gas or getting into accidents), risks that are less likely to materialize (terrorist attacks that affect transportation) and risks that are completely unknown (technology that makes taxis obsolete).
The third step is to define the relative frequency that these risks could reasonably be expected to occur. As risks are defined in the context of different economic, social, political and technological realities that constantly change, it is likely that there will be different degrees of confidence regarding risk frequency.
For a taxi business that has been in operation for a long time, there may be patterns regarding accidents (such as where or when they tend to occur) or or taxis running out of gas that can serve as a reasonable basis for making guesses about future risk occurrence frequency. With regard to issues such as terrorist attacks and disruptive technology, it may not be possible to define the likelihood with highly useful precision. However, by remaining aware of political and technological trends, it should be possible to make guesses with greater confidence.
Following this, it is necessary to weight risks in the risk set. While there are different ways that this can be done, the key way is to try to assign an economic value to the risk if it occurs. The economic value of taxi down time due to lack of gas could be calculated based on the economic value of fares that could have been charged in the same period.
With these steps, a general grid can be created with a set of risks, the expected frequency of these risks and the economic value of the impact of these risks over a defined time period. While this is a useful way to prepare a risk management strategy, this grid would have to be updated on a regular basis to reflect new information. This would likely involve a continuous process of adding risks, subtracting risks and adjusting their expected frequency and economic impact.
Risk Management
Once the risk grid has been established, the next step is to design a risk management strategy. When doing this, it is very important to keep in mind that risk management must be viewed in the context of the creation of firm value. Spending 1,000 to remove a risk that will cause a loss of 500 if it materializes will obviously not create shareholder value.
With this in mind, there are three general ways that risks can be managed.
The very first of these risk management strategies, and the one that without question is most widely followed, is simply to accept the risk. When we walk to work in the morning, we face a very high number of potential risks (falling, being hit by falling objects from buildings, being hit by cars or other vehicles, being attacked by dogs). While most people will exercise reasonable levels or prudence, these risks are often simply accepted.
The second type of risk management strategy is to actively manage the risk. Exactly how this is done depends on what the risk is, what risk management resources are available to the company managing the risk and what in the context of a firm’s overall operations would be most likely to create firm value. What firms should bear in mind is that a great many risks, once they are identified, can be managed without great financial expenditures.
The third type of risk management strategy is to transfer the risk to another party. The most common example of this is an insurance policy, where other people are paid to assume the negative financial impact of uncertainty. It can also be done in many ways outside of the insurance context, such as where one party to an investment contract agrees to guarantee an investment return.
Not knowing what you do not know is a very significant issue in risk management, but for most businesses the risks that tend to be the most damaging are those that either are in plain sight or that become progressively worse over time. With respect to risks that are unknown, taking a systematic approach to identifying, classifying and weighting risks and then devising a risk management strategy which is reasonably likely to create value will generally put on a firm on stronger footing to face future events.