Risk management comes in many forms, but one approach, which I call the 3As, looks at three different risk management styles:
Actuarial - the law of large numbers
Active - the law of the land
Adversarial - the law of the jungle
They can be mundane everyday risks or complex matters of international concern.
1. Actuarial
Some risks are easily understood with statistical models and managed with standard procedures, reviewed, and adapted as required. Human discretion in responding to unusual events or system changes can also be specified. We typically have reasonable knowledge and information about this category of risks. When risks change, they usually do so for understandable and often anticipatable reasons.
Some examples include workplace safety, insurance and actuarial analysis, engineering, manufacturing, and the operation of vehicles, aircraft, and machinery. There is no specific human counterparty, and these types of risks generally operate in a state of equilibrium. These risks can be modeled and studied using the law of large numbers.
At the most basic level, they can involve games such as blackjack or backgammon, where the probabilities can be calculated and optimized. More complex examples include insurance (actuarial) calculations and engineering risks, all the way through to complex threats such as climate change or space travel. With such risks, most elements can at least be calculated with high precision, subject only to the availability of sufficient information and computing power.
2. Active
These risks require active management because they are actively evolving. Procedures, policies, checklists, etc., are essential, but operational human decision-making is the core element. Threat actors here typically operate in a competitive and adaptive but (mostly) benign environment.
Examples include financial markets, project management, business enterprises, sports, and marketing. In this context, organizations and individuals will face adaptive counterparties who seek to out-compete us, and their intention is typically to achieve their own gain. These actions can, but will not necessarily, cause loss or benefit for the other parties.
Operational risks can range from healthy benign competition, such as a soccer match, to normal commercial activities, all the way up to complex legal strategies argued in a Supreme Court or international courts.
Risks in this category may be zero-sum or may benefit others. An example of mutual benefit is a cafe owner who advertises to increase their business. It will probably help their own business and attract new customers to the area, benefitting other business owners.
An example of zero-sum would be a stallholder at a farmers market who aggressively competes on price but does not increase the market size. Such an approach will increase the market share of that stallholder but at the expense of other stallholders.
Most risk models fail because complex systems behave entirely differently from equilibrium systems. Active risks are very different from actuarial risks. As a result, central bank and financial equilibrium models consistently produce poor forecasts and risk management results. Every analysis starts with the same data. Yet when you enter that data into a deficient model, you get flawed output. Investors who use complexity theory can leave mainstream analysis behind and get better forecasting results by considering their various counterparties' actions, reactions, and motivations.
The presence of adaptive counterparties means that risks are continually appearing and evolving. In this context, the primary constraint for risks is usually the boundary between legal and illegal activities, where all parties prefer to remain within the law of the land.
3. Adversarial
This type of risk involves an adversary who is actively seeking to harm the individual or organization. It can range from burglary to world wars and everything in between.
Examples include terrorism, security, war, fraud, geopolitical actions such as tariffs or sanctions, and criminal activities. This risk category involves an adversary who can usually be identified, at least in terms of a group of actors, if not the specific individual.
Adversarial risk sources adapt and change their tactics in response to risk treatments and barriers. Equally, any organization seeking to manage these risks must be adaptive, continually modifying risk treatments as the situation evolves.
These risks ultimately involve human counterparties. However, artificial intelligence, robotics, and other technologies mean the human operator may not always be visible in the system.
Another critical consideration is that this category of risk is often asymmetric. A lone computer hacker or terrorist can inflict damages out of proportion to the size or visibility of the operation. The relevant law here can be considered the law of the jungle.
Conclusion
These three types of risk are not mutually exclusive, and many situations involve two or three of them. The point of the 3A model is to understand which type of risk you are dealing with, because each requires a different risk management strategy.
Interesting. I love a concise article that challenges my "base model" for describing and assessing risks. Thanks Julian.