“Prediction is very difficult, especially about the future.â€
(Nobel Laureate and nuclear physicist, Niels Bohr)
Many people become very uncomfortable with the notion of estimating probabilities, especially if they believe that they could be perceived as, and held accountable for, being wrong if the future unfolds differently than it seems they predicted.
Risk analysis is fundamentally all about establishing probabilities, and I can guarantee that if you do it often enough, at some point the future will unfold in a way that leaves open the possibility for others to perceive that you were wrong. Now, there always is the possibility that you were mistaken with your analysis – we’re human, after all. But even if your analysis was perfect, the future is uncertain. A great example is rolling a pair of six-sided dice. Assuming the dice and roll aren’t fixed in some manner, we can establish with a high degree of confidence that there’s about a 2.7% probability of rolling snake-eyes, or, in other words, about once every thirty-six rolls. Now, if snake-eyes comes up on the first roll, does that mean that our probabilities were wrong? No! There’s no rational reason to expect the dice to wait until the thirty-sixth roll to turn up snake-eyes. The key thing to keep in mind is that establishing probabilities is not the same thing as foretelling the future.
Decisions entail uncertainty
Any time we’re forced to make a decision, we do so without perfect knowledge of what the outcome will be. We may be nearly certain, but nothing provides absolute certainty of what the future holds. This uncertainty introduces risk – i.e., the outcome of any decision may be undesirable.
The good news is that most businessmen and leaders are very aware that no guarantees exist and that the nature of business entails uncertainty and risk. They also understand the notion of probabilities and appreciate an analysis that articulates risk in those terms rather than in terms of “it could happen.†The “it could happen†analysis is generally looked upon as a “Chicken Little†position and is of little value to the person making the decision. They need to understand the probabilities of loss (i.e., risk) so they can balance those against the reward probabilities.
Risk tolerance
One of the questions that FAIR other risk analysis methods will never answer is whether a given level of risk is acceptable. Risk analysis only identifies how much risk exists. We can draw lines on charts and establish various criteria that attempt to delineate between what’s acceptable and unacceptable but, at the end of the day, acceptability is a very human and personal issue. A decision-maker always chooses between risk and reward, or between various risks. That’s what risk decisions are – choices between the probability of loss (risk) and the probability of reward. Risk analysis provides only half of the information needed for the decision.
Another thing to keep in mind is that risk tolerance is unique to every individual. We each have different tolerances for loss, and our tolerance for loss varies from issue to issue. For example, I may have a very low tolerance for financial loss, but be entirely willing to take up skydiving. As a result, we shouldn’t become too concerned when others have a very different perspective on what represents acceptable risk. Those differences are normal, natural, and unavoidable.
Summary
Everything I’ve covered so far highlights the fact that information risk is a complex subject, and that our profession has been challenged to deal with it effectively. At this point I’ll add that FAIR is not a perfect solution; there are no perfect solutions. FAIR does, however, provide a rational, effective, and defensible solution to the challenges I’ve described.
Next Section:Â Risk Landscape Components
Leave a Reply