How to Manage Risk (After Risk Management Has Failed)

Over the past decade, and especially over the past few years, a number of the world’s most widely respected companies have collapsed. The authors believe that a major, though not often mentioned, factor was these companies’ traditional approach to risk management, which tends to look for risk in all the wrong places.

Two fundamentally different views have evolved over the years on how risk should be assessed. The first and prevailing view — termed the frequentist view — is based solely on repetitive historical data, such as weather patterns. The second, or Bayesian, view considers risk to be in part a judgment of the observer, or a property of the observation process; repetitive historical data thus are essentially complemented by other kinds of information. Where there is a great deal of relevant data, this information plays a dominant role, with the integration of judgment making a substantial improvement over the traditional approach. Where there is little or no relevant data, judgment plays a dominant role, providing value under conditions beyond the scope of the traditional approach. Either way, recognizing the important, sometimes central, role of judgment can lead to more reasonable and realistic behavior — in large part because we realize that judgment is not perfect and can be refined as more experience is acquired.

The key point is that risk under the Bayesian approach can be measured quantitatively, whatever the amount and quality of the data. And rather than focusing entirely on the observed world, Bayesian risk assessment also reflects the consistency, reliability and precision of the observer.

Many measures are being deployed to recover from the collapses and to build a more robust system that prevents future crises — a shift from frequentist risk management to Bayesian risk management should be a part of this effort.