
An important discussion of risk and its assessment

Alex Sidorenko has written What is a risk? It’s not what you think it is.  Here’s his first and most important point, with my emphasis added:

Uncertain event with uncertain effect

This is probably the most known way to describe risk. Risk is represented as an uncertain event within a given timeframe that if it happens will have an effect on objectives, decisions or some other important aspect of the business.

Make no mistake, I am not talking about the qualitative nonsense you would see in a heatmap. Risks don’t have a single consequence; it is always a range. Smaller consequences usually have higher probability and catastrophic consequences usually have lower probability. The consequences of any given risk are a probability distribution. Understanding the nature of that distribution is crucial for risk mitigation, whether it is lognormal, metalog or something more exotic.

What about frequency or probability? First, basic math: risk doesn’t happen on average (unless we are dealing with some portfolio risk analysis); it either happens or it doesn’t. That’s why probability is also a distribution, like Bernoulli for example. But wait, many risks may happen more than once per period. That’s why it’s actually often useful to replace probability with frequency, which is also a distribution, like Poisson.

ISO 31000 talks about risk as the effect on objectives, and that is fine. (COSO is not that different.)

So, I would argue that we are not talking so much about an uncertain event (or situation) as we are or should be concerned with an uncertain range of effects, each with its own and uncertain likelihood. While they may be caused by one or more events (bad things do tend to happen in clusters), it is the effect that needs to be addressed – or, I should say, the range of effects.


Understanding that an event or situation can have a range of effects, each with its own likelihood, is crucial to informed and intelligent decision making.

While I understand the desire to reduce the range to a point (Alex talks about a value), we must be incredibly careful!

Is there a point, maybe more than one, in the range of effects and likelihoods that is not acceptable? While calculating an overall value may incline people to decide that it is okay and can be accepted, it is quite possible that even a very low likelihood of a catastrophic effect is unacceptable.
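As an added illustration (not code from the original post or from Alex’s article), the following Python sketch simulates an annual loss range with the distributions named in the quoted text, Poisson frequency and lognormal severity, and puts the single “value” (the mean) beside the tail probability of a catastrophic loss; every parameter value in it is constructed.

```python
import math
import random

# Added example, not part of the original post. Frequency of events per year
# is modelled as Poisson(lam) and the loss per event as lognormal(mu, sigma);
# all parameter values below are constructed for illustration only.


def poisson(rng, lam):
    """Knuth's algorithm: sample an event count with mean lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, trials=20000, seed=1):
    """Return one simulated annual loss total per trial (seeded, so repeatable)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        events = poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def summarise(totals, catastrophic):
    """Compare the single-number view (mean) with the tail of the range."""
    n = len(totals)
    ordered = sorted(totals)
    return {
        "mean": sum(totals) / n,
        "p95": ordered[int(0.95 * n)],
        # share of simulated years whose loss reaches the catastrophic threshold
        "p_catastrophic": sum(1 for t in totals if t >= catastrophic) / n,
    }


if __name__ == "__main__":
    # Constructed scenario: about one event every two years, median loss of
    # 100,000 per event with a fat tail, and 2,000,000 treated as catastrophic.
    losses = simulate_annual_losses(lam=0.5, mu=math.log(100_000), sigma=1.5)
    print(summarise(losses, catastrophic=2_000_000))
```

The mean alone would suggest the exposure is modest; the p_catastrophic figure is the part of the range a decision-maker has to accept or refuse separately.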


Even then, making a decision based on an assessment or visualization of one source of risk, even if shown clearly as a range, ignores the fact that:

  • There is rarely just one source of risk that needs to be considered in making the decision.
  • It ignores the reasons you might want to take the risk, such as the possibility of reward or the need to invest the resources in addressing one or more other sources of risk.


I like the concept of resilience.

As a Vice President in IT at major financial institutions, one of my teams was responsible for contingency planning (both for the data centers and for the business). We realized that we needed to be prepared for and ready to recover from the disruption of technology services (the effect) regardless of the cause of that effect (the event or situation). Yes, prevention of the event was important, but there are some events or situations that are out of your control. For example, our main data center was on the flight path into Burbank airport and there was no way we could prevent a plane hitting our facility!

Resilience recognizes that while there are some sources of risk that you can anticipate, others can surprise you.


Returning to the main points:

  1. Recognize that heat maps and even models that attempt to put a single value on the level of risk, ignoring the fact that there is a range of effects and likelihoods, are simply wrong.
  2. Trying to make a decision based on information about only one of the many potential sources of risk, only one of the potential drivers and consequences, is unlikely to lead to success.
  3. Don’t leave out of the equation the reasons for taking a risk – the potential for reward.


One massively overlooked point is this:

You need to understand the decision that needs to be made before you can understand and develop the information needed to make it.


Provide decision-makers the information they need about risks, opportunities, and the potential consequences of their actions/inactions.

Don’t provide the information you think they should need based only on standards, frameworks, so-called best practices, or other generic guidance.


I welcome your thoughts.

  1. June 14, 2021 at 7:59 AM

    I think the most important observation you made about the article is that, “It ignores the reasons you might want to take the risk, such as the possibility of reward or the need to invest the resources in addressing one or more other sources of risk.” We sometimes forget this as ‘risk managers’.

  2. June 14, 2021 at 8:32 AM

    Suppose the decisions to make are, ‘What are the most serious risks to the achievement of the organisation’s objectives and are controls operating to bring them down to a level I consider acceptable?’
    I need: a list of my objectives, the circumstances which may hinder/help their achievement and the processes which are intended to bring them to an acceptable level. In order to rank those circumstances, both before and after the processes are applied, I need some sort of scoring mechanism. It doesn’t need to be sophisticated since I’m just making a decision about whether I need to be worried. Consequence times likelihood is an option for a very rough score. Yes, a single score is naive, but it’s good enough for the decision I have to make. As you say, Norman, that’s often overlooked.

    • Norman Marks
      June 14, 2021 at 9:37 AM

      David, aren’t you still considering risks one at a time, separate from the possibilities of reward?

      Each can be acceptable individually but unacceptable in the aggregate.

      Each may appear unacceptable in isolation, but necessary to achieve a far larger reward.

      • June 14, 2021 at 12:12 PM

        Yes, I am considering risks and benefits one at a time, but since they are linked to objectives there’s the possibility of adding the risk scores to get a very crude idea of the objectives most at risk. If, as a result, it was proposed that the objective was dropped the benefits could be taken into account and a much more sophisticated decision analysis carried out.

        • Norman Marks
          June 14, 2021 at 1:39 PM

          David, I have recommended that the assessment be expressed, not in terms of dollars, but how it would affect the achievement of which objectives – in a way that you can see the percentage drop or gain in the likelihood of achieving objectives.

          Do you like that?

          • June 14, 2021 at 1:51 PM

            Yes, that seems a good method.

            • Norman Marks
              June 14, 2021 at 2:02 PM

              Thanks – that’s the theme of my books

  3. Doug Anderson
    June 14, 2021 at 8:34 AM

    The concept of risk is not simple. As you deftly point out, we need to consider distributions, not point estimates, when we consider the impact of risk on a specific objective or decision. In addition, risk factors are typically not independent items. One often needs to evaluate a number of other considerations in understanding how one aspect of risk will impact an organization.

  4. June 14, 2021 at 9:47 AM

    Why do anything about risk? It is not estimated or probable therefore doesn’t exist and we therefore are allowed to ignore by the business rules.

  5. John Fraser
    June 14, 2021 at 2:26 PM

    I am disappointed that some still define risks as limited to ‘events’. To me, and to users of ISO 31000, risk is much more than just events and includes all ‘uncertainties’.

  6. June 15, 2021 at 2:46 AM

    I am in full agreement with you Norman, except perhaps for the parenthesis of “bad things tend to happen in clusters”. It may be perceived as such as we are more sensitive to bad things happening when something bad has already made us more vulnerable and attentive. A bad thing happening in the middle of a success story tends to be forgotten/overlooked/ignored.

    Apart from that, sure. The value of the risk manager comes from leveraging and supporting:
    – Quantitative risk analyses (of likelihood and impact range)
    – Monte Carlo simulation for consolidation of a portfolio of risks, levers and uncertainties
    – Intelligent risk taking, as there is no such thing as no risk taking

  7. June 16, 2021 at 10:09 AM

    Norman, just pondering how to measure risk. One possible way would be to answer the question, ‘How much am I prepared to pay to control this risk?’ So in your example, how much would you pay to protect your data? Would it be sufficient to build a second data centre, or rent backup services? The amount is obviously related to the impact of the risk but also takes into account likelihood.

    • Norman Marks
      June 16, 2021 at 10:18 AM

      David, that is a great measure that I have used myself many times. There are factors that affect how much I am willing to pay such as the opportunity cost of those resources and the presence of other risks and opportunities.

  8. John Fraser
    June 16, 2021 at 12:06 PM

    That is the first step. The second step is to compare this source of risk against the others and decide which is more important and then prioritize according to your risk criteria. We have a chapter on prioritizing resources to address risks in our ERM book.
