Risk Anatomy™
Tell me more
Sign up for our newsletter — or just get in touch: for ½ a weekly 🍺 you get to consult JC. Ask about it here.


Policy is organisational scar tissue” — Jason Fried

The nature of risk

The real risks are the black swans: risks that we don’t recognise as risks until they happen. All significant market dislocations have come from blind spots. Known knowns – about which firms naturally obsess, are not generally risks at all, precisely because they are known knowns and are properly identified, managed and controlled. Black swans, after they happen, cease to be black swans.

Our constitutional insistence[1] in reviewing the tape for PAST PERFORMANCE means we obsess about risks in stables from which horses have already bolted. Eg (okay this is my hobby horse) close out netting. Real risks unknown unknowns won’t cleave to the organisational structure, much less the firm’s own risk taxonomy or division of responsibility for risk management. These things of necessarily, which is based on stables from which horses have already bolted. Therefore unknown unknowns will tend present across non-contiguous areas of risk management – the same risk might be partly legal, partly credit, partly market risk. Each in isolation may be containable, but combined effect less so.

Are they real risks?

Your risk controller is an individual with powerful personal incentives to see risks that might be paper tigers. As long as they're complex, her subject matter expertise will carry her through. But let’s not be cynical. Let us go with it and allow that these are real risks

  • Tail risks or daily risks? Depending on which, the reaction decision differs.
  • Daily risks: You can reliably predict them, quantify them, average their cost and price them based on observed expected probability. This is what insurance underwriters do. But they do this across a wide portfolio of individuals who can’t reliably predict the risk. The predictability is an emergent property of the aggregation of the risks — it's a function of scale. With sufficient scale, you can make a binary decision:
    • accept the risk — in other words, self-insurance — in this case, reprice your service to factor this quantifiable cost of doing business. Charge your customers the insurance premium. For them it may be a tail risk they will pay for; they may only trade once a year. For you, it’s a normal cost of business.
    • reject it — if you can’t price your risk into your offering (and pass it to your clients) don’t take the risk in the first place — even if that means not doing the business at all. No risk, so no insurance. Either way, don’t buy insurance. No need for a risk manager
  • Tail risks: Tail risks are, in principle, insurable. But still you’ve got some questions. How big is the risk? How bad would any risk event be? If it is containable in size given your volume of business (a toaster you use every day blows up once in five years) then take the risk. Again, it's just a cost of business. This is no different in impact to a quantified daily risk. If it is a potentially catastrophic then you still have some questions. Is the business worth it? Have you priced it correctly? How effective is your insurance? Will the risk controller get it right? Will she protect against the risk? Are you sure?

Asymmetry of outcomes

  • Before it happens: before it happens, a risk has a positive value, albeit (if it is an unknown unknown, one that is difficult or impossible to quantify.
  • It is is avoided: A risk that passes untriggered, has no value. It is like an option you wrote that expired out of the money.
  • If it happens: If the risk comes about but the firm has successfully protected itself against it, again it has no value. The firm’s resulting profit and loss is flat. If the the firm has not defended against it, then notionally, someone is responsible. But see diffusion tactics – here the primacy of the individual’s survival instinct over the firm kicks in.
  1. Stare decisis, anyone?