Taking a Look at Risk
Author: Amanda Andrei
Delve into the history and meaning of risk, and you may be surprised to find that the word risk has an uncertain etymology. Depending on the domain, definitions of risk may be based on probability, danger, uncertainty, or chance. The Oxford English Dictionary and Webster’s College Dictionary attribute the word’s origins to mid-17th century uses from French, Italian, Spanish, and Portuguese, with tentative ties to Latin, Greek, and Arabic, and with meanings ranging from cliff and root to divine provision (Aven, 2011; Hamilton et al., 2007).
And what of risk as a concept, an idea, or something to be measured? How do we define risk today? How do we identify risks? And how do we mitigate them?
In the MITRE Institute’s Practicing Risk Management course, risk is a potential event which, if it occurs, will negatively impact the ability to meet objectives or outcomes. Furthermore, a risk may cause unwanted or unforeseen adverse consequences. Risk management helps staff identify, analyze, and manage risks for their programs, with the ultimate goal of preventing, eliminating, or reducing potentially unwanted events from occurring.
Let’s consider a specific domain—computational finance. Brian Tivnan, chief engineer at the Modeling & Simulation Center, whose work has included using models to identify financial crisis scenarios, explains, “Risk as a measure is widely accepted and understood in finance to be the probabilistic exploitation of a vulnerability with a consequence.” Digging deeper into financial literature, risk as a measure tends to consist of two essential components: uncertainty and exposure. Uncertainty is a state of not knowing whether a proposition (a statement expressing an observation, judgment, or opinion) is true or false, while exposure refers to the material significance or consequences of the proposition.
For instance, say you are inside your house and plan to take a walk outside, but the clouds look like rain (uncertainty). If you do not bring an umbrella or raincoat, there is the material consequence of getting wet (negative consequence/outcome). On the other hand, if there is a full downpour and you leave your house without an umbrella or raincoat, there is no uncertainty that you will get wet – and in that case, there is no risk, because you will certainly get drenched. Whether you mitigate the potential impact (bring an umbrella) or avoid the risk and stay inside depends on your tolerance level for getting wet.
Getting on the Same Page
“Risk is all about context,” explains Charlene McMahon, one of the teachers of the MITRE Institute course and co-department head of the Enterprise Program and Risk Management department. “What is your risk tolerance/context? What question are you trying to answer? Then figure out which approach you’d use.”
Knowing, assessing, and managing risks is critical to ensuring that government programs are affordable and effective. Risk can be assessed along the lines of threat, vulnerability, cyber, security, and safety, not to mention acquisition, cost and schedule, health care, financial, insurance, as well as investment and portfolio management, enterprise and strategic, and capability gaps. But what’s the best way to map out and measure risk? Stoplight charts? Agency-specific frameworks? Risk metrics?
“Qualitative, quantitative, computational – you have to do it all,” explains McMahon. “There’s no number that will mean anything to you unless you do it in context and no system that will assess the number unless it has relevance or meaning. It’s also about getting people on the same page. What are we trying to achieve? And what’s the risk associated with that?”
Various domains have their own metrics or frameworks for identifying, assessing, and managing risk. In our next post, we’ll take a broad look at three domains where MITRE has used its tools and techniques to deal with risk.
Amanda Andrei is a computational social scientist in the Department of Cognitive Sciences and Artificial Intelligence. She specializes in social media analysis, designing innovative spaces, and writing articles on cool subjects.
Aven, T. (2011). The risk concept—historical and recent development trends. Reliability Engineering and System Safety, 99, pp. 33-44.
Hamilton, C., Adolphs, S., & Nerlich, B. (2007). The meanings of ‘risk’: a view from corpus linguistics. Discourse & Society, 18.
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited. Case number 19-3659.