Risk, Uncertainty, and Risk Management: A short primer
2025-07-31 | tags: risk
A chessboard, with the pieces arranged in the starting position.  Photo by Eugene Chystiakov on Unsplash.

What is risk? What is uncertainty? And how does all of that connect to risk management?

I'd originally planned this as a short reference piece – something I could point to whenever I mentioned those terms – but quickly realized how much the definitions vary based on context, the perspectives of the people involved, and whether we're talking about nouns or verbs.

So instead of trying to wrangle a single, all-encompassing definition, I'm sharing some of my favorites.

Taking a wider view

For both risk and uncertainty, all of the definitions center on the idea of a future outcome. Specifically, multiple possible future outcomes of some action or decision. The future represents a mixed bag of maybes – good, bad, and everything in-between.

Definitions of uncertainty build on the future being a question mark. Most explanations of risk build on the negative outcomes – it's either a future state that carries consequences, or the probability of such an incident.

I emphasize "most" there. Traders talk about risk in terms of volatility – the amount by which prices bounce back and forth, and the speed with which that happens. Notice that this balanced view includes fine-tuning our approach in search of the good things as well as looking for worthwhile opportunities while closing off sources of problems.

Definitions from my favorite risk authors and speakers

Starting from that kernel of an idea, let's walk through perspectives from noted risk experts:

Michele Wucker (The Gray Rhino, You Are What You Risk) sees a risk as the relative probability and impact of loss or harm, weighed against that of opportunity for profit or benefit. From there, she notes that classical economic theory defines "risk" as a probability that can be measured and "uncertainty" as one that cannot.

This lends itself to the quantitative risk-thinking that is common in the financial space, and also drops a subtle hint about uncertainty: you'll notice that banks refer to their "risk management" function, not "uncertainty management."

In everyday usage, however, risk and uncertainty are inseparable. This may explain why risk “experts” and laypeople often have a hard time speaking the same language; in this case, their words do not mean the same things.

Douglas Hubbard (The Failure of Risk Management) closely aligns with what I've outlined above: he says that "uncertainty" is when there's more than one possible outcome, and "risk" is when one of those outcomes may result in some kind of loss.

Richard Bookstaber (A Demon of Our Own Design), in an interview, describes risk in terms of the negative outcomes – a mix of a vulnerability and "an event that makes that vulnerability matter. So the vulnerability is how thick the ice is on a lake. And the event is a boulder that rolls down into the lake." The key point is that the ice and boulder do not, on their own, represent any danger. The danger lies in the potential for the boulder and ice to meet. And even then, there's no guarantee the boulder will crash through.

(In that same interview, host David Crosby draws a similar analogy involving potential energy, realized energy, and a catalyst. The potential energy is the possibility of an incident, while the catalyst is what could set that energy free.)

Morgan Housel (The Psychology of Money, Same as Ever) notes that "risk is what’s left over when you think you’ve thought of everything."

I'll ask you to reread that one-liner and give it a chance to sink in before you move on. There's a lot in those twelve words.

Aaron Brown (Red-Blooded Risk) distinguishes between danger (chance of downside only), opportunity (chance of upside only), and risk (a mix of upside and downside, "something you dial up and down in order to accomplish a goal"). He also notes that the distinction between a danger and a risk depends on your level of agency: in some cases, a person can put you in danger in order to dial their risk up or down.

My takes

Over the years I've borrowed the aforementioned definitions of risk, and also come up with some of my own. Here are the two I use the most these days:

"A measure of distance between reality and fiction." If something is really worth $50 per share and it's trading at $500 per share, then – assuming you bought at the peak – you can quantify your risk at up to $450 per share. That's how far the price can go as it travels back to reality.

This definition aligns well with asset bubbles and similar manias. The hype artificially inflates a price, while the acceptance of reality brings it back down.

"A question mark on your balance sheet." Call it a blurry line item if you'd like, or a hazy form of debt. You know neither the date nor the amount. All you know is that it represents the potential for red ink on your books at some unspecified time in the future. Your company is therefore worth (some as-yet-undetermined value) less than you think.

The eventual mark-to-market will inject some much-needed clarity into your valuation. That incident can take the form of a regulatory change that overturns your market business model, or a lawsuit over a sketchy move you pulled when you got started, or anything else that you didn't properly "pay" up-front.

Risk management

Pulling all of this together, we get to the formal industry definition of risk (ISO 31000:2018): "the effect of uncertainty on objectives." This inability to know the future affects our ability to plan and decide. And that brings us to risk management.

Someone once explained to me that risk management boils down to answering two questions: "what are you worried about?" (as determined by a risk assessment) and "what are you going to do about it?" (documented in your risk mitigation plan). I've since amended this wisdom to a three-question form:

  1. "What should you be worried about?" You may be over-emphasizing some problems and missing out on others.
  2. "What are you going to do about it?" Maybe you change course or find a place to transfer the risk, like an insurance policy.
  3. "What are you prepared to deal with as-is?" Sometimes the potential reward is worth taking the chance. You decide to take your chances and handle the incident if and when it occurs.

The second point is a reminder that we can't control the future, but we can take steps to influence it. That means identifying potential future outcomes, then figuring out how to make the most of the good ones while protecting yourself against the bad. In that sense, risk management is better described as risk optimization.

When it comes to understanding those outcomes, Patrick Boyle (Derivatives for the Trading Floor) notes:

Anything that has happened, can happen again. And many things that haven't happened, will happen. [Borrowing a phrase from dissertation advisor Elroy Dimson:] "More things can happen, than will happen." Essentially, there's more out there than you realize.

An eye on the incoming storm

We're sometimes told that risk management is a fool's errand, because you can do all of this prep work and the incidents you plan for never occur. "You said this thing was going to happen, and it didn't happen, so you were wrong." Or even, "you say something bad might happen, but you can't tell me exactly what, so the risk mitigation plan is worthless." Risk professionals similarly note that they are underappreciated: if you steer the company away from a danger, how do you quantify the savings from a non-event?

Allow me to offer some perspective:

The practice of risk management is about identifying possible future outcomes, some of which are favorable (untapped opportunity that we need to exploit) and some of which are not (potential problems that we need to wall off). Risk management will note the conditions under which those outcomes are likely to occur. This list is not a statement of fact, but an indication of possibility. Sometimes you land on the other side of the statistic and whatever you were planning for never happens. That's fine.

In other words:

Risk management is not a train schedule, but a weather forecast.

Armed with that forecast, you can plan your adventures accordingly.

Keep your eyes and your mind open. That will guide you through uncertainty, and help you make the most of risk.
