When doing risk workshops, it is always quite telling how people will squirm and fidget in their seat as I ask them what their definition of risk is. Workshop participants then go to great lengths to avoid eye contact, so that they will not be selected to give their definition of risk. Again, this is a definition that almost every three-year old can articulate. It then starts to get really interesting as workshop participants strive to demonstrate their risk prowess by seeing who can come up with the most precise, and consequently, the most academic definition. Inevitably, the answers start to get more quantitatively oriented, or more regulatory and legalistic in nature. Carry the conversation on long enough and you will need a doctorate in math and or laws in order to make sense of it.

You might think that it is absolutely bizarre, or at least a waste of space by spending a chapter talking about the definition of risk. However, I believe that having a clear and consistently understood definition of risk throughout an organization is one of the easiest, yet one of the most beneficial steps that a company can take in improving their risk management activities. Conversely, not having the right definition of risk, and not having a clear and consistently understood definition is the root cause of many of the problems in risk management.

If you ask the average person on the street what their definition of risk is, they will likely respond that risk is a chance that something bad will happen. Indeed, if you look up risk in the dictionary, you will get, “the possibility that something bad or unpleasant (such as an injury or a loss) will happen.”¹ This definition is fine and good, but it leaves a lot to be desired for risk management purposes.

Firstly, the definition of “possibility of something bad happening” is not consistent with the mathematics of the most common ways to measure risk. Secondly, it is an extremely limiting definition that forces most of the potential value of a risk management function wasting away. Thirdly, and perhaps most importantly, it is a very negative definition, which, in turn, imparts a negative pall over all of risk management. Finally, this common (mistaken) definition of risk is one of the reasons I decided that this book needed to be written.

You might be thinking that defining risk as “the possibility that bad or good things may happen” is a convenient butchering of the English language. While it is true that the editor of this book will find many instances of my butchering of the English language, the definition of risk as given is perfectly legitimate and valid in the context of organizations and in the context of risk management. Indeed, as will be argued, it is, by far, the preferred definition. It is also the de facto mathematical definition of most risk management measurements—whether you realize it or not.²

The Committee of Sponsoring Organizations of the Treadway Commission, more commonly known as COSO, is a joint initiative of a variety of organizations with a common interest in developing standards and frameworks for effective risk management. The COSO framework for enterprise risk management is considered by many to be the definitive framework for risk management. Their definition for risk is:

A moment’s reflection will show that it is consistent with the proposed definition of risk, while albeit being a bit more sophisticated in its wording.

There are three elements to my proposed definition of risk; firstly, there is an element of uncertainty, secondly there is an element of the future, and thirdly, and perhaps most significantly (and unconventionally), there is an element that risk has both upside and downside components.

The first element of the definition involves uncertainty. In simple terms, with risk, there is an element of not knowing what will happen. Frequently, risk and uncertainty are used as synonyms for each other. When we state that a situation is uncertain, we may as well say that it is a risky situation and viceversa.

In the technical mathematical literature, as well as in the academic risk community, risk and uncertainty have close, but different meanings. With risk, you have a range of possible outcomes, but the mathematical distribution is known. For instance, we can state what the average daily returns of the S&P 500 index were, as well as what the standard deviation for the index was, for any given year for which we have the data.⁴ However, what will be the most popular genre of music among high school students 10 years hence is, however, unknown, and at the present time, unknowable. It is quite possible that the most popular genre of music 10 years hence has not yet been conceived of. This is uncertainty. Given the pace of technological change in the music industry, it is also hard to envision how that music will be distributed and consumed as well. Thus, we see that stock returns can be labeled as risky, while future popular music genres are uncertain.

This parsing of the difference between risk and uncertainty is, for the most part, academic and does not really need to concern us. There is, however, one catch: risk management as a profession is becoming enthralled with what can be quantified, and thus, there is an inherent biases toward elements that can be measured with precision, which includes events for which a known mathematical distribution such as the normal distribution or a Poisson distribution (or perhaps even something sexier sounding such as a Gaussian distribution) can be applied to. Experienced organizational professionals will immediately see a problem with this, as many key risks cannot be so easily distilled to such a known distribution. As management guru Peter Drucker famously stated, “what gets measured gets managed.” However, that does not mean that all that needs to be managed gets measured, or conversely, that everything that can be measured needs to be managed. It might be argued that the most important risks are precisely those that cannot be measured—a theme that we will return to later.

The second element of our definition of risk is that it concerns the future. That may be an incredibly obvious statement, but too often we are focused on the past; the past crisis, the past mistake, the past regret, and as a result, spend way too little time creatively thinking about what might be. Risk cannot be managed in the rearview mirror, and while the past might be the best precursor to the future, it is not a very reliable one. The professional risk manager must be knowledgeable and respectful of the past, but with a vision focused on the present and an imagination trained on the future. Again, there seems to be a disconnect as risk measures and risk strategies, as well as tactics are frequently (and correctly) criticized for fighting the last crisis. We cannot change the past. The best we can hope for is to manage the future, but obsessively focusing on the known past is not only too convenient and intellectually lazy, but it takes valuable time and energy away from imagining future scenarios that will need to be managed.

The final element of our definition of risk is that risk involves both the downside as well as the upside. Risk is the possibility of both good things as well as bad things happening. This is the element of the definition that causes pause with the most people. In workshops, it is the element that causes the most push-back, as many risk managers, as well as regulators, believe that the sole function of risk management is preventing the downside. It is certainly how almost all risk management functions in practice. However, an equal focus (if not more than equal to overcome long standing biases) on the upside is what makes all the difference.

