There are many definitions of risk, with most coming pretty close to each other. Interestingly, most of these definitions put "risk" well beyond the point of "expected losses" (think of the high point on the actuarial loss curve that trails off into infinity as loss becomes less and less likely to occur but more and more severe; see figure 1 below). But are expected losses and those that fall to the right on the loss curve below really "risks"? If risk is the effect of uncertainty on objectives (one common and simple view of risk), then "expected losses" would not be materially "uncertain"; they would be "expected" (though not certain).

[Figure 1: managing risk along a curve]
This issue has perplexed many risk professionals, especially those who lean into the traditional realm, which bases risk management on insurance. These professionals perform a very necessary function but, by focusing on managing expected losses, may be limiting their influence and, in some cases, upward mobility. After all, senior managers are typically interested in the unexpected and uncertain potential for disruption to the organization, its strategy and its plans that define success. As one CEO I worked for would say: "Tell me what I don’t know and can’t foresee." That is an understandable interest because the CEO is the person ultimately accountable for success, both short and long term.
Can expected losses prevent that success? The answer is generally "no," assuming these losses have been accounted for in budgets, whether they are funded as retained losses or transferred to others through insurance or contract. Now, budget shortfalls do occur, and some claims may not be paid under certain insurance or contract conditions, but these are typically one-off variances that fall well within risk appetite (whether defined formally or not) and thus usually wouldn't prevent accomplishment of most objectives.
So, there are two obvious questions: 1) How does your organization define risk, and is it the right definition, which all stakeholders understand, agree upon and can manage to? and 2) Where on the loss curve do you want to manage risk to?
Other questions will emerge in trying to get to the second question, in particular. For example, do you assign more importance to likelihood or impact? I would suggest they are not of equivalent import and get their relative importance from a well-defined risk strategy and the risk culture that undergirds it.
Another question that quickly becomes critical is: How far out on the likelihood axis is relevant to your risk strategy? This is the ultimate question that will define where you focus along the x-axis (likelihood or frequency), what your resource needs are, the level of sophistication of tools and techniques necessary to manage risk effectively, etc.
I urge you to get your key risk stakeholders together and vet these issues to ensure you have the right priorities and focus for managing risk within your organization. Absent this, you'll be flying blind along a curve that presents an infinite number of combinations of likelihood and impact. Can you afford to fly blind in the face of the potential of catastrophic uncertainty?