Why the basics matter and key things to know
Necessary Nuances of Risk
Why Care About Risk?
Risk and uncertainty are fundamental and unavoidable parts of life. In our personal and professional lives, we’re constantly evaluating how likely we are to succeed at a task or goal, we ruminate on our fears about what may happen, and we feel unsettled when things important to us are uncertain. Despite playing an ever-present – and often anxiety including– role in our lives, the components and nuances of risk are largely an opaque part of our organizational or personal decision-making. For many people, this is navigated intuitively using past experiences, learned heuristics, personal risk perception and appetite, and mental biases (“good” ones and “bad” ones). While an intuitive approach certainly has value, an incredible amount of clarity and leverage can be gained with a basic understanding of risk, its components, and some critical nuances.
Thankfully, it doesn’t have to be complex or difficult. The basics are as simple as they are useful. And, once you understand the basics, the useful nuances around risk are extremely accessible. These are where the real practical insights around risk exist that are often missed or ignored by teams and leaders to their own detriment. With that in mind, let’s quickly cover the basics and transition to the necessary nuances of risk.
Basic Components of Risk
While there is a lot of ways to define risk depending on the context, I believe in practicing simplicity. Let’s then define risk as “something bad happening” – whatever that happens to be. With that in mind, risk has two basic components: Impact & Frequency.
RISK = Impact * Frequency
Impact indicates how bad it would be if the thing we’re concerned about actually happened. This may be the outcome from an earthquake, the consequence of failing an exam, or something as simple as missing a bus. Meanwhile, frequency describes how likely it is the given event/hazard/outcome occurs. Is this an event that has a 50% chance of happening every day, once a year, or once a century? Both pieces are obviously important: If something happens constantly but it isn’t anything more than a minor nuisance, we may be able to just ignore it. If something may be catastrophic but the odds of it occurring are astronomical (eg: not likely for tens of thousands of years), there may be more pressing and frequent issues to worry about.
That’s it; those are the basic components. Risk is simply comprised of the interaction between how bad a thing would be if it did occur – and- how likely it is that thing will occur. The less understood and far more useful insights come from nuances around what determines the impact, the types of frequency, and their interactions with one another.
Necessary Nuances of Risk
What determines impacts, the types of frequencies, and how they interact together comprise what I would consider a few necessary nuances of risk. By understanding these three concepts, you’re far better equipped to navigate risk in both your professional and personal life – and if you really understand it – you may also see opportunity where others don’t.
What drives impacts?
There are two key components of what determines impacts: the hazard itself (what does the damage) and the vulnerability or resilience of the thing being impacted. Once again, still pretty intuitive and simple.
A hazard is comprised of the type of hazard at hand– such as an earthquake, fire, flood, active shooter, cyber-attack, or computer failure- and the magnitude or intensity of the hazard itself. Of course, the type of hazard matters. A wildfire creates radically different concerns and impacts than a cyber-attack. At the same time, the magnitude of the hazard itself is an important factor. The difference between the impacts of a 1.0 magnitude earthquake and an 8.0 magnitude earthquake are immense despite being the same type of hazard.
Hazards don’t exist in a vacuum though – they interact with something to produce an impact. It may be a home, an internal network, community infrastructure, or even a society as a whole. Regardless, hazards must interact with something to produce an impact; an empty field that floods doesn’t make a disaster while a town that floods does. In this way, impacts are created by the interplay between a hazard and the vulnerabilities or resilience of the thing being impacted. This is easily illustrated in the case of flooding.
Above we have three relatively similar homes aside from their elevation. They’re on the same street and their construction is relatively similar (aside from some mitigation work on one). Unfortunately, these homes were built in an area that had a potential to flood….
Relying on our basic risk equation, we can see that the type of hazard is the same (flooding) and the magnitude of the hazard (level of flooding) is the same, but the impacts are likely the be radically different. The first house on the left is likely a total loss, the second house may have some clean-up/repairs required on the first floor, while the third house appears almost entirely untouched. In this case, the hazard interacted with the vulnerability and resilience of the houses to produce dramatically different impacts.
