What is risk?
The informal notion of risk as the chance that something bad might happen is
not a bad place to start defining risk. Better management requires a better
definition though. We need to break risk into distinct parts that are
measurable.
RISK IS THE PROBABILITY OF LOSS GIVEN AN EVENT
Mathematical precision is possible and desirable in some cases. Large
financial firms, for example, have sufficient data about operational losses
that they can build predictive models based on experience to measure risk.
They are the exception.
To illustrate how we might define risk in statistical terms, take the formula:
R = p * LGE. In this case R stands for risk, p for Probability of Event
expressed as a percentage, and LGE stands for Loss Given Event. LGE is a
measurement of the financial harm from an event. LGE can include non-financial
losses, but they must yield to measurement for the formula to quantify risk.
Most organizations do not have the data or resources for (or confidence in)
abstract models of risk. Organizations without statistically valid loss data
can still measure and manage risk, particularly legal risk, by simply moving a
few steps toward quantification, away from the "bad stuff" notion.
Effective risk identification
Identifying risks reliably requires a workable definition of risk. The ISO
31000 definition of risk usefully includes "positive risks." This is the right
lens for identifying legal risks and, ultimately, managing legal risks.
Risk is an information problem. We can manage risk when we understand the
scope and components of our uncertainty. The approach to risk can guide the
organization to develop a risk management strategy.
WHY IS RISK TOLERANCE IMPORTANT?
An explicit legal risk tolerance policy achieves two
objectives. First, it saves the organization money by calibrating the cost of
risk treatment under ISO 31000. The organization cannot know how much to spend
on preventative risk management if it does not have a target for acceptable
risk.
Second, the legal risk tolerance policy improves organizational
efficiency. For example, it is not unusual for sales executives to complain
about revenue deals held up in legal. If both sides understand the
organization's tolerance for risk, then sales executives and lawyers can
collaborate on the contract in a meaningful way.