Recommended books on Risk Assessment and Risk Management

Some of these are quite old, but the fundamentals of risk assessment and risk management haven't changed, even if some new risks have appeared and some other risks are easier to mitigate.

Nassim Nicholas Taleb, Thomson Texere, 2001

This book contains musings on random events and their effects on the market (and life in general) by a professional trader, Nassim Taleb. There are thoughts here which I found quite profound concerning the nature of inductive logic (reasoning from events to rules), as well as interesting examples and explanations of how we allow ourselves to be fooled by random phenomena.

Taleb is particularly fascinated by what he describes as the Black Swan Problem. We see lots of swans. All of them are white. We infer that all swans are white. Unfortunately we have never been to Australia, where the swans are black as well. If we build our trading systems on such principles, will the appearance of a black swan wipe us out?

The style of writing here is a collection of literate musings and digressions which I rather liked but, judging by Amazon reviews, it appears to irk some readers.

Richard A. Posner, Oxford University Press, 2004

There are disasters that affect the individual. There are disasters that affect an organization. And then there are disasters that affect the human race. It is this third type of disaster that interests Posner: more specifically, disasters that can wipe out the entire human species. The author discusses the possible causes of such catastrophes (natural and man-made), and the possible regulatory frameworks required to prevent or mitigate disaster. The difficulties of using cost/benefit analysis with low-probability, very-high-consequence events are also covered.

A general interest book unless you are concerned with national (or international) policy.

David Ropeik, George Gray, Houghton Mifflin, 2002

This book aims to give balanced information on the fifty most talked about hazards in daily life. Each risk is presented along with background information and a discussion of the consequences and likelihood of exposure.

Although you may not agree with all their risk assessments, the information is presented in sufficient detail (along with references) that you can reach your own conclusions.

Although aimed at personal risks rather than business risks, this book presents excellent examples of how to analyze and report a risk.

Note that (as the authors clearly state) this is a book about the most talked about risks, not necessarily the ones which are most likely to kill you. Interesting tables in the Appendix correct this deficiency. Did you know that in the USA your lifetime odds of being killed in a car accident are 1 in 88? Or that a truck driver is about six times more likely to be killed on the job than a police officer?

John F. Ross, Perseus Books, 1999

A collection of musings on risk in everyday life. The title comes from the author's jumping-off point: an expedition in the Arctic which discovers that there is a risk of meeting a polar bear, but has never encountered one before. How should the unknown risk be assessed?

It has been said that a picture is worth a thousand words. Unfortunately Ross provides the thousand words in place of the picture or diagram. Some of the discussions are therefore more difficult to follow than they should be, and the presentation of data in prose rather than tabular format is often irksome.

Some interesting discussions on the complexity of risk nonetheless.

Douglas W. Hubbard, Wiley, 2009

When I started reading this book I didn't like it. It starts out a little bit too much about the author, rather than the subject. So I put it aside for a while. But when I subsequently dipped into it, my opinion changed. It's a valuable book.

Hubbard's critique of risk management is based on its use of ad hoc methods which are fundamentally subjective and where there is little to no justification that the method actually works. Qualifiers (such as "low", "medium", "high" probabilities and "low", "medium", "high" impacts) are multiplied together in scoring systems which really offer no insights but just provide a warm and fuzzy feeling for management.

Hubbard won't accept the argument that "we just can't compute the probabilities" or "we can't estimate the losses" as an excuse for not trying to make a quantitative assessment of risk. He points out that the lack of a long historical record does not mean such estimates cannot be made. Safety engineers and actuaries can and do make such estimates, but their methods are frequently unrecognized or ignored when considering business continuity risks.

You don't need comprehensive historical data about a system to get a quantitative risk estimate. Indeed, just looking at historical data won't help for rare events. However, you can look at similar systems elsewhere, system components, and dependencies and combine the data for these using standard methods to get a reasonable assessment.

Hubbard also looks at how people make mistakes in estimates. Often they make the same errors in reasoning, or ignore the same factors. There are some good sections on what these errors are, how to recognize them, and how to avoid them.

Overall, this is a useful addition to any risk management library. It's not a methodology guide book, but it should help you recognize weaknesses in frequently used methods and (hopefully) find and adopt a better methodology of your own.
