Why do people take risks?
This week, I was privileged to speak at the 2nd Caribbean Risk Management Conference in Trinidad and Tobago. It was attended by decision-makers from all sectors of the economy, from large public companies to entrepreneurs in the local fashion industry to the heads of government agencies.
My ego was stroked nicely when the opening speaker, the Minister of Trade and Industry, talked about effective risk management enabling her agency to set the right policy and take the right steps – in other words, making informed, intelligent decisions rather than simply avoiding threats and other harms. She stunned me when she quoted from my book, World-Class Risk Management.
Later, I was on a panel when an attendee asked how she should rate risks. One of my co-panelists, a highly-respected practitioner with more than 20 years’ experience, responded by recommending a red-yellow-green set of ‘traffic lights’ to illustrate which are high, medium, and low risks. He agreed with the concept of rating risks based on their level (qualitative and quantitative).
My answer was different. I pointed out that risk is the effect of uncertainty on objectives, and that we need to assess risks not on their level alone, but whether that level is acceptable. Unfortunately, there was insufficient time to expand on this thought.
So, let’s do so now.
Why do people take risks?
I think there are two aspects to this. One is the culture of the organization and the inclination of the individual making the decision whether or not to ‘take’ the risk. Richard Anderson will expand on this point at Risk Reimagined in April and May. (Seats are still available at both the Chicago and London venues.)
The other involves understanding that people take risks because they believe there is more ‘upside’ than ‘downside’.
- We drive to work, which is taking a risk, because we need to earn a living.
- We invest in a mutual fund, which is taking a risk, because we anticipate a positive return on that investment.
- We hire a new staff member, which is taking a risk, because we need work to be completed.
We decide whether or not to take a risk based on more than the level of risk involved.
- Would you buy a lottery ticket for $10 when there is a 5% chance of winning $100? Probably not – unless you are an inveterate gambler.
- Would you buy that lottery ticket for $10 if there was a 5% chance of winning $1 million? Probably yes, unless you are violently opposed to gambling.
In the first instance, we might say that the level of risk ($10 * 95%) is not acceptable. But in the second, while the level of risk is exactly the same, it would be acceptable to most people.
Rather than report risks based on their level, we should report based on whether their level is acceptable.
This is why, in my book, I recommend that boards and top management receive risk management reports that help them understand the aggregate level of risk to each objective. That way, they know whether they need to act, such as changing strategies or even the objectives themselves.
Now, I agree that the level of risk can be useful in deciding how to allocate funds to their mitigation. But, assessing risks without the context of enterprise objectives may well lead you to (a) take the wrong risks, and (b) mitigate the wrong risks.
I welcome your thoughts.