TheInfoList

In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences. Many different definitions have been proposed. The international standard definition of risk for common understanding in different applications is “effect of uncertainty on objectives”. The understanding of risk, the methods of assessment and management, the descriptions of risk and even the definitions of risk differ in different practice areas (business, economics, environment, finance, information technology, health, insurance, safety, security etc). This article provides links to more detailed articles on these areas. The international standard for risk management, ISO 31000, provides principles and generic guidelines on managing risks faced by organizations.

# Definitions of risk

## Oxford English Dictionary

The Oxford English Dictionary (OED) cites the earliest use of the word in English (in the spelling of *risque* from its French original, 'risque') as of 1621, and the spelling as *risk* from 1655. While including several other definitions, the OED 3rd edition defines *risk* as:

> (Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.

The Cambridge Advanced Learner’s Dictionary gives a simple summary, defining risk as “the possibility of something bad happening”.

## International Organization for Standardization

The International Organization for Standardization (ISO) Guide 73 provides basic vocabulary to develop common understanding on risk management concepts and terms across different applications. ISO Guide 73:2009 defines risk as:

> effect of uncertainty on objectives
>
> Note 1: An effect is a deviation from the expected – positive or negative.
>
> Note 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
>
> Note 3: Risk is often characterized by reference to potential events and consequences or a combination of these.
>
> Note 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
>
> Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

This definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts. It was first adopted in 2002. Its complexity reflects the difficulty of satisfying fields that use the term risk in different ways. Some restrict the term to negative impacts (“downside risks”), while others include positive impacts (“upside risks”).

ISO 31000:2018 “Risk management — Guidelines” uses the same definition with a simpler set of notes.

## Other

Many other definitions of risk have been influential:

- “Source of harm”. The earliest use of the word “risk” was as a synonym for the much older word “hazard”, meaning a potential source of harm. This definition comes from Blount’s “Glossographia” (1661) and was the main definition in the OED 1st (1914) and 2nd (1989) editions. Modern equivalents refer to “unwanted events” (Hansson, Sven Ove, "Risk", *The Stanford Encyclopedia of Philosophy (Fall 2018 Edition)*, Edward N. Zalta (ed.)) or “something bad that might happen”.
- “Chance of harm”. This definition comes from Johnson’s “Dictionary of the English Language” (1755), and has been widely paraphrased, including “possibility of loss” or “probability of unwanted events”.
- “Uncertainty about loss”. This definition comes from Willett’s “Economic Theory of Risk and Insurance” (1901). This links “risk” to “uncertainty”, which is a broader term than chance or probability.
- “Measurable uncertainty”. This definition comes from Knight’s “Risk, Uncertainty and Profit” (1921). It allows “risk” to be used equally for positive and negative outcomes. In insurance, risk involves situations with unknown outcomes but known probability distributions.
- “Volatility of return”. Equivalence between risk and variance of return was first identified in Markowitz’s “Portfolio Selection” (1952). In finance, volatility of return is often equated to risk.
- “Statistically expected loss”. The expected value of loss was used to define risk by Wald (1939) in what is now known as decision theory. The probability of an event multiplied by its magnitude was proposed as a definition of risk for the planning of the Delta Works in 1953, a flood protection program in the Netherlands. It was adopted by the US Nuclear Regulatory Commission (1975), and remains widely used.
- “Likelihood and severity of events”. The “triplet” definition of risk as “scenarios, probabilities and consequences” was proposed by Kaplan & Garrick (1981). Many definitions refer to the likelihood/probability of events/effects/losses of different severity/consequence, e.g. ISO Guide 73 Note 4.
- “Consequences and associated uncertainty”. This was proposed by Kaplan & Garrick (1981). This definition is preferred in Bayesian analysis, which sees risk as the combination of events and uncertainties about them.
- “Uncertain events affecting objectives”. This definition was adopted by the Association for Project Management (1997). With slight rewording it became the definition in ISO Guide 73.
- “Uncertainty of outcome”. This definition was adopted by the UK Cabinet Office (2002) to encourage innovation to improve public services. It allowed “risk” to describe either “positive opportunity or negative threat of actions and events”.
- “Asset, threat and vulnerability”. This definition comes from the Threat Analysis Group (2010) in the context of computer security.
- “Human interaction with uncertainty”. This definition comes from Cline (2015) in the context of adventure education.

Some resolve these differences by arguing that the definition of risk is subjective. For example:

> No definition is advanced as the correct one, because there is no one definition that is suitable for all problems. Rather, the choice of definition is a political one, expressing someone’s views regarding the importance of different adverse effects in a particular situation.

The Society for Risk Analysis concludes that “experience has shown that to agree on one unified set of definitions is not realistic”. The solution is “to allow for different perspectives on fundamental concepts and make a distinction between overall qualitative definitions and their associated measurements.”

# Practice areas

The understanding of risk, the common methods of management, the measurements of risk and even the definition of risk differ in different practice areas. This section provides links to more detailed articles on these areas.

Business risks arise from uncertainty about the profit of a commercial business due to unwanted events such as changes in tastes, changing preferences of consumers, strikes, increased competition, changes in government policy, obsolescence etc. Business risks are controlled using techniques of risk management. In many cases they may be managed by intuitive steps to prevent or mitigate risks, by following regulations or standards of good practice, or by insurance.

Enterprise risk management includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.

## Economic risk

Economics is concerned with the production, distribution and consumption of goods and services. Economic risk arises from uncertainty about economic outcomes. For example, economic risk may be the chance that macroeconomic conditions like exchange rates, government regulation, or political stability will affect an investment or a company’s prospects. In economics, as in finance, risk is often defined as quantifiable uncertainty about gains and losses.

## Environmental risk

Environmental risk arises from environmental hazards or environmental issues. In the environmental context, risk is defined as “The chance of harmful effects to human health or to ecological systems”. Environmental risk assessment aims to assess the effects of stressors, often chemicals, on the local environment.

## Financial risk

Finance is concerned with money management and acquiring funds. Financial risk arises from uncertainty about financial returns. It includes market risk, credit risk, liquidity risk and operational risk.

In finance, risk is the possibility that the actual return on an investment will be different from its expected return. This includes not only "downside risk" (returns below expectations, including the possibility of losing some or all of the original investment) but also "upside risk" (returns that exceed expectations). In Knight’s definition, risk is often defined as quantifiable uncertainty about gains and losses. This contrasts with Knightian uncertainty, which cannot be quantified.

Financial risk modeling determines the aggregate risk in a financial portfolio. Modern portfolio theory measures risk using the variance (or standard deviation) of asset prices. More recent risk measures include value at risk.

Because investors are generally risk averse, investments with greater inherent risk must promise higher expected returns.

Financial risk management uses financial instruments to manage exposure to risk. It includes the use of a hedge to offset risks by adopting a position in an opposing market or investment.

In financial audit, audit risk refers to the potential that an audit report may fail to detect material misstatement either due to error or fraud.

## Health risk

Health risks arise from disease and other biological hazards.

Epidemiology is the study and analysis of the distribution, patterns and determinants of health and disease. It is a cornerstone of public health, and shapes policy decisions by identifying risk factors for disease and targets for preventive healthcare.

In the context of public health, risk assessment is the process of characterizing the nature and likelihood of a harmful effect to individuals or populations from certain human activities. Health risk assessment can be mostly qualitative or can include statistical estimates of probabilities for specific populations.

A health risk assessment (also referred to as a health risk appraisal and health & well-being assessment) is a questionnaire screening tool, used to provide individuals with an evaluation of their health risks and quality of life.

## Health, safety, and environment risks

Health, safety, and environment (HSE) are separate practice areas; however, they are often linked. The reason is typically to do with organizational management structures; however, there are strong links among these disciplines. One of the strongest links is that a single risk event may have impacts in all three areas, albeit over differing timescales. For example, the uncontrolled release of radiation or a toxic chemical may have immediate short-term safety consequences, more protracted health impacts, and much longer-term environmental impacts. Events such as Chernobyl, for example, caused immediate deaths, and in the longer term, deaths from cancers, and left a lasting environmental impact leading to birth defects, impacts on wildlife, etc.

## Information technology risk

Information technology (IT) is the use of computers to store, retrieve, transmit, and manipulate data. IT risk (or cyber risk) arises from the potential that a threat may exploit a vulnerability to breach security and cause harm. IT risk management applies risk management methods to IT to manage IT risks. Computer security is the protection of IT systems by managing IT risks.

Information security is the practice of protecting information by mitigating information risks. While IT risk is narrowly focused on computer security, information risks extend to other forms of information (paper, microfilm).

## Insurance risk

Insurance is a risk treatment option which involves risk sharing. It can be considered as a form of contingent capital and is akin to purchasing an option in which the buyer pays a small premium to be protected from a potential large loss.

Insurance risk is often taken by insurance companies, who then bear a pool of risks including market risk, credit risk, operational risk, interest rate risk, mortality risk, longevity risks, etc.

The term “risk” has a long history in insurance and has acquired several specialised definitions, including “the subject-matter of an insurance contract”, “an insured peril” as well as the more common “possibility of an event occurring which causes injury or loss”.

## Occupational risk

Occupational health and safety is concerned with occupational hazards experienced in the workplace. The Occupational Health and Safety Assessment Series (OHSAS) standard OHSAS 18001 in 1999 defined risk as the “combination of the likelihood and consequence(s) of a specified hazardous event occurring”. In 2018 this was replaced by ISO 45001 “Occupational health and safety management systems”, which uses the ISO Guide 73 definition.

## Project risk

A project is an individual or collaborative undertaking planned to achieve a specific aim. Project risk is defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives”. Project risk management aims to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events in the project.

## Safety risk

Safety is concerned with a variety of hazards that may result in accidents causing harm to people, property and the environment. In the safety field, risk is typically defined as the “likelihood and severity of hazardous events”. Safety risks are controlled using techniques of risk management.

A high reliability organisation (HRO) involves complex operations in environments where catastrophic accidents could occur. Examples include aircraft carriers, air traffic control, aerospace and nuclear power stations. Some HROs manage risk in a highly quantified way. The technique is usually referred to as probabilistic risk assessment (PRA). See WASH-1400 for an example of this approach. The incidence rate can also be reduced due to the provision of better occupational health and safety programmes.

## Security risk

Security is freedom from, or resilience against, potential harm caused by others. A security risk is "any event that could result in the compromise of organizational assets i.e. the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities." Security risk management involves protection of assets from harm caused by deliberate acts.

# Assessment and management of risk

## Risk management

Risk is ubiquitous in all areas of life and we all manage these risks, consciously or intuitively, whether we are managing a large organization or simply crossing the road. Intuitive risk management is addressed under the psychology of risk below.
Risk management refers to a systematic approach to managing risks, and sometimes to the profession that does this. A general definition is that risk management consists of “coordinated activities to direct and control an organization with regard to risk”. ISO 31000, the international standard for risk management, describes a risk management process that consists of the following elements:

* Communicating and consulting
* Establishing the scope, context and criteria
* Risk assessment - recognising and characterising risks, and evaluating their significance to support decision-making. This includes risk identification, risk analysis and risk evaluation.
* Risk treatment - selecting and implementing options for addressing risk.
* Monitoring and reviewing
* Recording and reporting

In general, the aim of risk management is to assist organizations in “setting strategy, achieving objectives and making informed decisions”. The outcomes should be “scientifically sound, cost-effective, integrated actions that treat risks while taking into account social, cultural, ethical, political, and legal considerations”. In contexts where risks are always harmful, risk management aims to “reduce or prevent risks”. In the safety field it aims “to protect employees, the general public, the environment, and company assets, while avoiding business interruptions”. For organizations whose definition of risk includes “upside” as well as “downside” risks, risk management is “as much about identifying opportunities as avoiding or mitigating losses”. It then involves “getting the right balance between innovation and change on the one hand, and avoidance of shocks and crises on the other”.

## Risk assessment

Risk assessment is a systematic approach to recognising and characterising risks, and evaluating their significance, in order to support decisions about how to manage them. ISO 31000 defines it in terms of its components as “the overall process of risk identification, risk analysis and risk evaluation”.

Risk assessment can be qualitative, semi-quantitative or quantitative:

* Qualitative approaches are based on qualitative descriptions of risks and rely on judgement to evaluate their significance.
* Semi-quantitative approaches use numerical rating scales to group the consequences and probabilities of events into bands such as “high”, “medium” and “low”. They may use a risk matrix to evaluate the significance of particular combinations of probability and consequence.
* Quantitative approaches, including Quantitative risk assessment (QRA) and probabilistic risk assessment (PRA), estimate probabilities and consequences in appropriate units, combine them into risk metrics, and evaluate them using numerical risk criteria.

The specific steps vary widely in different practice areas.

## Risk identification

Risk identification is “the process of finding, recognizing and recording risks”. It “involves the identification of risk sources, events, their causes and their potential consequences.” ISO 31000 describes it as the first step in a risk assessment process, preceding risk analysis and risk evaluation. In safety contexts, where risk sources are known as hazards, this step is known as “hazard identification”.

There are many different methods for identifying risks, including:

* Checklists or taxonomies based on past data or theoretical models.
* Evidence-based methods, such as literature reviews and analysis of historical data.
* Team-based methods that systematically consider possible deviations from normal operations, e.g. HAZOP, FMEA and SWIFT.
* Empirical methods, such as testing and modelling to identify what might happen under particular circumstances.
* Techniques encouraging imaginative thinking about possibilities of the future, such as scenario analysis.
* Expert-elicitation methods such as brainstorming, interviews and audits.

Sometimes, risk identification methods are limited to finding and documenting risks that are to be analysed and evaluated elsewhere. However, many risk identification methods also consider whether control measures are sufficient and recommend improvements. Hence they function as stand-alone qualitative risk assessment techniques.

## Risk analysis

Risk analysis is about developing an understanding of the risk. ISO defines it as “the process to comprehend the nature of risk and to determine the level of risk”. In the ISO 31000 risk assessment process, risk analysis follows risk identification and precedes risk evaluation. However, these distinctions are not always followed.

Risk analysis may include:

* Determining the sources, causes and drivers of risk
* Investigating the effectiveness of existing controls
* Analysing possible consequences and their likelihood
* Understanding interactions and dependencies between risks
* Determining measures of risk
* Verifying and validating results
* Uncertainty and sensitivity analysis

Risk analysis often uses data on the probabilities and consequences of previous events. Where there have been few such events, or in the context of systems that are not yet operational and therefore have no previous experience, various analytical methods may be used to estimate the probabilities and consequences:

* Proxy or analogue data from other contexts, presumed to be similar in some aspects of risk.
* Theoretical models, such as Monte Carlo simulation and Quantitative risk assessment software.
* Logical models, such as Bayesian networks, fault tree analysis and event tree analysis.
* Expert judgement, such as absolute probability judgement or the Delphi method.

## Risk evaluation and risk criteria

Risk evaluation involves comparing estimated levels of risk against risk criteria to determine the significance of the risk and make decisions about risk treatment actions. In most activities, risks can be reduced by adding further controls or other treatment options, but typically this increases cost or inconvenience. It is rarely possible to eliminate risks altogether without discontinuing the activity. Sometimes it is desirable to increase risks to secure valued benefits. Risk criteria are intended to guide decisions on these issues.

Types of criteria include:

* Criteria that define the level of risk that can be accepted in pursuit of objectives, sometimes known as risk appetite, and evaluated by risk/reward analysis.
* Criteria that determine whether further controls are needed, such as benefit-cost ratio.
* Criteria that decide between different risk management options, such as multiple-criteria decision analysis.

The simplest framework for risk criteria is a single level which divides acceptable risks from those that need treatment. This gives attractively simple results but does not reflect the uncertainties involved both in estimating risks and in defining the criteria. The tolerability of risk framework, developed by the UK Health and Safety Executive, divides risks into three bands:

* Unacceptable risks – only permitted in exceptional circumstances.
* Tolerable risks – to be kept as low as reasonably practicable (ALARP), taking into account the costs and benefits of further risk reduction.
* Broadly acceptable risks – not normally requiring further reduction.

# Descriptions of risk

There are many different risk metrics that can be used to describe or “measure” risk.

## Triplets

Risk is often considered to be a set of triplets (also described as a vector):

:$\text = <\text_\text _\text _\text >$ for i = 1,2,....,N

where:

* $\text_\text$ is a scenario describing a possible event
* $\text_\text$ is the probability of the scenario
* $\text_\text$ is the consequence of the scenario
* $\text$ is the number of scenarios chosen to describe the risk

These are the answers to the three fundamental questions asked by a risk analysis:

* What can happen?
* How likely is it to happen?
* If it does happen, what would the consequences be?

Risks expressed in this way can be shown in a table or risk register. They may be quantitative or qualitative, and can include positive as well as negative consequences. The scenarios can be plotted in a consequence/likelihood matrix (or risk matrix). These typically divide consequences and likelihoods into 3 to 5 bands. Different scales can be used for different types of consequences (e.g. finance, safety, environment etc.), and can include positive as well as negative consequences.

An updated version recommends the following general description of risk:

:$\text = \left(\text \right)$

where:

* $\text$ is an event that might occur
* $\text$ is the consequences of the event
* $\text$ is an assessment of uncertainties
* $\text$ is a knowledge-based probability of the event
* $\text$ is the background knowledge that U and P are based on

## Probability distributions

If all the consequences are expressed in the same units (or can be converted into a consistent loss function), the risk can be expressed as a probability density function describing the “uncertainty about outcome”:

:$\text = \text$

This can also be expressed as a cumulative distribution function (CDF) (or S curve). One way of highlighting the tail of this distribution is by showing the probability of exceeding given losses, known as a complementary cumulative distribution function, plotted on logarithmic scales. Examples include frequency-number (FN) diagrams, showing the annual frequency of exceeding given numbers of fatalities. A simple way of summarising the size of the distribution’s tail is the loss with a certain probability of exceedance, such as the Value at Risk.

## Expected values

Risk is often measured as the expected value of the loss. This combines the probabilities and consequences into a single value. See also Expected utility.
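
The following added example (not part of the original article) ties together the triplet description, the probability of exceeding given losses and the expected value from the three sections above. The scenario names, probabilities and costs are constructed, and it assumes the scenarios are independent and each occurs at most once per year.

```python
from itertools import product

# Constructed risk register of triplets:
# (scenario, annual probability, consequence in currency units).
REGISTER = [
    ("Account takeover via phishing", 0.30, 50_000),
    ("Ransomware outage", 0.05, 800_000),
    ("Lost unencrypted laptop", 0.10, 20_000),
    ("Exposed cloud storage bucket", 0.02, 2_000_000),
]


def validate(register, max_scenarios=20):
    """Reject malformed triplets before any arithmetic is done on them."""
    if len(register) > max_scenarios:
        raise ValueError("exact enumeration is exponential; use simulation instead")
    for name, probability, _ in register:
        if not 0.0 <= probability <= 1.0:
            raise ValueError(f"probability out of range for {name!r}")


def expected_loss(register):
    """Expected value of the loss: sum of probability times consequence."""
    validate(register)
    return sum(p * c for _, p, c in register)


def loss_distribution(register):
    """Exact distribution {total loss: probability} over one year.

    Assumption of this example: scenarios are independent and each occurs
    at most once, so every subset of scenarios is one possible outcome.
    """
    validate(register)
    dist = {}
    for outcome in product((False, True), repeat=len(register)):
        prob, loss = 1.0, 0
        for occurred, (_, p, c) in zip(outcome, register):
            prob *= p if occurred else 1.0 - p
            loss += c if occurred else 0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dict(sorted(dist.items()))


def exceedance_probability(dist, threshold):
    """Complementary CDF: probability that the total loss is >= threshold."""
    return sum(p for loss, p in dist.items() if loss >= threshold)


def loss_at_confidence(dist, confidence):
    """Smallest loss x with P(loss <= x) >= confidence (a VaR-style figure)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    cumulative = 0.0
    for loss, p in dist.items():  # keys are in ascending order
        cumulative += p
        if cumulative >= confidence:
            return loss
    return max(dist)  # guards against floating-point shortfall near 1.0


if __name__ == "__main__":
    dist = loss_distribution(REGISTER)
    print(f"expected annual loss: {expected_loss(REGISTER):,.0f}")
    print(f"probability of no loss: {dist[0]:.5f}")
    for threshold in (50_000, 800_000, 2_000_000):
        p = exceedance_probability(dist, threshold)
        print(f"P(loss >= {threshold:>9,}) = {p:.5f}")
    for confidence in (0.90, 0.95, 0.99):
        print(f"loss at {confidence:.0%} confidence: "
              f"{loss_at_confidence(dist, confidence):,}")
```

The ransomware and cloud-exposure scenarios contribute the same amount to the expected value, yet only the exceedance figures show how differently they shape the tail.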

## Mild Versus Wild Risk

Benoit Mandelbrot distinguished between "mild" and "wild" risk and argued that risk assessment and analysis must be fundamentally different for the two types of risk. Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. A common error in risk assessment and analysis is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and analysis are to be valid and reliable, according to Mandelbrot.
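
An added simulation (not from the original article) of the mild/wild distinction described above. The distribution parameters, sample size and seed are assumptions of this example: mild losses are normal with mean 100 and standard deviation 15, wild losses are Pareto with tail index 1.1 (finite mean, infinite variance).

```python
import random


def mild_losses(n, rng, mean=100.0, sd=15.0):
    """Normally distributed losses, floored at zero: finite mean and variance."""
    return [max(0.0, rng.gauss(mean, sd)) for _ in range(n)]


def wild_losses(n, rng, alpha=1.1):
    """Pareto losses (minimum 1); for 1 < alpha <= 2 the variance is infinite."""
    return [rng.paretovariate(alpha) for _ in range(n)]


def largest_share(losses):
    """Fraction of the total loss caused by the single worst event."""
    return max(losses) / sum(losses)


def top_share(losses, fraction=0.01):
    """Fraction of the total loss caused by the worst `fraction` of events."""
    k = max(1, int(len(losses) * fraction))
    return sum(sorted(losses, reverse=True)[:k]) / sum(losses)


def batch_mean_spread(losses, batches=10):
    """Ratio of the highest to the lowest batch average.

    Each batch stands for one observation period. When the law of large
    numbers works well, all periods give nearly the same average and the
    ratio stays close to 1.
    """
    size = len(losses) // batches
    means = [sum(losses[i * size:(i + 1) * size]) / size for i in range(batches)]
    return max(means) / min(means)


def compare(n=100_000, seed=2024):
    """Summarise both kinds of sample with the same three statistics."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    samples = {"mild": mild_losses(n, rng), "wild": wild_losses(n, rng)}
    return {
        label: {
            "largest_share": largest_share(sample),
            "top_1pct_share": top_share(sample, 0.01),
            "batch_mean_spread": batch_mean_spread(sample),
        }
        for label, sample in samples.items()
    }


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label)
        for name, value in stats.items():
            print(f"  {name:<18} {value:.6f}")
```

In the mild sample no single event matters and every period gives almost the same average; in the wild sample a handful of events carry a large part of the total, so an average taken from past periods says little about the next one.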

## Risk attitude, appetite and tolerance

The terms ''risk attitude'', ''appetite'', and ''tolerance'' are often used similarly to describe an organisation's or individual's attitude towards risk-taking. One's attitude may be described as ''risk-averse'', ''risk-neutral'', or ''risk-seeking''. Risk tolerance looks at acceptable/unacceptable deviations from what is expected. Risk appetite looks at how much risk one is willing to accept. There can still be deviations that are within a risk appetite. For example, recent research finds that insured individuals are significantly likely to divest from risky asset holdings in response to a decline in health, controlling for variables such as income, age, and out-of-pocket medical expenses. Gambling is a risk-increasing investment, wherein money on hand is risked for a possible large return, but with the possibility of losing it all. Purchasing a lottery ticket is a very risky investment with a high chance of no return and a small chance of a very high return. In contrast, putting money in a bank at a defined rate of interest is a risk-averse action that gives a guaranteed return of a small gain and precludes other investments with possibly higher gain. The possibility of getting no return on an investment is also known as the rate of ruin.

Risk compensation is a theory which suggests that people typically adjust their behavior in response to the perceived level of risk, becoming more careful where they sense greater risk and less careful if they feel more protected. By way of example, it has been observed that motorists drove faster when wearing seatbelts and closer to the vehicle in front when the vehicles were fitted with anti-lock brakes.

## Risk and autonomy

The experience of many people who rely on human services for support is that 'risk' is often used as a reason to prevent them from gaining further independence or fully accessing the community, and that these services are often unnecessarily risk averse. "People's autonomy used to be compromised by institution walls, now it's too often our risk management practices", according to John O'Brien. Michael Fischer and Ewan Ferlie (2013) find that contradictions between formal risk controls and the role of subjective factors in human services (such as the role of emotions and ideology) can undermine service values, so producing tensions and even intractable and 'heated' conflict.

# List of related books

This is a list of books about risk issues.

* Ambiguity aversion
* Audit risk
* Benefit shortfall
* Civil defence
* Countermeasure
* Early case assessment
* External risk
* Enterprise risk
* Event chain methodology
* Financial risk
* Fuel price risk management
* Global catastrophic risk
* Hazard (risk)
* Identity resolution
* Information assurance
* Inherent risk
* Inherent risk (accounting)
* International Risk Governance Council
* ISO/PAS 28000
* IT risk
* Legal risk
* Life-critical system
* Liquidity risk
* Loss aversion
* Moral hazard
* Operational risk
* Preventive maintenance
* Probabilistic risk assessment
* Process risk
* Reputational risk
* Reliability engineering
* Risk analysis
* Risk assessment
* Risk compensation
** Peltzman effect
* Risk management
* Risk-neutral measure
* Risk perception
* Risk register
* Sampling risk
* Systemic risk
* Systematic risk
* Uncertainty
* Vulnerability
