A history of risk
looks at how our understanding of risk defines modern times
Ask a manager from the 21st century what risk is and, as likely as not, you’ll be told that it is an estimation of the likelihood and severity of harm occurring. Different managers use different terms, but most will know that risk concerns a reasoned view of the future that can be calculated and planned. But you would not have to go back many years for the modern clarity of approach to be lost.
The power of numbers
A well-educated individual 1,000 years ago would not recognise the number ‘0’ and probably would not pass a basic mathematics test. 500 years later, few would do much better, and without some form of measurement, risk would be a matter of gut feelings.
The power of numbers arrived in the west in the early 13th century when a book entitled Liber Abaci appeared in Italy. This was 15 hand-written volumes by Leonardo Pisano, commonly known as Fibonacci, who is best known for a series of numbers that answered the problem of how many rabbits will be born throughout the course of one year from one pair.

He identified the power of numbers for the first time, but using them to assess risk remained centuries distant. In the UK, it was only when the Management of Health and Safety at Work Regulations were implemented in 1993 that the use of numbers to assess risk in workplaces started to become more common.
In 1991 the UK’s Health and Safety Executive published the guidance document Successful Health and Safety Management, where risk was identified as the product of two independent variables: ‘likelihood’ and ‘severity’. Afterwards, many health and safety managers started to use a matrix-type approach to assessing risk, using numbers to measure those two parameters.
In the early 1990s, the Institution of Occupational Safety and Health developed its managing safely training course to include a quantitative risk measurement using a 5x5 matrix (see figure 1). A low risk was identified by a likelihood rating of one and a severity rating of one, while a high risk was identified with ratings of five. The higher the number, the higher the risk, and this led to prioritised action plans.
Figure 1: A 5x5 risk measurement matrix

Peter Bernstein, in his book Against the Gods: The Remarkable Story of Risk, wrote about the importance of the development of risk. He said: ‘The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk: the notion that the future is more than a whim of the gods and that men and women are not passive before nature. Until human beings discovered a way across that boundary, the future was a mirror of the past or the murky domain of oracles and soothsayers.’
Hazard and risk
The words to define risk have also been around for centuries. A modern definition of the word ‘hazard’ is ‘the potential for harm’. The word is said to derive from the Arabic word for dice – ‘al zahr’. Dice is a game of luck – of pure chance and of pure hazard. The word ‘risk’, on the other hand, is said to derive from the early Italian word ‘risicare’, which means ‘to dare’ and implies the freedom to choose, and possibly to fail.
The influence of these age-old definitions can still be seen today. Those involved in the management of risk use language centred around the chance of an event happening, such as ‘frequency’ or ‘probability’. And managers choose, or ‘dare’, how and when to respond to possible hazards. These choices, of course, influence the likelihood of the harm occurring and the severity of this harm should it occur.
In recent years, the term risk has been more widely interpreted as anything that may impact on the achievement of business objectives and is generally quantified in terms of its likelihood and severity. Risk is commonly expressed and measured in two ways:
- inherent risk – the risk exposure before the effect of the selected business control framework is accounted for. Some call this the pure or gross risk
- residual risk – the remaining risk exposure after the mitigating and controlling factors of the business control framework are accounted for
But definitions aside, the first step in managing risk is understanding that it is defined as any source of potential impact, either positive or negative, upon the achievement of the organisation’s objectives. The level of the potential impact can then define the amount and the urgency of any actions managers need to initiate.
As one of the scientists who developed the Saturn V rocket put it: ‘You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate’.
About the author
Stephen Asbury is a Chartered Fellow of the Institution of Occupational Safety and Health and the managing director of Corporate Risk Systems Limited
