Recommended books on Risk Assessment and Risk Management

Some of these are quite old, but the fundamentals of risk assessment and risk management haven't changed, even if some new risks have appeared and some other risks are easier to mitigate.

Nassim Nicholas Taleb, Thomson Texere , 2001

This book contains musings on random events and its effects on the market (and life in general) by a professional trader, Nassim Taleb. There are thoughts here which I found quite profound concerning the nature of inductive logic (reasoning from events to rules), as well as interesting examples and explanations of how we allow ourselves to be fooled by random phenomena.

Taleb is particlarly fascinated by what he describes as the Black Swan Problem. We see lots of swans. All of them are white. We infer that all swans are white. Unfortunately we have never been to Australia, where the swans are black as well. If we build our trading systems on such principles will the appearance of a black swan wipe us out?

The style of writing here is collection of literate musings and digressions which I rather liked but, judging by Amazon reviews, it appears to irk some readers.

Richard A. Posner, Oxford University Press , 2004

There are disasters that affect the individual. There are disasters that affect an organization. And then there are disasters that affect the human race. It is this third type of disaster that interests Posner: more specifically, disasters that can wipe out the entire human species. The author discusses the possible causes of such catastrophes (natural and man-made), and the possible regulatory frameworks required to prevent or mitigate disaster. The difficulties of using cost/benefit analysis with low-probability very high consequence events are also covered.

A general interest book unless you are concerned with national (or international) policy.

David Ropeik, George Gray, Houghton Mifflin , 2002

This book aims to give balanced information on the fifty most talked about hazards in daily life. Each risk is presented along with background information and a discussion of the consequences and likelihood of exposure.

Although you may not agree with all their risk assessments, the information is presented in sufficient detail (along with references) that you can reach your own conclusions.

Although aimed at personal risks rather than business risks, this book presents excellent examples of how to analyze and report a risk.

Note that (as the authors clearly state) this is a book about the most talked about risks, not necessarily the ones which are most likely to kill you. Interesting tables in the Appendix correct this deficiency. Did you know that in the USA your lifetime odds of being killed in a car accident are 1 in 88? Or that a truck driver is about six times more likely to be killed on the job as a police officer?

John F. Ross, Perseus Books , 1999

A collections of musings on risk in everyday life. The title comes from the author's jumping-off point: an expedition in the arctic which discovers that there is a risk of meeting a polar bear, but has never encountered one before. How should the unknown risk be assessed?

It has been said that a picture is worth a thousand words. Unfortunately Ross provides the thousand words in place of the picture or diagram. Some of the discussions are therefore more difficult to follow than they should be, and the presentation of data in prose rather than tabular format is often irksome.

Some interesting discussions on the complexity of risk nonetheless.

Douglas W. Hubbard, Wiley , 2009

When I started reading this book I didn't like it. It starts out a little bit too much about the author, rather than the subject. So I put it aside for a while. But when I subsequently dipped into it, my opinion changed. It's a valuable book.

Hubbard's critique of risk management is based on its use of ad hoc methods which are fundamentally subjective and where there is little to no justification that the method actually works. Qualifiers (such as "low", "medium", "high" probabilities and "low", "medium", "high" impacts) are multiplied together in scoring systems which really offer no insights but just provide a warm and fuzzy feeling for management.

Hubbard won't accept the argument that "we just can't compute the probabilities" or "we can't estimate the losses" as an excuse for not trying to make a quantitative assessment of risk. He points out that the lack of a long historical record does not mean such estimates cannot be made. Safety engineers and actuaries can and do make such estimates, but their methods are frequently unrecognized or ignored when considering business continuity risks.

You don't need comprehensive historical data about a system to get a quantitative risk estimate. Indeed, just looking at historical data won't help for rare events. However, you can look at similar systems elsewhere, system components, and dependencies and combine the data for these using standard methods to get a reasonable assessment.

Hubbard also looks at how people make mistakes in estimates. Often they make the same errors in reasoning, or ignore the same factors.  There's some good sections on what these errors are, how to recognize them, and how to avoid them.

Overall, this a useful addition to any risk management library. It's not a methodology guide book, but it should help you recognize weaknesses in frequently used methods and (hopefully) find and adopt a better methodology of your own.

Michal Zalewski, No Starch Press , 2022

I'm not normally a fan of "prepping" books. The scenarios described are too unlikely and the proposed mitigations are often unrealistic and disproportionate.

A Mad Max style dystopian future won't occur next week, and before you prepare to fend off gangs of armed marauders attacking your underground nuclear bunker there are more mundane risks you should be prepared to survive.

Zalweski takes a wide view of risk, looking at disasters from personal to global. He assesses their likelihoods, and looks at what the practical measures are that we can take to prepare for them. I like the coverage here. There's everything from unexpected unemployment and falling off a ladder to hyperinflation and nuclear war. Each is treated thoughtfully with the respect it deserves.

In risk management everything is about trade-offs, and this book covers some trade-offs I had never considered. For example, every emergency plan suggests stockpiling some food to cope with disruption to supply. Food doesn't last forever, and whether its a one week supply or a one year supply your stockpile needs to be managed so that it is still edible when you need it. One approach is to continually eat through and replenish your stockpile, thus ensuring it has a certain level of freshness; the other is to eat nicer (but more perishable) and food discard your stockpile at regular intervals. I've tried both by accident rather than design, and when the presented as a choice, I know which I prefer.

Ultimately how likely you believe various threats are and what efforts you should personally take to mitigate them is your own decision. This book provides a good basis for clarifying those risks and making that decision.

Michael T. Osterholm PhD MPH and Mark Olshaker, Little, Brown Spark , 2017

Before the SARS-nCov-2 outbreak in 2019/2020, most government (and business) contingency planning was based around the idea of a novel influenza pandemic. The history of the flu pandemic in 1918 (which left tens of millions dead) is well known, and it's widely recognized that there is little to prevent a similar outbreak happening in future. There have been many less severe influenza pandemics (with perhaps a few million killed), but the annual seasonal flu epidemics (which kilsl around 400,000 people) tends to make it easy to accept the risk.

Although the risks from influenza are generally accepted (if not always fully understood and planned for), the possibility of other pandemics has always been there. This book, written two years before the Covid-19 pandemic, looks in detail at the risks from all the major families of infectious diseases, as well as of diseases yet to be discovered. It is based on the author's in depth experience working on the prevention and management of infectious diseases since the first cases of HIV / AIDS were noticed through to the SARS and MERS outbreaks. As a result the author can explain clearly not only the characteristics of the diseases themselves, but also the public health measures required to identify outbreaks before they get out of control, and the subsequent steps needed to prevent the outbreak from spreading.

This book should be an essential read for anyone involved in public health policy or planning. It includes some key policy lessons which were learned "the hard way", and which are easily forgotten. In addition, anyone involved in business continuity or emergency planning would do well to consider the detailed scenario provided for a full scale flu pandemic: it includes many second and third order effects which are easily missed and have real consequences for government, businesses, and individuals. Did you fail to predict what would happen during the Covid-19 epidemic? You might not if f you had read this first.

I found this a fascinating read during the Covid-19 epidemic. Normally when I read this type of book I have to ask myself how good the author's predictions are likely to be. But when reading this with the benefit of hindsight the answer is easy: pretty damn good.

Relevant Books
If you purchase a book using one of these links, we receive a small payment from Amazon, which helps pay for this site.

See Also