What is unacceptable risk?
Someone posed me the following question on the Quora forum: “What is unacceptable risk?”. It made me reflect on the matter and I don’t think there’s an easy answer. Risk is in the eye of the beholder. What is acceptable to one is maybe unacceptable risk for another person. However, in the following paragraphs I try to give an adequate answer to the question posed.
What is risk?
“Risk is the effect of uncertainty on objectives” (ISO 31000). Or, phrased another way: risk is that which makes maintaining and achieving your objective(s) uncertain. This effect of uncertainty is about things that could or could not happen and, as a result, impact one’s objectives. It means that the consequences of these rather unexpected events influence the actual outcome of your objectives. So, risk, in a sense, is a possible deviation from expected results. Of course, this deviation can be positive, negative or even both, depending on what objectives one considers or which time frame one observes, because risk is a complex matter, related to an unknown future concerning all of one’s objectives. These objectives can be conscious and explicit, but also unconscious and implied. As such, unacceptable risk entirely depends on what you want, what you expect of the future and how this can be affected in the future.
Taking and running risk are concepts that exist in many languages. However, the meaning of these concepts is not always clear. At least, the interpretation of them can differ from one person to another. In understanding risk, however, it is very helpful to make a clear distinction between the two concepts. So here is my interpretation of these concepts.
Taking risk, in essence, is trying to reach or improve the positive effects on specific objectives. It results from decisions, conscious or not, due to which people either take or refrain from taking action. The aim is to improve the odds of achieving what people want and avoiding what they don’t want. This depends on their attitude to go towards or turn away from something.
For example, people take the risk of starting a business. They do this because they want to deploy their talents and make a profit, instead of doing things for a living that they don’t like that much. People cross streets because they want or need to be at the other side or don’t want to stay on the same side. People don’t go sky diving because they fear an accident, instead of enjoying the thrills of such an activity. So, taking risks is an active result of people making a choice by conscious or unconscious decisions. As such, they try to find a balance between getting what they want or need and avoiding what they are fearful of or repelled by.
On the other hand, people also run risks. Running risks is about the uncertain effects on their objectives that people didn’t choose. It is the consequence of having objectives and the choices one makes when dealing with those objectives, regardless of whether these decisions were taken deliberately or unconsciously.
For example, starting a business implies that you can fail and lose precious time and money in such an endeavour. Likewise, crossing a street opens the possibility of being run over by a bus or a car.
Two sides of the same coin?
Whereas taking risk is normally about pursuing the positive effects of uncertainty on objectives, running risks is mostly about undergoing the negative effects of uncertainty. While taking risks is active, running risk is passive. Taking risks involves a limited number of specific objectives. Running risk can be related to these specific objectives, but also happens to other, less deliberate objectives. In fact, you always run risks to all of your objectives! This is why taking risk is often conflated with the unwanted risks people run when deliberately taking risks, certainly when these people are more risk averse and want to be certain about things.
Because people generally try to avoid what they don’t want, they associate taking risk with the unwanted consequences of the risks run. This is why risk management has traditionally focused on the negative effects of uncertainty on objectives. But this is not helpful when value creation and achieving goals are the purpose. Risk management, in the traditional way, soon becomes a show stopper, definitely when the possible negative consequences associated with taking risks are deemed to be unacceptable. But then again, what is unacceptable risk?
In general, taking risks is aimed at creating positive effects on specific objectives, while not being 100% sure of the expected positive outcome. On the other hand, running risks is the likelihood of negative effects on objectives. All of one’s objectives!
So, when you don’t have any objectives (not even the will to live), there’s no risk, because anything that happens or doesn’t happen is just fine. When there are no objectives, there cannot be any effect of uncertainty on objectives. Also, when people are 100% sure of an outcome (but they really need to be 100% sure), there’s no risk. When there’s no uncertainty, it can’t have any effect. But also, when there’s no effect on the objectives, whatever the level of uncertainty, there’s no risk. Obviously, when objectives are not affected, they are not at risk. However, it is highly unlikely to have no objectives at all. It is also impossible always to be 100% certain regarding a possible outcome. And it is unlikely to have objectives that can’t be affected.
The level of risk
The level of risk is a combination of the level of consequences and the likelihood of these consequences materializing. For each and every objective a level of risk can be determined, either quantitatively or qualitatively. Therefore, it is also possible to choose a level of risk that is the boundary between acceptable and unacceptable risk. These boundaries are also called risk criteria. They determine at which level you can no longer accept the consequences and likelihood of occurrence that you have identified as a possibility.
So, when the combination of consequences and likelihood is such that it goes beyond your risk criteria, it becomes an unacceptable level of risk and you either have to change your objective(s), or you have to start managing risk in order to modify the effects of uncertainty on your objectives as deemed necessary.
Unacceptable Risk, a short example:
A racing driver can gain time and possibly win a race by going quicker through the corners, driving faster and braking later. These are the risks the driver takes in order to maximize his objective of winning a race. However, by doing so the driver also increases the likelihood of a crash and also the level of the consequences when this happens. So, every driver will try to determine their personal risk criteria depending on the car and circumstances at a given moment. As such, they try to maximize the result, aiming to stay just below the unacceptable level of risk of having a crash, destroying the car and getting injured.
Performance and Safety – Two sides of the same coin.
Managing risk starts with establishing the context carefully. Not every car, track and track condition will allow for the same criteria. Drivers test their cars to better understand how they respond during turns, at high speeds or when braking in different conditions. Drivers can also make improvements to their cars, choosing better tires with more grip, selecting more powerful brakes and putting aerodynamic features on the car to improve its handling. These are all features to improve the odds of the positive effects when taking risks.
However, they can also improve the strength of the car with reinforcements, installing roll cages and crash bars. Also, they can wear crash helmets, put on protective equipment, install safety belts and equip the car with fire extinguishers. These are controls to reduce the odds and level of consequences of the negative effects related to the risks run.
So, unacceptable risk will always depend on the level of risk you take, the risks you run and how well you manage both sides of this coin.
Managing both sides means increasing one’s performance and improving one’s safety at the same time. The fundamental knowledge for this is contained in the ISO 31000 standard.
Since September 2014, Peter is also employed at TUDelft, working as a PhD researcher for the Safety Sciences section of the Technology Policy and Management faculty.
As the managing director of G31000 Europe he is now a trainer and consultant using the ISO 31000 Risk Management Standard.
Some of his articles can be read on LinkedIn