4 January 2022

The metarisk series (I), can we agree on what is risk?


This is the first of a series of articles about “metarisk”, and it would probably help to start with a short definition of what this thing is about. No, it is not related to social networks, and if you arrived here looking for that you can continue your search (maybe another day we can talk about that). At least in the IT Security community the buzzword ‘meta’ has been well known for many years: we use it to describe the data within Office documents, and we find this ‘metadata’ with the glorious FOCA, the queen of metadata (congrats to those developers!). Then we have a little piece of software called Metasploit, which probably rings a bell to you too. The list could go on for a while...

That said, what is Metarisk? If we follow the pattern of the other definitions, it is the data about risk, nothing more. But in this and the next posts we are going to look at it from a slightly different angle: let’s talk about the risk of not reading / understanding the data about risk that we already have. That is a risk faced not by business processes but, in particular, by risk management departments, such as those sitting in the 1st to the 3rd line of defence across industries. Of course, external auditors and regulators are special guests on this journey.

As years go by and experience starts to flourish, there are certain patterns, errors, pitfalls or whatever you prefer to call them that repeat everywhere. In this series I try to present them and shed some light on the many mistakes we all can make in our everyday job within risk departments. For the sake of the discussion I will use the example of an internal audit department (so 3rd line), but you can replicate / adjust the patterns to your favourite risk management department.


“The first principle is that you must not fool yourself, and you are the easiest person to fool”.

Richard P. Feynman

The basics

“The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact”.

IIA – 2100 (Nature of work)

So, let’s start from the very beginning… What are we talking about when we talk about risk? Well, as apprentices in the matter let’s check what the experts have to say:

Institute of Internal Auditors

“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood”.

ISO 31000: Risk Management

The effect of uncertainty on objectives.

Project Management Institute

An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives

WordReference

  (noun)
  1. dangerous chance.
  2. the chance of loss.

  (verb)
  1. to put or place someone or oneself near the chance of injury or danger.
  2. to take the chance of; to hazard.

Crystal clear, isn’t it? As per the different definitions, risks share these attributes:

- Risks happen in the future.
- Risks produce damage (destruction that reduces value) or opportunity (¿?).
- Risks are random (they happen, but we don’t know when and where). There is uncertainty around risks.

Here the challenge to the PMI folks (and whoever agrees with their definition) would be the following: there is no such thing as a good outcome from a risk, otherwise it would not be a risk. The good outcome arrives when the risk does not materialise, or when it has such a low impact that it is meaningless. So, just in case there were doubts, ‘risk departments’ are there mainly to prevent risks (that may feed other opportunities and value gains, but that’s not the focus of this post).

The associated formula for calculating risk is:

R = (probability of the accident occurring) × (expected loss in case of the accident)

But we know that there is no 1 to 1 relation between risks and activities, so what we are actually talking about is the following:

So that is our starting point. To put it in plain and simple words:

We may just have an idea of the how… but we don’t know when.

And considering the Risk definition… How do human beings deal with things that are random, happen in the future and produce damage?

Let’s think about it…

While playing…

Ok, enough sarcasm. I don’t wanna be pessimistic, we are wired to deal with risks, aren’t we?

Then, why all the fuss? Well, even if we are well wired & prepared to deal with risk, that doesn’t mean that our history with risk is a complete success. Understanding, preventing and dealing with risk is a continuous process that may waste a lot of our brainpower because there is no single risk-free decision that human beings can take:

- If you drink coffee or water.
- If you buy another t-shirt or save the money.
- If you call your mother / father once per day, once per month or never.
- If you take the bike or the bus, or even better, if you work from home (always).
- If you answer that e-mail at 19:00 p.m. or the next day.
- If you go to the gym or practice sports outdoors.
- If you go on holidays to Seville or Milan (on the 17th of February 2020).
- If you buy your son that toy or that video game.
- If you wear a face mask in the street or not.
- If you read this post or turn the TV on.

Even thinking that something is a ‘zero-risk’ event / activity is a well-known BIAS (quite common I would say).

So, to get this thing called risk under control, big players / companies define three lines of defence, and Governments create public agencies and national security forces (dozens of them, usually independent but reporting to the top-level politician elected every X years, or not). That should increase our chances of success, of preventing impacts, of progress…


Well, at least that is what we all try to accomplish. Sometimes with more success than others.

Risks can be very simple or extremely complex to deal with. Often, the higher the goal, the bigger the risk, and our success is determined by how we manage to break this formula. To be clearer: we gain value when we are able to achieve higher (more complex, more difficult) goals and objectives while keeping the risk ‘under control’. Let’s try to visualize it with a few images:


I hope that you follow me so far. Coming back to our favourite formula, it’s a way to say that the result may grow (exponentially) and sabotage our attempts to obtain something:

So, the risk of one single activity is the sum of all the things that may go wrong in that activity. As processes may have up to N activities, each step has its own risks and interdependencies. So when we look at a high level, the impacts, contrary to the risk of a single step, may scale to unforeseen levels.
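To make the formula above and this sum-over-activities view concrete, here is an added example (not from the original post): a constructed risk register for a three-activity payment process, where each activity has several failure modes, and the helpers compute the expected loss per activity, per process, and the chance that at least one failure mode hits somewhere in the process. The activity names, probabilities and loss figures are invented, and the independence of failure modes is an assumption.

```python
"""Expected-loss aggregation for a multi-activity process.

Added example: it turns R = probability x expected loss into a small risk
register and shows how the expected loss of a whole process is the sum over
every failure mode of every activity, while the chance that *something*
goes wrong grows with the number of activities.
"""
from math import prod

# Constructed register: activity -> list of (failure mode, probability, loss in EUR)
PROCESS = {
    "receive invoice": [("wrong supplier data", 0.05, 2_000),
                        ("duplicate invoice", 0.02, 5_000)],
    "approve payment": [("approver bypassed", 0.01, 50_000)],
    "execute transfer": [("typo in IBAN", 0.03, 10_000),
                         ("payment to fraudster", 0.005, 200_000)],
}


def activity_risk(modes):
    """R for one activity: sum of probability * loss over all its failure modes."""
    return sum(p * loss for _, p, loss in modes)


def process_risk(process):
    """Expected loss of the whole process: every activity contributes its R."""
    return sum(activity_risk(modes) for modes in process.values())


def p_any_failure(process):
    """Probability that at least one failure mode occurs anywhere in the process.
    Assumes failure modes are independent (an assumption, not a given)."""
    return 1 - prod(1 - p for modes in process.values() for _, p, _ in modes)


def top_contributors(process, n=2):
    """Failure modes ranked by expected loss: where a risk department looks first."""
    rows = [(act, name, p * loss)
            for act, modes in process.items() for name, p, loss in modes]
    return sorted(rows, key=lambda r: r[2], reverse=True)[:n]


if __name__ == "__main__":
    for act, modes in PROCESS.items():
        print(f"{act:18s} R = {activity_risk(modes):>8.0f} EUR")
    print(f"process R = {process_risk(PROCESS):.0f} EUR, "
          f"P(any failure) = {p_any_failure(PROCESS):.3f}")
    for act, name, r in top_contributors(PROCESS):
        print(f"  watch: {act} / {name} ({r:.0f} EUR)")
```

Note how the single low-probability, high-loss mode dominates the process total, while the probability that something goes wrong (about 11%) is driven by the many small modes: the two views point at different places.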

In any case, these statements are simplifications for the sake of the discussion, just to set a common foundation. Then we may wonder whether all risks are the same, and where exactly we are going with this ‘risk for dummies’ article. It is so obvious, isn’t it? We will talk about it in part 2…
