Different Approaches to Classifying Risks

Classification is one of the most important functions humans perform to speed our cognitive processing of the overwhelming amount of external stimuli we absorb every day.

In the world of risk, many different classification schemes are employed, both formal and informal. But after many years of interacting with them, we remain unsure of whether they clarify or further confuse many of the underlying risk governance and management issues facing boards and leadership teams.

In this note, we’ll try to categorize some of the different risk classification schemes we’ve encountered, and highlight the distinctions they seek to draw.

Broadly speaking, various classification schemes can be grouped into four categories:

  • Potential Causes of Future Risk-Related Events

  • Risk-Related Events

  • Consequences of Risk-Related Events

  • Other Approaches

Potential Causes of Future Risk Related Events

We have often noted how in complex socio-technical systems, causal reasoning is often difficult, because of the dense mix of interrelationships they contain, many of which are characterized by time delays and non-linearities.

However, we often see analyses that classify risks in terms of broad causal forces, such as technology change; environmental change (from macroscopic – e.g., climate change – to microscopic – e.g., antimicrobial resistance); economic and military developments, demographic and social forces, and political and regulatory trends. The World Economic Forum’s annual
Global Risks Report is a good example of the “risk event causes” approach.

Risk-Related Events

This classification scheme is the most traditional, as it is closely tied to frequentist statistics and actuarial science methods that facilitate the quantification, pricing, and transfer of certain types of risk. A good example of this approach is “A Common Risk Classification System for the Actuarial Profession” by Kelliher et al.

A good example of this approach is the division of potentially harmful events into business, market, credit, operational, and more recently cyber risks.

However, as was made painfully apparent in the 2008 financial crisis (not to mention this history of war and politics), this approach suffers from four key shortcomings.

First, not all risks can be easily represented by discrete events; some take the form of gradually accumulating forces that eventually pass a tipping point, causing adverse consequences to accelerate.

Second, the discrete event approach often struggles with “rare event” or “tail” risks, for which historical experience is largely lacking.

Third, capturing the interrelationship between various risks continues to be a challenge, especially in quantitative models.

And fourth, it neglects the fact that complex socio-technical systems are usually characterized by ongoing evolution and the emergence of new phenomena, which reduce the usefulness (or at least the accuracy) of the past as a guide to the future.

Consequences of Risk-Related Events

This is perhaps the broadest approach that is used to classify risk, though at the same time the least consistent. It includes relatively organized approaches to classifying the consequences of risk events (e.g., revenue reduction, cost increase, fall in asset value, and/or increase in liability value), as well as individual categories that aren’t part of an integrated system of consequences (e.g., liquidity risk, reputation risk, strategic/existential risk, etc.).

Risk classification based on consequences also raises questions about sequencing – e.g., what is a first, second, or third order impact. For example, a serious cyber event could lead to weakening sales volumes, pricing pressures, and/or rising costs, which in turn would depress margins, and eventually lead to liquidity problems.

Other Approaches

Distinct from logically sequenced classification schemes based on casual forces, risk events, and subsequent consequences are a number of others that take a different approach.

One example is the distinction that is often made between risk, uncertainty, and ignorance. Events characterized as “risks” can be described statistically, and thus priced and usually transferred. In contrast, “uncertainties” – which cannot be described using frequentist statistics – are both far more common and impossible to transfer via derivative and insurance markets (though they can sometimes be hedged via other means). And ignorance – the realm of Donald Rumsfeld’s famous “unknown unknowns” – is ever present, but of unknowable scope and potential danger.

Other example is the characterization of potential risk events in terms of their relationships to other risk events, and thus their potential to trigger “risk cascades” with non-linear impact.

A final example is the characterization of risks according to either the velocity at which they are maturing, or the net difference between risk maturity and velocity and the time required to formulate and execute an adequate organizational response.

All of these various risk classification approaches have their strengths and weaknesses; each highlight certain aspects of risk, but sometimes at the price of blinding us to others. It is for that reason that we recommend using a combination of approaches – or different frames – when analyzing the risks facing an organization.

This approach almost always produces richer board and management team discussions about risks, as well as superior decisions about how best to govern and manage them.
blog comments powered by Disqus