Risk is often mapped to the probability of some event which is seen as undesirable. Usually the probability of that event and some assessment of its expected harm must be combined into a believable scenario (an outcome), which combines the set of risk, regret and reward probabilities into an expected value for that outcome. There are many informal methods used to assess (or to "measure", although direct measurement is not usually possible) risk, and, for some applications, formal methods such as value at risk.
In scenario analysis "risk" is distinct from "threat". A threat is a very low-probability but serious event, to which some analysts may be unable to assign a probability in a risk assessment because it has never occurred, and for which no effective preventive measure (a step taken to reduce the probability or impact of a possible future event) is available. The difference is most clearly illustrated by the precautionary principle, which seeks to reduce threat by requiring it to be reduced to a set of well-defined risks before an action, project, innovation or experiment is allowed to proceed.
In information security a "risk" is defined as a function of four variables: the probability that a threat will act on a vulnerability to cause an impact. If any of these variables approaches zero, the overall risk approaches zero. For example, human beings are completely vulnerable to the threat of mind control by aliens, which would have a fairly serious impact (until Tom Cruise saves us all in the last reel, of course). But as we haven't yet met aliens or discovered mind control, the probability of such an attack happening is almost zero, so the overall risk is almost zero.
Risk in Finance
Risk in finance has no one definition, but some theorists, notably Ron Dembo, have defined quite general methods to assess risk as an expected after-the-fact level of regret. Such methods have been uniquely successful in limiting interest rate risk in financial markets. Financial markets are considered to be a proving ground for general methods of risk assessment.
However, these methods are also hard to understand. The mathematical difficulties interfere with other social goods such as disclosure, valuation and transparency.
In particular, it is often difficult to tell if such financial instruments are "hedging" (decreasing measurable risk by giving up certain windfall gains) or "gambling" (increasing measurable risk and exposing the investor to catastrophic loss in pursuit of very high windfalls that increase expected value).
As regret measures rarely reflect actual human risk-aversion, it is difficult to determine whether the outcomes of such transactions will be satisfactory. Risk seeking describes an individual who cares more about the potential gains than about the expected gains from an investment. For example, an individual who invests in a small stock, knowing there is a large chance of losing some money but a small chance of making a great deal of money, could be described as a risk seeker.
In financial markets one may need to measure credit risk, information timing and source risk, probability model risk, and legal risk if there are regulatory or civil actions taken as a result of some "investor's regret".
Risk = Probability (of the Event) times Consequence.
(The total risk is then the sum of the individual class-risks)
The risks are evaluated using Fault Tree/Event Tree techniques (see safety engineering). Where these risks are low they are normally considered to be 'Broadly Acceptable'. A higher level of risk (typically up to 10 to 100 times BA) has to be justified against the costs of reducing it further and the possible benefits that make it tolerable - these risks are described as 'Tolerable if ALARP'. Risks beyond this level are of course 'Intolerable'.
The level of risk deemed 'Broadly Acceptable' has been considered by regulatory bodies in various countries - an early attempt by the UK government regulator used the example of hill-walking and similar activities, which have definable risks that people appear to find acceptable.
The technique as a whole is usually referred to as Probabilistic Risk Assessment (PRA), or Probabilistic Safety Assessment (PSA).
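The four-variable information security model, the "probability times consequence" rule with class-risks summed, and the Broadly Acceptable / Tolerable if ALARP / Intolerable banding, worked through as an added example (this is not code from the original post; the BA threshold, the 10x tolerable multiplier and the sample risk classes are assumptions):

```python
from dataclasses import dataclass


@dataclass
class RiskClass:
    """One class of risk: a threat acting on a vulnerability to cause an impact."""
    name: str
    threat_likelihood: float  # probability the threat acts in the assessment period
    vulnerability: float      # probability the threat succeeds, given that it acts
    impact: float             # consequence of a successful event, in cost units

    def probability(self) -> float:
        # "the probability that a threat will act on a vulnerability"
        return self.threat_likelihood * self.vulnerability

    def risk(self) -> float:
        # Risk = Probability (of the Event) times Consequence
        return self.probability() * self.impact


def total_risk(classes) -> float:
    # The total risk is the sum of the individual class-risks.
    return sum(c.risk() for c in classes)


def alarp_band(risk: float, broadly_acceptable: float,
               tolerable_multiplier: float = 10.0) -> str:
    """Band a risk value. broadly_acceptable is the BA level set by a regulator
    (assumed input); the text gives 10 to 100 times BA as the usual upper bound
    of the tolerable band, so 10 is an assumed default."""
    if risk <= broadly_acceptable:
        return "Broadly Acceptable"
    if risk <= broadly_acceptable * tolerable_multiplier:
        return "Tolerable if ALARP"
    return "Intolerable"


def assess(classes, broadly_acceptable: float) -> dict:
    """Map each class name (and 'TOTAL') to its (risk, band) pair."""
    result = {c.name: (c.risk(), alarp_band(c.risk(), broadly_acceptable))
              for c in classes}
    total = total_risk(classes)
    result["TOTAL"] = (total, alarp_band(total, broadly_acceptable))
    return result


# Constructed sample register. The first entry is the text's alien example:
# fully vulnerable, large impact, but near-zero threat likelihood, so near-zero risk.
CONSTRUCTED_CLASSES = [
    RiskClass("alien mind control", threat_likelihood=0.0, vulnerability=1.0, impact=1e9),
    RiskClass("staff phishing", threat_likelihood=0.9, vulnerability=0.05, impact=20_000),
    RiskClass("datacentre flood", threat_likelihood=0.01, vulnerability=0.5, impact=500_000),
]

if __name__ == "__main__":
    for name, (risk, band) in assess(CONSTRUCTED_CLASSES, broadly_acceptable=1_000).items():
        print(f"{name:20s} {risk:12.1f}  {band}")
```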
via [ RiskBlog ]