On 18 October 2023 thousands of risk-management professionals filed into London’s cavernous ExCel Centre for the #Risk trade show. Organised by GRC World Forums, a digital media and events business, the two-day event promised more than 200 presentations on assessing and managing varied types of risk. Billing itself as “the premier event for risk professionals in the UK”, #Risk London brought together practitioners from different parts of the risk universe – from money laundering to AI, healthcare, terrorism, crime and climate change. Here, finally, was the chance to consider all that imperils the world under one roof.
Real, potentially catastrophic threats abound. But it is only recently that “risk” has become a catch-all approach to security. As recently as the 1980s, few universities offered programmes in risk management and only a small number of professional journals covered the subject outside of finance or insurance. Propelled both by increased regulation and an unfathomable amount of data, the business of risk management has boomed since the turn of the century and is projected to increase by 18.7 per cent annually through to 2027. The average age of exhibitors at #Risk London – beyond major sponsors such as Microsoft and Capgemini, almost all companies in attendance were founded within the last 15 years – testifies to just how incipient the industry is. If the end of the 20th century brought what the German sociologist Ulrich Beck called the “risk society” – a time in which modernity’s vaunted technical and industrial progress generated new, potentially calamitous risks on a global level – the turn of the 21st century has ushered in the risk management society as a concerted attempt to keep the lid from blowing.
What does seeing the world through the lens of risk entail? After all, the risk framework has become commonplace not just for corporate compliance officers, but governments, schools, hospitals, and even individuals. As eager salesmen chatted up prospective clients and demoed online platforms, I wondered why risk, a concept with a long history of specific applications in finance and insurance, has become an expansive and generalised way of thinking about safety and danger? And why might all these tools for managing risk fail to make us secure?
Conventional wisdom says that human beings have had to contend with risks since the dawn of time, from thunderstorms and wild animals to the robot takeover or climate change. But risk is not the same thing as danger or hazard, but a particular concept that arose in the 18th century alongside the modern state and the growth of the capitalist economic system. While dangers have always been a feature of human existence, risk as a way of assessing, quantifying and mitigating them has not. The modern notion of risk is something like what Michel Foucault called an episteme – a way of seeing the world that is so naturalised, it scarcely needs explaining.
Emerging in the wake of 17th-century advances in mathematical probability, risk offers a systematic approach to making projections informed by past occurrences. Risk management is a form of fortune telling – one powered by vast quantities of data. That data is what allows researchers to calculate your chance of dying in an airplane crash, getting struck by lightning, or dying during a surgical procedure. Prior to a time in which data and information could be systematically analysed, attempts to manage risk were little more than “genuflection before the winds”, as Peter Bernstein argued in Against the Gods: The Remarkable Story of Risk (1996).
A former asset manager, Bernstein was interested in the development of mathematical tools that enabled merchants, insurers and investors to quantify, and so better manage, the risks they ventured. It was in the Italian coastal city of Genoa – capital of a powerful medieval maritime republic – that the first reference to the Latin word resicum was recorded. According to Karla Mallette, the term first appeared in a contract written on 26 April 1156. A ship captain agreed to travel to Valencia to invest a certain sum in exchange for 25 per cent of the profit, with the remaining 75 per cent – the “resicum” – reserved for the investor. In a society in which the payment of interest on loans was forbidden, resicum performed a key economic function. “By inventing a bonus paid to the investor in the event of the successful completion of a journey,” Bernstein writes, “the resicum provided a workaround for venture capitalists and for the captain seeking capital.”
In a similar vein, 16th- and 17th-century jurists would cling to the redeeming power of risk, according to the historian Lorraine Daston, to defend financial practices that otherwise appeared usurious. “Largely because of the Catholic church’s position on usury, risk took on a positive tinge as civil and canon lawyers and later Jesuits made it the basis for their defence of potentially shady commercial practices.” In ways that should not sound wholly unfamiliar, invocations of risk served to bypass prevailing moral sentiments related to wealth and equity.
The Mediterranean port cities were cosmopolitan to a degree almost unimaginable in our age of border walls and nation-states – the site of continuous interaction between European peoples and those from Asia and North Africa. It is not surprising to find that the Latin resicum was mostly likely borrowed from the Arabic al-rizq, meaning sustenance or bounty. Variations of al-rizq appear frequently in the Koran in reference to the provision that God gives his creations. As in Surah al-Baqarah, 22: “He is the One who made the Earth for you as a carpet and the sky as a canopy; he sends down rain from the heavens that bring forth fruits as your sustenance (rizqan).”
