W102 Sabsa Risk Management: Part One - The Meaning of Risk


W102

SABSA RISK MANAGEMENT


Part One – the Meaning of Risk
Release 1.0

A White Paper published by The SABSA Press™, an imprint of The SABSA Institute™

July 2018

Copyright © 2018, The SABSA Institute C.I.C. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the
prior permission of the copyright owners unless it is presented in its current form as published by
The SABSA Institute.
Document Title: SABSA Risk Management Part One – The Meaning of Risk. (A SABSA White Paper)
2018
Document Number: TSI W102

Published by The SABSA Press, (a trading name of The SABSA Institute C.I.C.) July 2018.
Comments relating to the material contained in this document may be submitted to:
The SABSA Institute C.I.C, 126 Stapley Road, Hove, BN3 7FG, UK
Registered in England and Wales, No. 08439587

Or by electronic mail to:


[email protected]

Trademarks
SABSA® is a registered trademark of The SABSA Institute. Other trademarks owned by The SABSA
Institute are labelled with a TM mark on their first occurrence in the text.
All other brands, company, and product names are used for identification purposes only and may be
trademarks that are the sole property of their respective owners.

This Document
This document is a white paper that introduces the SABSA view of ‘risk’ from a philosophical and
existential point of view. It is a preparatory tutorial for the subsequent SABSA Risk Management:
Parts 2 and 3 which will be published later in 2018.
It has been developed and approved by The SABSA Institute C.I.C. Board of Trustees.

Acknowledgements
Author: John Sherwood: Chief Architect, The SABSA Institute.
Contributors and Reviewers: John Czaplewski, Editor-in-Chief, The SABSA Institute. Maurice Smit,
Deputy Chief Architect, The SABSA Institute.

SABSA: Risk Management Part 1: 2018: The Meaning of Risk

Contents
THE MEANING OF RISK (page 2)
  WHAT IS RISK? (page 2)
  PHILOSOPHY OF RISK (page 2)
  ORIGINS OF UNCERTAINTY (page 3)
  LIFE CYCLES AND RISK (page 4)
  EMERGENT PROPERTIES OF SYSTEMS (page 5)
  DUALITY OF RISK: OPPORTUNITIES, THREATS AND MAKING DECISIONS (page 6)
  HUMAN SOCIETY AND RISK (page 7)
  BUSINESS RISK (page 8)
  SABSA RISK BALANCE (page 9)
  RISK APPETITE (page 10)
  CATEGORIES OF BUSINESS RISK (page 11)
  ENTERPRISE RISK (page 11)
  RISK MODELLING (page 12)
    Effects of Limited Information (page 12)
    Qualitative versus Quantitative Models (page 13)
    Limits of Computations (page 14)

Copyright © The SABSA Institute 1995—2018. All rights reserved. Release 1.0 July 2018. Page 1

The Meaning of Risk


What is Risk?
[Risk is a human concept derived from our experience of the world]
Risk is an entirely human concept, based on existential observations of the uncertainty of the outcomes of events in the world around us. The effects of uncertainty can be seen to exist and even be measured, and they rule the entirety of our lives.

[The theoretical and philosophical origins of uncertainty]
Part One of this white paper begins by exploring the theoretical and philosophical foundations of this concept of risk by looking at the origins of uncertainty in the universe and moves on to interpreting our experiences in terms of what risk means in the living of life, both personal life and business life.

[Part 2 and Part 3 to follow]
Part 2 of this White Paper (SABSA: Risk Management Process) and Part 3 (SABSA Control and Enablement Strategy) are then developed from these basic concepts of risk described and explained in this Part 1.
Philosophy of Risk
[Risk is concerned with uncertainty of future outcomes]
The future is uncertain. We can never know with certainty about events that we shall experience in the future. We know for certain that we shall die one day, but the circumstances of our death – when, where, why and how it will happen – cannot be known in advance.

[Risk is the driver for life in all its forms]
Staying alive and avoiding an early death is what drives us to take care of ourselves and strive for a better and longer life. Whilst this existential experience is a human one, all life forms share this motivation. The only difference is that most of those other organisms are not sentient to what is going on. However, it is the competitive nature of life and living things that has driven evolution and ultimately led to the emergence of the human species – the survival of the fittest.

[Random errors in reproduction lead to opportunities for adaptive life forms]
DNA provides life forms the ability to copy information from one molecule to another. The differences between RNA and DNA in early single cell organisms and DNA in humans are only in the detail of the genes, not in the basic principle. The process by which life reproduces is the splitting of the double helix molecule of the DNA, and when this happens there are sometimes accidental, random imperfections in the reproduction.

[The uncertainty of reproductive errors drives evolution]
In other words, the outcome of the fundamental mechanism for the reproduction of life is uncertain, and this uncertainty eventually leads to the emergence of new species of life forms. Depending upon the environmental factors prevailing at the time, some of the new species may be more or less suited for survival and development, and the ones most fitted to the environment will be the ones that go forward in the evolutionary process.
[Organisms well adapted to the environment will succeed]
Life is a competition. Organisms struggle to compete for the resources available in their environment. For some, the environment provides opportunities for growth and thriving. For others, the environmental threats overwhelm them and they die off. This competition exists both intra-species and inter-species, and is what drives evolution and the future of life on earth (and maybe even in the universe, for all we know – a known unknown). This tension between opportunities and threats is what we humans experience as ‘risk’.
[Eco-systems are dynamic and change due to the actions of the organisms within them]
When we speak of the environment in which life exists in all its forms, we must remember that the organisms themselves are part of that environment. Life forms interact with one another and are part of a complex eco-system. Eco-systems are not static, but in a constant state of change and development, often as a result of the actions of the organisms themselves. There are predators and prey, the populations of which are closely entangled. Even the vegetarian organisms can have a huge impact on the eco-system by over-consuming their food supply. Eco-systems are self-regulating through these mechanisms, but that does not imply that they are static.

[Environmental risks are embedded in the eco-systems and can be related to human activity]
Amongst the environmental risks that humans face are many caused by the activities of humans themselves that have potential impacts on the eco-system: climate change (although human causation remains controversial for many people), pollution, the spread of diseases, over-population, over-use of natural resources, industrialisation, war between tribes and nations competing for scarce resources, and many more similar impacts that are risk factors in today’s human society.
Origins of Uncertainty
[Human intelligence allows us to examine the reasons behind universal uncertainty]
So, uncertainty of outcome of events is an existential human experience. As intelligent organisms we also have the capacity to look deeper into the reasons for this uncertainty. Scientific research through observation of our surroundings has led us to understand that there are some fundamental laws of physics that rule the universe in which we live.

[Uncertainty and randomness are built into the laws of the universe]
We have learned that although the universe is capable of creating orderly structures such as galaxies, star systems and planets, the ways in which these processes work have a large degree of embedded randomness. Uncertainty is built into the universal laws at every level, from the sub-atomic quantum level to the cosmological level.

[The second law of thermodynamics, entropy, and doing work, using energy, to restore order]
The second law of thermodynamics tells us that entropy (the level of disorder in a system) will tend to increase, and that this process is random in its nature. If we want to restore order or even keep it static, we have to expend energy to do real work to rebuild the order of the system. And if we want to maintain order we must continuously expend energy.
[Gardening as an example of restoring order in a high entropy system]
This may sound very theoretical and distant from human life experiences, but take for example the keeping of a garden. In the early spring you go out into the garden to tidy up the ravages of the winter and to encourage the growth of your favourite plants. You mow the lawn, trim the hedge, weed the flower beds, plant new seeds, sweep the paths, prune the rose bushes and other shrubs and it all looks lovely. You then go away on a spring holiday and three weeks later you return and it looks like a wild jungle. The second law has been at work and the disorder has increased. You need to expend some more energy to do gardening work to restore the order once again. This process never stops – it merely has seasonal rhythms to it. The action of the second law has very existential consequences for ordinary life as a human being.
[Decay of computer system configurations as an example of the second law of thermodynamics]
Another example of the effects of the second law is maintaining the configuration of computer systems. There are numerous parameters that can be set to optimise system performance and system security. Many professional enterprises that run complex business computing systems have a specified standard by which all these parameters should be set. You can configure the system to the standard, but over time conformance of the settings to the standard degrades. There are software updates and patches, there are functional changes and modifications, there are errors made by systems maintenance and operations people, and there are bugs in the software that were unknown at the time of initial configuration. There are also the performance overheads of measuring system performance, which themselves affect the performance. Measuring a variable often changes its value in dynamic systems. Over time these small changes and effects lead to a drift from the configuration standard, and from time to time it is necessary to do some work, expend some energy, to clean up the configuration and restore its orderliness – reversing the effects of increasing entropy.

[The only certainty is random decay]
Random and uncertain decay of orderly systems is the way the world works.
Life Cycles and Risk
[The ravages of time and the aging process]
Now consider the interaction between the essence of life as a competition between organisms and adaptation of organisms to a changing eco-system. Also now bring in the action of the second law in its inexorable process of decay and degradation of orderly systems. Each new organism born, through whatever reproduction process applies to that species, will most often begin in a state of near perfection. There may be some configuration errors buried in the genes in the DNA, but often these will not show in the beginning. Young things are beautiful and usually work as designed. As the aging process progresses, the second law takes its toll. Cells die off. New cells that are randomly damaged replace some of the dead cells (for example, human red blood cells are constantly replenished, born and grown in the bone marrow over a period of around 100 – 120 days). Genetic imperfections start to emerge as physical and psychological health issues.

[Life cycles defined]
The organism reaches a level of maturity at which that life form is optimised to reproduce and bear the next generation (but only if it has been fit enough to get that far in life). Then it begins to degrade more quickly, and when the next generation is secured, it has little usefulness any more – it can die. So in all cases of life, organisms are born, grow, reproduce, decay and die. This is what we call a life cycle.

[Life cycles are a mechanism for evolutionary responses to emerging changes]
The nature of life cycles is a complex interaction between the need to evolve to keep up with the changing environment of the eco-system, and the inevitable increase in entropy that is governed by the second law of thermodynamics. It’s a very clever trick that nature has pulled off here, to use these combined forces to improve life forms and optimise them for the prevailing conditions.


[Human opportunities and threats]
From the human existential perspective all of this presents itself as a series of opportunities and threats in life. We don’t often think about these theoretical roots – we simply experience these effects as being ‘risks’ in our lives.

[Living life means managing risk continuously]
Living life and being alive is a constant process of risk management on a personal level. Every human has to look out for the best opportunities and grasp them, and to look out also for the most important threats and take action to mitigate those. That is the skill of living a successful life. Those that have that skill will thrive and reproduce a strong next generation. Those without this skill are less likely to succeed in life – but then every outcome is probabilistic – there are no guarantees of success, and the randomness of outcome is what feeds the evolutionary process.
Emergent Properties of Systems
[Complex dynamic systems are built of hierarchical sub-systems and components]
Simple dynamic systems are easy to predict in their behaviour. As the level of complexity of a dynamic system increases it becomes more and more difficult to predict every type of behaviour that it will exhibit. Highly complex dynamic systems are built from sub-systems, which are built from sub-sub-systems, and so on. At the bottom layer of this hierarchical decomposition we can see system components – simple things that have well known and well defined behaviours.

[Emergence defined as unexpected system behaviour]
Emergence is when we observe an overall unexpected (perhaps unwanted) system behaviour that is not part of our system design goals. It is an unexpected property not caused by faulty components or failure of components to work according to specification, but by the complexity of the interaction of the system components.
[Deadlock in computer systems as an example of emergence]
Consider a very simple example: the emergence of ‘deadlock’ in computer systems is when two concurrent processes compete for two resources. Process A has secured resource X and now needs to access resource Y. Resource X is locked so that no other process can use it until process A releases it. Process A is waiting for resource Y to become available so that it can complete its operation. Meanwhile, process B has secured and locked resource Y and now needs to acquire resource X to complete its operation and is waiting for that resource to become available. Both processes are waiting on each other and they will wait forever unless there is a third process to intervene and resolve the deadlock.
[Deadlock at road junctions as another example of emergence]
You can observe the same effect at road junctions where several vehicles are waiting to turn across the oncoming traffic but are blocking each other’s exit from the junction space. Unless someone reverses out, it will last forever, and if other vehicles are queued behind, the situation can be very difficult to resolve in practice. The introduction of the ‘yellow box’ at road junctions to caution vehicles against entering the junction unless there is room on the other side for their exit, and some rules about its use, is the mechanism to avoid those traffic deadlock situations, only so long as drivers observe the protocols.
[Congestion in networks as an example of emergence]
Another very tangible example of an emergent property is the development of congestion in networks of all types. Road traffic networks and digital communications networks are both subject to the same emergent property. The components may all be working as expected, but if the traffic density becomes overloaded, congestion builds up and the system ceases to work as designed.
[Considering ‘insecurity’ of systems as an emergent property]
Insecurity of highly complex computer systems can be viewed as an emergent property. It is the level of complexity that renders the system vulnerable to attacks by those who can find ways to manipulate the components to behave in ways that they were never designed to do. Perhaps the most famous example of this is described in the 1989 book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll, in which the correct working of the UNIX operating system could be manipulated to deliver malware to the root privilege level.

[Emergence is a source of uncertainty of outcome]
This emergence is yet another source of uncertainty of event outcomes in life, another source of risk. In particular, systems and eco-systems that involve animal behaviour (including human behaviour) are liable to the unpredictability of component interactions.

[Human emotional responses and ‘feelings’ can be unpredictable]
Humans, like other animals, have a lower brain that processes input signals as ‘feelings’ rather than ‘thoughts’. The higher human brain (the neo-cortex) does logical processing that we call ‘thinking’. The lower human brain (the limbic brain) gets to make ‘flight, fight or freeze’ decisions several milliseconds before the logical neo-cortex kicks into action, which is why human behaviour is often of an emotional type of response, and as such very uncertain and unpredictable. If the system has human components, which it usually does, then all kinds of emergent properties can be exhibited. Even with the apparent similarity of initial conditions, the outcome can be very different on different occasions.
Duality of Risk: Opportunities, Threats and Making Decisions
[Life is a constant stream of risks: both opportunities and threats]
In exploring the nature of risk in relation to human life, what emerges is a picture of life as a series of both opportunities for thriving, and threats that will oppose a long and healthy life. Through the entire life cycle we are confronted by risks in this dual form. For every opportunity there are associated threats, and for every threat there are associated opportunities. From the moment of conception of a new human life in the mother’s womb, until the moment of death, every human being experiences a constant stream of risks in the form of opportunities and threats. Leading a successful life requires us to manage those risks to an optimal level.

[Leveraging risk management as a critical success factor]
Several things are essential to this success:
- Recognising that risk is pervasive in every aspect of life. You cannot put risk in a box and put it aside out of sight. It applies to all the decisions that are ever made by humans in all aspects of lifestyle:
  - Private life;
  - Corporate life;
  - Political life.
- Recognising the opportunities and threats when they arise;
- Identifying which ones are of great importance and which are not;
- Finding the optimal balance between opportunity and threat;
- Making good life decisions on several time horizons:
  - Strategic life decisions (long term), such as what career to choose; what educational programme to follow; whether or not to be married, and if so, to whom; whether or not to have children, and if so, how many; where to live, and so on.
  - Tactical life decisions (medium term), such as where to go on a family holiday so as to satisfy the needs and desires of all the stakeholders in the family unit; which house to buy with similar stakeholder considerations, and so on.
  - Operational life decisions (short term and the present moment), such as: Is it safe to cross the road now? Is this food safe to eat? If I buy this new dress will I look good at the party? Etc.
  - Contingency planning decisions for unexpected events at unknown future times. Although called out here as a separate ‘time horizon’, it could be filed under ‘strategic decisions’. ‘Rainy day savings’ is one example – what an enterprise would call ‘risk capital’.
- Recognising that all decision making of any kind is risk-based. Each human continuously evaluates the positive and negative aspects of the risks and makes decisions that are intended to optimise life. Risk can never be ignored, since it is present in every moment of every human life. You cannot ever eliminate risk if you are alive. There is no such thing as ‘no risk’, but there are ‘low risk’ options. The decisions that we make are:
  - Should I do this thing or not?
  - Should I do this thing or that thing?
  - Or should I be looking for some other thing to do?
  - Should I do nothing?
- It is essential to realise that ‘doing nothing’ is not a zero-risk option. Doing nothing has its own risks, especially if you are ‘doing nothing’ in the face of an obvious threat or opportunity. Sometimes action of any type is better than doing nothing, but then sometimes the ‘freeze’ response (perhaps acting dead) is more appropriate. However, no option has a zero risk attached to it.
Human Society and Risk
[Living in society brings its own set of opportunities and threats]
So far in this paper we have explored the meaning of risk from the point of view of an individual human being. However, humans are very social animals that organize themselves into all sorts of social structures. These social structures are influencing factors that affect the human experience of risk, both in terms of life opportunities and life threats. Whilst humans benefit from many aspects of shared living, there are also many threats that arise from this sharing. Living in communities is a two-sided coin – the risk coin:
- Cultural risk factors:
  - Family: blood relatives and in-laws;
  - Ethnicity: shared tribal culture;
  - Religion: shared beliefs;
  - Language: shared communication;
  - History: shared background;
  - Nationality: shared identity;
  - Socialisation: shared interests – music, the arts, sports, and hobby activities.
- Economics: shared wealth creation and distribution;
- Politics: shared social values;
- Government: legal structures and citizen services;
- Technology: shared tools;
- Industrialisation and industry sectors: shared work activity;
- Geographical co-location: shared natural environment and resources;
- Corporate bodies: business organisations and enterprises with shared objectives.

[We must work with all these risk factors all the time]
In each and every one of these factors one can see that human competition is at play, and that as a result there is uncertainty of outcome. There is risk.
Business Risk
[Entrepreneurial activity is risk taking to develop new business]
Business in a free-market economy is based on entrepreneurship. An entrepreneur is someone who takes the initiative to start a business, usually at some considerable personal financial risk. As the business grows, the entrepreneur usually offers the opportunity for others to make financial investments, at their own risk, in order to scale up the enterprise. Eventually this may result in ‘floating’ the business enterprise on the stock market – a public financial investment vehicle. All the investors take risk for the purpose of financial advantage and receiving dividends on their investment. They weigh the balance between opportunity for gain and benefit, and the threat that they will lose their money.

[Operational risk is as important as financial risk]
In order to protect the investments, the business also has to deal with a wide variety of operational risks, such as legal risk, IT risk, information risk, business continuity risk, employment and human resources risk, product and process quality risk, and many more categories. There is also the risk posed by the environment, such as natural disasters and natural opportunities.


[One person’s threat is often another person’s opportunity]
It is interesting to note that the threat to human society from potential climate change has also thrown up a huge business opportunity for those investing in ‘carbon-neutral, green technology’. Where there’s a threat, there is always an associated opportunity. If climate change leads to unusual flooding in some low lying areas, then those in the business of building flood defences will thrive, and so it goes on. This example is merely one of many that are currently high profile in the public debate on risk.
SABSA Risk Balance
[In SABSA Thinking™ we treat risk management as a balancing act]
We have so far established that finding the right balance between opportunity and threat is the secret of a successful life, both for the individual human and for collective groups of humans, including business enterprises. The SABSA Risk Balance Strategy models this concept of risk balance (Figure 1).

[Figure 1: SABSA Risk Balance Strategy (diagram not reproduced; its labels are listed here). Top: Business Value Chain; Risk Context. Centre: Assets at Risk; Proxy Assets (Attributes); Asset value. Negative side: Threats; Negative Outcomes; Likelihood of threat materialising; Likelihood of weakness exploited; Overall likelihood of loss; Negative impact value; Overall loss value; Loss Event. Positive side: Opportunities; Positive Outcomes; Likelihood of opportunity materialising; Likelihood of opportunity exploited; Overall likelihood of benefit; Positive impact value; Overall benefit value; Beneficial Event.]

Figure 1: SABSA Risk Balance Strategy


[Measures of risk: likelihood and impact]
At this point it is necessary to introduce some additional terminology of risk. We have already mentioned positive and negative event outcomes, threats and opportunities, losses and benefits, but now is the time to discuss how we measure risk. There are two key measurements that we use to express the relative sizes of risks:
- Likelihood: the expected or estimated probability that something will happen;
- Impact: the relative, measured effect that the event will have on our objectives, either positive or negative.


[The risk context defines the business background]
The Risk Context is the detail of the circumstances that surround the human experience of the risk being measured. What sort of risk is being considered and what are its boundaries? Who ‘owns’ the risk and is accountable for the outcome? Who will be affected by the impact of the risk? Who is responsible for managing the risk? What risk factors are relevant?

[Assets are anything that has value to us, tangible or intangible]
The Assets are those things that are considered valuable and ‘at risk’. The value can either be enhanced or damaged, depending on whether the outcome is positive or negative. Assets can be tangible or intangible. SABSA focuses a lot on business capabilities, processes and services as assets – which are intangible but real assets nevertheless.

[Threats and opportunities act on assets]
There is also a sequence implied in the Risk Balance diagram:
- Threats exploit weaknesses (vulnerabilities), leading to a negative impact on objectives, which is a loss event. Asset value is diminished.
- Strengths exploit opportunities, leading to a positive impact on objectives, which is a beneficial event. Asset value is enhanced.
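The loss-event and beneficial-event sides of the Risk Balance, together with the likelihood and impact measures above, worked through in Python as an added example (not a SABSA calculation or code from the white paper). It assumes that the "overall" quantities of Figure 1 combine their two inputs multiplicatively, that impact is expressed as a fraction of asset value, and that a risk appetite is a cap on expected loss; the asset, the option names and all numbers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossSide:
    """Negative (left-hand) side of the Risk Balance: a threat acting on a weakness."""
    threat_likelihood: float     # likelihood of the threat materialising, 0..1
    weakness_likelihood: float   # likelihood the weakness is exploited once it does, 0..1
    negative_impact: float       # negative impact value, as the fraction of asset value lost, 0..1


@dataclass(frozen=True)
class BenefitSide:
    """Positive (right-hand) side: one of our strengths grasping an opportunity."""
    opportunity_likelihood: float  # likelihood of the opportunity materialising, 0..1
    grasp_likelihood: float        # likelihood our strength exploits it before it passes by, 0..1
    positive_impact: float         # positive impact value, as the fraction of asset value gained, 0..1


def _unit(value, name):
    """Likelihoods and impact fractions must lie in [0, 1]; reject anything else early."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {value!r}")
    return value


def overall_loss(asset_value, loss):
    """Assumption: the 'overall' boxes of Figure 1 combine their inputs multiplicatively."""
    likelihood = (_unit(loss.threat_likelihood, "threat_likelihood")
                  * _unit(loss.weakness_likelihood, "weakness_likelihood"))
    value = asset_value * _unit(loss.negative_impact, "negative_impact")
    return {"likelihood": likelihood, "value": value, "expected": likelihood * value}


def overall_benefit(asset_value, benefit):
    """Mirror image of overall_loss for the beneficial event (same assumption)."""
    likelihood = (_unit(benefit.opportunity_likelihood, "opportunity_likelihood")
                  * _unit(benefit.grasp_likelihood, "grasp_likelihood"))
    value = asset_value * _unit(benefit.positive_impact, "positive_impact")
    return {"likelihood": likelihood, "value": value, "expected": likelihood * value}


def risk_balance(asset_value, loss, benefit):
    """Set the loss event against the beneficial event for one asset."""
    lo = overall_loss(asset_value, loss)
    be = overall_benefit(asset_value, benefit)
    return {"expected_loss": lo["expected"],
            "expected_benefit": be["expected"],
            "net": be["expected"] - lo["expected"]}


def choose_option(asset_value, options, appetite):
    """Pick the option with the best net balance whose expected loss is within the appetite.

    `options` maps an option name to (LossSide, BenefitSide). 'Do nothing' is just
    another option with its own loss side; it is not a zero-risk baseline.
    Returns (name, balance), or (None, None) if every option exceeds the appetite.
    """
    best_name, best = None, None
    for name, (loss, benefit) in options.items():
        balance = risk_balance(asset_value, loss, benefit)
        if balance["expected_loss"] > appetite:
            continue  # more downside than the decision maker is prepared to take
        if best is None or balance["net"] > best["net"]:
            best_name, best = name, balance
    return best_name, best


# Constructed illustration: an online ordering service valued at 1000 units, three options.
ASSET_VALUE = 1000.0
OPTIONS = {
    "launch the new feature": (LossSide(0.4, 0.5, 0.30), BenefitSide(0.8, 0.5, 0.25)),
    "do nothing":             (LossSide(0.6, 0.5, 0.20), BenefitSide(0.0, 0.0, 0.00)),
    "bet the company":        (LossSide(0.9, 0.8, 0.50), BenefitSide(0.9, 0.6, 0.80)),
}
RISK_APPETITE = 100.0  # largest expected loss the enterprise will accept, same units as the asset

if __name__ == "__main__":
    for name, (loss, benefit) in OPTIONS.items():
        print(f"{name:24s} {risk_balance(ASSET_VALUE, loss, benefit)}")
    print("within appetite:", choose_option(ASSET_VALUE, OPTIONS, RISK_APPETITE)[0])
    print("no appetite cap:", choose_option(ASSET_VALUE, OPTIONS, float('inf'))[0])
```

With the constructed numbers, "bet the company" has the best net balance but an expected loss of 360, so the appetite of 100 rules it out and "launch the new feature" (expected loss 60, expected benefit 100) is chosen; "do nothing" still carries an expected loss of 60 with no benefit.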
[The subtle difference between threats and opportunities: active versus passive]
Note the subtle difference here. There is an inversion of what exploits what. A threat actor is different from an opportunity agent. The threat actor is probably active, whereas the opportunity agent is passive. An opportunity needs to be grabbed. An opportunity flies by your window, and you have to invite it, convince it to come in. The invitation, the convincing, is done with a strength.

[Threats are active and will exploit any vulnerabilities they encounter]
A threat actor may be knocking on your door looking for the weakness to answer. You do not invite it in deliberately. Threats from natural disasters or other environmental elements may not per se knock or actively search for the weakness, but they will hit you anyway. The weakness doesn’t necessarily have to advertise “Hi, hey, hello!! I’m here! Hit me, hit me!” To be vulnerable is enough for an active threat to exploit you.

[Opportunities need to be grasped and exploited by the strengths that you possess]
Opportunities from natural disasters or other environmental elements may just pass by. Although we’ve identified them as such in our Risk Assessment, if the strength does not reach out, the opportunity passes, unused. So, opportunity does not exploit the strength. The strength exploits the opportunity.

[More details in Parts 2 and 3 of this paper]
More detail on these additional concepts can be found in Part 2 and Part 3 of this white paper. The purpose here is to introduce them at a superficial level to explain their meaning.
Risk Appetite
[Risk appetite defined]
Risk appetite is the amount of downside risk (threat) that an enterprise or person is prepared to take in order to pursue the opportunities for benefits and gain that it perceives. To do business is to take risks, and to live life is to take risks, but the level of appetite for taking risks varies from one enterprise to another, and from one person to another. Some people like to do extreme sports for leisure entertainment, whilst others prefer to watch them on television in the comfort of their own homes.

Copyright © The SABSA Institute 1995—2018. All rights reserved. Release 1.0 July 2018. Page 10
SABSA: Risk Management Part 1: 2018: The Meaning of Risk

Risk appetite embraces the 'balance' concept and the 'price of risk'
Risk appetite is about the balance between the temptation to 'take a risk' (accept the downside) and the desire for the big prize (the upside). Is the prize worth the candle? What is the price of risk? This is what the market would ask. Who will buy risk at this price? Market forces will adjust the price. From the stock exchange to the world of betting on horse-racing and football matches, the market drives the price of risk. You can package and sell almost any type of risk. That is what the insurance market does: life assurance, motor insurance, property insurance, health insurance, and many more.

Over-commitment to opportunities can lead to failure to deliver
There can be an ironic effect of being tempted by too many opportunities: a greedy appetite bigger than one's ability to digest the intake, as it were, in which the entity (enterprise or person) takes on so many opportunities that there are insufficient resources to service the demands made. In this case there is an emerging threat of failure to deliver, raising expectations that cannot be met and causing self-inflicted damage to reputation. As always, risk balance is the key to success.

Budget as a means to manage risk appetite
In business, risk appetite is managed by balancing the financial budget between activities to pursue opportunities and activities to mitigate threats. Risk appetite is a concept derived from the risk balance described above. This is discussed in more detail in Parts 2 and 3 of this white paper.
Categories of Business Risk
High level risk categories
From the point of view of any business there are three main high-level categories of risk with which the enterprise must deal. In all three, the issue of opportunity versus threat is applicable. These categories also roughly equate to the 'time horizons' discussed earlier.

• Strategic Business Risk: Reputation; Competition; Business model; Markets addressed; Product and services mix; Territories and channels to market; Investment in growth; Product life cycles; Governance; Supply chain; Mergers, acquisitions and disposals; etc.
• Change Risk (Tactical): Risks concerned with: Projects and Programmes; New technologies; New management; Reorganisation; Process re-engineering; Business transformation; Digital disruption of the market; Architecture; etc.
• Operational Risk: All risks to do with people, processes, technology and naturally occurring events. Includes: Health and Safety; Legal and Regulatory Compliance; Human Resources; Business Operations; Information management and IT; Production; Delivery; etc.
Enterprise Risk
Harmonising and optimising interacting risks across the enterprise
Although it is often convenient to organise risk management under various silos of expertise, risks of different types interact in a complex system and produce emergent risk properties. The mitigation of one threat can lead to an increased danger from another threat that is not obviously related (forcing frequent password changes to counter credential theft, for example, tends to push users towards weaker, more predictable passwords). Similarly, the pursuit of one opportunity can have damaging effects on the pursuit of another one. Enterprise risk management considers risk from a holistic high-level viewpoint, optimising the entire basket of risks from an enterprise perspective, rather than from a local business unit viewpoint. More detail on this topic is discussed in Parts 2 and 3 of this white paper.
Domain diagram representation of enterprise risk
Enterprise risk can be considered as the single high-level risk category, being the fusion and intersection of all other risk categories (domains).

[Figure 2: Enterprise Risk as the optimisation of all risks. Domain diagram of three overlapping circles, Strategic Risk, Change Risk and Operational Risk, with Enterprise Risk at their intersection.]
Risk Modelling
Effects of Limited Information
Risk management requires risk information
Risk is concerned with uncertainty of outcome, but there are various levels of uncertainty that we can deal with based on the information that is available. We can record historical data on risk events and use that data for forecasting future risk events. In some cases the past can be a useful predictor of the future, but there are some severe limitations that we must take into consideration.

Incomplete or biased information can mislead the risk taker
The problem revolves around lack of complete information: even information about past events is never quite complete, and different accounts from different people will give different versions of past events. As they say, the victors write the history.

Known knowns, known unknowns and unknown unknowns
So, how much information do we have available on which to base our risk decisions? At a U.S. Department of Defense (DoD) news briefing on February 12, 2002, Donald Rumsfeld, then U.S. Secretary of Defense, answered a question about how much information the allied forces had regarding the supply of weapons of mass destruction by Iraq to terrorist groups. This was his (now famous) reply [i]:
    "Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones."
Complete information is never possible. The gaps are part of the uncertainty
In this statement Rumsfeld eloquently captured the general problem with risk forecasting: lack of hard information. We can never know everything about everything, and in particular we cannot know what it is we don't know; such knowledge would be a paradox.

Witness accounts often vary
Even if we have witness accounts to analyse, it is a known fact that different witnesses to the same event will give different accounts of what happened, not because they are being dishonest, but because their perceptions and memories are different. They viewed the event from different viewpoints, both physical and logical, and therefore saw different aspects of the event.

Opinions about the future vary even more
When it comes to opinions about the future, the scope for difference becomes even more pronounced, because different people will place emphasis on different risk factors in a complex scenario.

Unknown knowns
Something that Secretary Rumsfeld did not mention is the challenge of unknown knowns: information we have but don't know we have. The problem is often brought about by a security control, the 'need to know' principle. The 9/11 Commission Report, issued on July 22, 2004, recommended that the 'need to know' principle should be replaced with a 'need to share' principle.

Statistical distribution models suffer from the lack of rare or unforeseen data points
Nassim Nicholas Taleb, in his book 'The Black Swan' [ii], challenges the science of risk forecasting based on stochastic modelling: without the data points relating to the 'unknown unknowns', the statistical distributions that are fitted to event histories are deeply flawed and are unreliable in predicting the future. He also claims that what we regard as 'rare events', because we have never seen them before, are in fact quite common, and that our existential experience is that we are seeing new event types all the time.

Scenario modelling to predict the future in different environments
The way that enterprises try to get more reliable forecasts is to dream up scenarios of the future that have the same initial conditions (the 'now' state) but progress in different directions. So, as a simple example, a business might make economic forecasts based on three different scenarios: the price of oil stays stable; the price of oil rises steeply; the price of oil drops through the floor. What would each mean for the company? Then they make three different strategic and tactical plans and see what actually happens. Scenario analysis is covered in more detail in Parts 2 and 3 of this white paper.
Qualitative versus Quantitative Models
Risk assessment underpins decision making
All human decisions are based on risk assessment, whether explicit (documented) or implicit (gut feel). In cases where the assessment is explicit there is a documented rationale based on some estimations or calculations. This documentation provides a traceable audit trail of why certain decisions were made. Quantitative methods usually involve some type of statistical analysis of previous data that looks for trends and cycles in the observations and uses them as predictors of the future. These are the methods that are so heavily criticised by Nassim Nicholas Taleb in 'The Black Swan'.

Qualitative risk assessment is popular and creates more of a 'gut feel'
It is also common to use a qualitative approach, rating risk parameters on a high, medium and low type of scale, or using a one-to-five scale (or similar). It can be argued that for 'gut feel' a human is optimised for a three-level approach, hence the common use of high, medium and low, or, as it is often called, 'traffic light reporting' using red, amber and green colour coding. Even with a documented traceable audit trail, many decision makers will reduce the decision to a gut feel. It has to 'feel right'.

Take care to standardise what is meant by levels such as high, medium and low
SABSA takes a pragmatic qualitative approach to assessing risk. It seems that most key decision makers will condense and reduce any more complex rating into their own high, medium and low bands, and so it is useful to present these already prepared. One must be careful, though, to baseline what these levels mean: one person's 'high' can be another person's 'medium' or 'low'. Part 2 of this white paper describes in detail how SABSA does risk assessment.
Limits of Computations
The 'butterfly effect' and Chaos Theory
In 1961 Edward Lorenz [iii] was working on early computer models of the weather in order to do weather forecasting, using numerical analysis techniques. His data for the initial conditions (starting point) was held to six decimal places. He had some apparent success with his test on the model and decided to re-run it by entering the data all over again to check the results. As a short cut he entered only three decimal places for the 'quick check'. At first the output followed the first run, but it quickly started to diverge, until the forecast outputs were entirely different. What he had discovered he later (in a 1972 talk) named the 'butterfly effect', and it became the seed of what is now known more generally as Chaos Theory [iv].

Chaos is deterministic amplification of tiny differences, not random behaviour
Chaos Theory is concerned with the effect of infinitesimal differences in the initial conditions of complex dynamic systems. It appears to be similar to the emergent properties of dynamic systems, but is not quite the same. Chaotic behaviour, being deterministic, is not identical to non-deterministic, random behaviour, but it looks the same from an existential human viewpoint. It is definitely an occurrence of uncertainty of outcome from the human viewpoint.

All digital computers suffer from chaos after repeated floating point operations
Computer modelling of any chaotic dynamic system suffers from this problem. Digital computers represent real numbers using floating-point arithmetic [v] (FPA), which carries a fixed number of significant figures. No matter how precisely the initial data is entered, every floating-point operation introduces a rounding error, and in a chaotic system those errors are amplified at each step until the output bears no relation to the true trajectory.
Application developers with little idea about computer science often have too much faith in their computer models
This is an area of computer science often neglected by application developers and users when they build models to simulate long-term dynamic behaviour in complex systems such as the climate of our planet. There is no total fix for the problem, although the Oracle-hosted paper referenced in Endnote [v] (Goldberg, 'What Every Computer Scientist Should Know About Floating-Point Arithmetic') gives a very full exploration of how to make the best of it.

Additional problems with accurate measuring of input data
Now put the data measurement problem on top of this processing problem and combine the effects. No matter what measuring instrument you use for your initial conditions (your input data), it has a limit of accuracy in measuring real numbers [vi]. This means that every piece of 'real number' input data already has a rounding error in it before it is fed to the FPA for further rounding during processing.
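The following is an added worked example, not code from the white paper or from The SABSA Institute. It reproduces the mechanism described above, Lorenz's re-run, on a much smaller system: the logistic map x -> 4x(1-x), a textbook chaotic map used here as a stand-in for his weather model. The two starting values, 0.506127 (the full-precision reading) and 0.506 (the three-decimal 'quick check'), are the figures from the usual telling of the Lorenz story and are assumed, not taken from the paper. The example separates the two effects the text describes: a truncated input (measurement rounding) makes two runs of the same model disagree within a dozen steps, and even with a perfect input the float64 arithmetic drifts away from a 100-digit reference run because every operation rounds.

```python
"""Finite precision plus sensitive dependence on initial conditions.

Added example (not from the SABSA paper). The system is the logistic map
x -> 4*x*(1-x), which is chaotic for this parameter. The initial conditions
0.506127 and 0.506 are assumed values taken from the usual account of
Lorenz's 1961 re-run, not from the paper.
"""
import math
from decimal import Decimal, getcontext


def logistic_orbit(x0, steps):
    """Iterate x -> 4*x*(1-x) and return [x0, x1, ..., x_steps].

    Works unchanged for float and Decimal inputs, so the same code produces
    a float64 orbit and a high-precision reference orbit.
    """
    four, one = type(x0)(4), type(x0)(1)
    xs = [x0]
    x = x0
    for _ in range(steps):
        x = four * x * (one - x)
        xs.append(x)
    return xs


def first_divergence_step(x0, x0_truncated, threshold=0.1, max_steps=200):
    """Lorenz's re-run: the same float64 model started from the precise and
    from the truncated initial condition. Returns the first step at which
    the two forecasts differ by more than `threshold`, or None if never."""
    precise = logistic_orbit(x0, max_steps)
    truncated = logistic_orbit(x0_truncated, max_steps)
    for n, (p, q) in enumerate(zip(precise, truncated)):
        if abs(p - q) > threshold:
            return n
    return None


def float_vs_reference_errors(x0_text, steps, reference_digits=100):
    """Measurement is perfect here: both orbits start from the same decimal
    string, only the arithmetic differs. Returns |float64 - reference| per
    step, the reference being computed with `reference_digits` digits."""
    getcontext().prec = reference_digits
    reference = logistic_orbit(Decimal(x0_text), steps)
    float64 = logistic_orbit(float(x0_text), steps)
    # Decimal(f) converts a float exactly, so this is the true error.
    return [float(abs(Decimal(f) - r)) for f, r in zip(float64, reference)]


def repeated_addition(step=0.1, count=10):
    """The rounding error itself: 0.1 has no exact binary representation,
    so ten naive additions miss 1.0, while math.fsum (exactly rounded
    summation) lands on it. Returns (naive_total, fsum_total)."""
    total = 0.0
    for _ in range(count):
        total += step
    return total, math.fsum([step] * count)


if __name__ == "__main__":
    n = first_divergence_step(0.506127, 0.506)
    print(f"precise vs three-decimal start: forecasts differ by >0.1 at step {n}")
    errs = float_vs_reference_errors("0.506127", 100)
    print(f"float64 vs 100-digit reference: error at step 10 = {errs[10]:.2e}, "
          f"largest error over steps 50-100 = {max(errs[50:]):.2f}")
    naive, exact = repeated_addition()
    print(f"0.1 added ten times: {naive!r} (naive) vs {exact!r} (fsum)")
```

The per-step error bound is the point to take away: on [0, 1] the map stretches a difference by at most a factor of 4 per step, so the truncation of 1.27e-4 cannot exceed 0.1 before step 5, but it does exceed it soon after; and with no input error at all, float64's roughly 1e-16 relative rounding per operation is amplified the same way, so by step 50 the 'model' and the high-precision reference have nothing in common. Extending the run does not help; only the arithmetic precision and the input precision set how far ahead the forecast is meaningful.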
Data insufficiency adds to the errors through false assumptions
There is yet another problem, that of data sufficiency. How many data points do you need to ensure that you have captured the entire state of the initial conditions of the dynamic system that you are modelling? No matter how 'complete' your data is, in real terms it always has a degree of sparseness, because you can never have an infinite data set. How certain can you be that the missing 'in-between' data points follow your assumptions? Sceptics of mainstream climate science point out that we know very little about the science of 'cloud ice' and its reflective properties, or about deep ocean science, and that these uncertain areas of 'missing data' are significant reasons to mistrust current climate models.

Widespread unquestioning belief in computer modelling could be the biggest risk we face
All of these limiting factors are the everyday business of computer science, but how frequently do the application developers with their applied models understand these limitations? Perhaps this is one of the biggest risks of the modern world: the widespread human belief that digital computers offer the solution to everything. Many significant strategic and tactical decisions are being made on this basis.

[i] Rumsfeld quotation: http://jxb.oxfordjournals.org/content/60/3/712.short (accessed 20th May 2017)
[ii] The Black Swan: https://en.wikipedia.org/wiki/The_Black_Swan_(Taleb_book) (accessed 20th May 2017)
[iii] Edward Lorenz: https://en.wikipedia.org/wiki/Edward_Norton_Lorenz (accessed 20th May 2017)
[iv] Chaos Theory: https://en.wikipedia.org/wiki/Chaos_theory (accessed 20th May 2017)
[v] Floating Point Arithmetic: https://docs.oracle.com/cd/E19957-01/806-3568/ncg_goldberg.html (accessed 20th May 2017)
[vi] Real numbers: https://en.wikipedia.org/wiki/Real_number (accessed 20th May 2017)
