Shostack + Friends Blog Archive


Risk Appetite or Volatility Appetite?

Over at “Not Bad For A Cubicle,” Thurston (who is always worth reading) manages to tickle a pet peeve of mine in “A super-size risk appetite?” No rational business has a risk appetite. They accept risk. They may even buy risk in fairly explicit ways (some financial derivatives) if they think that those risks are mis-priced because of either asymmetric information or different risk models. No rational person has a risk appetite. Some rational people have a thrill appetite, which may include elements of risk taking. Gamblers, extreme sports devotees and idiots may all do things in search of a thrill that includes a risk of serious injury or death. That risk may even increase their thrill, but what they’re seeking is the thrill, and they take risk as part of that package.

If you think you have a risk appetite, I have a simple game for you. We flip a coin. If it lands heads, you give me a dollar. If it lands tails, you may choose to play again. This is pure risk. I’ve removed any possible gain. Feel free to play, I’ll send you my address.

The picture is NelC’s “My Lucky Dice.”

[I’ve responded to some of the comments at “More on risk tolerance.”]

7 comments on "Risk Appetite or Volatility Appetite?"

  • Alex Hutton says:

    How about “tolerance”. People and corporations and so forth may be able to tolerate a certain level of risk, and make decisions based on how much risk an enterprise introduces into the organization.
    But if you’re going to be a little snarky about using the word “appetite”, let me be similarly dogmatic about risk and your use of “pure” risk.
    Risk (as we tend to use it) is best defined as how much you stand to lose and how often you stand to lose it. Suggesting that there is a pure risk that is somehow contaminated or diluted by introducing less loss frequency just doesn’t make sense.
    Snarky, I know, but half the problem our profession faces is definition and vocabulary.

  • Chris Walsh says:

    You’re fighting a losing battle. What an individual investor would call “risk tolerance”, the risk management industry calls “risk appetite”.

  • Kaa says:

    You seem to define risk as “the probability of bad things happening”. That’s a valid definition, but not the one normally used in finance and other places. In finance risk generally means “variability of uncertain outcome”. In simple cases the standard deviation of an (assumed) normal distribution is often used as a proxy for risk.
    For example, let’s consider two investment opportunities. In one I will get one cent if the coin flip comes up heads and lose one cent if it comes up tails. In another one I will get one dollar for heads and lose one dollar for tails.
    Both cases have the expected return of zero. Yet the second one is riskier than the first. I would expect some rational people to choose the second investment opportunity, even though it has higher risk.
    Moreover, as a very very general statement, in financial markets there is a pronounced correlation between risk and returns. If you want to get higher returns you must accept higher risk (= variability of your returns). In this context it’s perfectly sensible to talk of a company’s appetite for risk which means that it prefers a more uncertain chance of higher returns. Again, that’s a valid, rational preference.

  • Alex Hutton says:

    Love the comment. I find that there are many, many definitions of risk. The trick is finding one with which you can build a metric framework for Information Risk.
    In general, I subscribe to the following:
    _Risk – The probable frequency and probable magnitude of future loss_
    This covers probability and financial impact. I’m actually not against _variability of uncertain outcome_ as long as one can create a good framework to consistently express information risk.
    I would ask – if we use a more financial risk definition, what would *our* reward be? Would it be the lack of impact? In that case, maybe Adam’s “purity” comment works (I still don’t like the term _grin_).
    If our risk analysis was concerning levees that could withstand force 3 hurricanes or force 5 hurricanes, is the “reward” of our analysis decision to build force 3 the difference in cost between the two options?

  • fredrick Lee says:

    Adam, I agree with you that risk is a chance for loss, but I agree with Alex and don’t think that pure risk exists. In your “I lose a dollar half the time” game, I might be paying for the fun of playing. I might play just to take your coin. I might play because I have a bunch of radioactive waste dollars that cost me $400 each to dispose of. My point is that you haven’t established any risk tolerance, which is fundamental to any “risk decision” as well as the reward portion–I mean doesn’t risk usually imply taking a chance for a reward? Under normal circumstances, playing your game might be dumb, but I don’t think that it is “risky”… am I off here?
    Also, Kaa, I don’t think that your investment opportunities exemplify a risk situation very well either, since there is reasonably nothing to gain–in the long run... (and like you later say “gain” is implicit) and again, no one mentions my risk tolerance, neither of these games address risk tolerance (which is critical to saying what is “riskier”). But you are absolutely correct a company could have a higher “appetite” to take chances (risks).
    I don’t want to play semantics, but assumptions are really killing the information security industry when it comes to the use of the word “risk”. I don’t know crapola about the financial industry and the terminology, but it has to be more stable than IT security’s paltry lexicons.

  • anonymous says:

    Risk appetite also refers to one’s utility curve: how much one values one’s current dollar vs. how much one would value an Nth additional dollar. If one values the millionth dollar more than the dollar one is holding, and the house doesn’t take too big of a cut, then it’s rational to gamble for such a jackpot. That’s a preference or appetite for risk. Most people, but not all, are risk averse, e.g. they’d give up a one-in-a-million chance for a million dollars in order to receive a dollar, and thus do things like buying insurance, giving the house a cut in exchange for reducing risk.

  • Kaa says:

    Hmm… risk is, basically, what you define it to be 🙂 Taking our favorite coin flip, let’s say I win $1 on heads and I win $1000 on tails. Is there risk? There’s no loss, but there’s noticeable uncertainty of the outcome.
    Also note that risk tolerance and utility curves are about perception of risk and “value” of risk for a *specific* person (or company). We haven’t gotten to this point yet. We are still trying to figure out what risk *is* — once we do that we can talk about how it’s perceived and evaluated.