[See also: What the left gets wrong about Gaza and “decolonisation”]
Likewise, believers are enjoined not to fear bringing children into this world for fear of want tomorrow, but rather to have faith that God will provide for the future. This sentiment has often led Western observers to accuse Muslims of fatalism, of simply accepting the future as it is given rather than actively trying to shape it. Peter Bernstein relied on this Orientalist trope to explain why Muslim mathematicians – despite their sophistication – never developed the science of probability, which forms the basis of all modern risk applications. “The idea of risk management emerges only when people believe that they are to some degree free agents. Like the Greeks and the early Christians, the fatalistic Muslims were not yet ready to take the leap.”
It is striking that contemporary notions of risk overturn the Islamic ancestor, implicit within which was a sense of security that God will sustain his creation. On the contrary, the multiplying fields in which humans are charged to assess and manage risk today leads to a perpetual sense of insecurity – the fear of danger lurking behind every corner; the self under ambush from potential threats against which there is no reprieve. But our modern sense of risk as mostly menacing also departs from the way that Bernstein depicted it just a few decades ago. As befitting a work published at the End of History, his account is rather triumphal in tone. Risk was the rocket-fuel for modernity, “the missing ingredient that has propelled science and enterprise into the world of speed, power, instant communication, and sophisticated finance that marks our own age.” Risk was what separated humans who charted their own destinies from those who merely accepted what the fates threw in their path.
We could posit a long list of reasons why Bernstein’s celebratory account of risk now rings hollow, from the attacks of 9/11 and global War on Terror to the advances of digital technologies and the climate crisis. But beyond the general sense of insecurity that is a feature of 21st-century life, risk management’s contemporary applications also depend on an unprecedented amount of data. The greater the availability of such data, the greater the allure that everything can be quantified and, therefore, human life more rationally planned.
This was, in effect, the sort of optimism that the utilitarian economist William Stanley Jevons expressed in 1871 when he wrote that, “Now there can be no doubt that pleasure, pain, labour, utility, value, wealth, money, capital, etc, are all notions admitting of quantity.” Like his contemporary Francis Galton, whose zeal for measurement led him to establish the science of eugenics, Jevons was a product of an era that sought mastery over both the natural world and the human one and viewed data as the means of achieving it. Human beings and human behaviour seemed to contain, at scale at least, some level of regularity that could be quantified, analysed and deployed for managing the future. Stability seemed just around the corner.
But there have been two major snags in human efforts to become better fortune tellers. The first is that we tend to conflate risk with uncertainty. Writing in 1921, the American economist Frank Knight used the example of a champagne producer to demonstrate the difference between the two. He argued that bottles that burst during production represented a risk because “a practically constant and known proportion of the bottles burst”, meaning such costs could be calculated and passed on to consumers like materials or labour costs. “The essential fact is that ‘risk’ means in some cases a quantity susceptible of measurement,” he wrote, whereas uncertainty remained largely incalculable. As risk has moved out of the insurance and banking world and into the social and political one, such careful distinctions have all but dissolved.
Today’s risk models often rely on best guesses, intuition and vibes – such as the registers prepared by UK universities that estimate the likelihood (on a scale of one to five) of a terrorist attack or fire occurring on their campuses. And even when data is available, it often feeds models that replicate existing social inequalities, as Cathy O’Neil has shown in Weapons of Math Destruction (2017). For instance, studies have uncovered racial bias built into recidivism risk algorithms used for sentencing and parole as well as predictive policing. Yet the pretence that risk represents a “scientific” approach to security remains, making it harder to question the value of such exercises or the criteria that risk models are constructed around.
The second problem is when genuinely new events occur for which no past data exists to generate clear calculations, as we saw in the early days of Covid-19. The records of the past might be the only clues we have to go on, but the true lesson of history is that humans and the world they live in remain unpredictable. And at a deeper, philosophical level, trying to manage the future based on data from the past implies a sort of continual feedback loop in which genuine novelty – a different sort of world – is foreclosed in advance. The goal becomes managing affairs in their present form. Seen from this angle, perhaps it is no coincidence that the business of risk management rose alongside Margaret Thatcher’s directive that “there is no alternative” to capitalism. And indeed, as I strolled from booth to booth at #Risk London, it was impossible to shake the sense that much of this industry amounts to a giant plaster stretched across an increasingly unstable economic and political reality.
Risk-management professionals are a measured and well-meaning crew, the sort who diligently recycle and turn out in droves to hear Alastair Campbell lament populism, polarisation and post-truth as the biggest threats to democracy. Given that my last trip to London was to report on the National Conservatism conference, I preferred the crowd of centre-left technocrats to the Suella Braverman enthusiasts. As I strolled through the booths picking up corporate swag – ostrich socks and stuffed animals for my daughters, new notebooks for myself – I found salespeople affable and interested that I was writing a book about what the existence of their industry indicated about the nature of our politics.
