# Risk = Probability X Consequences. Really?

(image from www.impactlab.net)

Probably the most frequently used definition of risk is this one:

Risk = the Probability of something happening X resulting Cost/Consequences

This definition is flawed for two fundamental reasons, which the formula itself suggests very eloquently:

1. Estimation of probabilities of future events is very difficult (while it is considerably easier when talking of past events). Rare events have very low probabilities and these are extremely difficult to estimate due to the fact that the sample of available data is very small (what is the probability of an event similar to 9/11?). Since this factor multiplies the “cost” in the above equation it is of paramount importance.

2. Estimation of the costs/consequences of these events. This is most difficult. Even after a catastrophic event it is difficult to estimate the total damage and cost.

However, the most important flaw is hidden and it is conceptual. Imagine the following example which was discussed at a recent conference on the so-called Black Swans (i.e. very rare events with dramatic consequences). Suppose that in a certain portion of a motorway a radar is mounted with the intent of catching those who enjoy speeding. If you’re 20-30 km/h above the limit, you can expect a fine of around 100 Euros. It is known from statistics that on that portion of the motorway on average one driver out of ten gets caught. The above formula would suggest that anyone who is speeding is risking 1/10 X 100 = 10 Euros. This is of course senseless. If you get caught, you pay 100 Euros, if you don’t, you pay nothing. In other words, if you drive fast, you’re risking a 100 Euros note, not a 10 Euros one. Try arguing with a policeman that your fine should be 10 Euros! Suppose that drivers are obliged to carry on board a regulatory capital for fines (something similar to Basel II or III). Would it be 10 Euros in this case?

In this simple example, the cost was easy to estimate. It was a full 100 Euros. However, the p=1/10 is irrelevant. If YOU get caught, you get caught independently of the probability suggested by past statistics. For you, statistics begin the moment you start the engine. The past is irrelevant. So, if you get caught by radar, the cost is 100 Euros if p=0.1, or 0.001 or even 0.0000001. The damage is the same regardless of the probability you may conjure up. Things either happen or they don’t.
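The speeding example above, worked through as an added Python example (not part of the original post). It goes one step beyond the single-trip case by computing the exact binomial loss distribution for any number of trips; the function names and the 95% confidence level are assumptions chosen for illustration.

```python
from math import comb

def loss_distribution(n_trips, p_caught, fine):
    """Exact distribution of total fines over n independent speeding trips."""
    return {
        k * fine: comb(n_trips, k) * p_caught**k * (1 - p_caught) ** (n_trips - k)
        for k in range(n_trips + 1)
    }

def expected_loss(dist):
    """Probability-weighted average: the 'Risk = P x C' figure."""
    return sum(loss * prob for loss, prob in dist.items())

def capital_for_confidence(dist, confidence):
    """Smallest amount that covers the total fines with at least the given probability."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence - 1e-12:  # tolerance for float round-off
            return loss
    return max(dist)

def summarize(n_trips, p_caught=0.1, fine=100, confidence=0.95):
    """Compare the P x C figure with the losses a driver can actually incur."""
    dist = loss_distribution(n_trips, p_caught, fine)
    return {
        "trips": n_trips,
        "expected_loss": expected_loss(dist),
        "possible_losses": sorted(dist),
        "capital_at_confidence": capital_for_confidence(dist, confidence),
        "worst_case": max(dist),
    }

if __name__ == "__main__":
    # One trip: the formula says 10 Euros, but only 0 or 100 can ever be paid.
    # Ten trips: the formula says 100 Euros, yet covering 95% of outcomes takes more.
    for n in (1, 10):
        print(summarize(n))
```

For a single trip the 10 Euro figure is not among the possible losses, and the capital needed to cover the fine with 95% confidence is the full 100 Euros.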

In the case of more complex situations, the above equation is even more disputable. Consider earthquakes, flooding or terrorist attacks. How can one possibly make an a priori estimation of the costs (or consequences)? How many people will perish? How many families will lose their homes? What will the impact on the economy be? How much will stocks fall? How long will it take to recover? What was the probability of 9/11 a year before it actually happened (we now know that it was 100%!)? What have the consequences been? Can any of this be estimated a priori in a significant manner if even after the fact it is difficult to measure the costs of catastrophic events? What, then, is the real and practical value of similar calculations?

As an example, consider hurricane Katrina. According to Wikipedia:

The total damage from Katrina is estimated at \$92.6 billion (2012 US dollars).

According to a NY Times article:

The “total damages/costs” of Katrina were \$ 140 Billion (2012 dollars).

These two estimates alone differ by 50%.

Another eloquent example is from a FORTUNE article (by Nomi Prins, October 28, 2008) with the title “The Risk Fallacy”. The author writes: “Wall Street thought it had risk all figured out. But the very systems the banks created to protect themselves are at the heart of the financial meltdown. If you visit Lehman Brothers’ website today, more than a month after the bank’s plunge into bankruptcy, you can find the following words: ‘The effective management of risks is one of the core strengths that has made Lehman Brothers so successful’.”

The tightrope performer in the image at the top of this blog is risking 100% of his life, not 1% or 1/10% of it.

www.ontonix.com

Established originally in 2005 in the USA, Ontonix is a technology company headquartered in Como, Italy. The unusual technology and solutions developed by Ontonix focus on countering what most threatens safety, advanced products, critical infrastructures, or IT network security - the rapid growth of complexity. In 2007 the company received recognition by being selected as Gartner's Cool Vendor. What makes Ontonix different from all those companies and research centers who claim to manage complexity is that we have a complexity metric. This means that we MEASURE complexity. We detect anomalies in complex defense systems without using Machine Learning for one very good reason: our clients don’t have the luxury of multiple examples of failures necessary to teach software to recognize them. We identify anomalies without having seen them before. Sometimes, you must get it right the first and only time!

## 4 comments on “Risk = Probability X Consequences. Really?”

1. Reblogged this on Get "fit for randomness" [with Ontonix UK] and commented:
“Wall Street thought it had risk all figured out…” should read that they figured out a marketing message given kudos by the number of PhD’s, MBA’s etc. employed by organisations whose appetite for individual/collective wealth and power was enabled by regulatory and credit (rating) regimes that suited the aspirations of politicians at the expense of their citizens. Their own greed and inability to continue to control information that exposed it, has been their undoing. Access to INFORMATION has enhanced our knowledge to such an extent that we have been able to recognise the MISINFORMATION that was presented as ‘knowledge and expertise’.

They created and profited from a volatile financial environment that, once globally interconnected, is beyond their control but, for as long as profits can be privatised and losses socialised, they will not suffer…until what has been ‘hidden in plain view’ can no longer be tolerated or sustained.

Time is nearly up.


2. Right on, Ontonix! Your message is well received. The vast majority of ordinal-based risk assessment programs need to be scrapped as you have pointed out.


3. Johne666