Risk and risk discussions are often hampered by inconsistent terminology and a high degree of subjectivity. To overcome this, we need to understand what we mean when we ask ‘what is risk?’. This article lays out a concept of risk using the ISO definition – the effect of uncertainty on objectives – and breaks individual risks into their three main components: threat, vulnerability and impact for downside risks, or opportunity, exposure and impact for upside risks. These concepts form the basis for all subsequent risk discussions and lay the groundwork for a risk assessment methodology.
What is risk?
Risk always seems to be a difficult thing to discuss. A lot of this is due to the many different definitions of risk and we often have instances where similar terms are used to mean very different things. Another big issue is that risk is highly subjective and what constitutes an actual risk differs from person to person. Even if we agree on what risk is conceptually, everyone involved in the discussion will have different examples in mind which will influence their thinking. In a general discussion, this can prove to be frustrating but this is a much more serious problem if you are trying to conduct risk-led activities. I have seen hundreds of hours of work wasted because terms were not agreed at the start of a project. If we want to develop a functioning risk management system, we need to agree on definitions and remove some subjectivity from the discussion.
Difficulties defining risk
Unfortunately, answering the question ‘what is risk?’ is not particularly straightforward. The British Royal Society’s report following their 1992 study of risk begins by noting that a consensus was not possible and, rather than a single report, the Society would instead publish six independent essays on risk. It is difficult to say whether the experience and knowledge of the study group helped or hindered a consensus but that gives you an idea of how complicated these discussions can be. Given this difficulty, it would be a tall order for me to come up with some great unifying theory of risk.
Luckily, we don’t need a grand unifying theory but we do need a clear definition and a robust framework to underpin the whole of the Understand / Address / Monitor & React process for risk management. That’s what I have laid out below: a simple definition and framework for risk that reflects widely-recognized terms and concepts. This means that the definition and structure will be straightforward to implement and will allow this framework to integrate into other risk management systems. Most importantly, this is an approach that works in practice and is something you can employ in the real world.
That’s a lot of introduction so let’s dive in.
The ISO Definition of risk
ISO Guide 73 defines risk as “the effect of uncertainty on objectives”. This is pretty simple as definitions go, but the more I have thought about it, the more I like it. It stresses that we are considering the effects of events, not their causes, and how those effects influence an entity’s objectives rather than simply judging risk by the magnitude of an event. For example, flooding by itself isn’t necessarily a risk; in fact some farmers rely on flooding to irrigate their crops. We therefore need to consider how floods might affect an organization’s objectives to determine whether they pose a risk or not.
This definition also highlights that there is a degree of uncertainty involved, since the type, time and place of an event cannot be anticipated with certainty (although we can sometimes make educated guesses). Even if we can anticipate or observe an event, its full effects may not be known for some time. This is a particular issue in tightly coupled, highly integrated systems, where the full effects of an event can take some time to emerge.
Finally, an additional benefit of this definition is that it works for both positive and negative risks. Although risk is often thought of as a purely negative concept – A.K.A. downside risk – the ISO definition also allows for the fact that events can create an advantage – an upside risk. Using the same framework for both types of risk allows for like-for-like comparisons, which can be very useful from a decision-making perspective.
Although this is a solid start and a robust definition of risk as a concept, the ISO definition doesn’t give us everything we need to develop our risk management system. For that, we need some additional detail. What follows is a bottom-up framework for individual risks that still aligns with the ISO definition. This framework is both practical and theoretically sound and, with some terminology tweaking, the same framework serves for downside and upside risks.
Upside versus downside risk
In this framework, risk is comprised of three elements. Negative or downside risks are comprised of a threat, vulnerability and potential impacts. Upside risks are comprised of an opportunity, exposure and the potential impacts. Combined, these three elements explain the risk posed by a particular event. By separating the key components, this framework allows each element to be addressed separately in the risk assessment and risk treatment processes. This helps prepare clear, understandable risk descriptions and more effective risk treatment plans.
Let’s look at each of these components in more detail.
The three components of risk: threat, vulnerability and impact
Threats are the types of event which could negatively affect our objectives. Threats are often grouped together in categories for simplicity – e.g. environment, safety, infrastructure – as the same functional team will ‘own’ each group of threats, making management of the process easier. Threat descriptions should stress the effect rather than the cause, so instead of listing ‘climate change’ as a potential threat, the threat might be ‘increased frequency of flooding in area x’. Full descriptions should include the potential likelihood and magnitude of a threat. For upside risks, we call these events opportunities.
The second component of a risk is vulnerability, essentially describing the conditions that allow an event to occur or those that might prevent it. Vulnerabilities exist due to proximity to a threat, because of inadequate preventative measures or where there are poor or non-existent controls. Conversely, robust controls or separation from a threat will lower vulnerability. Vulnerabilities relate to both physical and non-physical threats, so both poor physical security and weak corporate governance create vulnerabilities. For upside risk we can use the term exposure.
Threats and vulnerabilities are considered as pre-event factors (left-hand side for those of you risk bow-tie enthusiasts out there) as these create the conditions that allow an event to occur. If an event were to occur, we have to consider its effects and the specific impact on the organization (the right-hand side). Impact is highly contextual and it is not always the immediate effect of the event that is being considered. Instead, we should consider the effect that the event has on the organization’s objectives, which might be a combination of physical effects, reputational damage and loss of market share.
For example, compare two warehouse fires. A fire that shuts down an Amazon distribution center in the summer would still be a big incident but is unlikely to affect such a large organization’s overall objectives. Conversely, a fire that destroys a small business’s only warehouse immediately prior to a period of peak demand would have a major – maybe catastrophic – impact. By maintaining an effects-led approach, we ensure that we focus on the impacts on the business, not the event itself.
Describing a risk
If we combine these three components, a risk is comprised of an event that poses a threat, vulnerabilities that could allow the negative event to affect the organization, and an impact on the organization’s objectives. Combining these into a risk statement shows how the three elements describe a risk in detail.
XYZ Co faces a significant risk [severity description] due to the potential for civil unrest in Janwick [threat description] which could severely disrupt our global supply chain as our key manufacturing sites are concentrated there [impact statement and explanation]. The firm is particularly vulnerable in Janwick as our local safety and security arrangements were designed when the country was peaceful and have not been updated to address the deteriorating security situation [vulnerability statement].
This gives us a clear explanation of the elements that contribute to this risk and we can start to see how we can target elements of the risk for treatment. This type of statement also aligns closely with the kind of risk statement that would appear in an enterprise risk management (ERM) program. This means that in addition to aligning with the ISO definition of risk, this framework is also something that could be incorporated into an ERM framework at a later stage.
Benefits of this approach
This approach has several additional benefits.
Risk has no natural unit, so it cannot be measured directly. However, the three components can be scored and combined, so risk = threat x vulnerability x impact gives us the basis for quantitative risk assessment. This r = tvi formula produces values that are relative rather than absolute, but that is enough to evaluate, grade and order risks against one another. (Read more about risk grading and metrics here.) In turn this significantly improves our ability to assign priorities and allocate resources to reduce or exploit risks. The same basic formula applies to upside risk, where risk = opportunity x exposure x impact (r = oei).
The second benefit of this approach is that separating these three components makes it much easier to see where mitigation is possible and what effect different treatments could have. Cost-benefit analyses or return on investment (RoI) calculations can be combined with this approach to determine where resources can be best spent.
In the Janwick example above, the changing security situation has rendered the existing safety and security arrangements inadequate. The breakdown of law and order is a function of the state and not something the company can realistically influence, so treatment could be focused on reducing vulnerability by enhancing security measures or moving manufacturing elsewhere. Alternatively, developing a parallel supply chain as a backup would allow the company to reduce the impact if something did happen.
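The grading formula and the treatment comparison described above, worked through in code. This is an added example and not part of the original article; the 1-5 component scales, the grade bands, the Janwick scores and the treatment costs are all constructed for illustration, and the `Risk`, `Treatment`, `rank` and `compare_treatments` names are this example’s own.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Each component is scored on an ordinal 1-5 scale. That scale, and the grade
# bands below, are assumptions of this example; the article fixes only the
# structure r = t * v * i (or o * e * i for upside risk), not the scales.
SCALE = range(1, 6)
GRADE_BANDS = [(60, "critical"), (30, "high"), (12, "medium"), (0, "low")]


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # threat (downside) or opportunity (upside) score
    vulnerability: int  # vulnerability (downside) or exposure (upside) score
    impact: int         # effect on the organization's objectives if the event occurs
    upside: bool = False

    def __post_init__(self) -> None:
        for value in (self.threat, self.vulnerability, self.impact):
            if value not in SCALE:
                raise ValueError(f"component scores must be in {list(SCALE)}")

    def score(self) -> int:
        """r = t * v * i: a grading value for ordering risks, not a measured unit."""
        return self.threat * self.vulnerability * self.impact


def grade(score: int) -> str:
    """Map a score to a band so risks of different kinds can be compared like for like."""
    for threshold, label in GRADE_BANDS:
        if score >= threshold:
            return label
    return "low"


def rank(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Order risks by score, highest first; ties keep their input order."""
    return sorted(((r.name, r.score(), grade(r.score())) for r in risks),
                  key=lambda row: row[1], reverse=True)


@dataclass(frozen=True)
class Treatment:
    name: str
    component: str   # "threat", "vulnerability" or "impact"
    new_value: int   # the component's value after the treatment is applied
    cost: float      # budget units; constructed figures for the example


def apply_treatments(risk: Risk, treatments: List[Treatment]) -> Risk:
    """Return the residual risk after applying each treatment in turn."""
    for t in treatments:
        risk = replace(risk, **{t.component: t.new_value})
    return risk


def compare_treatments(risk: Risk, options: List[Treatment]) -> List[Dict[str, float]]:
    """Score each single treatment by risk reduction per unit cost, best first."""
    rows = []
    for t in options:
        residual = apply_treatments(risk, [t]).score()
        reduction = risk.score() - residual
        rows.append({"treatment": t.name, "residual": residual,
                     "reduction": reduction, "reduction_per_cost": reduction / t.cost})
    return sorted(rows, key=lambda row: row["reduction_per_cost"], reverse=True)


# Constructed scores for the article's Janwick scenario: the threat itself is
# outside the firm's control, so every option targets vulnerability or impact.
JANWICK = Risk("Civil unrest in Janwick", threat=4, vulnerability=4, impact=5)
SECURITY = Treatment("Enhance local security arrangements", "vulnerability", 2, cost=2.0)
RELOCATE = Treatment("Relocate manufacturing", "vulnerability", 1, cost=12.0)
PARALLEL = Treatment("Build a parallel supply chain", "impact", 2, cost=6.0)
TREATMENTS = [SECURITY, RELOCATE, PARALLEL]

# The same arithmetic serves the upside case (opportunity x exposure x impact).
SUPERIOR = Risk("Demand for guarding services in Janwick",
                threat=4, vulnerability=3, impact=4, upside=True)

if __name__ == "__main__":
    for row in rank([JANWICK, SUPERIOR, Risk("Office fire", 2, 2, 3)]):
        print(row)
    for row in compare_treatments(JANWICK, TREATMENTS):
        print(row)
    print("combined residual:", apply_treatments(JANWICK, [SECURITY, PARALLEL]).score())
```

With these constructed figures, enhancing local security gives the best reduction per unit cost, relocating gives the largest absolute reduction, and combining the cheap vulnerability treatment with the parallel supply chain brings the residual score down to 16 for a lower combined cost than relocation. That is the point of separating the components: each treatment option maps to one term of the product, so its effect on the whole can be compared directly.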
Finally, breaking a risk into these three component parts also helps identify the conditions or triggers that can lead to a risk event. These can be monitored to help prompt additional controls or a response to mitigate an event.
Risk is subjective
As a reminder, it is important to reiterate that risk is particular to the organization. Two entities in the same place and facing the same range of threats may have very different assessments of the overall risk. For example, security companies in Janwick might see unrest as an opportunity creating an upside risk. A local security firm might describe an upside risk as follows:
Superior Security Services has a significant opportunity [severity description] due to the potential for civil unrest in Janwick [opportunity description]. This could lead to a significant increase in demand for security guards and protective services which have been limited due to the relative peace that has existed until recently [impact statement and explanation]. We have significant exposure to this market through our existing contacts providing drivers and night watchmen to Janwick’s larger firms which we can leverage to realize this opportunity [exposure statement].
This example highlights how the same situation will affect different groups in different ways and illustrates how the same framework can be used to consider both downside and upside risk.
Hopefully this has helped answer the question ‘what is risk?’. I appreciate that there is a lot in this article but I hope this has cleared up what a risk is conceptually – the effect of uncertainty on objectives – and the elements that make up an individual risk – threat, vulnerability and impact or opportunity, exposure and impact. This now gives us a basis for the Understand / Address / Monitor & Respond framework for both upside and downside risk. Moreover, this framework aligns with the recognized ISO definition and other accepted risk concepts which will help align or incorporate this approach into other systems in the future.
Notes
1. This is termed ‘risk perception’, which is something we will look at in more detail subsequently.
2. Risk: Analysis, Perception and Management, Warner et al., The Royal Society, London, 1992.
3. Please read ‘a foundation for risk management’ before you go any further, as this lays out our overall structure for risk management.
4. Risk management – the process used to assess and treat risks in order to reduce uncertainty and limit effects.
5. ISO Guide 73 – Risk Management Vocabulary.
6. These give rise to what Perrow calls ‘baffling interactions’. These interactions and the associated issues are part of what gives rise to his normal accident theory. Normal Accidents, Perrow, 1999.
7. “Risk assessment involves the identification of risks followed by their evaluation or ranking.” ISO 31000 Implementation Guide, AIRMIC, Alarm, The IRM, 2010.
8. Risk treatment – steps taken to mitigate downside risk or to increase upside risk as part of the risk management process.
9. Some of you will notice that this description of a threat resembles some simple risk models which are also based on likelihood and impact. This is not based on a desire to make things more complicated, but I don’t find this two-factor approach to risk as effective as separating things into the three elements described here. I find the three-element framework more adaptable and effective in the long run.
10. The risk bowtie is one method of illustrating a risk, with a pre-event cone on the left and a post-event cone on the right, joined by an event node in the center, resulting in a bow tie shape.
11. ERM refers to a risk management system that is applied throughout an entire organization.
12. There is additional detail on the mathematical application of this formula in the risk metrics article.