While this seems like a little bit of a “no duh” sort of concept when expressed in terms of flooding and structures, what isn’t readily realized is this applies across nearly all pieces of our world and lives. The infrastructure in our region, how we decide to staff our hospitals, the physical health of our communities, all of this can be conceptualized in terms of how vulnerable or resilient it is to a wide array of hazards or situations. These hazards don’t have to be thought of in terms of disasters either – they could be the loss of a job (resilience/vulnerability of personal finances), the sudden death of a loved one (personal mental health and resilience), or any number of things we don’t want to occur. Even a tightly packed schedule can be thought in terms of vulnerability; all it takes is a small hazard (unexpected traffic) which leaves you scrambling to completely trainwreck an otherwise well-planned day.
Here is why I think this is critically important to understand this concept: this is where you get to have a say in how things turn out. For the most part with obvious exceptions excluded, individuals and organizations have far more control over their vulnerabilities and resilience than they do over the hazards impacting them.* First, you understand far more about your own vulnerabilities and resilience than you do about all the types of hazards that could impact you. In terms of organizations, you know more about your cash flow, what costs and downtime you can’t absorb, and where your single points of failure or weak spots may be. Your knowledge of your organization is likely much more robust than your collective knowledge of hydrology, seismology, meteorology, volcanology, epidemiology, space weather, cyber-attacks, terrorism, or any other study of a particular hazard that may impact you. Secondly, on average, you have more leverage over your vulnerability and resilience than you do over the hazards themselves. While you can structurally reinforce your building, you can’t prevent an earthquake. While you can harden your IT system against cyber-attacks, you can’t hunt down and stop all potential attackers, and so forth. Furthermore, often when you mitigate your vulnerability against one hazard you increase your resilience to others as well. For example, having a backup generator mitigates the impacts of power outages from all types of hazards be they a storm or a squirrel.
*Two quick balancing points: This is not an argument we shouldn’t pay attention to hazards, rather, that individuals and organizations often have more knowledge and influence over their own vulnerabilities than they do over the hazards themselves. Secondly, this isn’t an argument that collective action against hazards isn’t beneficial or warranted. While an individual organization may only be able to mitigate flooding for their structures, collectively a community can take much more comprehensive actions to mitigate the hazard.
So, what about frequency?
While frequency may seem to be a one-dimensional and simple concept (eg: how likely is it a given thing will happen?), it plays an incredibly important and under-appreciated role in determining risk. There are two necessary nuances related to frequency and risk I’d like to introduce. First, extremely high magnitude hazards are inherently less frequent and - despite how infrequent they are – they dominate the bulk of the impacts over time. This is readily apparent when examining earthquake magnitudes and frequency. Every year there are about 500,000 detectable earthquakes worldwide with only 100 of them causing damage. Below you can see how the frequency of earthquakes decreases as the magnitude of the quake increases. The left side of the graph indicates the magnitude of the quake while the numbers in the center of the graph indicate how frequently that type of quake occurs each year. One the right you can see the amount of energy released based on the intensity of the quake.
Source: Incorporated Research Institutions for Seismology - https://www.iris.edu/hq/inclass/fact-sheet/how_often_do_earthquakes_occur
The relationship is extremely clear; the bigger the quake the less likely it is to happen any given year. While we may have millions of smaller magnitude earthquakes, any given year there may be only a dozen 7.0 quakes and a single 8.0 magnitude quake. To generalize the idea and put it another way; there is an inverse relationship between the magnitude of a hazard and how frequently it occurs.
Now, let’s connect this point to the second part of this concept – those infrequent events dominate the bulk of the impact over time despite how rarely they occur. While there are over a million 2.0 or less earthquakes happening every year, they produce little to no impacts despite their frequency. In fact, using the graph above as a reference, a single 8.0 magnitude earthquake will release more energy than all the lesser magnitude earthquakes in a year combined. This type of relationship holds true in a wide variety of hazards from wildfires to floods, to cyber-attacks, to disease outbreaks, to financial hazards, and so forth (nerdy note: these often follow power laws in their distribution). It is true when one examines disaster impacts in terms of costs as well. Billion-dollar disasters (extreme events) make up 85% of all disaster related costs in the United States which is a trend that has been increasing for the last several decades. In this way, rare but extreme events determine the majority of impacts over time.