Let’s start with attitude. My experience has been when talking with frontline professionals that they in some way label the risk management function of their organization as the “Department of No!” Admit it, that is likely how the risk management department in your organization is thought of. Not a very optimistic thought, is it? It is kind of like risk management being the dark cloud; the spoil sport of the group; the “it’s sure to rain” declarer. No one wants to invite the party pooper to the party.

A change in the definition is more than a slogan. To begin with, a change in definition can become an attitude changer. In Chapter 8, some ideas for creating a good risk culture will be discussed. This simple, but profound change in definition is a key element in creating a positive and effective risk culture. Instead of a culture of fear, or blame, or a culture of restraint and being held back, the risk culture becomes focused on the positive, the possibilities, and on how risk adds value and effectiveness to the goals and objectives of the organization. This does not diminish the focus on the downside, but counterintuitively can enhance an appreciation for, and the understanding of managing both the downside and the upside both individually and in tandem.

Secondly, a change in the definition helps risk to become a proactive function, rather than a reactive function. Think for a second about the tasks that bring out the best of your procrastination skills. Do you procrastinate on the positive things, the optimistic things, or do you procrastinate more on the perceived negative or downside events? Do you procrastinate more on making your dental appointment or booking tickets to see your favorite sports team play in the finals of the championship? There are upsides and downsides to both events. My dentist recently told me that my teeth are as solid as rocks, and your dentist as well may give your mouth a clean bill of health, but instead you focus unwarrantedly on the need for a potential root canal. Meanwhile, your team may suffer a blow-out in the playoffs, but instead you focus on the joy and thrill of victory and the experience of celebrating with a group of like-minded fans. You do not allow the thought of your team suffering an embarrassing beat-down to enter into your consciousness. It is easy to see why the dentist has a receptionist phone your office to coerce you into making your semiannual appointment while there will be a queue of people camping out overnight in order to buy playoff tickets.

A large part of risk management is dealing with human nature. Having a definition that incorporates both the positive and negative elements of risk works with human nature to produce a far more proactive attitude toward risk. It is human nature to focus on fear and downside risk, unless a more positive element is also explicitly introduced.

A central theme of this book is that risk management function should be a value-oriented function, rather than a cost center. Have some patience and before you start espousing all those studies about companies losing their figurative shorts by making the risk function a profit center, humor me for a few chapters, so that I can explain and build the argument. I am not advocating that risk managers should start trading derivatives in order to time the markets and make exceptional profits. As someone who is trained as a finance professor, and as someone with professional trading experience, I have a strong belief in the efficient markets hypothesis, which states that it is impossible to make positive abnormal returns from financial trading. The exploits of firms such as Procter and Gamble and Metallgesellschaft⁵ in the 1990s have unambiguously and definitively shown the folly of corporate entities trying to make money solely through sophisticated financial trading, rather than efficiently making things and selling things. What I am advocating is using intelligent and positively focused risk management to enhance the effectiveness and profitability of making things and selling things and services. More on that later, but the point for now is that risk management should be seen as a value-creation activity. Instead of the “Department of No!,” risk management has the capability to become the “Department of How We Can Do It Better!” Many of the techniques and tactics for managing downside risk can also be, and should be, applied toward enhancing upside risk. The proposed definition of risk goes a long way toward allowing this to happen.

The final advantage of the proposed definition is that it changes the definition of what the “risk management” function is. Defining risk as the possibility of bad things happening sets up risk management as the function to prevent losses. Setting the definition of risk as the possibility that bad or good things may happen provides the basis for a much more positive and valuable objective for risk management.

As an example (albeit a trivial one), consider the last time that you took a trip in your car. It could have been a cross-country trip with your family or it could have been a five-minute drive to the grocery store. Assuming that you are an experienced driver, and a good driver,⁶ you almost certainly practiced risk management as I have proposed. You drive defensively to prevent an accident, but you also drive so as to achieve your objective, namely arriving at your destination in a time-efficient manner. If you were acting like most risk management departments, you would take far fewer trips to avoid the chance of an accident. No car trip means no car accident, but also no family viewings of the Grand Canyon or no groceries at home.

Often, when I propose this definition of risk, it will be argued that it is axiomatically impossible to simultaneously manage to increase upside probability of good events while decreasing the possibly of downside events. That argument of course is poppycock and a sign of lazy thinking. We are constantly trying to increase our odds of success while simultaneously decreasing our odds of failure. We do this with almost every activity we undertake. In fact, by focusing on increasing success, we automatically are decreasing the possibility of failure. In school, the best way to avoid failing a course is to work to get a great mark in the course. At work, the best way to avoid getting fired (or demoted) is to work so as to get promoted. In sports, it is often stated the best defense is to have a great offense. Winning is not just preventing your opposition from scoring, it also means scoring yourself. However, how focused is your risk management function on scoring?

If you say that scoring (i.e., creating profits) is the function of operations and marketing, then you are missing the point. In saying that organizations are siloing risk management, while probability also spouting a nice platitude about how risk management is everyone’s responsibility. I believe that risk management truly is everyone’s responsibility, but having a risk function that focuses solely on the downside almost always produces the opposite effect. Assuming that risk management will take care of the bad stuff and marketing will produce the profits is not an effective integration of functions. In Chapter 9, we discuss one unintended and counterintuitive consequence of this, which is known as risk homeostasis: namely having a really strong risk function focused on the downside actually increases the probability and severity of something bad happening.

Defining risk management as increasing the probability and magnitude of good risk while decreasing the probability and severity of bad risk implies balance, and risk management is nothing if not an exercise in balance. It is a balance between art and science, process and judgment, knowledge and intuition, people and processes, and the current and the future. It is extremely difficult to have balance when one is so unbalanced by focusing solely on...