
What is risk, and why bother managing it?

Most of us, when using the term risk colloquially, understand it to be something ominous: a danger, a threat, something that could go wrong. Paradoxically, it seems that while considering risk-taking reckless, we also tend to celebrate it as bravery.

It is better by noble boldness to run the risk of being subject to half the evils we anticipate than to remain in cowardly listlessness for fear of what might happen. — attributed to Herodotus

Throughout history, famous political leaders, philosophers, scientists and artists have all provided words of wisdom regarding risk-taking, not as a warning against it, but rather as encouragement. If we are rational beings, however, how can we hold both of these conflicting beliefs simultaneously? How can we both view risk as a danger to be avoided, and risk-taking as a virtue to be celebrated?

Decision making & risk

Beyond intuition, risk is a formally studied concept across several disciplines. Game theory examines strategic choices between competing actors, and behavioural economics studies how people actually make decisions, but the discipline we think best helps us understand the nature of risk is decision theory.

Wikipedia describes decision theory as a branch of probability, economics, and analytic philosophy that uses expected utility and probability to model how individuals would behave rationally under uncertainty. This is a mouthful for an introductory chapter on risk, so let’s take a simpler, admittedly more naive view.

Decision theory is a theory of rational choice. At its core it looks at possible actions we can take, and events (also known as states of the world, or states of nature) which are descriptions of how the world can materialise around us and what outcomes we will see across the possible actions. The theory offers criteria and methods for choosing the best course of action based on what we know about the world.

As such it recognises three environments in which decisions are made:

  • Decision making under certainty — we know for certain how events will play out and what outcomes we will get.
  • Decision making under uncertainty — we have no reliable knowledge about how events will play out.
  • Decision making under risk — we have some knowledge about the world and can assign different probabilities to different outcomes.

While decision theory distinguishes between the three, offering criteria and methods that best fit different environments, the boundaries are less rigid than they appear.

Absolute certainty is simply the case where one event has a probability of 100%. Leaving aside how realistic it is to claim certainty for events, decisions made in this environment are trivial (you choose the action leading to the best outcome) and not debated.

Uncertainty is more contested. It boils down to a difference between schools of thought on what probability means. One view, going back to economist Frank Knight in 1921, holds that uncertainty is fundamentally different from risk. Under this view, probability simply does not apply to uncertain events, as there is no basis for assigning any probability. Attempting to do so is meaningless, so the criteria for choosing an action are mostly based on looking at the worst or best possible outcomes. A different view is that probability represents a degree of belief, making it possible to assign probability values to events even in the absence of reliable information.

In management practice (where our focus is) this difference is almost negligible. Pure unknowability is rare, as we almost always have some information that lets us form at least a rough estimate of how likely different outcomes are (more on this in a future post). This is why we adopt the latter view. Under it, the first two environments (where we have either absolute knowledge or no reliable knowledge) become special cases of the third.

Essentially, under this interpretation of decision theory, risk represents the basis on which rational decisions are made.

Threats & Opportunities — two sides of the same coin

If you are reading this blog, chances are you’re not a decision theorist. You have probably encountered risk terminology different from what is discussed in the previous section. In many fields we are used to talking about threats, impact and a predefined set of risk response strategies. What most risk management courses don’t teach us, however, is that these terms map directly to the concepts of decision theory: threats are the events, impact is the outcome, and response strategies are the actions we can choose from.

In the previous section we intentionally used the term events rather than states, which is more common in decision theory literature, to make this bridge easier to see. The difference in framing is that decision theory treats events, outcomes and actions more broadly, while management practice typically narrows the focus to threats as potentially harmful events that lead to financial loss or some other negative consequence.
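To make that mapping concrete, here is an added worked example (it is not code from the original post): a small decision-theory model of a platform migration, where the actions are the response strategies, the events are the threat events that may materialise, and the outcomes are their financial impact. The scenario, the action and event names, the outcome figures and the probabilities are all constructed for the illustration. It also shows the point made in the previous section: certainty is just a degenerate probability assignment, and the Knightian criteria for uncertainty rank actions by their worst or best case instead of by probabilities.

```python
"""Decision-theory view of a risk decision: actions x events -> outcomes.

Added illustration, not code from the original post. The migration
scenario, the three actions, the three events, the outcome figures and
the probabilities below are all constructed for the example.
"""
from typing import Dict, Mapping

# Events, or "states of the world". In risk-management vocabulary these
# are the threat events that may or may not materialise.
EVENTS = ("no_incident", "outage", "data_loss")

# Outcome table (constructed): financial outcome, in thousands, for each
# action (response strategy) under each event. Negative values are the
# impact of a loss, positive values a gain.
OUTCOMES: Dict[str, Dict[str, float]] = {
    "migrate_now":   {"no_incident": 120.0, "outage": -80.0,  "data_loss": -500.0},
    "migrate_later": {"no_incident": 60.0,  "outage": -40.0,  "data_loss": -300.0},
    "do_nothing":    {"no_incident": 0.0,   "outage": -150.0, "data_loss": -150.0},
}


def check_probabilities(probs: Mapping[str, float]) -> None:
    """Reject a probability assignment that is not a complete, consistent
    description of the event space (wrong events, negative values, or a
    total that is not 1)."""
    if set(probs) != set(EVENTS):
        raise ValueError(f"probabilities must cover exactly the events {EVENTS}")
    if any(p < 0.0 for p in probs.values()):
        raise ValueError("probabilities must be non-negative")
    if abs(sum(probs.values()) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")


def expected_value(action: str, probs: Mapping[str, float],
                   outcomes: Mapping[str, Mapping[str, float]] = OUTCOMES) -> float:
    """Probability-weighted outcome of one action."""
    check_probabilities(probs)
    return sum(outcomes[action][event] * probs[event] for event in EVENTS)


def choose_under_risk(probs: Mapping[str, float],
                      outcomes: Mapping[str, Mapping[str, float]] = OUTCOMES) -> str:
    """Decision under risk: we can assign probabilities to the events, so
    pick the action with the highest expected value."""
    return max(outcomes, key=lambda action: expected_value(action, probs, outcomes))


def choose_under_uncertainty(outcomes: Mapping[str, Mapping[str, float]] = OUTCOMES,
                             pessimistic: bool = True) -> str:
    """Decision under (Knightian) uncertainty: no probabilities at all, so
    rank each action by its worst case (maximin) or, if optimistic, by its
    best case (maximax)."""
    rank = min if pessimistic else max
    return max(outcomes, key=lambda action: rank(outcomes[action].values()))


def certainty(event: str) -> Dict[str, float]:
    """Certainty expressed as a degenerate probability assignment: the known
    event gets probability 1 and every other event 0. Feeding this to
    choose_under_risk reproduces decision making under certainty."""
    if event not in EVENTS:
        raise ValueError(f"unknown event {event!r}")
    return {e: (1.0 if e == event else 0.0) for e in EVENTS}


if __name__ == "__main__":
    # Constructed probability estimates for the coming quarter.
    estimate = {"no_incident": 0.85, "outage": 0.12, "data_loss": 0.03}
    for action in OUTCOMES:
        print(f"{action:14s} expected value: {expected_value(action, estimate):8.1f}")
    print("under risk (expected value):       ", choose_under_risk(estimate))
    print("under uncertainty (maximin):       ", choose_under_uncertainty())
    print("under uncertainty (maximax):       ", choose_under_uncertainty(pessimistic=False))
    print("under certainty that an outage occurs:", choose_under_risk(certainty("outage")))
```

On the same outcome table each criterion picks a different action: the expected-value criterion favours migrating now, maximin favours doing nothing, and certainty of an outage favours migrating later. That spread is why it matters to be explicit about which of the three environments you believe you are in, and why the probability check refuses estimates that do not add up.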

Financial economics has taught us, however, that risk is inseparable from reward. And in strategic planning we often need to consider not only threats but also opportunities. While some scholars and practitioners still prefer the colloquial, simpler view of risk, there is a good argument to be made for adopting a more outcome-agnostic definition that covers both threats and opportunities.

For example, starting a new business is uncertain. You might fail, lose your investment, and wish you had stayed employed. You might also build something that provides independence, income, and work you find meaningful. Same uncertainty, multiple possible outcomes.

The useful question is not exclusively “What could go wrong?”, nor exclusively “What could go right?”, but rather: given my goals and what I know about the world around me, what is the best course of action to achieve them?

Opportunities and threats are not that different — they are both uncertain events (states) that differ only in whether the outcome is beneficial or harmful. This is why most major risk frameworks like ISO 31000, COSO ERM, Risk IT, etc. align with broader decision science tradition in accepting a definition that accounts for both directions. In our practice we adopt ISO’s definition of risk, which is:

Risk is an effect of uncertainty on objectives — ISO 31000:2018

Where an effect is any deviation from the expected — positive or negative.

Positive risk in a negative outfit

While risk management frameworks have adopted the aforementioned definition of risk, allowing for risk to refer to potentially positive outcomes, the vocabulary has not caught up yet. Most resources, tools, and standards still use terminology built around negative risk: threats, vulnerabilities, losses, mitigation. Some frameworks introduce parallel terminology for positive risk, but these terms are not standardised and are used inconsistently across sources.

In our practice, and for the rest of this series, we stick with the established vocabulary. We will speak about threats, vulnerabilities and loss, while allowing opportunities, strengths and gains to be managed through the same process without always explicitly stating them.

We will revisit this issue again in upcoming posts, when we talk about modelling and expressing risk.

Managing risk is more than just an operational overhead

As established above, risk is foundational to rational decision-making. There is no decision made without, at least implicitly, considering some uncertainty and therefore some risk. Even the most trivial decisions, like what to have for lunch, involve balancing short-term gratification against convenience, cost, and long-term health consequences.

Of course, explicitly managing what you eat for lunch is counterproductive for most of us. But the more complex the situation and the higher the stakes, the more important it becomes to manage risk deliberately.

  • A founder who decides against entering a new market because “the timing feels wrong” is making a risk decision.
  • A CTO who delays a migration because “too many things could break” is making a risk decision.
  • A CFO who sets aside cash reserves “just in case” is making a risk decision.

All these cases can benefit from a more formal approach to risk. In fact, even the lunch decision can be non-trivial and require more conscious planning for people suffering from diabetes, food allergies, severe food intolerances and other health conditions. Unfortunately, many view risk management as an overhead, often done pro-forma for the purpose of satisfying a compliance checkbox.

Risk as a reasoning tool

One way a structured approach to risk helps is by formalising the processes and rules under which uncertainties and related decisions are analysed.

Studies in psychology and behavioural science have shown that human judgement is subject to biases that systematically distort how we perceive and evaluate uncertainties. We overweight vivid, recent events. We anchor on the first number we hear. We confuse familiarity with safety. And many more. A formal process does not eliminate bias, but it creates a structure in which assumptions are made explicit and can be examined. Further, it enables us to evaluate the quality of our decisions over time and continually improve the system to yield better results.

Risk as a communication tool

The second major benefit of adopting a risk management framework across an organisation is that it can bridge the language barrier between people in different functions.

Most organisations, large and small, figure out ways to bring the right people to the table. Often there is no lack of complaints and ideas from the leaders of different functions. But a frequent issue that prevents organisations from properly analysing and prioritising across functions is the difference in language: engineering, HR, finance — they all use different terminology that prevents them from communicating effectively.

A shared methodology with common criteria for analysing and expressing risk overcomes this barrier and enables effective prioritisation and allocation of resources.

When industries fail to adopt best practices, they usually become regulated. A third, more recent consideration is that regulatory frameworks like DORA and NIS2 now explicitly ground their requirements in risk management and hold leadership personally accountable for the decisions made.

For organisations that were already managing risk well, these requirements change very little. For those relying on intuition, informal processes, or checkbox compliance, regulation has turned a best-practice argument into a legal one.

What’s next

In this post, we looked at different views on risk and adopted a definition that allows for both positive and negative outcomes. We made the case that managing risk deliberately is worth the effort, not just as operational overhead, but as a tool for reasoning, communication, and accountability.

In the next post, we will look at the landscape of risk management activities and then turn to a foundational question that determines everything downstream: how do we express risk?
