Risk

From Open Risk Manual
Revision as of 18:13, 3 May 2023 by Wiki admin

Definition

The formal definition of Risk (adopted by ISO 31000) states that risk is the effect of uncertainty on objectives. In simple terms, Risk denotes the potential for developments to take an unexpected, surprising turn relative to somebody's objectives.

The definition builds on several concepts:

  • Objectives are defined with reference to an individual (a real person) or a Legal Entity. This highlights the subjective nature of risk (it is defined from the point of view of a specific entity).
  • The effect of Uncertainty on an entity's objectives manifests as a deviation of the actual (realized) outcomes from the outcomes that the entity expected beforehand. Outcomes may refer to any aspect of the world that is relevant for the entity.

Examples

  • In a business context, Risk means, informally, the potential for monetary Loss or other adverse outcome affecting an individual or an organization.

Issues and Challenges

  • The standard admits both positive and negative effects of uncertainty as being part of the Risk definition. In common usage the term Risk denotes only negative deviations (adverse outcomes). The standard is thus not aligned with the casual use of the term risk, in that a positive deviation from expectations (an unexpected but beneficial outcome) would not normally be characterized as risk in common usage.
  • Frequently (and erroneously) Risk is assumed to be some combination of the probability of an event and its consequence (e.g. by constructing a product of quantitative measures such as likelihood and severity). Risk is in general not a number (not quantifiable). In certain cases
