Why do people take risks?

This week, I was privileged to speak at the 2nd Caribbean Risk Management Conference in Trinidad and Tobago. It was attended by decision-makers from all sectors of the economy, from large public companies to entrepreneurs in the local fashion industry to the heads of government agencies.

My ego was stroked nicely when the opening speaker, the Minister of Trade and Industry, talked about effective risk management enabling her agency to set the right policy and take the right steps – in other words, making informed, intelligent decisions rather than simply avoiding threats and other harms. She stunned me when she quoted from my book, World-Class Risk Management.

Later, I was on a panel when an attendee asked how she should rate risks. One of my co-panelists, a highly-respected practitioner with more than 20 years’ experience, responded by recommending a red-yellow-green set of ‘traffic lights’ to illustrate which are high, medium, and low risks. He agreed with the concept of rating risks based on their level (qualitative and quantitative).

My answer was different. I pointed out that risk is the effect of uncertainty on objectives, and that we need to assess risks not on their level alone, but whether that level is acceptable. Unfortunately, there was insufficient time to expand on this thought.

So, let’s do so now.

Why do people take risks?

I think there are two aspects to this. One is the culture of the organization and the inclination of the individual making the decision whether or not to ‘take’ the risk. Richard Anderson will expand on this point at Risk Reimagined in April and May. (Seats are still available at both the Chicago and London venues.)

The other involves understanding that people take risks because they believe there is more ‘upside’ than ‘downside’.

  • We drive to work, which is taking a risk, because we need to earn a living.
  • We invest in a mutual fund, which is taking a risk, because we anticipate a positive return on that investment.
  • We hire a new staff member, which is taking a risk, because we need work to be completed.

We decide whether or not to take a risk based on more than the level of risk involved.

  • Would you buy a lottery ticket for $10 when there is a 5% chance of winning $100? Probably not – unless you are an inveterate gambler.
  • Would you buy that lottery ticket for $10 if there was a 5% chance of winning $1 million? Probably yes, unless you are violently opposed to gambling.

In the first instance, we might say that the level of risk ($10 * 95%) is not acceptable. But in the second, while the level of risk is exactly the same, it would be acceptable to most people.

Rather than report risks based on their level, we should report based on whether their level is acceptable.

This is why, in my book, I recommend that boards and top management receive risk management reports that help them understand the aggregate level of risk to each objective. That way, they know whether they need to act, such as changing strategies or even the objectives themselves.

Now, I agree that the level of risk can be useful in deciding how to allocate funds to mitigation. But assessing risks without the context of enterprise objectives may well lead you to (a) take the wrong risks and (b) mitigate the wrong risks.

I welcome your thoughts.

  1. Urvil Khakhar
    March 26, 2016 at 6:21 AM

    Norman, very well explained that ‘acceptable’ risks are taken in anticipation of returns.

  2. March 26, 2016 at 8:43 AM

    Norman, an interesting blog as usual. I would go further to say that risks don’t exist without objectives, so no objectives no risks. So maybe we need to stop talking about risk management, and its related reports, and talk about achieving objectives and the circumstances hindering/helping this achievement. (I think you may have made this point in previous blogs.)
    So we take risks to achieve objectives. More exactly, we have objectives, the achievement of which is threatened by risks (and enhanced by opportunities). So we have to balance the benefit of achieving the objective (get to work, win $1m) with the downside (impact) of the various risks (have an accident, lose our stake) and the likelihood that they will happen. We also have the opportunity to reduce these (inherent) risks by adopting controls (airbags, seat belts) or abandoning the objective (don’t bet). We are then in a position to decide whether to accept the aggregate risks, that is whether the ‘downside’ of the risks (impact and likelihood combination) is less than the ‘upside’ of an achieved objective. Ideally we should not talk about ‘taking risks’ but ‘accepting risks’. (Though there are some who enjoy the thrill of risk taking as much as the objective, such as climbers).
    As you say above, ‘Rather than report risks based on their level, we should report based on whether their level is acceptable’. I would rather reword this to say that we should report against each objective, on whether that objective is likely to be achieved, based on the level of risks threatening its achievement.

    • S A Christman
      March 27, 2016 at 2:02 AM

      Responding to the comment above, the statement “no objectives, no risks” is tricky to use in practice. I have received exactly that argument from colleagues who did not wish to contribute to a risk register. Objective setting isn’t always a mature practice in organisations seeking to develop risk management. Whilst the obvious response is to influence leaders to develop and communicate objectives, that change may come slowly. In the meantime, I use other tools to aid risk identification asking what value the team adds and what can undermine or amplify that value. Perhaps just semantics, but I find it gets people unstuck.

  3. Ronald van den Berg
    March 27, 2016 at 2:11 AM

    I very much agree with David’s remark: no objective, no risk. Thank you Norman for your excellent articles.

    While I fully agree on the essence to base risk management on objectives, I struggle a bit with Norman’s definition of risk as ‘uncertainty on objectives’: it creates in my view a weakness in applying effective risk language:
    – People will phrase Risks as the inverse of an Objective, which in my view does not bring any new insight. For me, even risk assessment alone should always consider the relevant objectives it affects (as consequences/impact are part of the equation)
    – It may not bring the focus on identifying relevant uncertain events (which matter), failing to answer to the ‘what could go wrong’ question. Without these events and an understanding how these events are caused by other uncertain events, the assessment of probability of non-achievement of an objective becomes impossible. The same then applies to the identification of an effective risk mitigation plan
    – Assigning internal accountability may be difficult as the definition of objectives (rightfully) does not limit itself to organizational structures (e.g. functions/departments). Ideally objectives are then broken down to the level of single process or groups of assets, for which a unique owner can often be found.

    PS I doubt, not having done any research, whether many companies clearly articulate their clear business objectives (aligned to their strategy), and go beyond short-term KPIs and Targets, e.g. whether this condition is present for risk management process to gain traction.

    The acceptable level of risk (or better uncertainty) can be defined as the tolerable level of deviation from the target set for a specific business objective, which the management of an organisation is willing to accept.

    I agree with Norman that reporting of risks based on their ‘acceptability’ is indeed the right way (management should be supported in where its attention should go), pointing out that management itself then also needs to set these risk tolerances explicitly as well.

  4. Bruno Cheval
    March 28, 2016 at 9:30 AM

    Norman, two points:
    1) A quick distinction: I believe “risk” relates to a situation in which both outcomes and associated probabilities are known (your lottery example). “Uncertainty” relates to the more common situation in which outcomes and/or associated probabilities are not known. So most of the time, we should be talking about “uncertainty” rather than risk. Organizations could then differentiate across various types of risk/uncertainty (known outcomes and probabilities (i.e. risk), known outcomes/unknown probabilities and unknown outcomes/unknown probabilities).
    2) I fully agree with you that risk (or uncertainty) should be linked to an objective and that assessing risk solely in terms of “level” does not make much sense most of the time (I come from an industry (capital markets) in which if you don’t take risk, you don’t make money and where rate of return is linked to a level of risk: Sharpe ratio). Instead, an organization is better off looking at the level of risk with regard to both its objective and its risk appetite (when possible, expressed in quantitative terms).
    Also, one should keep in mind that risks within the organization are often correlated (i.e. not independent from each other). For this reason, it is key to understand the aggregate level of risks associated to each objective as well as the interdependence between all risks taken.