This idea is particularly dangerous when considering the second nuance related to frequency; the less we have the deal with something the more vulnerable we are to it – and - the less capable we are of handling it. This is obvious to anyone who has lived in a city that routinely deals with snow and one that doesn’t. Growing up in Idaho, snow and icy roads were a constant every winter. Learning to drive in the snow and ice was expected, snowplows were a funded resource, snow tires and salt were common, snow days were not, and – for the most part – people understood inertia and friction. Conversely, I remember my first visit to Eugene, Oregon after a very light dusting of snow. It was as if the rapture or zombie apocalypse had occurred and I was the only one left alive. No cars on the road (although some were off the road), stores closed, and school was cancelled.
This tiny hazard had brought an entire town to a stop precisely because it was infrequent not because it was extreme. They didn’t have the plan, collective knowledge, and resources to either mitigate the hazard or respond effectively despite how insignificant it was. This same concept can be seen with regions that routinely experience earthquakes and ones that do not, organizations that deal with disruptions routinely and ones that are typically sheltered from them, people who have never had to navigate without a GPS, and so forth. Expressed in a phrase; “smooth seas don’t make good sailors.” When a hazard is infrequent, we are more likely to be vulnerable to it and less likely to be ready to respond effectively.
Putting it All Together
There are a few lessons to take away from these concepts that can apply broadly to navigating risk – not just in terms of disasters but in nearly all aspects of life. While a lot of terrible things that come our way may seem entirely up to chance, you get a say in how things turn out (the impact) by understanding and mitigating your vulnerabilities. Although influencing tornadoes and earthquakes is likely out of your grasp, you have a much greater degree of control on how prepared you are personally, how ready your organizations are, and how resilient your community is. Unfortunately, there is a tricky part to all this: the time to act is well before you’re sure the bad thing will actually occur – you need to decide to mitigate before you know it will pay off. After all, who sells insurance on a house that is already on fire?
Additionally, opposed to what you may intuitively think, it is often the events that are the least likely to happen that you need to be the most worried about. This is due to two factors; the inverse relationship between frequency and magnitude of hazards – and – the fact that we get better at things by doing them. As noted previously, across a wide variety of hazards, the most extreme magnitude events are also the most infrequent. Despite how incredibly infrequent they are, their impacts often outweigh all of the more frequent events combined. This extreme magnitude is made even more dangerous by the infrequency of these events; since they don’t occur often, we are far more likely to be underprepared and vulnerable to them. Or, even worse, we may be completely unaware they exist (see the concept of black swans).
While all this is apparent within the context of hazards and disasters, it also applies to many aspects of life in general. We often put off mitigating vulnerabilities (like that computer backup you haven’t setup) or we may be idealistic in how we expect the future to go (that perfectly scheduled day without a minute free). Then, when that low chance but high magnitude event occurs (like a hard drive failure) we’re left scrambling and stressed without a plan. Or, when we have a particularly vulnerable thing (tightly scheduled day) due to our optimism or naivete, all it takes is a tiny disruption (unexpected traffic) to produce a cascading trainwreck of impacts.
On the flip side, we may miss amazing opportunities because of our fixation on how likely we are to succeed or not. For example, there may be a job opportunity that we feel is well beyond our reach. The cost of entry is low (application, time for interviews), the odds of success are low (underqualified in our mind), but the reward is high magnitude (good fitting job with great pay). This situation is the same type of thing as the high impact/low frequency disasters we’ve covered; the difference is the impact is positive in this case. It may be unlikely that we get the job, and we may recognize this going in, but the decision to apply is still worth the low cost. This isn’t to say that you should go out and buy lottery tickets, or that things that impact you frequently are not a problem to be dealt with, instead this is about recognizing uncertainty and tradeoffs present in nearly every decision we make. Both the impact and the frequency, along with how they interact together, are critical for us to understand both risk and opportunity.
Effective decision-making isn’t just about how likely we are to be right about what will occur; it’s also about balancing the risks and opportunities that exist if we’re wrong. By understanding the basics of risks, along with a few necessary nuances, you’re far better equipped to effectively navigate the risk and uncertainty that are ever-present features of life.