How to Think About Risk

How to Think About Risk

*This article was kindly contributed by Yaniv Bernstein author of the People Engineering newsletter (subscribe here).


A parable

You own a goose that lays golden eggs. (Congratulations)

Every year, the eggs laid by that goose can be sold for a total of $1 million.

That goose is giving you a very good life, but you’re worried. What if the goose is kidnapped? Or gets sick? Or simply flies away? What if golden eggs become less valuable? Or they break while they’re being shipped?

Luckily there’s insurance and other risk management tools. For a price, you can get peace of mind against one of those things going wrong. So you start taking out policies. You buy accidental death insurance, veterinary insurance, transit insurance. You pay for a security detail, a private dietitian, an animal psychologist. You take out futures contracts on gold for hedging. The local mob is only too happy to provide protection in return for fair consideration.

Your goose is safe, and you feel safe. Of course, all that safety costs money. By the time you’ve paid out all your expenses, only $100,000 of that annual million dollars remains.

You’re also so focused on protecting that golden revenue stream that it doesn’t occur to you that some of those golden eggs might hatch into more magic geese, if only you let them.

In the meantime, the years pass. Your goose grows old. Despite every effort, it finally dies. And you realise that in your caution, your aversion to risk, you have made many people wealthy… but not yourself.


Expected value maximisation

One way of making decisions is by using “expected value maximisation”. The expected value of an event is the payoff of an event, multiplied by the probability of that event occurring. The expected value of a decision is the sum of the expected value of all possible events.

For example, if I make a decision that has an 80% chance of yielding $10 and a 20% chance of yielding $100, the expected value is $8 + $20, or $28. Note that it’s not actually possible for the decision to yield $28. Rather, if I were able to take that chance over and over again, $28 is the average amount I would make.

Under expected value maximisation, I would make whichever decision had the largest expected value. This has a certain sound logic: if we were living in a simulation¹ and had the opportunity to run the same decision over and over again, then the decision with the highest expected value would have the best outcome on average.

Managing risk

Maximising expected value is not necessarily the best strategy for every situation. For example, if I were personally offered a bet where I staked everything I owned for a 1-in-100 chance of winning $10 billion, I’m not sure it would be wise to take the bet. Sure, the expected value is outstanding, but in the vast majority of possible outcomes I end up with nothing to my name. I only have one life to live, and relatively modest needs. Hedging my financial bets makes sense. I want to protect myself from extreme downside events (like losing everything).

If this weren’t the case, there would be no insurance industry at all. The expected value of a dollar spent on insurance is always less than a dollar (otherwise the industry would be unprofitable). What insurance does is reduce the variance in outcomes: you’re less likely to do extremely poorly, but you’re also less likely to do extremely well.

Similarly, many safety measures have a poor expected value but still make sense to people. When my wife was pregnant, we invested $1000 in tests for genetic conditions that we had a less than 1-in-5000 chance of passing on to our child. Using expected value maximisation, the genetic condition would have to have had an equivalent cost of at least $5 million for this to make raw financial sense. But of course, it was worth it to protect ourselves from the unlikely but extreme negative return.

When to manage risk

It is well known that rental car agencies make most of their profit by selling additional insurance policies, for example to reduce the excess or insure against cracked windshields. These policies are terrible deals. You pay a guaranteed $300 to reduce the excess on a one week rental, to guard against a small chance of having to pay out an extra $2000 if you do serious damage to the vehicle.

The only time it would be rational to buy this crappy insurance is if you could afford to pay $300, but would be ruined financially if required to pay a $2000 excess. Insurance and safety measures with negative expected value are only worth doing if the cost of a possible negative outcome is too extreme to contemplate.

  New Zealand goose: How one blind bisexual bird became an icon - BBC News  
The fact that I can find an image containing both a goose and black swans makes me love the Internet so much.

Reducing blast radius

Much of risk management (at least as I have experienced it) tends to focus on reducing the chance of a thing going wrong rather than on reducing the cost of it going wrong. This is a shame, because often it less expensive to reduce the damage caused by failure rather than to prevent it from happening or to insure against the resulting damage.

In software engineering, many of the best operational practices are about reducing blast radius. Rather than gumming up the works with elaborate quality assurance processes, modern tooling emphasizes frequent releases, canarying, comprehensive monitoring, and easy rollbacks. Each of these are about reducing the cost of error rather than reducing their occurrence.

Another example in the legal sphere would be to have a policy of aggressive early settlement with unhappy customers whenever there is a risk of litigation. So rather than implementing complex and costly processes to avoid the possibility of being sued, work to reduce the likely size of the payout.

The Black Swan

By definition risk management focuses on risks that are predictable. In The Black Swan as well as the rest of his Incerto Series, Nassim Nicholas Taleb argues convincingly that humans and organisations systematically underestimate the chance of catastrophic, unpredictable tail events.

What is a Black Swan event? It’s when you flip a coin, you miscue, and it hits you at just the right angle as to cut through your jugular vein. Or when you flip a coin, it rolls under a floor board and in retrieving it, you find a priceless treasure. In any real-world scenario, your list of possible outcomes will never be exhaustive, and the probabilities you capture will never add up to 100%.

By definition, traditional risk management techniques cannot mitigate against Black Swan events. Even worse, such techniques usually elevate the risk of a Black Swan event doing massive harm to the organisation. In other words, it increases the organisation’s fragility.

When an organisation attempts to manage risks through prevention, the main cost will be the slowing and ossification of the organisation. Processes and best practices will reduce initiative and dull responsiveness. The cost to the organisation therefore comes from reduced productivity, decreased innovation, and lack of agility. When the unexpected happens, such an organisation is poorly positioned to respond.

Tying it together

Bringing the above discussion together, I believe the following is a good general approach to thinking about risk:

  1. Expected value maximisation is a good place to start, but it is important to be aware of the risk of extreme negative outcomes.

  2. Don’t take out insurance except when the cost of an extreme negative outcome would be catastrophic.

  3. Minimise taking preventative measures, except where the expected value of the measure is clearly positive or the cost of an extreme negative outcome would be catastrophic.

  4. Favour reducing blast radius over putting preventative measures in place. I.e. reduce the magnitude of a possible negative outcome rather than trying to stop it from happening.

  5. Be anti-fragile. Remember that slow-moving organisations tend to be destroyed by Black Swans, whereas agile ones often benefit from them.

Startups and risk

In addition to the above, I would like to add the following note when it comes to startups in particular. To avoid confusion, when I talk about a startup business, I am referring to a technology (or similar) business that takes on multiple rounds of external venture capital.

When compared to a private individual or other type of organisation, a startup should lean quite a bit more heavily in the direction of expected value maximisation. Why? A startup is a bet on an extreme positive outcome. It’s a bet on a certain hypothesis or view of reality that, if true, will deliver stunningly good returns. If the bet doesn’t pay off, well, you may as well learn that sooner rather than later. Delaying failure is the worst thing you could do. Venture investors are not interested in a modest return; they are interested in an extreme return, and are very comfortable losing their entire investment in pursuit of that.

As somebody working at a startup, your incentives are more aligned with investors than you might think. A career in startups is forged through rapid learning, often through failure. But whatever you learn from a given startup, you should learn it quickly.

Overemphasizing risk management and diversification might reduce the chance that you go to zero (at least, in the short term). But it does so at the expense of massively reducing the likelihood that you will go to the moon. If you’re a startup, this is a bad tradeoff.

What’s the lesson here? Certainly it is not to be foolhardy or cavalier. Instead, the lesson is about focus: instead of diverting resources and attention on cushioning potential failure, put everything you have into maximising the chance of success.