Among the dozens of exhibitors, I spoke with companies that offered enterprise governance, risk and compliance (GRC) tools, data privacy services, employee background screening, workplace wellness training, terrorism threat analysis, rewilding and other sustainability projects, activist monitoring (for corporate clients), political risk analysis, cybercrime recovery services, and online suicide intervention support, among others. The range of products and services underscored both how capacious our contemporary sense of risk has become, and how last century’s distinction between risk and uncertainty has all but disappeared. Risk is no longer something one can quantify with any precision, but a vague sense that the world is big and scary and requires a posture of constant vigilance. And vigilance is not just an attitude but a suite of products and services that must be procured through the marketplace.
I asked several industry veterans what they made of the risk business’s rapid development over the past few decades. David Tattam, co-founder of a beginning-to-end corporate risk-management platform called Protecht, was one of many to point to increased regulation in the wake of “banks behaving badly” as a key driver of growth. But it is not just financial services companies that are affected by a more stringent regulatory environment, which at this point affects every organisation that manufactures and sells products, collects and/or stores user data, or indeed, employs people at all. Tattam noted that while much recent regulation represents a necessary response to “Wild West” corporate practices, it has also helped fuel a general recognition that risk management is everywhere – part of the operating mandate of every government and every organisation in the world.
As living, breathing, never fully rational human beings, employees represent a particular challenge from a risk-management perspective, as they may leak sensitive data, sexually harass their co-workers, or commit fraud. Skillcast, a compliance training portal, is one of many companies that offer employees courses on everything from unconscious bias to workplace safety, environmental awareness, managing home-workers and modern slavery. This segment of the risk dovetails with that of workplace wellness – an approach to improving employee physical and mental health that has surged in recent years despite the lack of evidence that such programmes increase well-being or lower medical costs. More cynically, we could note that the popularity of workplace wellness programmes has grown alongside persistently high levels of employee dissatisfaction. As Sadie Restorick, co-founder of a workplace wellness provider called Wellity argued in a presentation/sales pitch, employee stress and burnout are a major problem for the corporate bottom line. But the solutions on offer focus on tweaking corporate culture rather than – like the efforts of organised labour – addressing the structural demands of the workplace. Thus, managers might not be able to reduce unmanageable workloads, Restorick noted, but at least they can make employees feel like their voices are being heard. It is hard not to hear such suggestions as a way to squeeze just a little more value out of an already exhausted labour force.
Likewise, the services offered by Sigwatch – a consultancy that monitors NGOs and social movements on behalf of clients like Coca-Cola, Unilever and Deutsche Bank – left me with the sense that risk management is a strategy to proceed with business as usual in unusual times. While Sigwatch positions itself as an intermediary between the business and activist communities, its proprietary data set – including “over ten years of intelligence on campaigning by 10,000 activist groups” – reveals that demands for a more just, sustainable and equitable social order are precisely the “risks” that corporations must manage. As with workplace wellness, engaging with the demands of activist communities is about the bottom line. “In a world where the line between business and social responsibility is increasingly blurred, paying attention to activists is not just ethical but also smart business,” as one recent Sigwatch post argues. None of this should be surprising if we keep in mind that risk management is often more concerned with liability than broad-based security – with conveying the impression that all factors have been considered, all boxes ticked, rather than addressing the root causes of possible harms.
As the language and logic of risk has penetrated all aspects of 21st-century life – from parenting and healthcare to climate, governance and crime – we seem to have overlooked how risk determinations remain subjective and even contested. A risk to who? And from what? A profitability risk to Coca-Cola should it suspend the use of plastic bottles is, from the perspective of environmentalists, an enormous win. But the neutralised, quasi-scientific language of risk management masks these power struggles by suggesting an agreed-upon set of dangers that can be effectively managed outside of the political arena. As I learned in one of the first presentations of the first day of #Risk London (“The Road to 2030: Geopolitical Risk in the Age of Nationalism”), politics itself constitutes a major risk – again, not primarily to actual human beings, but to the operations and profitability of global capital. While packing up to leave the ExCel Centre at the end of the day, I realised that the way the latter has been operating for the last several decades – producing more than half of all CO2 emissions since the Industrial Revolution alongside record levels of economic inequality, and fuelling the populist sentiment that democratic governance is a sham – was the one risk I didn’t hear anything about.
[See also: The left needs to be more like Michel Foucault]