4.3 Comprehensive AND Scientifically Valid
To our knowledge, there are today few, if any, risk processes (other than the process we introduce below) that are both comprehensive and scientifically valid. Some processes are comprehensive but rely on mathematically meaningless multiplications of ordinal measures of likelihood and impact; others are scientifically and mathematically meaningful but do not include impact on multiple objectives such as reputation, customer satisfaction and employee learning, some of which are qualitative and/or subjective.
4.3.1 Scientifically valid but not comprehensive
4.3.1.1 Insurance Risk Management
Risk management in the insurance industry is based primarily on a scientific analysis of actuarial information and, until recently, was as comprehensive as it needed to be. The fast-changing world of today has changed that, especially when insuring for cyber risks where many of the risk events have little or no historical data.
4.3.1.2 Risk management for financial portfolio theory
The predominant theory for risk management when optimizing a financial portfolio is Modern Portfolio Theory (MPT) [1], a mathematical framework for constructing a portfolio such that the expected return is maximized for a given level of risk, where both expected return and risk are based only on the historical prices of the assets/stocks being evaluated for inclusion in the portfolio. While this theory has prevailed for many years, it has survived numerous criticisms, including those in a recent book, Getting Back to Business [2], which presents strong arguments for why MPT has failed investors and why a change is long overdue. Without going into technical arguments about MPT here, we only point out that MPT is not comprehensive in the sense that it considers only historical prices, without any consideration of the current or forecast future strengths and weaknesses of the assets/stocks. The framework we present below overcomes this limitation by including consideration of future uncertain risk events.
4.3.2 Comprehensive but not scientifically valid
Most risk management analyses we have seen are based on eliciting human judgment about likelihood and impact on 1-to-5 scales and then multiplying the inputs to derive a mathematical measure of risk. As will be discussed in detail below, this approach is mathematically meaningless and can lead to management decisions that have been shown to be, at times, worse than having no analysis at all. We describe mathematically valid ways to derive event likelihoods and impacts in Section 5 below and illustrate them in Section 7 below.
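The following added illustration (constructed for this discussion, not part of the paper or its framework) makes the "mathematically meaningless" point concrete: an ordinal 1-to-5 scale only guarantees ordering, so any order-preserving relabelling of the scale is equally valid, yet the likelihood × impact product ranks the same three risks differently under two such relabellings. For contrast, an expected-loss figure built from a probability and a loss in currency units keeps its ranking under a change of unit, because it is a ratio-scale quantity. The risks and relabellings are constructed sample values.

```python
# Added example, not from the paper: why a product of ordinal scores is not a
# valid risk measure. The ranking it yields changes under an order-preserving
# relabelling of the scale, so it reflects the labels rather than the risks.
from typing import Dict, List, Sequence, Tuple

# Constructed sample risks: (name, likelihood score, impact score) on 1..5 ordinal scales.
# A is frequent but minor, B is rare and moderate, C is possible and moderate.
RISKS: List[Tuple[str, int, int]] = [("A", 5, 1), ("B", 2, 3), ("C", 3, 3)]

# Two order-preserving relabellings of the same 1..5 scale. Both preserve
# 1 < 2 < 3 < 4 < 5, which is all an ordinal scale promises.
IDENTITY: Dict[int, int] = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5}
STRETCHED: Dict[int, int] = {1: 1, 2: 2, 3: 3, 4: 4, 5: 10}


def rank_by_product(risks: Sequence[Tuple[str, int, int]], relabel: Dict[int, int]) -> List[str]:
    """Rank risks (highest first) by likelihood x impact after relabelling both scales."""
    scored = [(relabel[lik] * relabel[imp], name) for name, lik, imp in risks]
    return [name for _, name in sorted(scored, key=lambda t: -t[0])]


def ranking_is_label_invariant(risks, relabellings: Sequence[Dict[int, int]]) -> bool:
    """True only if every admissible relabelling produces the same ranking."""
    rankings = {tuple(rank_by_product(risks, r)) for r in relabellings}
    return len(rankings) == 1


# Contrast: expected loss = probability x loss (currency units) is a ratio-scale
# quantity. Changing the unit (dollars to thousands) multiplies every value by
# the same factor and therefore cannot reorder the risks.
CARDINAL: List[Tuple[str, float, float]] = [
    ("A", 0.5, 1_000.0),   # constructed: 50% chance of a $1,000 loss
    ("B", 0.1, 20_000.0),  # constructed: 10% chance of a $20,000 loss
    ("C", 0.2, 20_000.0),  # constructed: 20% chance of a $20,000 loss
]


def rank_by_expected_loss(risks: Sequence[Tuple[str, float, float]], unit_scale: float = 1.0) -> List[str]:
    """Rank risks (highest first) by probability x loss, expressed in units scaled by unit_scale."""
    scored = [(p * loss * unit_scale, name) for name, p, loss in risks]
    return [name for _, name in sorted(scored, key=lambda t: -t[0])]


if __name__ == "__main__":
    print("ordinal product, identity labels:", rank_by_product(RISKS, IDENTITY))
    print("ordinal product, stretched labels:", rank_by_product(RISKS, STRETCHED))
    print("ranking invariant under relabelling:", ranking_is_label_invariant(RISKS, [IDENTITY, STRETCHED]))
    print("expected loss in dollars:", rank_by_expected_loss(CARDINAL))
    print("expected loss in thousands:", rank_by_expected_loss(CARDINAL, 0.001))
```

Under the identity labels the product ranks C, B, A; under the equally valid stretched labels it ranks A, C, B, so the decision depends on an arbitrary choice of labels, whereas the expected-loss ranking is the same in dollars and in thousands of dollars.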
[1] Modern portfolio theory, Wikipedia, https://en.wikipedia.org/wiki/Modern_portfolio_theory
[2] Peris, Daniel (2018). Getting Back to Business: Why Modern Portfolio Theory Fails Investors and How You Can Bring Common Sense to Your Portfolio. McGraw-Hill.