Answering this question with an engineering perspective is the heart of this book. If you went to work this morning, you took a risk. If you rode your bicycle, used public transportation, walked, or drove a car, you took a risk. If you put your money in a bank, or in stocks, or under a mattress, you took other types of risk. If you bought a lottery ticket you were involving an element of chance – something intimately connected with risk. If you decided to go ahead with one production process rather than another, you took a risk. If you decided to write a book, and not another book or some scientific papers, you took a risk. If you decided to publish one book, and not another one, you took a risk. All these examples reveal that “risk” may involve different meanings depending how we look at it.

The current highly competitive nature of economics might encourage firms to take on more or higher negative risks. But giving up managing such risks would be financially destructive or even suicidal, even possibly in the short-term, because once disaster has struck it is too late to rewrite history. Some of you might argue that safety is expensive. We would answer that an accident is even more expensive: the costs of a major accident are very likely to be huge in comparison with what should have been invested as prevention.

Let us take, as an example, the human, ecological, and financial disaster of the Deepwater Horizon drilling rig in April 2010. Are the induced costs of several billions of euros comparable to the investments that could or might have averted the catastrophe? Answering this question is difficult, a priori, because it would require assessing these uncertainties and therefore managing a myriad of risks, even the most improbable. Most decisions related to environment, health and safety (EHS) are based on the concept that there exists a low level of residual risk that can be deemed as “acceptably low”. For this purpose, many companies have established their own risk acceptance or risk tolerance criteria. However, there exists many different types of risk and many methods of dealing with them, and at present, many organizations fail to do so. Taking the different types of risk into consideration, the answer to whether it would have been of benefit to the company to make all necessary risk management investments to prevent the Deepwater Horizon disaster would have been – without any doubt – “yes”.

In 2500 BC, the Chinese had already reduced risks associated with the boat transportation of grain by dividing and distributing their valuable load between six boats instead of one. The ancient Egyptians (1600 BC) had identified and recognized the risks involved by the fumes released during the fusion of gold and silver [1]. Hippocrates (460–377 BC), father of modern medicine, had already established links between respiratory problems of stonemasons and their activity. Since then, the management of risks has continued to evolve:

As Ale [4] indicates, the essence of risk was formulated by Arnaud as early as 1662: “Fear of harm ought to be proportional not merely to the gravity of the harm, but also to the probability of the event”. Hence, the essence of risk lies in the aspect of probability or uncertainty. Ale further notes that Arnaud treats probability more as a certainty than an uncertainty and as, in principle, measurable. Frank Knight even defines risk in 1921 as a “measurable uncertainty” [5]. Today, the word “risk” is used in everyday speech to describe the probability of loss, either economic or otherwise, or the likelihood of accidents of some type. It has become a common word, and is used whether the risk in question is quantifiable or not. In Chapter 2, we will further elaborate on the true definition and the description of the concept of “risk” and what constitutes it.

In response to threats to individuals, society, and the environment, policy makers, regulators, industry, and others involved in managing and controlling risks have taken a variety of approaches. Nowadays, the management of risk is a decision-making process aimed at achieving predetermined goals by reducing the number of losses of people, equipment and materials caused by accidents possibly happening while trying to achieve those goals. It is a proactive and reactive approach to accident and loss reduction. We will discuss risk management and its definition in a more general way in the next chapters, and we will define risk as having a positive and a negative side, but we will focus in the remainder of the book on managing risks with possibly negative consequences.

Human needs and wants for certainty can be divided into several classes. Abraham Maslow [6] discerned five fundamental types of human needs and ordered them hierarchically according to their importance in the form of a pyramid (Fig. 1.1).

When reading this book it is necessary to wear “engineering glasses”. This means that we will look at risk management using an engineer’s approach – being systemic and not (necessarily) analytic.

What is the essential idea of risk management? We have all heard the saying, “Give a man a fish and you feed him for a day. Teach a man to fish, and you feed him for a lifetime”. We could adapt this expression taking into account a risk management standpoint: “Put out a manager’s fires, and you help him for a day. Teach a manager fire prevention, and you help him for a career”. If a manager understands good risk management, he can worry about things other than fire-fighting.

Negative risk could be described as the probability and magnitude of a loss, disaster or other undesirable event. In other terms: something bad might happen. ERM can be described as the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability (including the exposure) and/or impact of unfortunate events. In other terms: being smart about taking chances.

The first step is to identify the negative risks that a company faces: a risk management strategy moves forward to evaluate those risks. The simplest formula for evaluating specific risks is to multiply (after quantifying the risk in some form) the likelihood of the risky event by the damage of the event if it would occur. In other words, taking into consideration the possibility and consequences of an unwanted event.

The key word here is data. The best risk management specialists excel at determining predictive data.

The ultimate goal of risk management is to minimize risk in some area of the company relative to the opportunity being sought, given resource constraints. If the initial assessment of risk is not based on meaningful measures, the risk mitigation method, even if it could have worked, is bound to address the wrong problems. The key question to answer is: “How do we know it works?”

Several reasons could lead to the failure of risk management [8]: