There are many definitions of risk, with most coming pretty close to each other with minor nuances as distinctions. Interestingly, most all of these definitions put "risk" well beyond the point of "expected losses" on the actuarial loss curve (think high point on the curve that trails off into infinity as loss becomes less and less likely to occur but more and more severe; see figure 1). For the purposes of this discussion I'll focus exclusively on the downside of risk or the potential for loss versus the upside where risk can be exploited for gain and value creation (another subject worthy of separate treatment). So are expected losses, and those that that fall to the right of this point on the loss curve below, really "risks?" If risk is the effect of uncertainty on objectives (one common and simple view of risk) then, by that definition, "expected losses" would not be materially "uncertain;" they would be "expected" (though not certain).
This dichotomy has perplexed many risk professionals, especially those who lean into the traditional insurable risk realm, as these sources of loss are the primary focus of most of the responsibilities of traditional insurance-based risk management. All good then, as that is what they were hired to do; a very necessary function for the successful operation of organizations. And yet this may be the one thing that limits the influence – and in some cases the upward mobility – of many traditional risk managers. After all, senior managers are typically interested in the unexpected and uncertain potential for disruption to the organization, its strategy and its plans that defined success. As one CEO I worked for would say: "tell me what I don't know and can't foresee." An understandable interest since the CEO is the ultimate accountable person for the successful achievement of the plans, both short- and long-term, of the organization he or she leads.
Can expected losses prevent successful execution of operational or strategic plans? The answer is generally "no" assuming these losses have been accounted for in budgets, whether they're funded as retained losses or transferred to others through insurance or contract. Now, budget shortfalls do occur and some claims may not be paid under certain insurance or contract conditions, but these are typically one-off variances that are typically well within risk appetite (whether defined formally or not) and thus usually wouldn't prevent accomplishment of most objectives.
So the obvious questions are two: 1) how does your organization define risk and is it the right definition that all stakeholders understand, agree upon and can manage to? and 2) where on the loss curve do you want to manage risk to? Other questions will emerge in trying to get to the second question in particular. For example, do you assign more importance to likelihood or impact? I would suggest they are not of equivalent import and get their relative importance from a well-defined risk strategy and the risk culture that undergirds it. Another question that quickly becomes critical is: how far out on the likelihood axis to you may be relevant to your risk strategy? This is the penultimate question that will define where you focus along the x-axis (likelihood or frequency), what your resource needs are, the level of sophistication of tools and techniques necessary to manage risk effectively, etc. I urge you to get your key risk stakeholders together and vet these issues to ensure you have the right priorities and focus for managing risk within your organization. Absent this, you'll be flying blind along a curve that presents an infinite number of combinations of likelihood and impact. Can you afford to fly blind in the face of the potential of catastrophic uncertainty?
Chris Mandel, SVP, Strategic Solutions