Understanding risk: An introduction - part 1/3

Introduction

Though risk is a huge theme, risks and risk handling are not too difficult to understand or done correctly. Having a common understanding of risk within your team or hopefully within your company gives only added value.

The purpose with this introduction to risk is to give a simple summary to understand risk and provide a common understanding of the theme. I have divided this small introduction into three parts. The reason for this is to scope a longer text into smaller chewable articles that each has its own focus.

• Part one will cover the understanding of risk conditions,
• the second part will focus on defining risks,
• the last part will cover risk matrixes.

Condition and Decision.

Risk is linked to making a choice, which means carrying out a decision. There are three conditions in which decisions can be made, these are:

• Condition of Certainty.
• Condition of Risk.
• Condition of Uncertainty.

Condition of Certainty.

In this condition, the outcome is certain. For example, if we throw a stone into the air, we know it will eventually land back on the ground. Theoretically, if we throw it hard enough, it might enter orbit, but that’s beyond practical feasibility.

So, it’s reasonable to say that when we throw a stone up, it will fall to the earth, which is a known event. The information available to us about throwing stones allows us to provide a forecast with certainty for this event. This event is defined as Known.

Known events shall not be used as input to risk identification. In example it is not an interesting factor of a risk assessment if we know that a change on a service will have a down-time and where this is planned for.

Condition of Risk.

When something is in a condition of risk, we know there is a certain probability that an event will occur. For instance, we know it will rain sooner or later, but we don’t know exactly when. We can make assessments around this uncertainty. However, it’s not entirely certain when it will rain. Therefore, we might say, “There is a risk of rain next week.” We know the event will happen, but the exact timing or amount of rain remains unknown. This event is defined as Known-Unknown.

Known-Unknown events shall be used for risk identification.

Condition of Uncertainty.

In this condition we don’t know if an event will happen at all. We don’t know if an undiscovered meteor will hit our data centre. This is completely uncertain and cannot be analysed. In theory we might say that sooner or later a meteor will fall somewhere nearby, but we don’t even know the earth’s condition when such time occurs. Everything about “if” and “impact” is unknown. This event is therefore defined as unknown.

Unknown events shall not be used for risk identification. For example, if it's total unlikely that a certain event happens within a defined time frame then this will not be any interesting information in a risk assessment, and shall not be used and not be listed in a risk register.

Conditions to make a choice.

Based on what is explained above we have three conditions to make choices. If an event is certain, it is easy to make a choice, and there is no need for any forecasts or evaluations. If an event is a risk we don’t know the actual outcome, but we can evaluate and to a certain degree predict the outcome. When the event is uncertain, we can’t expect any reasonable outcome from any evaluations. We can understand this by thinking of an insurance company.

An insurance company will only insure under a condition of risk, nothing else. When you insure your home, it is based on what the company know. This is based on statistics, that a certain number of houses will burn down yearly, but not knowing when or the exact impact. In the policy it is stated that it doesn’t include complete uncertainty i.e. force majeure (e.g. war and huge natural disasters). It is neither possible to ensure anything that will surely happen. For example, if it is certain that a house will burn down, it is impossible to ensure it.

These are the choices we and the insurance company take. We look at the risk of fire with related high costs as a threat, and we choose to transfer this risk to another party which is the insurance company. The company looks at this risk as an opportunity for higher profit. To transfer a risk like this is one of the measures that can be implemented, and will be discussed in part 2.

Threat or opportunity.

A risk can be a threat or an opportunity. It is therefore more correct to use the terms "Positive risk" and "Negative risk", but we often focus only on the negative risks. The statement “there is a risk here” normally means “there is a negative risk here”.

Next: Part 2 - Defining risks.