I mostly write about ML/AI on this website, though long-time readers will notice that I focus on the non-technical matters: leadership, hiring, and team structure are common topics here.
I’ve also mentioned risk in a few posts. I find risk to be a fascinating topic overall, and one that we don’t think about nearly enough in ML/AI.
There are many ways to think about risk. One that I keep coming back to is: a possible future entry on the balance sheet, of indeterminate (and unbounded) amount. This perspective is especially relevant when you consider how future costs weigh into company valuations for investment and M&A purposes: if a company has done something dodgy with its training data, then it’s probably heading for trouble down the line, and that should be reflected in any purchase price.
I plan to cover risk here more in the future, and in deeper detail, so I figured an introduction to risk was in order.
It’s cliché but necessary to lead with some terminology.
Risk is built on the idea that some Event might happen. We emphasize, “might.” It’s not that it definitely will happen, because then it would be a fact. Instead, a risk is a Not-Yet Event. And there’s only a chance that it will become a Has Happened Event.
The core of risk, then, is the notion of maybe.
Why should we care about a maybe? Well, if The Event happens, there will be some outcome, usually in the form of consequences. That’s what separates risk from other areas of future planning: it’s about exploring things that don’t go as intended.
That leads us to some other key terms:
Risk assessment is the practice of figuring out which events might happen (the Not-Yets) … and their impact should they become Has-Happeneds.
Risk mitigation is the practice of actually handling the risk, either by doing something to prevent it from happening to you, preventing it from happening at all, or by cleaning up after it happens. Mitigation, then, turns a Not-Yet into a Not-To-Me, a Not-At-All, or a What-Now.
Exposure hovers over assessment and mitigation. It’s the circumstances under which a given event will happen to a given entity (usually, you). That means exposure is a matter of When-Me. A large When-Me means a greater opportunity for a Has-Happened and, therefore, a greater chance of facing consequences.
Risk assessment is therefore a matter of identifying the exposure: when could this happen, and how likely is that to take shape?
Flipping this around, assessment and exposure set the parameters for exploring risk mitigation. For example: if you have a very small exposure (a very narrow window of opportunity), and your assessment determines that the impact is small, you probably won’t spend too much time lining up a mitigation strategy. Why bother? On the other hand, if the window of opportunity is very large, and the impact significant, it’s worth your time to think carefully about how to handle the Event if it happens.
We can use a concrete example to demonstrate:
- I’d like to walk home from the office tonight.
- Between the weather forecasts and the clouds in the sky, I determine that it may rain today. I’ll get drenched if I’m caught in the rain. That’s my assessment.
- Why do I care? Because I’d like to walk home, and I don’t want to get drenched. That walk home is my exposure to the rain shower.
- If it starts raining, I can stay in the office till it ends. Or I can use an umbrella on my walk. Those options comprise my mitigation plan. The office option works so long as I don’t mind staying late, and the umbrella option works so long as the rain is not a torrential downpour.
This was a toy example but it shows a certain pattern of thought. We call this risk thinking, and it’s the process of exploring a world beyond our intended outcome to identify Other Possible Scenarios and decide how – or whether – we would handle them.
(One thing we didn’t do in this example is leave some flexibility for things we hadn’t considered. Donald Rumsfeld took some heat for his “Unknown Unknowns” comment but, from a risk perspective, there is a lot of truth in there.)
This may sound very rigid and formal but it is something we all do; it’s just that we rarely consider the thought process because it happens quickly and automatically. What took four bullet points and a couple of paragraphs in print would take just seconds inside your brain.
I often tell people that I’d rather be inconvenienced than surprised: I can plan for an inconvenience that I know is coming, but a surprise requires that I adapt on the spot. (Most surprises ship with a free side of inconvenience.)
Risk thinking is all about limiting the impact of that surprise. It’s a different way of looking at the future. We have our intended, preferred outcome in mind but we know that this is just one possible outcome in the absence of perfect information. The wise among us apply risk thinking to take the sting out of our predictions-gone-wrong.
(This content is an excerpt of a future project on risk.)